Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
kdbG0dSi8w.exe

Overview

General Information

Sample name:kdbG0dSi8w.exe
renamed because original name is a hash value
Original sample name:85c9b91548b9877972880f5440632b5d.exe
Analysis ID:1576247
MD5:85c9b91548b9877972880f5440632b5d
SHA1:676fc0fb94a16bdab24dfaadf0bdd12c64a2add9
SHA256:5042dedc972a4f9dba5e8f217cf586c066d0b41c46da35a25ff8d90261152621
Tags:exePureLogStealeruser-abuse_ch
Infos:

Detection

Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: New RUN Key Pointing to Suspicious Folder
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Process Tree

  • System is w10x64
  • kdbG0dSi8w.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\kdbG0dSi8w.exe" MD5: 85C9B91548B9877972880F5440632B5D)
  • kdbG0dSi8w.exe (PID: 7892 cmdline: "C:\Users\user\Desktop\kdbG0dSi8w.exe" MD5: 85C9B91548B9877972880F5440632B5D)
  • kdbG0dSi8w.exe (PID: 8064 cmdline: "C:\Users\user\Desktop\kdbG0dSi8w.exe" MD5: 85C9B91548B9877972880F5440632B5D)
  • kdbG0dSi8w.exe (PID: 8144 cmdline: "C:\Users\user\Desktop\kdbG0dSi8w.exe" MD5: 85C9B91548B9877972880F5440632B5D)
  • kdbG0dSi8w.exe (PID: 4024 cmdline: "C:\Users\user\Desktop\kdbG0dSi8w.exe" MD5: 85C9B91548B9877972880F5440632B5D)
  • kdbG0dSi8w.exe (PID: 6660 cmdline: "C:\Users\user\Desktop\kdbG0dSi8w.exe" MD5: 85C9B91548B9877972880F5440632B5D)
  • kdbG0dSi8w.exe (PID: 6508 cmdline: "C:\Users\user\Desktop\kdbG0dSi8w.exe" MD5: 85C9B91548B9877972880F5440632B5D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: New RUN Key Pointing to Suspicious Folder
Source: Registry Key setAuthor: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\kdbG0dSi8w.exe, ProcessId: 7312, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kdbG0dSi8w
Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\kdbG0dSi8w.exe, ProcessId: 7312, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kdbG0dSi8w

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: kdbG0dSi8w.exeAvira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\jqvpkt5t.ve3\kdbG0dSi8w.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\jxvp4esm.jyw\kdbG0dSi8w.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\tkks4qgn.dmb\kdbG0dSi8w.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\jxvp4esm.jyw\kdbG0dSi8w.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\5ni0e12o.esl\kdbG0dSi8w.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\1lonpmlb.kck\kdbG0dSi8w.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\jqvpkt5t.ve3\kdbG0dSi8w.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\5ni0e12o.esl\kdbG0dSi8w.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\1lonpmlb.kck\kdbG0dSi8w.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\jqvpkt5t.ve3\kdbG0dSi8w.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\5ni0e12o.esl\kdbG0dSi8w.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\tkks4qgn.dmb\kdbG0dSi8w.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\5n24j040.bii\kdbG0dSi8w.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1lonpmlb.kck\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\2jb5z0bh.vph\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\5n24j040.bii\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\5ni0e12o.esl\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\jqvpkt5t.ve3\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\jxvp4esm.jyw\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\m5uqsx1i.3d3\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\qwjygtvt.2ue\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\r1l0k4so.tnr\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\s0ahr2a4.qvj\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\tkks4qgn.dmb\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\tr2xlcqg.532\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\uqlucxda.mfj\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\vjaxamnz.zho\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\whnpvvri.fxz\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\xhr2jucm.bvp\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\xmb0lyj2.zwh\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\xoqvpwym.z1f\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\y2khnq3g.5sr\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\yb3k11be.ngw\kdbG0dSi8w.exeReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: kdbG0dSi8w.exeReversingLabs: Detection: 21%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\jqvpkt5t.ve3\kdbG0dSi8w.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jxvp4esm.jyw\kdbG0dSi8w.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tkks4qgn.dmb\kdbG0dSi8w.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jxvp4esm.jyw\kdbG0dSi8w.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5ni0e12o.esl\kdbG0dSi8w.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1lonpmlb.kck\kdbG0dSi8w.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jqvpkt5t.ve3\kdbG0dSi8w.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5ni0e12o.esl\kdbG0dSi8w.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1lonpmlb.kck\kdbG0dSi8w.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jqvpkt5t.ve3\kdbG0dSi8w.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5ni0e12o.esl\kdbG0dSi8w.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tkks4qgn.dmb\kdbG0dSi8w.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5n24j040.bii\kdbG0dSi8w.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exeJoe Sandbox ML: detected
Machine Learning detection for sample
Source: kdbG0dSi8w.exeJoe Sandbox ML: detected
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dllJump to behavior
Source: kdbG0dSi8w.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb_=y= k=_CorExeMainmscoree.dll source: kdbG0dSi8w.exe, kdbG0dSi8w.exe.13.dr, kdbG0dSi8w.exe0.14.dr, kdbG0dSi8w.exe.12.dr, kdbG0dSi8w.exe0.11.dr, kdbG0dSi8w.exe1.12.dr, kdbG0dSi8w.exe.10.dr, kdbG0dSi8w.exe0.8.dr, kdbG0dSi8w.exe0.12.dr, kdbG0dSi8w.exe1.10.dr, kdbG0dSi8w.exe0.13.dr, kdbG0dSi8w.exe.14.dr, kdbG0dSi8w.exe.8.dr, kdbG0dSi8w.exe0.0.dr, kdbG0dSi8w.exe1.13.dr, kdbG0dSi8w.exe1.14.dr, kdbG0dSi8w.exe1.8.dr, kdbG0dSi8w.exe.11.dr, kdbG0dSi8w.exe1.0.dr, kdbG0dSi8w.exe0.10.dr, kdbG0dSi8w.exe.0.dr, kdbG0dSi8w.exe1.11.dr
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb source: kdbG0dSi8w.exe, kdbG0dSi8w.exe.13.dr, kdbG0dSi8w.exe0.14.dr, kdbG0dSi8w.exe.12.dr, kdbG0dSi8w.exe0.11.dr, kdbG0dSi8w.exe1.12.dr, kdbG0dSi8w.exe.10.dr, kdbG0dSi8w.exe0.8.dr, kdbG0dSi8w.exe0.12.dr, kdbG0dSi8w.exe1.10.dr, kdbG0dSi8w.exe0.13.dr, kdbG0dSi8w.exe.14.dr, kdbG0dSi8w.exe.8.dr, kdbG0dSi8w.exe0.0.dr, kdbG0dSi8w.exe1.13.dr, kdbG0dSi8w.exe1.14.dr, kdbG0dSi8w.exe1.8.dr, kdbG0dSi8w.exe.11.dr, kdbG0dSi8w.exe1.0.dr, kdbG0dSi8w.exe0.10.dr, kdbG0dSi8w.exe.0.dr, kdbG0dSi8w.exe1.11.dr
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 193.58.121.250:7175
Source: unknownDNS traffic detected: query: 205.12.2.0.in-addr.arpa replaycode: Name error (3)
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: unknownTCP traffic detected without corresponding DNS query: 193.58.121.250
Source: global trafficDNS traffic detected: DNS query: 205.12.2.0.in-addr.arpa
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeCode function: 11_2_00007FFAAC4E0A3911_2_00007FFAAC4E0A39
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\1lonpmlb.kck\kdbG0dSi8w.exe 5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\2jb5z0bh.vph\kdbG0dSi8w.exe 5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exe 5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
Source: kdbG0dSi8w.exe, 00000000.00000000.1248101066.00000000007D2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe, 0000000B.00000002.3101008305.0000000000675000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exeBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe.13.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe0.14.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe.12.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe0.11.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe1.12.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe.10.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe0.8.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe0.12.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe1.10.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe0.13.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe.14.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe.8.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe0.0.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe1.13.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe1.14.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe1.8.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe.11.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe1.0.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe0.10.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe.0.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: kdbG0dSi8w.exe1.11.drBinary or memory string: OriginalFilenameSystem.exe. vs kdbG0dSi8w.exe
Source: classification engineClassification label: mal88.winEXE@7/42@7/1
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMutant created: NULL
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\3cmpklnw.l22Jump to behavior
Source: kdbG0dSi8w.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: kdbG0dSi8w.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: kdbG0dSi8w.exeReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile read: C:\Users\user\Desktop\kdbG0dSi8w.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\kdbG0dSi8w.exe "C:\Users\user\Desktop\kdbG0dSi8w.exe"
Source: unknownProcess created: C:\Users\user\Desktop\kdbG0dSi8w.exe "C:\Users\user\Desktop\kdbG0dSi8w.exe"
Source: unknownProcess created: C:\Users\user\Desktop\kdbG0dSi8w.exe "C:\Users\user\Desktop\kdbG0dSi8w.exe"
Source: unknownProcess created: C:\Users\user\Desktop\kdbG0dSi8w.exe "C:\Users\user\Desktop\kdbG0dSi8w.exe"
Source: unknownProcess created: C:\Users\user\Desktop\kdbG0dSi8w.exe "C:\Users\user\Desktop\kdbG0dSi8w.exe"
Source: unknownProcess created: C:\Users\user\Desktop\kdbG0dSi8w.exe "C:\Users\user\Desktop\kdbG0dSi8w.exe"
Source: unknownProcess created: C:\Users\user\Desktop\kdbG0dSi8w.exe "C:\Users\user\Desktop\kdbG0dSi8w.exe"
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dllJump to behavior
Source: kdbG0dSi8w.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dllJump to behavior
Source: kdbG0dSi8w.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: kdbG0dSi8w.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb_=y= k=_CorExeMainmscoree.dll source: kdbG0dSi8w.exe, kdbG0dSi8w.exe.13.dr, kdbG0dSi8w.exe0.14.dr, kdbG0dSi8w.exe.12.dr, kdbG0dSi8w.exe0.11.dr, kdbG0dSi8w.exe1.12.dr, kdbG0dSi8w.exe.10.dr, kdbG0dSi8w.exe0.8.dr, kdbG0dSi8w.exe0.12.dr, kdbG0dSi8w.exe1.10.dr, kdbG0dSi8w.exe0.13.dr, kdbG0dSi8w.exe.14.dr, kdbG0dSi8w.exe.8.dr, kdbG0dSi8w.exe0.0.dr, kdbG0dSi8w.exe1.13.dr, kdbG0dSi8w.exe1.14.dr, kdbG0dSi8w.exe1.8.dr, kdbG0dSi8w.exe.11.dr, kdbG0dSi8w.exe1.0.dr, kdbG0dSi8w.exe0.10.dr, kdbG0dSi8w.exe.0.dr, kdbG0dSi8w.exe1.11.dr
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb source: kdbG0dSi8w.exe, kdbG0dSi8w.exe.13.dr, kdbG0dSi8w.exe0.14.dr, kdbG0dSi8w.exe.12.dr, kdbG0dSi8w.exe0.11.dr, kdbG0dSi8w.exe1.12.dr, kdbG0dSi8w.exe.10.dr, kdbG0dSi8w.exe0.8.dr, kdbG0dSi8w.exe0.12.dr, kdbG0dSi8w.exe1.10.dr, kdbG0dSi8w.exe0.13.dr, kdbG0dSi8w.exe.14.dr, kdbG0dSi8w.exe.8.dr, kdbG0dSi8w.exe0.0.dr, kdbG0dSi8w.exe1.13.dr, kdbG0dSi8w.exe1.14.dr, kdbG0dSi8w.exe1.8.dr, kdbG0dSi8w.exe.11.dr, kdbG0dSi8w.exe1.0.dr, kdbG0dSi8w.exe0.10.dr, kdbG0dSi8w.exe.0.dr, kdbG0dSi8w.exe1.11.dr
Source: kdbG0dSi8w.exeStatic PE information: 0x9C1C66E1 [Sun Dec 29 17:44:01 2052 UTC]
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\s0ahr2a4.qvj\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\qwjygtvt.2ue\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\y2khnq3g.5sr\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\whnpvvri.fxz\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\jxvp4esm.jyw\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\uqlucxda.mfj\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\yb3k11be.ngw\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\2jb5z0bh.vph\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\5ni0e12o.esl\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\5n24j040.bii\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\xhr2jucm.bvp\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\xmb0lyj2.zwh\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\tkks4qgn.dmb\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\jqvpkt5t.ve3\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\m5uqsx1i.3d3\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\vjaxamnz.zho\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\r1l0k4so.tnr\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\tr2xlcqg.532\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\1lonpmlb.kck\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeFile created: C:\Users\user\AppData\Local\Temp\xoqvpwym.z1f\kdbG0dSi8w.exeJump to dropped file
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8wJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: E10000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 2F40000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 1AF40000 memory commit | memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 1130000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 2FA0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 1AFA0000 memory commit | memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 870000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 2790000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 1A790000 memory commit | memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 5B0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 2750000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 1A750000 memory commit | memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 1210000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 2EB0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 1AEB0000 memory commit | memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 1120000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 3050000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 1B050000 memory commit | memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: DB0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 2DC0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: 1ADC0000 memory commit | memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exe TID: 7316Thread sleep time: -90000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exe TID: 7316Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exe TID: 7896Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exe TID: 7896Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exe TID: 8068Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exe TID: 8068Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exe TID: 8148Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exe TID: 8148Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exe TID: 6768Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exe TID: 6768Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exe TID: 7164Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exe TID: 7164Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exe TID: 2024Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exe TID: 2024Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeThread delayed: delay time: 30000Jump to behavior
Source: kdbG0dSi8w.exe, 00000000.00000002.3100480845.0000000000D22000.00000004.00000020.00020000.00000000.sdmp, kdbG0dSi8w.exe, 0000000A.00000002.3100689697.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, kdbG0dSi8w.exe, 0000000B.00000002.3101008305.000000000063F000.00000004.00000020.00020000.00000000.sdmp, kdbG0dSi8w.exe, 0000000C.00000002.3100451586.0000000000EBF000.00000004.00000020.00020000.00000000.sdmp, kdbG0dSi8w.exe, 0000000D.00000002.3100828022.0000000000E86000.00000004.00000020.00020000.00000000.sdmp, kdbG0dSi8w.exe, 0000000E.00000002.3101023532.0000000000E3D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: kdbG0dSi8w.exe, 00000008.00000002.3100754149.0000000000E5F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll::
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Users\user\Desktop\kdbG0dSi8w.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
Registry Run Keys / Startup Folder		1
Process Injection		1
Disable or Modify Tools		OS Credential Dumping11
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		1
Registry Run Keys / Startup Folder		21
Virtualization/Sandbox Evasion		LSASS Memory21
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable Media1
Non-Standard Port		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
DLL Side-Loading		1
Process Injection		Security Account Manager2
System Information Discovery		SMB/Windows Admin SharesData from Network Shared Drive1
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Timestomp		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture1
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
kdbG0dSi8w.exe100%AviraTR/Dropper.MSIL.Gen
kdbG0dSi8w.exe100%Joe Sandbox ML

