Edit tour

Windows Analysis Report
O782uurN5d.exe

Overview

General Information

Sample name:	O782uurN5d.exe renamed because original name is a hash value
Original sample name:	09218598f4f0e650cf679a535b925359.exe
Analysis ID:	1582922
MD5:	09218598f4f0e650cf679a535b925359
SHA1:	021ba4bc51dbb9e2f3e3e4cc090b924f075e4c23
SHA256:	a5d763a75a1e676476c9fc43b354c94f9e10180352e1cb8b7d1a60a69bbd195b
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Yara detected DCRat

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Creates processes via WMI

Drops PE files to the user root directory

Drops PE files with benign system names

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Files With System Process Name In Unsuspected Locations

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

O782uurN5d.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\O782uurN5d.exe" MD5: 09218598F4F0E650CF679A535B925359)

schtasks.exe (PID: 7388 cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\windows multimedia platform\System.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7404 cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\windows multimedia platform\System.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7420 cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windows multimedia platform\System.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7436 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windows portable devices\hKONDisxvRbjdh.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7464 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\hKONDisxvRbjdh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7480 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows portable devices\hKONDisxvRbjdh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7512 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\hKONDisxvRbjdh.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7528 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\hKONDisxvRbjdh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7544 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\hKONDisxvRbjdh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7560 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\PrintHood\hKONDisxvRbjdh.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7576 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Users\Default User\PrintHood\hKONDisxvRbjdh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7608 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\PrintHood\hKONDisxvRbjdh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7636 cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\System.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7672 cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\System.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7688 cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\System.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7704 cmdline: schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows media player\Memory Compression.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7720 cmdline: schtasks.exe /create /tn "Memory Compression" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\Memory Compression.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7736 cmdline: schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\Memory Compression.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7752 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Recent\hKONDisxvRbjdh.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7772 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Users\Default User\Recent\hKONDisxvRbjdh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7792 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Recent\hKONDisxvRbjdh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7816 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WindowsHolographicDevices\hKONDisxvRbjdh.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7832 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\hKONDisxvRbjdh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7860 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\WindowsHolographicDevices\hKONDisxvRbjdh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7888 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows media player\Media Renderer\hKONDisxvRbjdh.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7904 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\Media Renderer\hKONDisxvRbjdh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7928 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows media player\Media Renderer\hKONDisxvRbjdh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7952 cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7984 cmdline: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8000 cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8016 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\hKONDisxvRbjdh.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8032 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Users\Default User\hKONDisxvRbjdh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8056 cmdline: schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\hKONDisxvRbjdh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

System.exe (PID: 7448 cmdline: "C:\Program Files (x86)\windows multimedia platform\System.exe" MD5: 09218598F4F0E650CF679A535B925359)

System.exe (PID: 7488 cmdline: "C:\Program Files (x86)\windows multimedia platform\System.exe" MD5: 09218598F4F0E650CF679A535B925359)

hKONDisxvRbjdh.exe (PID: 7920 cmdline: "C:\Program Files (x86)\windows media player\Media Renderer\hKONDisxvRbjdh.exe" MD5: 09218598F4F0E650CF679A535B925359)

hKONDisxvRbjdh.exe (PID: 7944 cmdline: "C:\Program Files (x86)\windows media player\Media Renderer\hKONDisxvRbjdh.exe" MD5: 09218598F4F0E650CF679A535B925359)

Memory Compression.exe (PID: 7960 cmdline: "C:\Program Files (x86)\windows media player\Memory Compression.exe" MD5: 09218598F4F0E650CF679A535B925359)

Memory Compression.exe (PID: 7976 cmdline: "C:\Program Files (x86)\windows media player\Memory Compression.exe" MD5: 09218598F4F0E650CF679A535B925359)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"Z\":\"&\",\"I\":\".\",\"0\":\"~\",\"2\":\"$\",\"v\":\"*\",\"n\":\"_\",\"O\":\"<\",\"M\":\"|\",\"Y\":\"#\",\"R\":\"-\",\"h\":\"@\",\"w\":\")\",\"A\":\",\",\"k\":\"`\",\"F\":\";\",\"z\":\">\",\"4\":\"(\",\"d\":\" \",\"u\":\"^\",\"D\":\"%\",\"9\":\"!\"}", "PCRT": "{\"G\":\")\",\"E\":\"_\",\"N\":\"!\",\"F\":\"(\",\"u\":\"*\",\"H\":\"%\",\"M\":\"@\",\"R\":\";\",\"1\":\"-\",\"U\":\"#\",\"Y\":\"|\",\"k\":\"&\",\"Z\":\" \",\"l\":\"^\",\"J\":\">\",\"Q\":\"`\",\"5\":\"<\",\"h\":\".\",\"4\":\"$\",\"b\":\",\",\"v\":\"~\"}", "TAG": "", "MUTEX": "DCR_MUTEX-Me85EHyKMM31ho4asGX7", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000022.00000002.1781845260.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001F.00000002.1792324485.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001F.00000002.1792324485.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1702012225.0000000003628000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001D.00000002.1792348521.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000021.00000002.1792034807.0000000002961000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000008.00000002.1776738270.0000000002961000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000021.00000002.1792034807.000000000299D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1710524182.0000000012F11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000002.1776805213.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1702012225.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: O782uurN5d.exe PID: 7324	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: System.exe PID: 7448	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: System.exe PID: 7488	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: hKONDisxvRbjdh.exe PID: 7920	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: hKONDisxvRbjdh.exe PID: 7944	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Memory Compression.exe PID: 7960	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Memory Compression.exe PID: 7976	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\O782uurN5d.exe, ProcessId: 7324, TargetFilename: C:\Users\All Users\Desktop\spoolsv.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /f, CommandLine: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\O782uurN5d.exe", ParentImage: C:\Users\user\Desktop\O782uurN5d.exe, ParentProcessId: 7324, ParentProcessName: O782uurN5d.exe, ProcessCommandLine: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /f, ProcessId: 7952, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: O782uurN5d.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\Public\Desktop\spoolsv.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\ProgramData\SoftwareDistribution\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: hKONDisxvRbjdh.exe.7944.31.memstrmin

Malware Configuration Extractor: DCRat {"SCRT": "{\"Z\":\"&\",\"I\":\".\",\"0\":\"~\",\"2\":\"$\",\"v\":\"*\",\"n\":\"_\",\"O\":\"<\",\"M\":\"|\",\"Y\":\"#\",\"R\":\"-\",\"h\":\"@\",\"w\":\")\",\"A\":\",\",\"k\":\"`\",\"F\":\";\",\"z\":\">\",\"4\":\"(\",\"d\":\" \",\"u\":\"^\",\"D\":\"%\",\"9\":\"!\"}", "PCRT": "{\"G\":\")\",\"E\":\"_\",\"N\":\"!\",\"F\":\"(\",\"u\":\"*\",\"H\":\"%\",\"M\":\"@\",\"R\":\";\",\"1\":\"-\",\"U\":\"#\",\"Y\":\"|\",\"k\":\"&\",\"Z\":\" \",\"l\":\"^\",\"J\":\">\",\"Q\":\"`\",\"5\":\"<\",\"h\":\".\",\"4\":\"$\",\"b\":\",\",\"v\":\"~\"}", "TAG": "", "MUTEX": "DCR_MUTEX-Me85EHyKMM31ho4asGX7", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files (x86)\Windows Portable Devices\hKONDisxvRbjdh.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files\Windows Multimedia Platform\hKONDisxvRbjdh.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files\Windows Sidebar\hKONDisxvRbjdh.exe	ReversingLabs: Detection: 78%
Source: C:\ProgramData\SoftwareDistribution\RuntimeBroker.exe	ReversingLabs: Detection: 78%
Source: C:\ProgramData\WindowsHolographicDevices\hKONDisxvRbjdh.exe	ReversingLabs: Detection: 78%
Source: C:\Recovery\System.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hKONDisxvRbjdh.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\hKONDisxvRbjdh.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Default\hKONDisxvRbjdh.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Public\Desktop\spoolsv.exe	ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: O782uurN5d.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Joe Sandbox ML: detected
Source: C:\Users\Public\Desktop\spoolsv.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\SoftwareDistribution\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: O782uurN5d.exe

Joe Sandbox ML: detected

Source: O782uurN5d.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\O782uurN5d.exe	Directory created: C:\Program Files\Windows Sidebar\hKONDisxvRbjdh.exe	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Directory created: C:\Program Files\Windows Sidebar\5811fce5ef954c	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Directory created: C:\Program Files\Windows Multimedia Platform\hKONDisxvRbjdh.exe	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Directory created: C:\Program Files\Windows Multimedia Platform\5811fce5ef954c	Jump to behavior

Source: O782uurN5d.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: O782uurN5d.exe, 00000000.00000002.1702012225.0000000003628000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\Desktop\O782uurN5d.exe	Code function: 0_2_00007FFD9B893545	0_2_00007FFD9B893545
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Code function: 5_2_00007FFD9B893545	5_2_00007FFD9B893545
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Code function: 8_2_00007FFD9B8A3545	8_2_00007FFD9B8A3545
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Code function: 29_2_00007FFD9B8A3545	29_2_00007FFD9B8A3545
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Code function: 31_2_00007FFD9B893545	31_2_00007FFD9B893545
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Code function: 33_2_00007FFD9B8A3545	33_2_00007FFD9B8A3545
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Code function: 34_2_00007FFD9B8A3545	34_2_00007FFD9B8A3545

Source: O782uurN5d.exe	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: hKONDisxvRbjdh.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: hKONDisxvRbjdh.exe0.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: spoolsv.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: hKONDisxvRbjdh.exe1.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: O782uurN5d.exe, 00000000.00000002.1701687707.0000000001520000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename4 vs O782uurN5d.exe
Source: O782uurN5d.exe, 00000000.00000000.1653431968.0000000000D9A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs O782uurN5d.exe
Source: O782uurN5d.exe, 00000000.00000002.1701622374.0000000001500000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename4 vs O782uurN5d.exe
Source: O782uurN5d.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs O782uurN5d.exe

Source: O782uurN5d.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: O782uurN5d.exe, ShQV8t8hnllEdl2q3Vl.cs	Cryptographic APIs: 'TransformBlock'
Source: O782uurN5d.exe, ShQV8t8hnllEdl2q3Vl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: O782uurN5d.exe, ODCw57gOicTvVVVXpZG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: O782uurN5d.exe, ODCw57gOicTvVVVXpZG.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@41/43@0/0