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Temp\jqvpkt5t.ve3\kdbG0dSi8w.exe100%AviraTR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\jxvp4esm.jyw\kdbG0dSi8w.exe100%AviraTR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\tkks4qgn.dmb\kdbG0dSi8w.exe100%AviraTR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\jxvp4esm.jyw\kdbG0dSi8w.exe100%AviraTR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\5ni0e12o.esl\kdbG0dSi8w.exe100%AviraTR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\1lonpmlb.kck\kdbG0dSi8w.exe100%AviraTR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\jqvpkt5t.ve3\kdbG0dSi8w.exe100%AviraTR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\5ni0e12o.esl\kdbG0dSi8w.exe100%AviraTR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exe100%AviraTR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\1lonpmlb.kck\kdbG0dSi8w.exe100%AviraTR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\jqvpkt5t.ve3\kdbG0dSi8w.exe100%AviraTR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\5ni0e12o.esl\kdbG0dSi8w.exe100%AviraTR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\tkks4qgn.dmb\kdbG0dSi8w.exe100%AviraTR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exe100%AviraTR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\5n24j040.bii\kdbG0dSi8w.exe100%AviraTR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exe100%AviraTR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\jqvpkt5t.ve3\kdbG0dSi8w.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\jxvp4esm.jyw\kdbG0dSi8w.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\tkks4qgn.dmb\kdbG0dSi8w.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\jxvp4esm.jyw\kdbG0dSi8w.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\5ni0e12o.esl\kdbG0dSi8w.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1lonpmlb.kck\kdbG0dSi8w.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\jqvpkt5t.ve3\kdbG0dSi8w.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\5ni0e12o.esl\kdbG0dSi8w.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1lonpmlb.kck\kdbG0dSi8w.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\jqvpkt5t.ve3\kdbG0dSi8w.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\5ni0e12o.esl\kdbG0dSi8w.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\tkks4qgn.dmb\kdbG0dSi8w.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\5n24j040.bii\kdbG0dSi8w.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1lonpmlb.kck\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\2jb5z0bh.vph\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\5n24j040.bii\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\5ni0e12o.esl\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\jqvpkt5t.ve3\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\jxvp4esm.jyw\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\m5uqsx1i.3d3\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\qwjygtvt.2ue\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\r1l0k4so.tnr\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\s0ahr2a4.qvj\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\tkks4qgn.dmb\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\tr2xlcqg.532\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\uqlucxda.mfj\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\vjaxamnz.zho\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\whnpvvri.fxz\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\xhr2jucm.bvp\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\xmb0lyj2.zwh\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\xoqvpwym.z1f\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\y2khnq3g.5sr\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\yb3k11be.ngw\kdbG0dSi8w.exe21%ReversingLabsByteCode-MSIL.Trojan.Generic

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
205.12.2.0.in-addr.arpa
unknown
unknownfalse
    		unknown