Source: C:\Users\user\Desktop\O782uurN5d.exe

File created: C:\Program Files (x86)\windows multimedia platform\System.exe

Jump to behavior

Source: C:\Users\user\Desktop\O782uurN5d.exe

File created: C:\Users\Default User\PrintHood\hKONDisxvRbjdh.exe

Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\O782uurN5d.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\c7d36335718927701c63a238f1f94f919ac4a9ab

Source: O782uurN5d.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: O782uurN5d.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\O782uurN5d.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\O782uurN5d.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: O782uurN5d.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\O782uurN5d.exe

File read: C:\Users\user\Desktop\O782uurN5d.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\O782uurN5d.exe "C:\Users\user\Desktop\O782uurN5d.exe"
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\windows multimedia platform\System.exe'" /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\windows multimedia platform\System.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windows multimedia platform\System.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windows portable devices\hKONDisxvRbjdh.exe'" /f
Source: unknown	Process created: C:\Program Files (x86)\Windows Multimedia Platform\System.exe "C:\Program Files (x86)\windows multimedia platform\System.exe"
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows portable devices\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files (x86)\Windows Multimedia Platform\System.exe "C:\Program Files (x86)\windows multimedia platform\System.exe"
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\hKONDisxvRbjdh.exe'" /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\PrintHood\hKONDisxvRbjdh.exe'" /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Users\Default User\PrintHood\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\PrintHood\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\System.exe'" /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\System.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\System.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows media player\Memory Compression.exe'" /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Memory Compression" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\Memory Compression.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\Memory Compression.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Recent\hKONDisxvRbjdh.exe'" /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Users\Default User\Recent\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Recent\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WindowsHolographicDevices\hKONDisxvRbjdh.exe'" /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\WindowsHolographicDevices\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows media player\Media Renderer\hKONDisxvRbjdh.exe'" /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\Media Renderer\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe "C:\Program Files (x86)\windows media player\Media Renderer\hKONDisxvRbjdh.exe"
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows media player\Media Renderer\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe "C:\Program Files (x86)\windows media player\Media Renderer\hKONDisxvRbjdh.exe"
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /f
Source: unknown	Process created: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe "C:\Program Files (x86)\windows media player\Memory Compression.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe "C:\Program Files (x86)\windows media player\Memory Compression.exe"
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\hKONDisxvRbjdh.exe'" /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Users\Default User\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll

Source: C:\Users\user\Desktop\O782uurN5d.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\O782uurN5d.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\O782uurN5d.exe	Directory created: C:\Program Files\Windows Sidebar\hKONDisxvRbjdh.exe	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Directory created: C:\Program Files\Windows Sidebar\5811fce5ef954c	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Directory created: C:\Program Files\Windows Multimedia Platform\hKONDisxvRbjdh.exe	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Directory created: C:\Program Files\Windows Multimedia Platform\5811fce5ef954c	Jump to behavior

Source: O782uurN5d.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: O782uurN5d.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: O782uurN5d.exe, ODCw57gOicTvVVVXpZG.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: O782uurN5d.exe, brNmjQxaxV3vxLWDF40.cs	.Net Code: trlsUn6BMN System.AppDomain.Load(byte[])
Source: O782uurN5d.exe, brNmjQxaxV3vxLWDF40.cs	.Net Code: trlsUn6BMN System.Reflection.Assembly.Load(byte[])
Source: O782uurN5d.exe, brNmjQxaxV3vxLWDF40.cs	.Net Code: trlsUn6BMN

Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Code function: 5_2_00007FFD9B8900BD pushad ; iretd	5_2_00007FFD9B8900C1
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Code function: 8_2_00007FFD9B8A00BD pushad ; iretd	8_2_00007FFD9B8A00C1
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Code function: 29_2_00007FFD9B8A00BD pushad ; iretd	29_2_00007FFD9B8A00C1
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Code function: 31_2_00007FFD9B8900BD pushad ; iretd	31_2_00007FFD9B8900C1
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Code function: 33_2_00007FFD9B8A00BD pushad ; iretd	33_2_00007FFD9B8A00C1
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Code function: 34_2_00007FFD9B8A00BD pushad ; iretd	34_2_00007FFD9B8A00C1

Source: O782uurN5d.exe, mA1aoB0FsCRn8dUn8Rg.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'KSQdITg5ug', 'DWK5G81NTL', 'Fq4dtkIo80', 'T8loRGo7I06wO9tdvTw', 'MZ6ptio95XTPdIOufmM', 'ofl1ACo4GKWWwUDcgR7', 'KBfAyxoInQdmQ52lCoX', 'qH5Pvoo5Phu3qOppyjJ'
Source: O782uurN5d.exe, RojouGtbb54PaXNiQi.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'rGoegmlCQiPI8AKnXlv', 'cNSyC5lLZBiD1KvbgMc', 'fP0p2klDm0QXOCX7uBr', 'WcFgbylRNFVcRVl9TQb', 'peZPdqlzHSYUNupH64k', 'eU92qaZB2pX9F7xaXd6'
Source: O782uurN5d.exe, lNsEPIIWHQfUZar3eR.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'cG8PeVSDhu89Bcxb2SF', 'ylwhOHSRMRMYJLLgtcm', 'cu6lAHSz153NPu1p3aM', 'XW0sKrlBUYjgqOdIqbL', 'XMbhVelH1bfMkdgoFRO', 'R2vKAHlSMP602GGog3M'
Source: O782uurN5d.exe, ShQV8t8hnllEdl2q3Vl.cs	High entropy of concatenated method names: 'wDDHxwjxGM', 'lgoHmFpdXM', 'snPHam04lP', 'nLhHv6XtTw', 'MZZHXZFi7w', 'ACLHLuREqI', '_838', 'vVb', 'g24', '_9oL'
Source: O782uurN5d.exe, OVApvUxNkBs8uYvWGWb.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'hQ66E1ZJko', 'JAK6uSMFTP', 'WvT6erltUs', 'oCD6YE6NDG', 'MgJ6TSutTH', 'kRtqtQF6t0PXg19EJqM', 'mOkPrMFyrp5rq10PYML', 'JXPUU4FAjFXwe0Jo8pb'
Source: O782uurN5d.exe, CGIMGUep2bFE68fevpB.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'K9yljh634tkRI7VsK64', 'fdEiDZ6XGOjqSPjZ5G4', 'K0fo4f6sU7TQpDAq4oF', 'cNUTaI6YdHFKqoL6dfJ', 'LRXQhr6Tkwto8rva6No', 'FuNINd6aP0Mqjot5lQ5'
Source: O782uurN5d.exe, LvMHmIe9Q7qQW0i1yh0.cs	High entropy of concatenated method names: 'v7ZOcGO2e7', 'XvrO1h1FjEMIfKVF2QR', 'KnjVSX1NmxTpfYFiIbE', 'MuIqmx1IwE6prK0mmqe', 'GqSEBX15DthL2bBGQcG', 'KJVxj81hN7Xpaw1pigd', 'Mjc3Iv12MJuqbYPgSq5', 'mO0MxW1vGyPZYg2KyNn', 'qAT8mU1Egx2ip4L17wh', 'f28'
Source: O782uurN5d.exe, swbUlMxbvhOOvR7uUfi.cs	High entropy of concatenated method names: 'eRCswcuQdC', 'Aptdk59lVlNWEWfe0s3', 'pNpu1r9ZWlAcrBY3HN3', 'EE9rVS9Hd1SXrXZUEJ0', 'JceReV9S2g9wA4ee1OP', 'zUtVJT9dI9NyNwfkPiD', 'XqdbhT9tWNUikcCW7m0', 'YJUAxj9ALYqBhTNfhwk', 'nKpVjr91WtNpjFOJQuP', 'vLKHmd96XEch2PjWUho'
Source: O782uurN5d.exe, KElBZwGReNV8vgkHWNn.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: O782uurN5d.exe, gmpRkSegWgyK6AxCPqB.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'NpdP3GtWNjjvnDogSFx', 'XweO49tCDDcwjB7qE27', 'AqSfWetLUXUE798uuN5', 'e8JEF5tDUNCSkrvC9GB', 'SwuioEtRH4EVn1drLyS', 'Civ2nXtzKLc9Uc8JxxC'
Source: O782uurN5d.exe, LMdaTa0eR6vQ9eRRmg9.cs	High entropy of concatenated method names: 'RVNIcCKROx', 'quIIy2VNbg', 'R1cIgsRkD9', 'v5AIdjuqfj', 'GuTI8yNzKBUwBuNXYmI', 'YAsboeNDULtVclyjCcg', 'Yu3kkvNRaoZQjIlkdFA', 'KJ2HnXhBjkZy80OZRPx', 'XLixewhH78S88xbvTks', 'qi3R1QhS2TqxkXh4LBh'
Source: O782uurN5d.exe, DhR06VGLsbLb32El0dp.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'gM1DJY92tA', '_3il', 'Hf5DOm1qkY', 'wYED0Ov7VB', '_78N', 'z3K'
Source: O782uurN5d.exe, eB94mCGDNbE2RkQHY8C.cs	High entropy of concatenated method names: 'WkjrB3cSfE', 'XK5ZLZVNNcJj83AtZVS', 'HMmifCVhGO2QnyoVFFh', 'lDoOUDV59fxQOPIO5vv', 'BiQNy9VFQiLSuGFB6G8', 'mJP5ykCI3t', 'OT75gS9oGU', 'jvX5d7NRVi', 'H5g5P5bkli', 'Jim5Ev8o7b'
Source: O782uurN5d.exe, WIsZXyGECrmGfTMO4nb.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'ohfUkVlLiA', 'amQUNuqH8Z', 'r8j', 'LS1', '_55S'
Source: O782uurN5d.exe, CjaYV00bt3o8w6uPpI5.cs	High entropy of concatenated method names: 'I6Etlabm8l', 'N8Lt7qaTe6', 'q3ltxjdA86', 'k7MtmYqU9B', 'rrv1cuvKsq1UBwoxUIr', 'Dv5TBUvrXNDRcf9uYLh', 'ooNpApv3jZ4Spy6fDdV', 'GeuNyRv8SY0sadh02hh', 'j2HWlcv0XJfoLRUNkri', 'rY2vv7vXypyrbPsCNJJ'
Source: O782uurN5d.exe, uU3LbnopfARZJFUK8A.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'WTIEZASx6oI3trP2iMP', 'JpFm2VSgpHqCsfgFpKY', 'TRk4h2SQV7kphEGgsJe', 'mH88XWS7kRSdYD1PdgA', 'Rf0Q6xS9UpLEpB6inaQ', 'aAmrWMS4AXY6lmrlREm'
Source: O782uurN5d.exe, spW6tZGPvdCkFcxPBAC.cs	High entropy of concatenated method names: '_7zt', 'Jye3Cwf1wk', 'cNM32DYMYR', 'SSU3QxwaOC', 'cZh3pddv0V', 'a7j3hQbC7w', 'qxd3idoI8J', 'LQp4QIOnFmY3I8WkeNE', 'sQ2hxZOoKjM4rU93Mnj', 'jCe5KjOv1oOPY7yMiJf'
Source: O782uurN5d.exe, VNu7fdevIHvbR1PhNoN.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'vtlLd91rdOAijPJoYfp', 'SDfu1w13Hjxvx36Bgvv', 'VGq9v91XZQtd5IG5fZA', 'bOWwac1skuMGEDSkFhO', 'aNCkS31Y3x7l4NhOM3M', 'xvSSFh1T9oGf7Ta0q6m'
Source: O782uurN5d.exe, dx0ODQ0zJQ5OOh0jwPC.cs	High entropy of concatenated method names: 'SRu54KQOZX', 'OH55MIvTMP', 'rTP5cUQuHB', 'HrRpdPjaPRycMFREjYP', 'nNtc5DjfOeuEeLTYAwr', 'KjXHoijYW29oPXVNgMA', 'gSpw5QjTnPPCJF5R3AZ', 'jLaevSjbd5bwqjTLhqE', 'TeryimjJq8vGhbkxFPb', 'cgQt0OjiC4PvgDYARYe'
Source: O782uurN5d.exe, X7GchmAZC73ehmNhn5.cs	High entropy of concatenated method names: 'F1AEKGBs0', 'EBBuigjxt', 'VUuep0qNc', 'matn7pHscUHej8vfMjM', 'GS3YRqH3G7QmD0AAtVZ', 'SDsgbrHXlr4MpgQs4pN', 'IeY2xsHYJTMfbsLOy1r', 'uW5m2LHTmw2bMeXdGj8', 'PutbLbHaqDS2Xm1Qnkd', 'bdJ75bHfRcVGGv5g7gW'
Source: O782uurN5d.exe, vQ1FYBlaRKwUFhi2BN.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'S7114XdpDfCvAsKNcJh', 'ov62mQdkt3OID2YcPMy', 'c21OGudq7jNLdZC50am', 'rC57dXdu84AarOqIPZ9', 'HVyOVyd8kwUT4B4Gu4N', 'wXqsbUd05wdDTAbU0Jf'
Source: O782uurN5d.exe, syHIk914OqKr6gSRiL.cs	High entropy of concatenated method names: 'NAynUDlhU', 'AmXHjsY97', 'OdKWffSaR', 'WBFSURsHD', 'h794PapMv', 'mDUMaNQTr', 'A9rcJfkc2', 'BLwqu8H1EvZd9Yo8X1C', 'KCNlovH6g7owu4nwHgk', 'uM6FD9HyQaJoccoUh6E'
Source: O782uurN5d.exe, f1JlejeD6QEWhxIOjus.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'XVio6otiEtv0gWhZSwU', 'D7W76YtMLDpRmcOoXiJ', 'w2TW5StGjrdjpUbPRro', 'ShF5uDtUk6Mic5mKrAK', 'RahMsftmy1r55UqVPh2', 'uHsv2Mtwy4lZD72r1Zh'
Source: O782uurN5d.exe, UhslPu0urSmoNsFAfNp.cs	High entropy of concatenated method names: '_223', 'iIfhwsvFmLiIZOPKCWa', 'eDwZWGvNoOq2tOkixJn', 'd2K0xmvhtXufJ4LclmI', 'X6o6UUv2wg9oNKEOl1P', 'F2qZYAvvWRom8TWNwDd', 'gqD8VZvElqd6bppBqLU', 'tryMtLvnDYbbudVfQLq', 'nFS2YyvoNRBUQLmVUIm', 'DrxChxvjNNMT5Ebwy6A'
Source: O782uurN5d.exe, jy6wyeeZTaDtal9HIwA.cs	High entropy of concatenated method names: 'mFX0hQib68', 'VUW0i0Qhd9', 'PC50nZtdCq', 'zj83HXgx3gh9AT1Sv9j', 'WANGMrg6t5ZgofuNK0C', 'LYHjhrgy6SrvRFmUVaV', 'eKroLZggN54J1dBEMu1', 'ywGde3gQpK9E93eDas5', 'VmuRaSg7Ggewc5Uq4re', 'sy2KHfg9S0q5pZFWZiv'
Source: O782uurN5d.exe, rnAur7DaFOERhWKWI2v.cs	High entropy of concatenated method names: 'Usdn2jMaAJ', 'M6unQhaVmo', 'RccS7Z3e9JKMgGWXc2o', 'fA25Fn3WlKasZCmrtm4', 'DKfe9q3C93p7TmKW5Jl', 'kPvCCF3L71cVCcieIST', 'suowdm3Dsr1XXXqJnG9', 'zNovA23RsYRFXOrLfaW', 'nXkLyU3z7qTBQds0TLw', 'WQy0VOXBswpwYXsh0Vs'
Source: O782uurN5d.exe, QbWB2A8Bk08Bttugh7j.cs	High entropy of concatenated method names: 'qRAvd8bZKKliMrTU0A7', 'm0GnKFbdDLqRm3Q6wEe', 'Uakg0vbSaWjms6C4XhY', 'hTJtnFbluiEs8A5co9k', 'mJuSEtBmjL', 'WM4', '_499', 'P42SuMuhrc', 'mcPSeOeIq7', 'DtRSYoiLpe'