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    193.58.121.250
    		unknownGermany
    		210017DCHASSELTBEfalse

    General Information

    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1576247
    Start date and time:2024-12-16 17:31:36 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 7m 5s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Run name:Run with higher sleep bypass
    Number of analysed new started processes analysed:19
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:kdbG0dSi8w.exe
    renamed because original name is a hash value
    Original Sample Name:85c9b91548b9877972880f5440632b5d.exe
    Detection:MAL
    Classification:mal88.winEXE@7/42@7/1
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 95%
    • Number of executed functions: 47
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
    • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

    Warnings

    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197, 52.149.20.212
    • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
    • Execution Graph export aborted for target kdbG0dSi8w.exe, PID 4024 because it is empty
    • Execution Graph export aborted for target kdbG0dSi8w.exe, PID 6508 because it is empty
    • Execution Graph export aborted for target kdbG0dSi8w.exe, PID 6660 because it is empty
    • Execution Graph export aborted for target kdbG0dSi8w.exe, PID 7312 because it is empty
    • Execution Graph export aborted for target kdbG0dSi8w.exe, PID 7892 because it is empty
    • Execution Graph export aborted for target kdbG0dSi8w.exe, PID 8064 because it is empty
    • Execution Graph export aborted for target kdbG0dSi8w.exe, PID 8144 because it is empty
    • Not all processes where analyzed, report is missing behavior information
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • VT rate limit hit for: kdbG0dSi8w.exe

    Simulations

    Behavior and APIs

    TimeTypeDescription
    17:32:33AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8w C:\Users\user\Desktop\kdbG0dSi8w.exe
    17:32:41AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8w C:\Users\user\Desktop\kdbG0dSi8w.exe
    17:32:50AutostartRun: HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8w C:\Users\user\Desktop\kdbG0dSi8w.exe
    18:46:55AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce kdbG0dSi8w C:\Users\user\Desktop\kdbG0dSi8w.exe
    18:47:03AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8w C:\Users\user\Desktop\kdbG0dSi8w.exe
    18:47:12AutostartRun: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run kdbG0dSi8w C:\Users\user\Desktop\kdbG0dSi8w.exe

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    193.58.121.250uZgbejeJkT.batGet hashmaliciousUnknownBrowse
      ni2OwV1y9u.batGet hashmaliciousUnknownBrowse
        AV4b38nlhN.exeGet hashmaliciousUnknownBrowse
          AV4b38nlhN.exeGet hashmaliciousUnknownBrowse

            Domains

            No context

            ASNs

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            DCHASSELTBEuZgbejeJkT.batGet hashmaliciousUnknownBrowse
            • 193.58.121.250
            ni2OwV1y9u.batGet hashmaliciousUnknownBrowse
            • 193.58.121.250
            AV4b38nlhN.exeGet hashmaliciousUnknownBrowse
            • 193.58.121.250
            AV4b38nlhN.exeGet hashmaliciousUnknownBrowse
            • 193.58.121.250
            WYU9WnEMkg.elfGet hashmaliciousMiraiBrowse
            • 193.58.122.184
            NHe8WKGQ7U.elfGet hashmaliciousMiraiBrowse
            • 193.58.122.195
            5i1SGTKIslGet hashmaliciousMiraiBrowse
            • 193.58.122.195

            JA3 Fingerprints

            No context

            Dropped Files

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            C:\Users\user\AppData\Local\Temp\2jb5z0bh.vph\kdbG0dSi8w.exeuZgbejeJkT.batGet hashmaliciousUnknownBrowse
              ni2OwV1y9u.batGet hashmaliciousUnknownBrowse
                C:\Users\user\AppData\Local\Temp\1lonpmlb.kck\kdbG0dSi8w.exeuZgbejeJkT.batGet hashmaliciousUnknownBrowse
                  ni2OwV1y9u.batGet hashmaliciousUnknownBrowse
                    C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exeuZgbejeJkT.batGet hashmaliciousUnknownBrowse
                      ni2OwV1y9u.batGet hashmaliciousUnknownBrowse

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Temp\1lonpmlb.kck\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 21%
                        Joe Sandbox View:
                        • Filename: uZgbejeJkT.bat, Detection: malicious, Browse
                        • Filename: ni2OwV1y9u.bat, Detection: malicious, Browse
                        Reputation:low
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\1lonpmlb.kck\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\2jb5z0bh.vph\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 21%
                        Joe Sandbox View:
                        • Filename: uZgbejeJkT.bat, Detection: malicious, Browse
                        • Filename: ni2OwV1y9u.bat, Detection: malicious, Browse
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\2jb5z0bh.vph\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 21%
                        Joe Sandbox View:
                        • Filename: uZgbejeJkT.bat, Detection: malicious, Browse
                        • Filename: ni2OwV1y9u.bat, Detection: malicious, Browse
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\3cmpklnw.l22\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\5n24j040.bii\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\5n24j040.bii\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\5ni0e12o.esl\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\5ni0e12o.esl\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\jqvpkt5t.ve3\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\jqvpkt5t.ve3\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\jxvp4esm.jyw\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\jxvp4esm.jyw\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\m5uqsx1i.3d3\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\m5uqsx1i.3d3\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\qwjygtvt.2ue\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\qwjygtvt.2ue\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\r1l0k4so.tnr\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\r1l0k4so.tnr\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\s0ahr2a4.qvj\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\s0ahr2a4.qvj\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\tkks4qgn.dmb\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\tkks4qgn.dmb\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\tr2xlcqg.532\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\tr2xlcqg.532\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\uqlucxda.mfj\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\uqlucxda.mfj\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\vjaxamnz.zho\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\vjaxamnz.zho\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\whnpvvri.fxz\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\whnpvvri.fxz\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\xhr2jucm.bvp\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\xhr2jucm.bvp\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\xmb0lyj2.zwh\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\xmb0lyj2.zwh\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\xoqvpwym.z1f\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\xoqvpwym.z1f\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\y2khnq3g.5sr\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\y2khnq3g.5sr\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Temp\yb3k11be.ngw\kdbG0dSi8w.exe

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):5.0040047570688655
                        Encrypted:false
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        MD5:85C9B91548B9877972880F5440632B5D
                        SHA1:676FC0FB94A16BDAB24DFAADF0BDD12C64A2ADD9
                        SHA-256:5042DEDC972A4F9DBA5E8F217CF586C066D0B41C46DA35A25FF8D90261152621
                        SHA-512:1497EC52E70E97DB59A853F347D2E8C92B8CC187AD7C4A316EEF59A8954791B67182A9273C4E418C8FD2746002AF51577E4ABF3F0D939EBC5DBDAB92FE081E7E
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@.................................7=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................k=......H.......('...............;...............................................0..........s.....r...p ......s.......o....}....(...........s....s....(...........s....s....(....(.....(.....o.......{..........io....(....r...po.......{..........io.... 0u..(....+.....0..I.......(.......+4(....(....(....%(....&.( ...(........(!....(......X...2..(....*....0..........~"...r#..p.o#......($....o%......,..o&....~'...r#..p.o#......($....o%......,..o&....~"...r...p.o#......($....o%......,..o&..

                        C:\Users\user\AppData\Local\Temp\yb3k11be.ngw\kdbG0dSi8w.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):5.0040047570688655
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        • Win32 Executable (generic) a (10002005/4) 49.78%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        File name:kdbG0dSi8w.exe
                        File size:10'240 bytes
                        MD5:85c9b91548b9877972880f5440632b5d
                        SHA1:676fc0fb94a16bdab24dfaadf0bdd12c64a2add9
                        SHA256:5042dedc972a4f9dba5e8f217cf586c066d0b41c46da35a25ff8d90261152621
                        SHA512:1497ec52e70e97db59a853f347d2e8c92b8cc187ad7c4a316eef59a8954791b67182a9273c4e418c8fd2746002af51577e4abf3f0d939ebc5dbdab92fe081e7e
                        SSDEEP:192:VPCFBuVdv2lRkVnhs2oN22toTtlhVy5Z:isVdv2l+ZDoN22toRVM
                        TLSH:4E22E916D7E8C376DB6E0E7549B253500771F7568C33DEAE28C9114A5E333948BA2BB0
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..............=... ...@....@.. ....................................@................................