Source: O782uurN5d.exe, GSvqVaekSN9i8304rC4.cs	High entropy of concatenated method names: 'nm90OZsNhI', 'NT300xOCDv', 'k180sjs4N8', 'tumFJOywUHCcIN8UTLH', 'UsuRjeyceB6xnNCgitO', 'cltOZByUCy9CN7hRjbX', 'yOZ4nHymiCl9ZqlVUX4', 'W7uOoOye3NFwWZ1p76y', 'EYq6xTyWtpIb7tgV1Ev', 'cIj9aGyCnWhgDuD2wui'
Source: O782uurN5d.exe, prZ0eF88sHKPf9sYKH9.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: O782uurN5d.exe, brNmjQxaxV3vxLWDF40.cs	High entropy of concatenated method names: 'JkgsdBPKYw', 'n2EsPMaqgv', 'IR8sETqA4l', 'AFSsuY7TBN', 'N4rse1upoZ', 'dxKsYktWr6', 'IC0sTlL1KP', 'Rjpqm37jIZ4qsxVNE9Z', 'UF9E6r7noliLp5oBUmP', 'iIgEUC7ok3F3at553E3'
Source: O782uurN5d.exe, FTQXymGm1hcA5Lr3TON.cs	High entropy of concatenated method names: 'WgHtGAP3NlxBZiYw8Hg', 'W1L9A6PXsbVhF5oBqiQ', 'L0ngQsPKBvJR9Uh0jY7', 'lyGTehPrsuNLkXRClk4', 'iWxhCOPsOEoMdPwu61i'
Source: O782uurN5d.exe, gILaC9G2QfA6uRtkFDS.cs	High entropy of concatenated method names: 'zm23GBRWfI', 'Yp136Sx3aa', 'dYG3bZdNfE', 'KR7ckPO5KytamR82M2s', 'IEb9dMOFB0FpABZRWwL', 'X2UNBjO4KHfu75jYosP', 'n7KrjZOInqnFoq3eSqa', 'BTPwcCONJBDki1NjRcM', 'nSTTjROh4nSiqwMvrQI', 'xNxWClO2IGG3B3V46gh'
Source: O782uurN5d.exe, qIHXLUGlWJL7fG9NnvN.cs	High entropy of concatenated method names: 'Yv1UFQjtZP', 'G7PUEfnyDn', 'YBiUuicUPs', 'EPJUe4mkpr', 'qX7UYghRN0', 'uUrUTksUuJ', 'ojxUoVPv72', 'gpEUZKnd4T', 'B7ZU8QYSOr', 'e5qUlMlQak'
Source: O782uurN5d.exe, hOOuwsxtUvnS8oCNaJr.cs	High entropy of concatenated method names: 'A8nbt5Zd1T', 'lecbVmJqtR', 'GiPDWZFW9K13mAiy5I1', 'I0hP7dFC0lEehbpkptS', 'P2uBJLFcUHj11f2AcpN', 'hZopJAFecfRcjjjL8Gr', 'f8XbBOnEPb', 'HCewDjNBiGiLs6oP6Sx', 'DvM3IyNHbT19RVlNBgr', 'sqhLCeFRu9W3wIlilE0'
Source: O782uurN5d.exe, xhlO5m0js98ZECIH5n3.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'sZsOdEn7mIWgSwIIOaa', 'H7vgDin9vU6xff4gxqj', 'NmVSJLn4VEOqBXc56Ms', 'whk8CvnIZJ11TvX6lf8'
Source: O782uurN5d.exe, AtFo666kkwyhb6hEXP.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'ATSMjKdeX2OEjhCGkqH', 'CJfbmLdWoYWk7V2Qyy2', 'LLGhWtdCTYlbYjAXP8i', 'om5IkmdLuCX5xWHwfQO', 'qvyPDhdD7pAXSsbEDUF', 'sQ0RQddR7LseAQ1XfLk'
Source: O782uurN5d.exe, hwUldxeYUXlY4yFLNj3.cs	High entropy of concatenated method names: 'U2C0CjrLvp', 'aRG5TxgtLEWeNKrSWVE', 'bnjQFIgAeuSWABO3NDx', 'ntbLdvgZsxyHeKVjuwW', 'cPLHpugdsV10GHdnADM', 'YoBCyUg1Jtm96h1Y3Hc', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: O782uurN5d.exe, Ifli0Jesttd33sjqdSP.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'neSxOnx8BRU196nFFTr', 'C7cPqhx0ESrw7xchdiq', 'y7gJLGxKPIj3WJkaA2b', 'lMBQIVxrHqZiGD74hY0', 'Kw0Hoox3uTqyv4T7Blh', 'U4PA0XxXJuHUmud1psC'
Source: O782uurN5d.exe, ABf57M8v7qyGAkobuUb.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'lw4Wnw2QS9', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: O782uurN5d.exe, KtbUcZGuOrdEIYpdAct.cs	High entropy of concatenated method names: 'Kn1rukS23y', 'WNereI6JDQ', 'csxrYxIefh', 'tCqrTUn0NK', 'MlTroZ2sbs', 'nFu3j9VRXlD7Aj5SUXo', 'BwmlKgVzlkc6EE2bDFt', 'kTsWCVVL5uPlZ7VcfY3', 'buD7C0VDme07U8dJEb3', 'ji45EKOBbL5Ll5bq0qr'
Source: O782uurN5d.exe, X3VDfreUJl7rdN7lmso.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'N5RJmQ1BIQMJXADPkdd', 'CLd1RT1H6oqjpfegfmQ', 'AciUae1SaHRnDZBdmys', 'H7xeQN1leEEsF08FoQ4', 'QkIjVn1ZlxROE8AaMih', 'TDuFwN1dYmNLnAkI9vB'
Source: O782uurN5d.exe, CPDj6GeubRuAdvpYPOM.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'W1c5s2APyiNoCdfAnDU', 'oJPydkAp6EPH0OlNUQd', 'uIGNJxAkBDEoyry4bOU', 'XGgTDwAqxhWkVV9UngT', 'ydEogRAuk7N2qK4tFDa', 'HLeNiyA88QpWJqbeGQ9'
Source: O782uurN5d.exe, gwEoNNDXMomajhTOoMm.cs	High entropy of concatenated method names: 'uJvn9em3fR', 'qBjnARWusU', 'n1NnKs8a4l', 'VKBnwNud4u', 'Ou4nfspldg', 'lABnFDyHBe', 'Q8MfoSXGNS8vIZTUssV', 'AdakkFXifwHnniR2jgD', 'YEXVNIXMaorgTU2O5B7', 'FvkADcXUvJWpPhY8WPU'
Source: O782uurN5d.exe, K06Cip8pj3Ent59B8GL.cs	High entropy of concatenated method names: 'ApHSVBwBDi', 'jWLS5EmV77', 'l00SqMdlUr', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'mx9SrTN3bR'
Source: O782uurN5d.exe, w5GhmpDZVRs4Ghfm56i.cs	High entropy of concatenated method names: 'adeH4ROG85', 'Dx9HMxFxUX', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'qTTHc2qo0y', '_5f9', 'A6Y'
Source: O782uurN5d.exe, MvXNGWGCUT4TS9snn5E.cs	High entropy of concatenated method names: 'JXnDPOvC9x', 'BihDEl2L3n', 'ud4DuVvdVV', 'VtDDeMHrXJ', 'aIMDYK6rF5', 'lCLru2PhuQDk9sxc9xt', 'Pqrc8bPFMNaq8Twqax9', 'b9UExhPN1H9GN18kwxk', 'cTEVUtP2PMMTcb9f09m', 'acIGasPvw0vlvQnx952'
Source: O782uurN5d.exe, HDLQwIxPs5Cl6brCgUJ.cs	High entropy of concatenated method names: 'dMjszG08ZH', 'moCGJ01Qeb', 'VwcGOLMjAQ', 'H3WG0NaCUV', 'kSZGsHNpsk', 'nQmGGkxiA2', 'tLcG6W19we', 'VXlGbfI2Cp', 'MFlGIqZj2u', 'YXvGtEH8dh'
Source: O782uurN5d.exe, X2UjJl8C4k9gIXmOd3i.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: O782uurN5d.exe, V7v6WKssJBOehqiq7Z.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'my873Qd4ep8AaPbAGJf', 'owToDpdIl3WjGXX2lFF', 'cTtVhed5XQELV4AO86O', 'EXK8QIdFRi8R5EG1Ach', 'bS0CAYdNLn4pph3wbIo', 'ciI5ZXdhqBSFmY3hQny'
Source: O782uurN5d.exe, WbRda6FV9JMMyvi3md.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'E6OncUZbfEbEBPeVYNJ', 'fjydAnZJ5lBmVNkgwbX', 'Xftx7EZiurB5n3OduFL', 'vpffaIZMq7cus2SEbx2', 'JmS67PZGmf4Ce5i9Z6F', 'VZFOlRZUteA3bqb0PwV'
Source: O782uurN5d.exe, DUxBTW0cAVx3Bb89Olx.cs	High entropy of concatenated method names: '_5u9', 'hVrdGkG1FI', 'nvY5Je6g2t', 'fIAd6PpJdj', 'a8lG2vnLpgyLNGfJ3Xp', 'XhiRGKnDUtmKcTDlNVg', 'JCMFrsnR2hVmodQIQCL', 'x9E9A0nWUpMDsv8GNHE', 'F9VbHVnCcrK4jATWxLn', 'BRhmIJnzYIHWTMgSTln'
Source: O782uurN5d.exe, FAEaBP0YF0ntrLLR8sa.cs	High entropy of concatenated method names: 'Y6ox1mjX5RsfSCWgYI8', 'tAUdLbjsWwmRlZWJqDV', 'dea9mGjr8ddvPHivOCo', 'lFretdj3hu9ItsxNefo', 'IWF', 'j72', 'UFq5BP9dnF', 'hIU5jxygJF', 'j4z', 'G6a51K0fZA'
Source: O782uurN5d.exe, jZ3ZS9DW8Kxcw42FMau.cs	High entropy of concatenated method names: 'hLNnaJILkF', 'uj4nvlLtJU', 'MEUnXa3tg5', 'YLrwuuXT1F6XZXLh4ec', 'MHesusXsuglq7leJZbO', 'HAG2btXYMyplTIKDxjI', 'E6ifZZXabhanRgwbYsm', 'RxqMp2XfXmT0q5VRH6t', 'y1Ixl2XbIa9AFteyoki', 'eQVmMPXJHJhDa90NoAJ'
Source: O782uurN5d.exe, VsaLaLeeQIm3YEhQZnS.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'FoZFxWthuIGQe3YHSxb', 'rMrMrEt2MwcXlAImc2d', 'rhjdAOtvIgthKIZv07Y', 'NrPtYxtEcP92AGbWER0', 'x7aWRytnGFCfy7ypevY', 'wi8xUOtoH9qBcxQGGYA'
Source: O782uurN5d.exe, KpsxYqe4jb3lBbw5Eac.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'jvVfKMActxHIYcCcMSd', 'Y0xLIyAeGH76uh2JWgb', 'YQjWRFAWpBvOVk3Pm9l', 'eBoa56ACBmF3QoSJU3C', 'Eq0ciFALbEPI10IWbYY', 'KT4SgyADnw5kSbILors'
Source: O782uurN5d.exe, Q4FOZCx2OnuNdg8El6G.cs	High entropy of concatenated method names: 'goWsFBCyiZ', 'qT6sRjOU8m', 'BQklHW9hFp2bpS6q3JK', 'hHpaVK92ogVISoaPrgn', 'lJRRQ59vgkDqVOAPC4Y', 'T4nYxK9EJbFcatDCw68', 'cWDHu39nAkWCrud7M7b', 'UqUKoy9omHKSIQmCLK5', 'p6JrSE9jxNbFRuqy59r', 'EQ32E79V8acuCqkauLS'