                        File Icon

                        Icon Hash:00928e8e8686b000

                        Static PE Info

                        General

                        Entrypoint:0x403d8a
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x9C1C66E1 [Sun Dec 29 17:44:01 2052 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                        Entrypoint Preview

                        Instruction
                        jmp dword ptr [00402000h]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al

                        Data Directories

                        NameVirtual AddressVirtual Size Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IMPORT0x3d370x4f.text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x40000x59c.rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x60000xc.reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG0x3ca80x38.text
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                        Sections

                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                        .text0x20000x1d900x1e006fe7533d0bc41678cc76439e827a6ccbFalse0.52421875data5.430669362608262IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rsrc0x40000x59c0x6001d8154658b5c9e5a42418345d239e730False0.4140625data4.0263704433387915IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc0x60000xc0x200e393f7b6c01dc1752d5101de11fca5dcFalse0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        NameRVASizeTypeLanguageCountryZLIB Complexity
                        RT_VERSION0x40900x30cdata0.4282051282051282
                        RT_MANIFEST0x43ac0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                        Imports

                        DLLImport
                        mscoree.dll_CorExeMain

                        Network Behavior

                        Network Port Distribution

                        TCP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Dec 16, 2024 17:32:31.027548075 CET496997175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:32:31.147568941 CET717549699193.58.121.250192.168.2.7
                        Dec 16, 2024 17:32:31.147706985 CET496997175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:32:31.371131897 CET496997175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:32:31.491421938 CET717549699193.58.121.250192.168.2.7
                        Dec 16, 2024 17:32:31.491539955 CET496997175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:32:31.611331940 CET717549699193.58.121.250192.168.2.7
                        Dec 16, 2024 17:32:42.567631960 CET497067175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:32:42.691603899 CET717549706193.58.121.250192.168.2.7
                        Dec 16, 2024 17:32:42.691986084 CET497067175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:32:42.999545097 CET497067175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:32:43.119379044 CET717549706193.58.121.250192.168.2.7
                        Dec 16, 2024 17:32:43.119430065 CET497067175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:32:43.241199970 CET717549706193.58.121.250192.168.2.7
                        Dec 16, 2024 17:32:50.979824066 CET497257175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:32:51.103755951 CET717549725193.58.121.250192.168.2.7
                        Dec 16, 2024 17:32:51.103918076 CET497257175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:32:51.364440918 CET497257175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:32:51.484532118 CET717549725193.58.121.250192.168.2.7
                        Dec 16, 2024 17:32:51.484606028 CET497257175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:32:51.604605913 CET717549725193.58.121.250192.168.2.7
                        Dec 16, 2024 17:32:59.433739901 CET497467175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:32:59.555493116 CET717549746193.58.121.250192.168.2.7
                        Dec 16, 2024 17:32:59.555665016 CET497467175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:32:59.747530937 CET497467175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:32:59.867412090 CET717549746193.58.121.250192.168.2.7
                        Dec 16, 2024 17:32:59.867523909 CET497467175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:32:59.987569094 CET717549746193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:01.376786947 CET496997175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:01.496860981 CET717549699193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:07.660753012 CET497677175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:07.781100988 CET717549767193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:07.781567097 CET497677175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:07.975518942 CET497677175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:08.095751047 CET717549767193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:08.095906019 CET497677175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:08.216125965 CET717549767193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:13.000761032 CET497067175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:13.120723009 CET717549706193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:15.837193012 CET497877175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:15.957133055 CET717549787193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:15.957247019 CET497877175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:16.142797947 CET497877175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:16.262739897 CET717549787193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:16.262814999 CET497877175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:16.383218050 CET717549787193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:21.375710964 CET497257175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:21.619385958 CET717549725193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:23.994064093 CET498037175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:24.114150047 CET717549803193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:24.114250898 CET498037175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:24.310902119 CET498037175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:24.431135893 CET717549803193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:24.431221962 CET498037175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:24.551403999 CET717549803193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:29.750926971 CET497467175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:29.870929956 CET717549746193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:31.423111916 CET496997175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:31.545300961 CET717549699193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:37.985266924 CET497677175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:38.106097937 CET717549767193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:43.016490936 CET497067175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:43.136564970 CET717549706193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:46.157632113 CET497877175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:46.277745008 CET717549787193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:51.391499996 CET497257175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:51.511617899 CET717549725193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:54.314709902 CET498037175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:54.434701920 CET717549803193.58.121.250192.168.2.7
                        Dec 16, 2024 17:33:59.766413927 CET497467175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:33:59.887459993 CET717549746193.58.121.250192.168.2.7
                        Dec 16, 2024 17:34:01.438369036 CET496997175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:34:01.559497118 CET717549699193.58.121.250192.168.2.7
                        Dec 16, 2024 17:34:08.002788067 CET497677175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:34:08.122706890 CET717549767193.58.121.250192.168.2.7
                        Dec 16, 2024 17:34:13.032514095 CET497067175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:34:13.152442932 CET717549706193.58.121.250192.168.2.7
                        Dec 16, 2024 17:34:16.172882080 CET497877175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:34:16.292879105 CET717549787193.58.121.250192.168.2.7
                        Dec 16, 2024 17:34:21.407354116 CET497257175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:34:21.527519941 CET717549725193.58.121.250192.168.2.7
                        Dec 16, 2024 17:34:24.329269886 CET498037175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:34:24.449115992 CET717549803193.58.121.250192.168.2.7
                        Dec 16, 2024 17:34:29.782262087 CET497467175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:34:29.902108908 CET717549746193.58.121.250192.168.2.7
                        Dec 16, 2024 17:34:31.454015970 CET496997175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:34:31.574085951 CET717549699193.58.121.250192.168.2.7
                        Dec 16, 2024 17:34:38.016645908 CET497677175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:34:38.136724949 CET717549767193.58.121.250192.168.2.7
                        Dec 16, 2024 17:34:43.047899008 CET497067175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:34:43.171694040 CET717549706193.58.121.250192.168.2.7
                        Dec 16, 2024 17:34:46.188657045 CET497877175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:34:46.312824965 CET717549787193.58.121.250192.168.2.7
                        Dec 16, 2024 17:34:51.423218966 CET497257175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:34:51.544003010 CET717549725193.58.121.250192.168.2.7
                        Dec 16, 2024 17:34:54.344854116 CET498037175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:34:54.465447903 CET717549803193.58.121.250192.168.2.7
                        Dec 16, 2024 17:34:59.797918081 CET497467175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:34:59.917751074 CET717549746193.58.121.250192.168.2.7
                        Dec 16, 2024 17:35:01.469791889 CET496997175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:35:01.590029001 CET717549699193.58.121.250192.168.2.7
                        Dec 16, 2024 17:35:08.032265902 CET497677175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:35:08.152245045 CET717549767193.58.121.250192.168.2.7
                        Dec 16, 2024 17:35:13.063863993 CET497067175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:35:13.187171936 CET717549706193.58.121.250192.168.2.7
                        Dec 16, 2024 17:35:16.204265118 CET497877175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:35:16.325571060 CET717549787193.58.121.250192.168.2.7
                        Dec 16, 2024 17:35:21.438688993 CET497257175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:35:21.558732033 CET717549725193.58.121.250192.168.2.7
                        Dec 16, 2024 17:35:24.360620975 CET498037175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:35:24.480714083 CET717549803193.58.121.250192.168.2.7
                        Dec 16, 2024 17:35:29.813627005 CET497467175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:35:29.934463024 CET717549746193.58.121.250192.168.2.7
                        Dec 16, 2024 17:35:31.485444069 CET496997175192.168.2.7193.58.121.250
                        Dec 16, 2024 17:35:31.605376005 CET717549699193.58.121.250192.168.2.7

                        UDP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Dec 16, 2024 17:32:31.227458000 CET5388153192.168.2.71.1.1.1
                        Dec 16, 2024 17:32:31.366882086 CET53538811.1.1.1192.168.2.7
                        Dec 16, 2024 17:32:42.757518053 CET5202353192.168.2.71.1.1.1
                        Dec 16, 2024 17:32:42.897371054 CET53520231.1.1.1192.168.2.7
                        Dec 16, 2024 17:32:51.213941097 CET5527753192.168.2.71.1.1.1
                        Dec 16, 2024 17:32:51.362178087 CET53552771.1.1.1192.168.2.7
                        Dec 16, 2024 17:32:59.607623100 CET6177753192.168.2.71.1.1.1
                        Dec 16, 2024 17:32:59.745851040 CET53617771.1.1.1192.168.2.7
                        Dec 16, 2024 17:33:07.834264040 CET5255853192.168.2.71.1.1.1
                        Dec 16, 2024 17:33:07.973184109 CET53525581.1.1.1192.168.2.7
                        Dec 16, 2024 17:33:16.003391027 CET6498153192.168.2.71.1.1.1
                        Dec 16, 2024 17:33:16.140912056 CET53649811.1.1.1192.168.2.7
                        Dec 16, 2024 17:33:24.168498039 CET5217253192.168.2.71.1.1.1
                        Dec 16, 2024 17:33:24.308990002 CET53521721.1.1.1192.168.2.7

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                        Dec 16, 2024 17:32:31.227458000 CET192.168.2.71.1.1.10x9b03Standard query (0)205.12.2.0.in-addr.arpaPTR (Pointer record)IN (0x0001)false
                        Dec 16, 2024 17:32:42.757518053 CET192.168.2.71.1.1.10x857bStandard query (0)205.12.2.0.in-addr.arpaPTR (Pointer record)IN (0x0001)false
                        Dec 16, 2024 17:32:51.213941097 CET192.168.2.71.1.1.10xb5c4Standard query (0)205.12.2.0.in-addr.arpaPTR (Pointer record)IN (0x0001)false
                        Dec 16, 2024 17:32:59.607623100 CET192.168.2.71.1.1.10xa6b9Standard query (0)205.12.2.0.in-addr.arpaPTR (Pointer record)IN (0x0001)false
                        Dec 16, 2024 17:33:07.834264040 CET192.168.2.71.1.1.10xf626Standard query (0)205.12.2.0.in-addr.arpaPTR (Pointer record)IN (0x0001)false
                        Dec 16, 2024 17:33:16.003391027 CET192.168.2.71.1.1.10x5014Standard query (0)205.12.2.0.in-addr.arpaPTR (Pointer record)IN (0x0001)false
                        Dec 16, 2024 17:33:24.168498039 CET192.168.2.71.1.1.10x9d25Standard query (0)205.12.2.0.in-addr.arpaPTR (Pointer record)IN (0x0001)false

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Dec 16, 2024 17:32:31.366882086 CET1.1.1.1192.168.2.70x9b03Name error (3)205.12.2.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false
                        Dec 16, 2024 17:32:42.897371054 CET1.1.1.1192.168.2.70x857bName error (3)205.12.2.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false
                        Dec 16, 2024 17:32:51.362178087 CET1.1.1.1192.168.2.70xb5c4Name error (3)205.12.2.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false
                        Dec 16, 2024 17:32:59.745851040 CET1.1.1.1192.168.2.70xa6b9Name error (3)205.12.2.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false
                        Dec 16, 2024 17:33:07.973184109 CET1.1.1.1192.168.2.70xf626Name error (3)205.12.2.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false
                        Dec 16, 2024 17:33:16.140912056 CET1.1.1.1192.168.2.70x5014Name error (3)205.12.2.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false
                        Dec 16, 2024 17:33:24.308990002 CET1.1.1.1192.168.2.70x9d25Name error (3)205.12.2.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false

                        Statistics

                        CPU Usage

                        Click to jump to process

                        Memory Usage

                        Click to jump to process

                        High Level Behavior Distribution

                        Click to dive into process behavior distribution

                        Behavior

                        Click to jump to process

                        System Behavior

                        General

                        Target ID:0
                        Start time:11:32:29
                        Start date:16/12/2024
                        Path:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\Desktop\kdbG0dSi8w.exe"
                        Imagebase:0x7d0000
                        File size:10'240 bytes
                        MD5 hash:85C9B91548B9877972880F5440632B5D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:false

                        General

                        Target ID:8
                        Start time:11:32:41
                        Start date:16/12/2024
                        Path:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\Desktop\kdbG0dSi8w.exe"
                        Imagebase:0x9e0000
                        File size:10'240 bytes
                        MD5 hash:85C9B91548B9877972880F5440632B5D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:false

                        General

                        Target ID:10
                        Start time:11:32:49
                        Start date:16/12/2024
                        Path:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\Desktop\kdbG0dSi8w.exe"
                        Imagebase:0x220000
                        File size:10'240 bytes
                        MD5 hash:85C9B91548B9877972880F5440632B5D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:false

                        General

                        Target ID:11
                        Start time:12:46:55
                        Start date:16/12/2024
                        Path:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\Desktop\kdbG0dSi8w.exe"
                        Imagebase:0x130000
                        File size:10'240 bytes
                        MD5 hash:85C9B91548B9877972880F5440632B5D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:false

                        General

                        Target ID:12
                        Start time:12:47:03
                        Start date:16/12/2024
                        Path:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\Desktop\kdbG0dSi8w.exe"
                        Imagebase:0x9b0000
                        File size:10'240 bytes
                        MD5 hash:85C9B91548B9877972880F5440632B5D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:false

                        General

                        Target ID:13
                        Start time:12:47:12
                        Start date:16/12/2024
                        Path:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\Desktop\kdbG0dSi8w.exe"
                        Imagebase:0x9e0000
                        File size:10'240 bytes
                        MD5 hash:85C9B91548B9877972880F5440632B5D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:false

                        General

                        Target ID:14
                        Start time:12:47:20
                        Start date:16/12/2024
                        Path:C:\Users\user\Desktop\kdbG0dSi8w.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\Desktop\kdbG0dSi8w.exe"
                        Imagebase:0x860000
                        File size:10'240 bytes
                        MD5 hash:85C9B91548B9877972880F5440632B5D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:false

                        Disassembly

                        Reset < >

                          Executed Functions

                          Function 00007FFAAC4E0389 Relevance: .5, Instructions: 547COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.3105994476.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9be0577164f5461f5e30e75ad14f56674d4906e88bb31533925a6ab12878946c
                          • Instruction ID: 77cf1380d7acc9822ddca306d505b00ef3a296ed9cabbe6c7aebbaa70b26584e
                          • Opcode Fuzzy Hash: 9be0577164f5461f5e30e75ad14f56674d4906e88bb31533925a6ab12878946c
                          • Instruction Fuzzy Hash: 4302F491A0EBC94FEB8ADB3884517E43FE1EF5A204F5944FAD04DC71A3DE289C058791
                          Function 00007FFAAC4E0B54 Relevance: .2, Instructions: 200COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.3105994476.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7a5d3bdce375bd1abbe4c94a9ca1b4a132c49932fae4bb0815e8c46de0cf2244
                          • Instruction ID: 674225bd227f12c1f509e2050316fa930f13a2e9d2a03a5fd27ba38a9edb7e30
                          • Opcode Fuzzy Hash: 7a5d3bdce375bd1abbe4c94a9ca1b4a132c49932fae4bb0815e8c46de0cf2244
                          • Instruction Fuzzy Hash: 69514B60A0DA498FE759EB6C8899BB47FD0FF5A304F0541B9D04ECB293DE28EC458385
                          Function 00007FFAAC4E008D Relevance: .2, Instructions: 169COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.3105994476.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 61106f7f6bc3378ba69f2caaeed225b429c511898926f6f1b7ac364348754c46
                          • Instruction ID: 0d28adea496853b999f3f9e0d128eb551b009523408eb46ecc29ead6cc7f5691
                          • Opcode Fuzzy Hash: 61106f7f6bc3378ba69f2caaeed225b429c511898926f6f1b7ac364348754c46
                          • Instruction Fuzzy Hash: 4A419382E0EBC58FF2979338186A5B5AFE09F57504B4941BED08ECB1C3E9099C0D539A
                          Function 00007FFAAC4E0D43 Relevance: .2, Instructions: 155COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.3105994476.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f70fba2356a2948c09db373420c9629f57d3f4abeed2284a85a264aca854fee0
                          • Instruction ID: 0af8a7d4410b6052a6544143d85e908985987aa0ee6dc153cdfd86f853198101
                          • Opcode Fuzzy Hash: f70fba2356a2948c09db373420c9629f57d3f4abeed2284a85a264aca854fee0
                          • Instruction Fuzzy Hash: 2841E421B19A498FE799AB3C8459BB4BBD1EF5A300F0581F9E44DC7293DE28EC0587C5
                          Function 00007FFAAC4E01F6 Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.3105994476.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5c0a0ede58fdffc010437df5dc216aada464654d947ef64d511f7f16ad9bdd69
                          • Instruction ID: 290ec711bbe5aeb6f273d0a4454b387f4ecbfd9e4224edb6d42e6ab28d5bfec1
                          • Opcode Fuzzy Hash: 5c0a0ede58fdffc010437df5dc216aada464654d947ef64d511f7f16ad9bdd69
                          • Instruction Fuzzy Hash: 0211FE60718A058FEB88FB38C49DEB977D2EF9D301B1588B9A40EC7297DD24EC458741
                          Function 00007FFAAC4E02E8 Relevance: .1, Instructions: 69COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.3105994476.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 40a108b8cf0197c9d122cd8ca0c335e8db34114425f83e53dc6b86c69c1c732f
                          • Instruction ID: 32f2e1714cd7e374147967903923c5bcc19a00c8e8e9b5c9bad2779532f1d8a8
                          • Opcode Fuzzy Hash: 40a108b8cf0197c9d122cd8ca0c335e8db34114425f83e53dc6b86c69c1c732f
                          • Instruction Fuzzy Hash: B3018C53F18A4A0BE789FB7C98966B855C6DB99205B8589FAE00EC2297DC18980A4251