Source: O782uurN5d.exe, LWN8vJejW7jQabBvwAI.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'slup7T1jhgFWpQXiJ27', 'iUnMIJ1VeJx3oPXwPNp', 'NIBfF61OneiocofnKKs', 'DO7qTG1PNRo3sHD6bUs', 'CFcnbM1p666a0iXoyDE', 'qv1O701kEPPFU4bmZeo'
Source: O782uurN5d.exe, pdByyuxZuHFEbJp33NN.cs	High entropy of concatenated method names: 'DLJIHneOe4', 'qsPdx6NmYY43PuFVLHU', 'VBhCoNNG84O6gwyXCdS', 'HsfeqjNUlEeogEmoDEi', 'guvQUdNwFMTyDjFTk50', 'Fyyq52NcIkIB3K7U4C2', 'VSrI1adocq', 'FeGICEyX4W', 'Gl3I21PWM9', 'A5DIQuC6xE'
Source: O782uurN5d.exe, UfXKGvD0DrscCrpfldF.cs	High entropy of concatenated method names: 'hsraeO0na5BhERoPJvu', 'Tvue040oHVJRb4btxNI', 'pQM7MX0v7LZYmCvkoid', 'RW0f0h0EDrfVCGdSbO6', 'cqs2nopNwY', 'T3xMJx0O6ZLDoxThFLe', 'QZSIk10PObYZYSWjjo1', 'ziSJbY0jxpKAB2SaPvC', 'SHMkxm0VEsJXNnUqSIo', 'ViewZv0pQvGOkCd457i'
Source: O782uurN5d.exe, Ov0Qw70UgNo9aeKUykB.cs	High entropy of concatenated method names: 'x2Ut9C9fWJ', 'tcJtAWLGLP', 'IfktKQmqIe', 'dx4tw1OhiL', 'PHYtfTXyl2', 'pGVptWEtEegLt3F9G6D', 'pg3plZEAGTJbc5fxCKw', 'GhJOXIEZjWaWJRMsSt2', 'FPRUtTEdo8lxl2RlDdo', 'hRyZbYE1SOlsv5Gkg1w'
Source: O782uurN5d.exe, epnDJq091ml0AkNTnFj.cs	High entropy of concatenated method names: 'yLOVk22EZ7', 'r5IVN2HUOM', 'c52VBqCdv7', 'OYTRAVEbfdxRuE7sBOb', 'WgRGSDEatXxkZsetQky', 'oFFMIqEf6QGZdb68KaU', 'ULZi5hEJRRulxL3uL3I', 'UX6VbjZKml', 'VqHVIbIxU2', 'aEFVtRKT9b'
Source: O782uurN5d.exe, itW4iUG6k83sGinjM9j.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: O782uurN5d.exe, KEqBEgxp36Cw6bPWn7C.cs	High entropy of concatenated method names: 'btFGFlUMNc', 'Jo9GRrHkGJ', 't57GzSdPTG', 'Hta6Jg9KSn', 'oHW6OTLqhs', 'zWN60w0pVU', 'sFw6sdnLXa', 'BoG6GPxgqL', 'CiP66Q2jHP', 'AyGb20IWkpDfgKMXj8H'
Source: O782uurN5d.exe, O3TOZ8eQxjaTb8UeewN.cs	High entropy of concatenated method names: 'W8SOA7fdtD', 'qYwHmjyj9Srk0T5DogF', 'NibTEFyVLjwVa43gkbW', 'cNj5fCynYPYJHEr7khZ', 'xyWpB7yooHbjrojdCZs', 'JBvdTdyO9t3V9LRZnpS', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: O782uurN5d.exe, vfWKEMeNUQ8islEO4Wx.cs	High entropy of concatenated method names: 'qQ5OFx7sVn', 'iXgOu4yXO084JP81Hqi', 'e9VGxwysLhjAv7BXAq1', 'UMSIhyyrHhLuriRdlJK', 's1f8qPy3nZ9mC0mAeZy', 'gtXgZXyYoTbhGnbG6Vc', '_3Xh', 'YZ8', '_123', 'G9C'
Source: O782uurN5d.exe, SkHx5geHaFyBGeKwmQK.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'yYyZH5xvlIS6fsPvuGt', 'NaxEYJxEeajK1sVccAD', 'O5SvqQxnA0r7QtjeSfJ', 'K1XX4gxotTPfs2Aj2AN', 'ogkOPHxjeoHo76PLOMp', 'rJ9ynPxVjOG0CxMPVFh'
Source: O782uurN5d.exe, cYDCfpeCKaA2LZQb8qV.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'E59xty1REDfUxtl8lkP', 'hJn4vd1zJj11T36DIy7', 'I929A76BXZ4rq2oNLpd', 'DlAYMN6HyPygPjn22qa', 'VOoaXR6S9UmuhnOpYnT', 'C8MiLA6l8WEwAHgFl1c'
Source: O782uurN5d.exe, DIYj0HYQDVCD2eSW7f.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'Yx4OLidJLJdYoUn6rNy', 'Qase58di7BE1s06TaAU', 'SXhwjKdMvnf9G6s0vlC', 'lrxa52dGXQmD6D2cDJy', 'VpDUmBdUAZf0H83IAoe', 'vMiibcdmPLE6heJmN0Z'
Source: O782uurN5d.exe, F4DjP30LeRAZA5Um7nq.cs	High entropy of concatenated method names: 'q8fVdVdgGx', 'a9pVPWm3eH', 'dHtPnbnNoEysfvCBx3c', 'qaPtaKnhSMQRrWCLfRs', 'RkTF77n5kEomE5yAUEs', 'gbFrDfnFMl5IqDBpTGS', 'RxHEKun2v84sYa1e0BV', 'sVNKdBnvMEkRGDc7CLV'
Source: O782uurN5d.exe, fhrc5AD7AkS5rvfZVUZ.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'uRSHiNRNaE', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: O782uurN5d.exe, A0ciaR8mE5Vmcu0PnlK.cs	High entropy of concatenated method names: 'XMkMY06MOP', 'PnbuSabq7nue8VKg9eS', 'i1MyexbuJs4dRwpQOno', 'Xc5JJybprWi4CjQGUU2', 'BeQjfjbktpPa86sZ8nP', '_1fi', 'SOI4LvMFxa', '_676', 'IG9', 'mdP'
Source: O782uurN5d.exe, TklU1E8rBRHg6gic4oL.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: O782uurN5d.exe, wD3EqMxJoxucKQ5IFbZ.cs	High entropy of concatenated method names: 'LjbGD2WfMD', 'uwSGUWJP4o', 'H11Qlu4joN1pDGOBxKc', 'hKg8r94VXrxrL2xZlFY', 'GL4tDR4nrYXvT0vCxZR', 'UZmBME4o8rmcr9M7nb2', 'kRxwMS4OwLXuPNEwcKX', 'qQUDVb4PsUqFOJE8aW5', 'n13o4y4p9vTQSSnUOYP', 'RheWNe4k3ycicqfKdAB'
Source: O782uurN5d.exe, aI7YbS8VaX3cCysHEXN.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'SBiSHABs8g', 'ETrSWWTdEZ', 'EDWSS5V3qd', 'lsZS47OdWK', 'qMsSMuf3US', 'kMBSc2hAfw', 'uiBMOTfXA5T7Z9UTGOc'
Source: O782uurN5d.exe, q5KftSNJ8X8yvHsCuC.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'fgKxILl3F0YSB0VeoKe', 'LEt2VWlXOY3fmrxVb6J', 'ei5UdTlsCyT5dEOREL5', 'fogHtrlYbbXAHjxBfMp', 'KemcCulTW7s5FggYCUP', 'i2JhPtlaPYbmfqsy2Yx'
Source: O782uurN5d.exe, oF5LOxxQavfuf3jN4Q8.cs	High entropy of concatenated method names: 'tI96cKRgG7', 'T82BxD5D3cn8OrjbUYl', 'm2mvrw5Rxvl4Uoj6x5L', 'mJYIFO5CAfUiBrdVZRW', 'jYIuhU5Lc1aKkHDBIGa', 'PJNNYH5zl5pnRFwMMjM', 'fCy9gIFBFZTRECSnEi2', 'ps80OOFHEBT2p0Zduum', 'tVotxAFS6c5B5xvTvC8', 'g8lyBZFlJnLioPWK6OJ'
Source: O782uurN5d.exe, cp9YRdeWYKsSOHqkkpe.cs	High entropy of concatenated method names: 'v7KOxjJxLy', 'm9o313yStship3j5HnQ', 'zCp8oyylQTsKGRWahD7', 'ynDuwyyBoglR7JHwyHy', 'vp34ZwyHw4E92XIhTsf', 'MCsbZAyZDntwUdHBavV', 'Ievy33ydLVi1bu9en33', 'duA3v0ytX6TRBewSHHp', 'yxtOaXlNg0', 'ysmFEqy6UiSAi7GCLVL'
Source: O782uurN5d.exe, tyb7tjGdVG4g9utDEm5.cs	High entropy of concatenated method names: 'mLS3PR6qvs', 'L8r3EEAtcH', 'GKf3uI96GS', 'yAd3ePdcSt', 'uyJ3YyLCwi', 'zQimu4OraHvlUwHOIPI', 'BTuhdxO3Uj2RSSUUi0w', 'Lw2wWGO0FKdY14KXCgy', 'QZeQ2xOKvpWm6BMio32', 'Sw6WEFOXWmPNUk87OF9'
Source: O782uurN5d.exe, klkv7L0lVA2t9tROacU.cs	High entropy of concatenated method names: '_269', '_5E7', 'WBFdUURsHD', 'Mz8', 'mDUdNaNQTr', 'ArWgCnowE699SlKmDEf', 'EQdiUWocSR9DEBgF1LK', 'dlNmmqoePVyECiG1Jra', 'y38PDXoWlkVbMY3dfXw', 'kDXaADoCr5bWacLh9SV'
Source: O782uurN5d.exe, FXbGuFebESR9lspB9qC.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'kfx33oAYS0jkOQ8MQOH', 'lrmDZ7ATe4QCHoWlEKZ', 'dGvtXLAaUu8a6EXYQxJ', 'Q2Isn7Af9RPVJjamNkd', 'AtEybHAbW2Q8ypZMvA7', 'zLqnVsAJ3vKIJiIql9J'
Source: O782uurN5d.exe, zGLQffDCV9bmocfd8Ct.cs	High entropy of concatenated method names: 'ya9nT7Ad2e', 'nL3noAi92j', 'QxpnZdymlD', 'AwYn84KnSl', 'yfmnlGLPm8', 'uN0bStXpaLNZjnHMSro', 'scLOXUXOlVWN0OWxMP9', 'LOlgv4XP4bqqKludok0', 'OmVIjrXkJuErjmyhH0G', 'QBwm84XqBbiASba4k6Z'
Source: O782uurN5d.exe, ItkpMTGa7dNAIfyGXho.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: O782uurN5d.exe, SExFxEgrbSwfUhFtLoI.cs	High entropy of concatenated method names: 'OSagnsuMe5', 'MGDgHeigTI', 'UjtgWTFsbp', 'JTJgSWA9iw', 'uhrg4pQdkB', 'A7WgMZx1rr', 'y8SgcqZHCC', 'Lp3gy0ZYqv', 'hEDggVOWQ7', 'Mf3gdWj88i'
Source: O782uurN5d.exe, OeFaGTgRXdMC5WKcSVQ.cs	High entropy of concatenated method names: 'F6nRegCCwYlrm', 'J1rgtLi4rSrLfewFbyU', 'ShxDYiiIcoLi1HVZwa7', 'kaQoDVi5QiPiQQqQCvT', 'QFAarxiFsblvTXxpoYd', 'HL97dBiNlC6MaB8Ojqc', 'xpcIuyi7lJjAUOMN0we', 'BBZLyRi9bgwAeSGt6TU', 'o9tsXBihntF7Ro0PLUl', 'GQiLWKi2xvdlq46c06L'
Source: O782uurN5d.exe, Sv63LF8EtXEN2uF39kw.cs	High entropy of concatenated method names: 'erhch7g3Mg', '_1kO', '_9v4', '_294', 'oiWciF49EM', 'euj', 'Tticnyb5IB', 'yuXcHffl4M', 'o87', 'uPncWFunAP'