                          Executed Functions

                          Function 00007FFAAC4C0389 Relevance: .5, Instructions: 547COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000008.00000002.3106051777.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_7ffaac4c0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b4e0a43172409cd7ff2f4bbacd765e83cb9a5df155ce608fb8f63aab846b35c1
                          • Instruction ID: c4e8d512c229106e4ceccd54331ba4e2dd0a3a0c9aa2b9dee898b152e2b71819
                          • Opcode Fuzzy Hash: b4e0a43172409cd7ff2f4bbacd765e83cb9a5df155ce608fb8f63aab846b35c1
                          • Instruction Fuzzy Hash: 1702F551A0EB894FE78BDB3884657A53FE1EF5A244F5840FBD04DC72A3DE289C058792
                          Function 00007FFAAC4C0E32 Relevance: .2, Instructions: 217COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000008.00000002.3106051777.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_7ffaac4c0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fc324344c43189bf70e004e14aaf8eb9179807f2626e9fcea30442575b31473d
                          • Instruction ID: 859539ef8ed4b25d2a016ee86cf39ff30e2c9ce8a4bf8745e543ed8405601451
                          • Opcode Fuzzy Hash: fc324344c43189bf70e004e14aaf8eb9179807f2626e9fcea30442575b31473d
                          • Instruction Fuzzy Hash: 6631F66150E7C58FE7179738C8A5A657FE0DF5B200F0E85EAE089CF1A3EA18D849C391
                          Function 00007FFAAC4C008D Relevance: .2, Instructions: 164COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000008.00000002.3106051777.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_7ffaac4c0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 26f229f3c1985bd7c302b3033452c67b27f68488a86646f03a70cce8e8559323
                          • Instruction ID: 527cf69e110162fb6b782cd366e3d890766299bc19ea9aa9131e3858902451df
                          • Opcode Fuzzy Hash: 26f229f3c1985bd7c302b3033452c67b27f68488a86646f03a70cce8e8559323
                          • Instruction Fuzzy Hash: 12419382A0EBC58FF3979338186A5796FA09F57204B0944BED08DCB5E3EC0D9C0D4396
                          Function 00007FFAAC4C0CA4 Relevance: .1, Instructions: 145COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000008.00000002.3106051777.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_7ffaac4c0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 81e99a6b8068f538c956e9b67b2a7b8746b3822beff30a70c9eedd44d9e76f98
                          • Instruction ID: 7cd6c1df80752d9f2270413a594f1d33d1064641eba4b6e9c86c41e930aa02d4
                          • Opcode Fuzzy Hash: 81e99a6b8068f538c956e9b67b2a7b8746b3822beff30a70c9eedd44d9e76f98
                          • Instruction Fuzzy Hash: F0418261B1DA098FE799EB3C8459B79B6D1EF59300F0485B9E40EC3292DE28EC4547C1
                          Function 00007FFAAC4C0B24 Relevance: .1, Instructions: 91COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000008.00000002.3106051777.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_7ffaac4c0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ccb23ee02ed8c2be1e2627ce3028e29e9a25420be959ec42fea6e7315db4d974
                          • Instruction ID: 1f5438e68dc2889b422f76f68323abb6bcd7f60c3d6a8bc4e7f8ceb55195d262
                          • Opcode Fuzzy Hash: ccb23ee02ed8c2be1e2627ce3028e29e9a25420be959ec42fea6e7315db4d974
                          • Instruction Fuzzy Hash: 6821F570A0DA498FE759EBAC885A7B97BD1FF69304F00817AE44DC7192DE64E8058781
                          Function 00007FFAAC4C01F6 Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000008.00000002.3106051777.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_7ffaac4c0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cabc1d0b0ce1c5d5df39545abc5f9e21c53584380ce3e513828b1eacf636f499
                          • Instruction ID: 04ac0505af0032af04c22f134fb31874ac653a6017e1eb5a4c83b182fda822d2
                          • Opcode Fuzzy Hash: cabc1d0b0ce1c5d5df39545abc5f9e21c53584380ce3e513828b1eacf636f499
                          • Instruction Fuzzy Hash: D711FE60718A058FDB88BB38C49DE79B7D2EF9D301B1588B9A40EC7297DD24ED458741
                          Function 00007FFAAC4C02E8 Relevance: .1, Instructions: 69COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000008.00000002.3106051777.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_7ffaac4c0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f5a41873e2e7109b15b3c9616855fa7f5d836756a55b8bcd51a27b757df8ac52
                          • Instruction ID: 114b2bb964545bd186c6dbd0a7a49c64b7b333b5b30d80b0f36d5ea850bcb0dc
                          • Opcode Fuzzy Hash: f5a41873e2e7109b15b3c9616855fa7f5d836756a55b8bcd51a27b757df8ac52
                          • Instruction Fuzzy Hash: FA01DE43F1CA0A0FF789FB7C98D66BC55C6DB99201B8489FAE00EC32D3DC18980A4351
                          Function 00007FFAAC4C0BC6 Relevance: .1, Instructions: 67COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000008.00000002.3106051777.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_7ffaac4c0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c0cf4b69c433b42b5e269d596b22f6b74c41752db6d64afe510ba565543ec359
                          • Instruction ID: af06f4bb638b5aa37d0295b22d6a7d0b881d94a661e42206af30d9e4e7316f13
                          • Opcode Fuzzy Hash: c0cf4b69c433b42b5e269d596b22f6b74c41752db6d64afe510ba565543ec359
                          • Instruction Fuzzy Hash: AB11822071CE098FEBA9EB6C84A9BB977D1EFA9305F008579D44EC7292DE24EC054781

                          Executed Functions

                          Function 00007FFAAC4E0389 Relevance: .5, Instructions: 535COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000A.00000002.3106020167.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: efaffe42ce27c25853cc7b2195042bb07db0c2e4cd14bdd3a4ca8a70514b955f
                          • Instruction ID: 3027000ad683e4a45d943f2f433fe85d6fd2ce12b61d7681df42884b1b8375a7
                          • Opcode Fuzzy Hash: efaffe42ce27c25853cc7b2195042bb07db0c2e4cd14bdd3a4ca8a70514b955f
                          • Instruction Fuzzy Hash: FBF104A1A0EB894FEB8ADB3884557E83FD1EF5A340F5940FAD44DC72A3DE249C058791
                          Function 00007FFAAC4E0CA4 Relevance: .2, Instructions: 234COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000A.00000002.3106020167.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 52ccb791fa57edacb75c799dcd857c0ab4cd81197663e08de381db79d5eb963f
                          • Instruction ID: 449395719f78bcc7cd91752c7cce6c078735fe93a3404b4098bee0b4360336c1
                          • Opcode Fuzzy Hash: 52ccb791fa57edacb75c799dcd857c0ab4cd81197663e08de381db79d5eb963f
                          • Instruction Fuzzy Hash: CC61E261B09A498FE759EB3C8499BB87BD1EF5A300F0581B5E44EC7293DE28EC448785
                          Function 00007FFAAC4E008D Relevance: .2, Instructions: 169COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000A.00000002.3106020167.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fbcd8ea989edd28f3f82e59a50fee5faea919a3adcc06a51434a3489a7d8f1c8
                          • Instruction ID: 55551d2d8527b58240740453ce7b6a5b42e291f504da441b0c1a7b6f7cfe5411
                          • Opcode Fuzzy Hash: fbcd8ea989edd28f3f82e59a50fee5faea919a3adcc06a51434a3489a7d8f1c8
                          • Instruction Fuzzy Hash: F3419382E0EBC58FF2979338186A5B5AFE09F57504B4940BED08ECB1C3E9099C0D539A
                          Function 00007FFAAC4E0B24 Relevance: .1, Instructions: 91COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000A.00000002.3106020167.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6dfa603f269fa27ee004d5c676057879fbcf424e7dabf04f34c5713acbc36a63
                          • Instruction ID: 1ecbf3d1e6d0ce75664cf0965c22f1e9fda1ce5507e7fce668852e785fec7779
                          • Opcode Fuzzy Hash: 6dfa603f269fa27ee004d5c676057879fbcf424e7dabf04f34c5713acbc36a63
                          • Instruction Fuzzy Hash: DF21063060DE488FE758EB5C88596B97BD0FB65304F01417AE44DC3192DE64E8058785
                          Function 00007FFAAC4E01F6 Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000A.00000002.3106020167.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8d7bf9a1c174144da1447f077aa91cd94e32181d78303af63a547389d0a04f2b
                          • Instruction ID: 09897d0ba56280fff628c52c777fbb13cea428652be41b75e10b5086cf5b9117
                          • Opcode Fuzzy Hash: 8d7bf9a1c174144da1447f077aa91cd94e32181d78303af63a547389d0a04f2b
                          • Instruction Fuzzy Hash: 7511FE60718A058FDB88FB38D49DEB977D2EF9D301B1588B9A40EC7297DD24EC458741
                          Function 00007FFAAC4E02E8 Relevance: .1, Instructions: 69COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000A.00000002.3106020167.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 40a108b8cf0197c9d122cd8ca0c335e8db34114425f83e53dc6b86c69c1c732f
                          • Instruction ID: 32f2e1714cd7e374147967903923c5bcc19a00c8e8e9b5c9bad2779532f1d8a8
                          • Opcode Fuzzy Hash: 40a108b8cf0197c9d122cd8ca0c335e8db34114425f83e53dc6b86c69c1c732f
                          • Instruction Fuzzy Hash: B3018C53F18A4A0BE789FB7C98966B855C6DB99205B8589FAE00EC2297DC18980A4251
                          Function 00007FFAAC4E0BC6 Relevance: .1, Instructions: 67COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000A.00000002.3106020167.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bcf773c83c97022ec9cf51f0d00db4b20c1d47003e09e3313d4c74e5577f7495
                          • Instruction ID: 3eacad035f2fcf80c7ac629c430bb4ddeb63bc8a147c59b3c55deddb6a0b33b6
                          • Opcode Fuzzy Hash: bcf773c83c97022ec9cf51f0d00db4b20c1d47003e09e3313d4c74e5577f7495
                          • Instruction Fuzzy Hash: 5C11A32071CE098FEBA8FB6C8499BB973D1EB58300F014579D45EC7292CE24EC054785

                          Executed Functions

                          Function 00007FFAAC4E0A39 Relevance: .2, Instructions: 225COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000B.00000002.3106087937.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6b09c96c811a9a7e211e9b809e941f4554a2cb1c50921daf35d76c252c780531
                          • Instruction ID: e8a4378bbb1027bb478aacfc1db8b53084bad943123d6cc16cb58b393d0615f9
                          • Opcode Fuzzy Hash: 6b09c96c811a9a7e211e9b809e941f4554a2cb1c50921daf35d76c252c780531
                          • Instruction Fuzzy Hash: 17716C6040F7C65FE7478B3498696617FB1EF13228F0F85DAD088CF1A3E6098809C766
                          Function 00007FFAAC4E0389 Relevance: .5, Instructions: 535COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000B.00000002.3106087937.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f70a0becc8c7bf2e80cb92b789785185df56095d37735ce41b7872e3f1ddda34
                          • Instruction ID: 68044222a44537f5f1c2c6e12394642c6a32a8f858f0c67863c83d7f94b17d29
                          • Opcode Fuzzy Hash: f70a0becc8c7bf2e80cb92b789785185df56095d37735ce41b7872e3f1ddda34
                          • Instruction Fuzzy Hash: AFF11591A0EB894FEB8ADB3884547E97FD1EF5A340F5940FAD04DC71A3DE249C058791
                          Function 00007FFAAC4E008D Relevance: .2, Instructions: 169COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000B.00000002.3106087937.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f6e87adcb825610d1645e569e5200f825f30ee95557eb6a860e7291aaf3c5540
                          • Instruction ID: d2e2d2f8522e1894b07bc2962c9245b7fd6686190c8b3772e9d5fe5120439753
                          • Opcode Fuzzy Hash: f6e87adcb825610d1645e569e5200f825f30ee95557eb6a860e7291aaf3c5540
                          • Instruction Fuzzy Hash: 82419382E0EBC58FF2979338186A5B5AFE09F57504B4940BED08ECB1D3E9099C0D539A
                          Function 00007FFAAC4E0BE4 Relevance: .1, Instructions: 144COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000B.00000002.3106087937.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d1b5658a3f70fa15f863d92df8b0b620bd0d864c3a8f37df07ce531572eaeacc
                          • Instruction ID: 48d2571e162e0e6459ff53d16c8a080e363f29794758adf56d014ea329bcbbca
                          • Opcode Fuzzy Hash: d1b5658a3f70fa15f863d92df8b0b620bd0d864c3a8f37df07ce531572eaeacc
                          • Instruction Fuzzy Hash: 1941B421B19A098FF798EB3C8459BB4B6D1EF59300F0582B9D40EC3293DE28EC4447C5
                          Function 00007FFAAC4E0DC4 Relevance: .1, Instructions: 109COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000B.00000002.3106087937.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8b328d8eaa56b752b794b320279146203c733da245b7657091c5a8d855a4ee47
                          • Instruction ID: 3d22f004a7eb13f5a399e378a403175e47cad1045ee3f5d5196374a0e0074f85
                          • Opcode Fuzzy Hash: 8b328d8eaa56b752b794b320279146203c733da245b7657091c5a8d855a4ee47
                          • Instruction Fuzzy Hash: 4121F860B0DE4D8FE799EB6C889A7B577D1EB59300F01427AE44EC7292DE24EC0587C5
                          Function 00007FFAAC4E01F6 Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000B.00000002.3106087937.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 007bb6b8baafea8c12cfd76873a6bcbaa14f63c3284206c48fafdbe5384bd0ab
                          • Instruction ID: 8e84bbd1480100e05e7feac418abae2bc35ea5ebb9a35dd675ea5c0eb9e2b002
                          • Opcode Fuzzy Hash: 007bb6b8baafea8c12cfd76873a6bcbaa14f63c3284206c48fafdbe5384bd0ab
                          • Instruction Fuzzy Hash: F811FE60718A058FDB88FB38C49DEB9B7D2EF9D301B1588B9A40EC7297DD24EC458741
                          Function 00007FFAAC4E02E8 Relevance: .1, Instructions: 69COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000B.00000002.3106087937.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7ffaac4e0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 40a108b8cf0197c9d122cd8ca0c335e8db34114425f83e53dc6b86c69c1c732f
                          • Instruction ID: 32f2e1714cd7e374147967903923c5bcc19a00c8e8e9b5c9bad2779532f1d8a8
                          • Opcode Fuzzy Hash: 40a108b8cf0197c9d122cd8ca0c335e8db34114425f83e53dc6b86c69c1c732f
                          • Instruction Fuzzy Hash: B3018C53F18A4A0BE789FB7C98966B855C6DB99205B8589FAE00EC2297DC18980A4251

                          Executed Functions

                          Function 00007FFAAC4B0389 Relevance: .5, Instructions: 535COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000C.00000002.3105990558.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_7ffaac4b0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: afafca467d1fff8950fae9b19cc1ac4c4015f1be873fa4121aae9abb5b393a52
                          • Instruction ID: 928e9fefd8551e62da78d8086e5852a58f9dd24868f7a3fbe2dd98856bab132a
                          • Opcode Fuzzy Hash: afafca467d1fff8950fae9b19cc1ac4c4015f1be873fa4121aae9abb5b393a52
                          • Instruction Fuzzy Hash: 12F104A1A0EB894FEB8ADB3884517A83FD1EF5A341F5480FAD44DCB1A3DE249C058791
                          Function 00007FFAAC4B0B24 Relevance: .2, Instructions: 194COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000C.00000002.3105990558.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_7ffaac4b0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c55fc90cc1a9ae93049d7a3cecb550c69b0ae2d557fe3b9a97251d4ccda96463
                          • Instruction ID: 1d31f54a384b8b725df7095894eff240fa97cc88d3247e3862e3743a1787907e
                          • Opcode Fuzzy Hash: c55fc90cc1a9ae93049d7a3cecb550c69b0ae2d557fe3b9a97251d4ccda96463
                          • Instruction Fuzzy Hash: BE513C6060DA498FE759EB6C8899B747FE0EF5A305F0481FAD04DC7293DE28EC458781
                          Function 00007FFAAC4B008D Relevance: .2, Instructions: 168COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000C.00000002.3105990558.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_7ffaac4b0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cd4bdda7be5fe6a76e5d173ddfa2ec86e95b75aa1e0f960659713769b2096e15
                          • Instruction ID: 5f1a4c57c10a12416ba1410f849650cc23366656848af4d4fa1bf9db3a727a16
                          • Opcode Fuzzy Hash: cd4bdda7be5fe6a76e5d173ddfa2ec86e95b75aa1e0f960659713769b2096e15
                          • Instruction Fuzzy Hash: 674170C2E0EBC58FF79A9338586A5786FA09F57205B0884BED08DCB1D7E81D9C0D4396
                          Function 00007FFAAC4B0D64 Relevance: .1, Instructions: 141COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000C.00000002.3105990558.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_7ffaac4b0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a0407f3e6074b64a8ae0aaa9cf1b818992bcddf2b24edc4979caa73db97a94f1
                          • Instruction ID: 217341a0688b01d007adef2ac2e795bf8173ee2713509c474ba9683a4e29e7a9
                          • Opcode Fuzzy Hash: a0407f3e6074b64a8ae0aaa9cf1b818992bcddf2b24edc4979caa73db97a94f1
                          • Instruction Fuzzy Hash: 90418161B19A598FE798EB388459B78B6D1EF99301F04C1B9E44DC3293DE28EC4447C1
                          Function 00007FFAAC4B01F6 Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000C.00000002.3105990558.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_7ffaac4b0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1b5ddd69a71f13f98a3716ab27ee6c916a2a37aa0e6eede1f736bf65adc6e648
                          • Instruction ID: 60a80be685aa46a281b891bd7079ee2001c6d320f3ba2332421846136e40892c
                          • Opcode Fuzzy Hash: 1b5ddd69a71f13f98a3716ab27ee6c916a2a37aa0e6eede1f736bf65adc6e648
                          • Instruction Fuzzy Hash: D711FE60718A058FDB88FB38C49DE7977D2EF9D301B1588B9A40EC7297DD24EC458741
                          Function 00007FFAAC4B02E8 Relevance: .1, Instructions: 69COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000C.00000002.3105990558.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_7ffaac4b0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4726c58962958a0b98d86f0696d7a0c439fe1fe49a256cf1ee75cc71e87c5ebc
                          • Instruction ID: 5ee2fb94973034569a4b2021cf84334ab2140daa39e31e3895cd06f5b16a2b64
                          • Opcode Fuzzy Hash: 4726c58962958a0b98d86f0696d7a0c439fe1fe49a256cf1ee75cc71e87c5ebc
                          • Instruction Fuzzy Hash: 7E018053F189490BF789FB7C98966B855C6DB99105B8489FAD00EC6297DC1898094251