Source: O782uurN5d.exe, EWhR6wDq3nEI2iK1ALU.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: O782uurN5d.exe, cpHGUk8jBI7K6UF52t0.cs	High entropy of concatenated method names: 'X1CW2b9uvw', 'pDEWQoX5ss', 'YJLWpyJeiv', 'uPRWhLLIuV', 'YTUWiNgpfB', 'oCoaUETLxLi3aCiOY9X', 'mMZD42TDN5JM3oDP6bx', 'nFDuZPTRvTyd07yL0RX', 'UDIp2KTzebIBX8KWCTF', 'Cb42XEaByqRLZXnKdtX'
Source: O782uurN5d.exe, GsPfojggUm5CEVQL09.cs	High entropy of concatenated method names: 'JT1Da1s8U', 't6pU820OAUtBl29HcX', 'oYlGXRuw9GPoXK65hm', 'aWGcNu8eHm400xFPHV', 'jBdnTxKlWAnhLAucpL', 'dcZ2ARrgj2OD7Dch4Z', 'Jt70L7qAg', 'xXusHun0H', 'v9AGj9oUT', 'Gs269812Z'
Source: O782uurN5d.exe, MGfpq4x1wakvkUJ5b10.cs	High entropy of concatenated method names: 'bQUGQNEuA5', 'mNfGpHbvYi', 'ElpGh16aNV', 'xW5GigGLG5', 'ny2GnCiy7f', 'uxicTyIBLQFvKurILlG', 'EteRgZIH9Jx1qKHOolT', 'rFPmqi4Rc95oDNJPAJR', 'MfHy6U4zesCMCmWfZcs', 'OHE0pNISTU1XsWsSlXM'
Source: O782uurN5d.exe, Kw20Od8cxlWqJI3BcaA.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'R8lcVYw4vt', 'kvxc545LiZ', 'mLccqUMctw', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: O782uurN5d.exe, rfoLiYeFCbYgWIhNM7T.cs	High entropy of concatenated method names: 'PLG0qbNlf0', 'UuP0rHCGYj', 'hs1Tvvxg1mdFZWA7l6g', 'XcCHqMxyaAxaHsM6pmR', 'mNeTIgxxKnddIIKHfn0', 'gvcZDexQg1l1wiFK111', 'UBwq9vx7PPDKkmEqGZW', 'NM3gJHx9gPWy6tLJjVE', 'gd6dXwx4IZ8yWKjlSAU', 'duLkX8xITvGekI6eB9j'
Source: O782uurN5d.exe, WTO2gieruFZJJFd7bdI.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'X9dESP1MJXiwMvJDpJL', 'hI5dPd1GhwJHNDgFSv5', 'rut7hY1UAO728GjK5cB', 'hwhjOS1mirSFJHO4QjV', 'PPWeMD1wZD8k42Ih3UN', 'msJnKo1cpfWuhSWrhb3'
Source: O782uurN5d.exe, fBit9sVO5n4P6OVV6A.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'qjAoaPYVa', 'IToHMBShPY7H5fuKwO7', 'tnv4PqS25JGY28wUCHJ', 'hwfjHMSv4vNdndq7PoM', 'SqxxeXSEjVcmL8dloQM', 'XtAG8ISnkaS6JmwvoXj'
Source: O782uurN5d.exe, LoCVd0cS1qS0aUVwt8.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'X2DEgoZFI7yuqnd3OKC', 'wJP2DmZNMbDUiOyqk5X', 'gwpCVgZhebU5DcDCqr9', 'wtDF9HZ2jjkwMPTfWYA', 'IBjmuhZvgrCXQtULEXi', 'UneJWKZEk0sBCRbtE7A'
Source: O782uurN5d.exe, YGkEFxeaFv9N8xnKOqt.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'qKfx4bAAqgej0C0bogq', 'oyIoggA1b2LZ5cnfx94', 'IPPqseA6a8kTyJDD5BY', 'odtam4AyEm9GTmi6O3v', 'FAhTdZAxBZvvk9aYD5i', 'GaEBgwAghZZm7jJOUC7'
Source: O782uurN5d.exe, PH0vE70GFoxuT3hOGv1.cs	High entropy of concatenated method names: 'f4lI8yk7os', 'gBdIlASYHb', 'pYYI7hd1Tw', 'm59Ixmr6Xr', 'e2ZImGiJcd', 'JXUIavmii9', 'KANwkxhkfAgZNj3ALiV', 'BnJPJ2hPTtJConV1AZj', 'a5xoxohp1EQxi0xqaGU', 'EsDBq6hqJQdj3NMBNhr'
Source: O782uurN5d.exe, XBLMRs05EZBmQRS5V9y.cs	High entropy of concatenated method names: 'OJttP7PJjN', 'ADitE22hR2', 'BMJtupRbtk', 'shvoOmv91gcWMmFmD5m', 'vMseO0vQIE1J34903qh', 'sM9koSv7BOCiogQDNCx', 'zP9Pmuv4HMJkjoNjYEf', 'PRwtkPLjom', 'pxMtNm3sSP', 'v7btB5Hpuo'
Source: O782uurN5d.exe, EsLJA60HVaBhPXss3uC.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'm9Sd5Gon7C', '_168', 'j4hASloVffNtGsO4dmo', 'DiIpMuoOL5TOv88fo4f', 'wyD4fqoPhZwOK0T82yK', 'V9suyuopjoqe4dQvQUV', 'V2sbonokf9av8L5SGf0'
Source: O782uurN5d.exe, GXVMX4xxnMTJK9hPDwQ.cs	High entropy of concatenated method names: 'IrT0aHkiVG', 'jP50vDxqbo', 'e1i0XQI6uw', 'vti0LdLLRa', 'xEb09Ghxor', 'jVO0AGRDkX', 'e34AoJQFIVolDiEyvjB', 'CqqMcVQNTUg6XYXQZOm', 'nOVrgWQIgppPGUr9yBZ', 'W53sILQ5JcrOB8RYagQ'
Source: O782uurN5d.exe, XuJRAB0sXA1tS8FE0GL.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'Hpj5qny9R2', 'AmXd3jsY97', 'DtQ5rsQCXU', 'OdKdDffSaR', 'T9L328osIPotW9oEEtd', 'VEEm58oYTbyIMEmxa2H', 'CSB3umo304bXNqW8mhD'
Source: O782uurN5d.exe, ODCw57gOicTvVVVXpZG.cs	High entropy of concatenated method names: 'ro9Bi8iOk9RCErN8wvE', 'gxVODdiPyLKolybsiSN', 'TgppPuijJ5Ms4mke0DD', 'tgsGSGiVZDqhfZSj3py', 'aQigU1OgqA', 'kPHsbMiqa4esTuCPUVT', 'zlupsPiuhVcBxQhF4UK', 'OK97BXi8BtjoCcx1fxv', 'A6403di0AZtq03c1eRH', 'p6esOxiKdDjyEnbeiTI'
Source: O782uurN5d.exe, LjLJHs04HrXC5U8MwLa.cs	High entropy of concatenated method names: 'ClitvIpW1W', 'nxBtXfmasV', 'AL5tLKCwpH', 'UtiKh8vi5kO7h57oLPD', 'Clk14hvMXnWcqvZfepf', 'o5sEaAvGikePYXHZDhm', 'qkobxBvU5tkQgeDmgiP', 'jv0XKYvmh2XLh84obaJ', 'DPIn4pvwko5rkwIgmIS', 'YTfsc2vcmAs7vAqXOwr'
Source: O782uurN5d.exe, c8p1AT8xAnifsFKA9Bu.cs	High entropy of concatenated method names: 'kHnWtSY01T', 'jmyWVHUTPl', '_8r1', 'IXIW5sptQ1', 'jbxWqIcZ7b', 'Yr2Wrd8KFW', 'XdLW3Vhq94', 'drQnoVTIAgKG7r784nx', 'IfXpokT5dZjJce7uHyr', 'gMWKipTFiyCktUa9mS4'
Source: O782uurN5d.exe, kbyJDHeRinsw7cs0CMM.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'jmUMoyAhXU4MbjquWSg', 'hB4GpHA2NLAy4xtLlc9', 'icsq4jAvmMW1eL4AmIZ', 'ahJIsdAEjNmLBfw8h7G', 'd0QJXBAn8imQZQcfdCr', 'RvLaQiAo2JkGFeL6Gjc'
Source: O782uurN5d.exe, Q6qEUIzWAZUEOjD4WJ.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'gV0Qv5tlbXNaLnqI1SM', 'T3RdiXtZjtTGtUo1A9n', 'mxde9ytdneb61j9sXln', 'ynflYMtt5ckvITJrxg3', 'dqc2KntAYKQKWPXiAGB', 'HWdM0xt11Yxey3e1tHt'
Source: O782uurN5d.exe, frIaZ7GYT5muGQVawBm.cs	High entropy of concatenated method names: 'kg1kHDTpOq', 'fhYkStKje4', 'JBAkDsFRVF', 'EdKkUMLpp3', 'PSCkkBWIIx', 'YETkNas6th', 'MW9kBipPGd', 'NnOkjjtNVC', 'jT5k1Rh5KR', 'pgfkCCxOtX'
Source: O782uurN5d.exe, qV64PCxhV1YnbLYrs8N.cs	High entropy of concatenated method names: 't1s0HEQvdc', 'iJW0Wgphdo', 'Emy0SE6ZUk', 'LgNweVg0brvZWUSvGKY', 'LlnoKlgKy6hhSee0c6M', 'L49ANRgr4CQ36NsPEKs', 'jv56yig3Kak4PUtE9aA', 'QFnbOkgX4fLiZfqqRuM', 'avHgc6gsZR3J8BYMSLP', 'dFqKogguRnpdbnjxEyF'
Source: O782uurN5d.exe, yCxgLQDwsbOKyZGgY1E.cs	High entropy of concatenated method names: 'oKeHGcOKqu', 'J7IH6fNFu0', 'S7MHb1aGkF', 'U3FHI74qI8', 'mo6Ht05xj0', 'CvLHVDjXt1', 'iQCH5Zk04Z', 'WsOHqCF1Bk', 'g4OHrb2WKy', 'eHvH3Lk5KU'
Source: O782uurN5d.exe, B3wGmHH5VleK62gg83.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'JTJ65FdtYZxqDuN0SBo', 'w1kUx1dAg8ot8PgfCbC', 'retLesd1VUIg8ESmQBV', 'jVBW9Jd61UIkkXZLriA', 'zGVRTDdysxRYcrNhrma', 'Nedf4pdx0neyt2FoOZk'
Source: O782uurN5d.exe, wUUt5U03nU915REgHwk.cs	High entropy of concatenated method names: 'sg9', 'PqCdO0DD8T', 'NmJVFqqoso', 'TOyd0rx8Be', 'rwKmVpnGK5R0YPbq400', 'ar1ZFBnU51KyD8Sl3mG', 'hFMBEpnmOW2FVUfXCNv', 'jSVXLcnirIApSdEUY3D', 'fGQxtjnMmi9gpHLQ15s', 'FXJHbJnwiEqlPxJSdgj'
Source: O782uurN5d.exe, MQMSnde0FQnZTTqtxBh.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'H3l7LrtqPAOxtnT8i8u', 'HKDnHatux44pSs53duI', 'iOY0BHt8wMsEtJKNw6U', 'jvKylUt0VvUp3avQt6q', 'uURsLvtKm1LUqcGPmtg', 'YmxlIStroVDGAuxCDSV'
Source: O782uurN5d.exe, OXev0OBed6sHsqFN3B.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'O8YlbEiRF', 'ThGDxrSrvmAigcXXvn4', 'TJ4Aj3S39j88VQX72Ug', 'z2dBksSX06I0rGGdAqg', 'SroaZqSsfo8J9U5qCvN', 'O5GcFGSYELRq3YZWIbv'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O782uurN5d.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\Users\user\Desktop\O782uurN5d.exe

File created: C:\Users\Public\Desktop\spoolsv.exe

Jump to dropped file

Source: C:\Users\user\Desktop\O782uurN5d.exe	File created: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Jump to dropped file
Source: C:\Users\user\Desktop\O782uurN5d.exe	File created: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Jump to dropped file
Source: C:\Users\user\Desktop\O782uurN5d.exe	File created: C:\Recovery\System.exe	Jump to dropped file
Source: C:\Users\user\Desktop\O782uurN5d.exe	File created: C:\Program Files\Windows Sidebar\hKONDisxvRbjdh.exe	Jump to dropped file
Source: C:\Users\user\Desktop\O782uurN5d.exe	File created: C:\Program Files (x86)\Windows Portable Devices\hKONDisxvRbjdh.exe	Jump to dropped file
Source: C:\Users\user\Desktop\O782uurN5d.exe	File created: C:\ProgramData\WindowsHolographicDevices\hKONDisxvRbjdh.exe	Jump to dropped file
Source: C:\Users\user\Desktop\O782uurN5d.exe	File created: C:\Users\Default\hKONDisxvRbjdh.exe	Jump to dropped file
Source: C:\Users\user\Desktop\O782uurN5d.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hKONDisxvRbjdh.exe	Jump to dropped file
Source: C:\Users\user\Desktop\O782uurN5d.exe	File created: C:\Users\Public\Desktop\spoolsv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\O782uurN5d.exe	File created: C:\Program Files\Windows Multimedia Platform\hKONDisxvRbjdh.exe	Jump to dropped file
Source: C:\Users\user\Desktop\O782uurN5d.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\hKONDisxvRbjdh.exe	Jump to dropped file
Source: C:\Users\user\Desktop\O782uurN5d.exe	File created: C:\ProgramData\SoftwareDistribution\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\O782uurN5d.exe	File created: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Jump to dropped file

Source: C:\Users\user\Desktop\O782uurN5d.exe	File created: C:\ProgramData\WindowsHolographicDevices\hKONDisxvRbjdh.exe			Jump to dropped file
Source: C:\Users\user\Desktop\O782uurN5d.exe	File created: C:\ProgramData\SoftwareDistribution\RuntimeBroker.exe			Jump to dropped file

Source: C:\Users\user\Desktop\O782uurN5d.exe

File created: C:\Users\Default\hKONDisxvRbjdh.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\O782uurN5d.exe

File created: C:\Users\Default\hKONDisxvRbjdh.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\O782uurN5d.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\windows multimedia platform\System.exe'" /f

Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\O782uurN5d.exe	Memory allocated: 12B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Memory allocated: 1AF00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Memory allocated: 11C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Memory allocated: 1AC20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Memory allocated: D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Memory allocated: 1A960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Memory allocated: 2F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Memory allocated: 1AFA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Memory allocated: D40000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Memory allocated: 1A9F0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Memory allocated: E20000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Memory allocated: 1A960000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Memory allocated: D10000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Memory allocated: 1390000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\O782uurN5d.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\O782uurN5d.exe	Window / User API: threadDelayed 1216	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe	Window / User API: threadDelayed 909	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Window / User API: threadDelayed 362	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Window / User API: threadDelayed 363	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Window / User API: threadDelayed 363	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Window / User API: threadDelayed 364
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Window / User API: threadDelayed 361

Source: C:\Users\user\Desktop\O782uurN5d.exe TID: 7372	Thread sleep count: 1216 > 30	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe TID: 7364	Thread sleep count: 909 > 30	Jump to behavior
Source: C:\Users\user\Desktop\O782uurN5d.exe TID: 7384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe TID: 7868	Thread sleep count: 362 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe TID: 7596	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe TID: 8080	Thread sleep count: 363 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe TID: 7800	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe TID: 3748	Thread sleep count: 363 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe TID: 8164	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe TID: 4076	Thread sleep count: 338 > 30
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe TID: 8120	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe TID: 3104	Thread sleep count: 364 > 30
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe TID: 8136	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe TID: 1720	Thread sleep count: 361 > 30
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe TID: 1868	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Users\user\Desktop\O782uurN5d.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\O782uurN5d.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Thread delayed: delay time: 922337203685477

Source: O782uurN5d.exe, hKONDisxvRbjdh.exe.0.dr, hKONDisxvRbjdh.exe0.0.dr, hKONDisxvRbjdh.exe1.0.dr, spoolsv.exe.0.dr, hKONDisxvRbjdh.exe6.0.dr, hKONDisxvRbjdh.exe5.0.dr, RuntimeBroker.exe.0.dr, hKONDisxvRbjdh.exe4.0.dr, System.exe0.0.dr, hKONDisxvRbjdh.exe3.0.dr, System.exe.0.dr, Memory Compression.exe.0.dr, hKONDisxvRbjdh.exe2.0.dr	Binary or memory string: HGfsNOgf1s
Source: O782uurN5d.exe, 00000000.00000002.1713694476.000000001C59A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:

Source: C:\Users\user\Desktop\O782uurN5d.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\O782uurN5d.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\O782uurN5d.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\O782uurN5d.exe

Process created: unknown unknown

Jump to behavior

Source: C:\Users\user\Desktop\O782uurN5d.exe	Queries volume information: C:\Users\user\Desktop\O782uurN5d.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Queries volume information: C:\Program Files (x86)\Windows Multimedia Platform\System.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Multimedia Platform\System.exe	Queries volume information: C:\Program Files (x86)\Windows Multimedia Platform\System.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Queries volume information: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	Queries volume information: C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Queries volume information: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	Queries volume information: C:\Program Files (x86)\Windows Media Player\Memory Compression.exe VolumeInformation

Source: C:\Users\user\Desktop\O782uurN5d.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000022.00000002.1781845260.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1792324485.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1792324485.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1702012225.0000000003628000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1792348521.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1792034807.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1776738270.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1792034807.000000000299D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1710524182.0000000012F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1776805213.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1702012225.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: O782uurN5d.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hKONDisxvRbjdh.exe PID: 7920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hKONDisxvRbjdh.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Memory Compression.exe PID: 7960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Memory Compression.exe PID: 7976, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000022.00000002.1781845260.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1792324485.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1792324485.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1702012225.0000000003628000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1792348521.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1792034807.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1776738270.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1792034807.000000000299D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1710524182.0000000012F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1776805213.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1702012225.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: O782uurN5d.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hKONDisxvRbjdh.exe PID: 7920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hKONDisxvRbjdh.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Memory Compression.exe PID: 7960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Memory Compression.exe PID: 7976, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	213 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
O782uurN5d.exe	78%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
O782uurN5d.exe	100%	Avira	HEUR/AGEN.1323984
O782uurN5d.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\Public\Desktop\spoolsv.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	100%	Avira	HEUR/AGEN.1323984
C:\ProgramData\SoftwareDistribution\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Multimedia Platform\System.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Multimedia Platform\System.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	100%	Joe Sandbox ML
C:\Users\Public\Desktop\spoolsv.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	100%	Joe Sandbox ML
C:\ProgramData\SoftwareDistribution\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Multimedia Platform\System.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Multimedia Platform\System.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe	78%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files (x86)\Windows Media Player\Memory Compression.exe	78%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files (x86)\Windows Multimedia Platform\System.exe	78%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files (x86)\Windows Portable Devices\hKONDisxvRbjdh.exe	78%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Multimedia Platform\hKONDisxvRbjdh.exe	78%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Sidebar\hKONDisxvRbjdh.exe	78%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\ProgramData\SoftwareDistribution\RuntimeBroker.exe	78%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\ProgramData\WindowsHolographicDevices\hKONDisxvRbjdh.exe	78%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\System.exe	78%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hKONDisxvRbjdh.exe	78%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\hKONDisxvRbjdh.exe	78%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\hKONDisxvRbjdh.exe	78%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Public\Desktop\spoolsv.exe	78%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	O782uurN5d.exe, 00000000.00000002.1702012225.0000000003628000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582922
Start date and time:	2024-12-31 22:26:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	O782uurN5d.exe renamed because original name is a hash value
Original Sample Name:	09218598f4f0e650cf679a535b925359.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@41/43@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 62% Number of executed functions: 367 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Excluded IPs from analysis (whitelisted): 4.175.87.197, 20.3.187.198, 13.95.31.18, 13.107.246.45
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Memory Compression.exe, PID 7960 because it is empty
Execution Graph export aborted for target Memory Compression.exe, PID 7976 because it is empty
Execution Graph export aborted for target O782uurN5d.exe, PID 7324 because it is empty
Execution Graph export aborted for target System.exe, PID 7448 because it is empty
Execution Graph export aborted for target System.exe, PID 7488 because it is empty
Execution Graph export aborted for target hKONDisxvRbjdh.exe, PID 7920 because it is empty
Execution Graph export aborted for target hKONDisxvRbjdh.exe, PID 7944 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: O782uurN5d.exe

Simulations

Behavior and APIs

Time	Type	Description
21:26:56	Task Scheduler	Run new task: System path: "C:\Program Files (x86)\windows multimedia platform\System.exe"
21:26:56	Task Scheduler	Run new task: SystemS path: "C:\Program Files (x86)\windows multimedia platform\System.exe"
21:26:58	Task Scheduler	Run new task: hKONDisxvRbjdh path: "C:\Users\All Users\WindowsHolographicDevices\hKONDisxvRbjdh.exe"
21:26:58	Task Scheduler	Run new task: hKONDisxvRbjdhh path: "C:\Program Files (x86)\windows media player\Media Renderer\hKONDisxvRbjdh.exe"
21:26:58	Task Scheduler	Run new task: Memory Compression path: "C:\Program Files (x86)\windows media player\Memory Compression.exe"
21:26:58	Task Scheduler	Run new task: Memory CompressionM path: "C:\Program Files (x86)\windows media player\Memory Compression.exe"
21:27:01	Task Scheduler	Run new task: RuntimeBroker path: "C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe"
21:27:01	Task Scheduler	Run new task: RuntimeBrokerR path: "C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe"
21:27:01	Task Scheduler	Run new task: spoolsv path: "C:\Users\All Users\Desktop\spoolsv.exe"
21:27:01	Task Scheduler	Run new task: spoolsvs path: "C:\Users\All Users\Desktop\spoolsv.exe"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	bKxtUOPLtR.exe	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	199.232.210.172
	46VHQmFDxC.exe	Get hash	malicious	RedLine	Browse	199.232.210.172
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	199.232.214.172
	GYede3Gwn0.lnk	Get hash	malicious	Unknown	Browse	199.232.210.172
	Qu3ped8inH.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	DIS_37745672.pdf	Get hash	malicious	KnowBe4, PDFPhish	Browse	199.232.214.172
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	199.232.214.172
	222.msi	Get hash	malicious	XRed	Browse	199.232.214.172
	universityform.xlsm	Get hash	malicious	Unknown	Browse	199.232.210.172