                          Executed Functions

                          Function 00007FFAAC4D0389 Relevance: .5, Instructions: 545COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000D.00000002.3106581235.00007FFAAC4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_7ffaac4d0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 975df715a3f26e76bff66386f328a7b51012e567d6c158b2b8b2ee5b4ec4de55
                          • Instruction ID: 2ac4fb999dbf3595b8f9e18d77d886a172fb5a965eb941dd733e6d5cd7f95e1d
                          • Opcode Fuzzy Hash: 975df715a3f26e76bff66386f328a7b51012e567d6c158b2b8b2ee5b4ec4de55
                          • Instruction Fuzzy Hash: DD02C451A1EBC94FEB8AEB3884657A83FD1EF5A240F5840FBE44DC71A3DE249C058791
                          Function 00007FFAAC4D0C83 Relevance: .2, Instructions: 246COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000D.00000002.3106581235.00007FFAAC4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_7ffaac4d0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 99e783431f73ce1561bfa60a9a1a96f80e9e52b154a212d8417835183f35fcf9
                          • Instruction ID: 9494098ef5e1278663966636d03ec9cb20b1b66e1cfb1a415c4e95e63a844836
                          • Opcode Fuzzy Hash: 99e783431f73ce1561bfa60a9a1a96f80e9e52b154a212d8417835183f35fcf9
                          • Instruction Fuzzy Hash: 6371D661A0DA858FE75AEB388499B787BD1EF5A300F0581F6D44DC7293DE28EC458781
                          Function 00007FFAAC4D008D Relevance: .2, Instructions: 169COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000D.00000002.3106581235.00007FFAAC4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_7ffaac4d0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 38855f32f929ab455346f6baf9d22ea87f88e0d6a7325ac6c27715e0fe45eb44
                          • Instruction ID: 7130805ac24fe95c1c56e9473d8b30cd2543c54011aa7ac779bf2c711ae5cf95
                          • Opcode Fuzzy Hash: 38855f32f929ab455346f6baf9d22ea87f88e0d6a7325ac6c27715e0fe45eb44
                          • Instruction Fuzzy Hash: 9B416282E0EBC59FF797A378186A6796FA09F57604B4840BFD08DC71D3E8199C0D4396
                          Function 00007FFAAC4D0B54 Relevance: .1, Instructions: 109COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000D.00000002.3106581235.00007FFAAC4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_7ffaac4d0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 513a2b0345c21a181c1d441e67dab5c2e56d1652454329728d605616191a6047
                          • Instruction ID: 3baa0226eb699400be3af57f5772d79e6f62d78693008c7f790d5c205fedf7f1
                          • Opcode Fuzzy Hash: 513a2b0345c21a181c1d441e67dab5c2e56d1652454329728d605616191a6047
                          • Instruction Fuzzy Hash: 2021F86070CE4D8FE799FB6C885A7B97BD1FB59305F00817AE44DC7292DE64E8054781
                          Function 00007FFAAC4D01F6 Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000D.00000002.3106581235.00007FFAAC4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_7ffaac4d0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 503a5c40597f03b3c71e08b2b0d723a9823ab71baf0563215c90b5bfb863ca62
                          • Instruction ID: aa61b69c40554d3207696a3d993bea10c6426b43e04db7674d57ab8289517d79
                          • Opcode Fuzzy Hash: 503a5c40597f03b3c71e08b2b0d723a9823ab71baf0563215c90b5bfb863ca62
                          • Instruction Fuzzy Hash: 0D11FE60718A098FDB88FB38C49DE7973D2EF9D301B1584B9A44EC7297DD24EC458741
                          Function 00007FFAAC4D02E8 Relevance: .1, Instructions: 69COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000D.00000002.3106581235.00007FFAAC4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_7ffaac4d0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8885b80e3e4a3af739d63aad88fe8b890e044fcd4bde0b4445bf72fcd8c8d519
                          • Instruction ID: 1250d47e6f71dd70311092fb4912ae211946dc25e2e2bc6ac5fe86117be33fbb
                          • Opcode Fuzzy Hash: 8885b80e3e4a3af739d63aad88fe8b890e044fcd4bde0b4445bf72fcd8c8d519
                          • Instruction Fuzzy Hash: 54018C53F18A4A0BE789FB7D98D66BC55C6DB99205B8489FAE00EC3297DC18980A4251

                          Executed Functions

                          Function 00007FFAAC4B0389 Relevance: .5, Instructions: 535COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.3106469548.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7ffaac4b0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d0ba41794878ae2c8bb24b1d531fccf7f66e2064ebcb99d262fff700e3938d20
                          • Instruction ID: fab630a16eb917c355416adb78336a304f8de1e7d68f861323f6f72a004bb9d3
                          • Opcode Fuzzy Hash: d0ba41794878ae2c8bb24b1d531fccf7f66e2064ebcb99d262fff700e3938d20
                          • Instruction Fuzzy Hash: E7F1F592A0EB894FEB8ADB3884517A87FD1EF5A341F5480FAD44DC72A3DE249C058791
                          Function 00007FFAAC4B0CA4 Relevance: .2, Instructions: 234COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.3106469548.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7ffaac4b0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: be6e604060457ed79986226715a289779a4060ddf87446ce49b7984f543efe16
                          • Instruction ID: 15792248353d0426df194ecdde8e547d7a876e2183ca3ea18ea1f4aa792b6b8d
                          • Opcode Fuzzy Hash: be6e604060457ed79986226715a289779a4060ddf87446ce49b7984f543efe16
                          • Instruction Fuzzy Hash: 3661E261B09A498FE759EB3C8499B787BD1EF5A300F0485B9E40EC7293DE28EC458381
                          Function 00007FFAAC4B008D Relevance: .2, Instructions: 168COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.3106469548.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7ffaac4b0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 87fc4858e17be9890da6de6b039820a4cd9b31269e20fc05131c8d08a8173440
                          • Instruction ID: 9680817e74d212824f6733988dc1f3855dc762a470c804b6e9545ae2856e9839
                          • Opcode Fuzzy Hash: 87fc4858e17be9890da6de6b039820a4cd9b31269e20fc05131c8d08a8173440
                          • Instruction Fuzzy Hash: BD4172C2E0EBC58FF79A9338586A5786FA09F57205B0884BED08DCB1D7E81D9C0D4396
                          Function 00007FFAAC4B0B24 Relevance: .1, Instructions: 91COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.3106469548.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7ffaac4b0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5d7bc26620b80ef7119eb44c7652f8341bb8fa42d4d4db49d9a398d45a93e6cd
                          • Instruction ID: 5c247893306f1d39ab279d36a3e85d116bdd1f162fa89dc10c3c269eba3ab8cb
                          • Opcode Fuzzy Hash: 5d7bc26620b80ef7119eb44c7652f8341bb8fa42d4d4db49d9a398d45a93e6cd
                          • Instruction Fuzzy Hash: 2A21F570A0DA498FE758EB6C885EBB97BD0FB69305F00817AE44DC7193DE64E8058781
                          Function 00007FFAAC4B01F6 Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.3106469548.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7ffaac4b0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fdbbd4b327dc7ac159d508edfd893a52a9e740984d84a8e1d20da6405f896a6b
                          • Instruction ID: 6bfe61652bcb3cd5938c5613cf3100b50ce3bd6d1161614150593db1a8729687
                          • Opcode Fuzzy Hash: fdbbd4b327dc7ac159d508edfd893a52a9e740984d84a8e1d20da6405f896a6b
                          • Instruction Fuzzy Hash: B111FE60718A058FDB88FB38C49DE7977D2EF9D301B1588B9A40EC7297DD24ED458741
                          Function 00007FFAAC4B02E8 Relevance: .1, Instructions: 69COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.3106469548.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7ffaac4b0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4726c58962958a0b98d86f0696d7a0c439fe1fe49a256cf1ee75cc71e87c5ebc
                          • Instruction ID: 5ee2fb94973034569a4b2021cf84334ab2140daa39e31e3895cd06f5b16a2b64
                          • Opcode Fuzzy Hash: 4726c58962958a0b98d86f0696d7a0c439fe1fe49a256cf1ee75cc71e87c5ebc
                          • Instruction Fuzzy Hash: 7E018053F189490BF789FB7C98966B855C6DB99105B8489FAD00EC6297DC1898094251
                          Function 00007FFAAC4B0BC6 Relevance: .1, Instructions: 67COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.3106469548.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7ffaac4b0000_kdbG0dSi8w.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 098bac291fa458511ae9a4d3a352e7cc61bda759c0a51d9553c74eb148907a2c
                          • Instruction ID: 5d2c92c410149892bf496ac493c9b89b89a104ebd1506dce4fd7211df24a1c45
                          • Opcode Fuzzy Hash: 098bac291fa458511ae9a4d3a352e7cc61bda759c0a51d9553c74eb148907a2c
                          • Instruction Fuzzy Hash: 5A11866071CE098FEBA8EB6C84A9BB977D1EB59305F008579D44EC7292DE24EC054781