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with very long lines (732), with no line terminators
Category:	dropped
Size (bytes):	732
Entropy (8bit):	5.886795484787177
Encrypted:	false
SSDEEP:	12:7fpkh7x5wVXB8GHUtM+7eLEbSdKtV4mYKMhB4mvo/8cSCgKlF2QmueKjn:7BkRKB8GHUtMvAWktCfDolrF2QmueKj
MD5:	9EC0124ED7AA581EA5A4604DBF882659
SHA1:	635152F6EE29339792AD9FC16FCF882F44551F7D
SHA-256:	D2FFC8B5B364F322C90E369C282FB9F4146E4D0E503D954EF1B54628C5EEA4F4
SHA-512:	F1067424F9F17FC8BFD1337D41A1E589C8609317750F75D2CD5F5FA2EF93319038A5EDB18D6212FDCE788C5A30AD616DFE9E7508442696F6AE6C6443C3C90736
Malicious:	false
Preview:	DRGDQaTXZbvn0xi4eRAHxtBAKBzYQjp2dZTqhSn0alFcAJypKZH6Fl5TPG2Ol5H0w3Jbe2WMnJrMoj9ANKN0csw2d9abZYPfeOpG9WKRD4S54toqG2BarQYEGR8fc5xO4Lra33B095xhZ17tUuUhXyyN0lArYpzIHDAsBOwN1Kbvd0oOUOKrlP1FXejR2TcTFpZV0PsF7GqNXCt96vXKfIh1M5UhpeVhsHpyaSYEgEuejosUukVH5Ry7IiJ54KacvIePW5inXSnaXCSiMAwEJNmaSsq2JcKVoRtbJc7yBrunnYjFQlt4YVShgE7oPqe4ISvFT0YtC7Dcd8w3IkmitQ6S9L5FfTjVMzfVmdwZM92aRzDhRDgoD5K1VdGH5SOtYsQndbQoyNVuYgAJIYybw4RQpn9JXoe4vJCjjZDzw100kadzc79gew6da980cHRJsb8PdbjsU8o4EbqPKJrZp7a8MjIkbNXpkqHJbOWAXQMfHCY9StqSZ1duAAC3T9RHl9TXTgx5xqCYv41KLIRrhFQsMWIbLcrY9F4IsApw5uetyF9GI2sKrjjfslK7YWtV9oYpAscKdfvwkg3HWCSTugqZfYZHzsXiAJuKqUGZahrMyw5MrDkVEakc89JlTVVuHMwawtbC623MzdlsdNZwICekiSLrKeGFM7ElAfZ7lhZMgYneXbIF5imFsL1ehu2bvyA1YAs8ycKkmSDKprTtWAJnV92y

C:\Program Files (x86)\Windows Media Player\Media Renderer\5811fce5ef954c

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with very long lines (493), with no line terminators
Category:	dropped
Size (bytes):	493
Entropy (8bit):	5.854083845735685
Encrypted:	false
SSDEEP:	12:mI5sIvUsDyk5+RzBgPCIA6CxywAXztQu1OkQ:3sIEk5sg3CEwiBQo5Q
MD5:	1063AF8E77E98247A416F23CDD745796
SHA1:	1CE0222B28A81011ED505D4F4FBA03784FF12426
SHA-256:	76AF4EEEE0E264D8BAF430B6E9970EDC0B87AB9F9C64C29940ADE78724237B35
SHA-512:	5034945E9AAAD2DEB6E5A0380E2B1FF8CEC99E8D3ABCE3CB043C1E35215C4D7B142B97714357780FB87D1120E58A44C57A25E33DFDEBF5AA000F8A8E311A02F9
Malicious:	false
Preview:	gGKnRojPpF2XCDT3ftS2Yep6UEU5MqWtPPYkiv98bgabTs2JtTdAJ2GBaNSNUoC8sJIxpsUttTa1DNmlLKL2MWjWJWJUcwoxdbsKkFeA9uQ0cO8NkqBJcKvWjvnSj9Q7pnXmecBGqK2cFt44Y6uvueUTpWkybLb9dTKy0VsHp4cSRTR01t3nPeMLSD6I2Npet39wiFDCNmG0BCCWEt6sSxu8G9gxYjOcO8jYTeRwp0ZnYWJPBkDJQ7M5IBpjiQnoXolDdoCjbKCbXHkt0RvyfFLQwnPSzrNYNvQtvFvXherF4vhBa6tRfzIRdUR0Yuut7oOm108ufYQBXFVBFO12852Xn8Qay58xt8IQg5Kj79wGiG4X8QuK22vBw083ki5jZdSZ7FeJDR48JvygD3biLy41MHeq6R9ZDNrFyfa3vkGk7w1ACczrGWYljbMzlyMwSf46EsshdiwksT3aPdnebSTryGgWTkR7XTSc155TtRNij

C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	943104
Entropy (8bit):	6.390100581235947
Encrypted:	false
SSDEEP:	12288:cwPhj+vvoKd012DE28tXXAqZQBHJRN1jmbPl+J8X8NE6f/D7SDnMNFsqH7/:c6Kd012iiBpRN1SjdX8N1/oE20
MD5:	09218598F4F0E650CF679A535B925359
SHA1:	021BA4BC51DBB9E2F3E3E4CC090B924F075E4C23
SHA-256:	A5D763A75A1E676476C9FC43B354C94F9E10180352E1CB8B7D1A60A69BBD195B
SHA-512:	B180908FEE4D5F05EE992B9CD76CD8E93139EDE19979A6ACE3B155F7CA811252A762B0C08230E54C08E27C1DC90448A42600E6EAEFB5199E0DF322E05530A485
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb....................6.......I... ...`....@.. ....................................@..................................H..K.................................................................................... ............... ..H............text...$)... ..................... ..`.sdata.../...`...0..................@....rsrc................^..............@..@.reloc...............b..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Windows Media Player\Memory Compression.exe

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	943104
Entropy (8bit):	6.390100581235947
Encrypted:	false
SSDEEP:	12288:cwPhj+vvoKd012DE28tXXAqZQBHJRN1jmbPl+J8X8NE6f/D7SDnMNFsqH7/:c6Kd012iiBpRN1SjdX8N1/oE20
MD5:	09218598F4F0E650CF679A535B925359
SHA1:	021BA4BC51DBB9E2F3E3E4CC090B924F075E4C23
SHA-256:	A5D763A75A1E676476C9FC43B354C94F9E10180352E1CB8B7D1A60A69BBD195B
SHA-512:	B180908FEE4D5F05EE992B9CD76CD8E93139EDE19979A6ACE3B155F7CA811252A762B0C08230E54C08E27C1DC90448A42600E6EAEFB5199E0DF322E05530A485
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb....................6.......I... ...`....@.. ....................................@..................................H..K.................................................................................... ............... ..H............text...$)... ..................... ..`.sdata.../...`...0..................@....rsrc................^..............@..@.reloc...............b..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows Media Player\Memory Compression.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Windows Multimedia Platform\27d1bcfc3c54e0

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with very long lines (495), with no line terminators
Category:	dropped
Size (bytes):	495
Entropy (8bit):	5.8402511174468055
Encrypted:	false
SSDEEP:	12:j3r7VH7o+GKIYnLUGr4n6gvtxAdADy2Axah++:jNDEXvtxoosc++
MD5:	82805F3E560DEB5E363CF531E4BD0E8D
SHA1:	63D9112167C9F12BF99017497A7BC103A2F8A019
SHA-256:	EE4EFEA207E470A08BE8A5656E53262A79849AE6F09095EF54BC1266B8FFABD4
SHA-512:	215885BDC8F68727AB0642F7F97A41941FA88F717FE9135E8A812679B656F5FCD5BB8EC716ADED8A16D1921AD9AE32ECA70FEE7D1A206B24B42293942FCB4A85
Malicious:	false
Preview:	cOdSFPuDLNd2nodsgSIpqPi2dGiCBJ7hmAoh4jQsYibKs10z5RsQolyMqky9qsCBP5Pm95y6CaRHyXKmPtGubr3BMb1TuRBpga5wlOzAcvOOTqYTaMt6lRjhBNaiDfMuYllXbXAB4GRpdprfCh2iiEEO0XuXxR67jdzsFA1CMrCfA3EWg4ffmnMThWhEmmNmJUGAz9aBqzV0CiO6SY13vaV5QfLsdwakdZVpxEghddzwSVR8IlvOuU1t9LtTxsi3ZvXmMiJO2UZRkin4OMk2ALzIimqmUMtv55Xg8pwjchWa4jIbhyFlIq2N6ODk1g3pkoWpKG6jaAadzYO9dPEgGHnPCKjtlLr5nqzQMdQa2gLHPZXh9EGmcXicAHmAgM7OSfzJi8wA9nnk6f9nwBugEFdQIXPF0Q3qi6zujO9BRGnyu8gfH9NecaJMCiBLtrKst6BAqPDhCsP8cogJ1t70CYOHwmsANyRk54Ex6fy26qctLLu

C:\Program Files (x86)\Windows Multimedia Platform\System.exe

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	943104
Entropy (8bit):	6.390100581235947
Encrypted:	false
SSDEEP:	12288:cwPhj+vvoKd012DE28tXXAqZQBHJRN1jmbPl+J8X8NE6f/D7SDnMNFsqH7/:c6Kd012iiBpRN1SjdX8N1/oE20
MD5:	09218598F4F0E650CF679A535B925359
SHA1:	021BA4BC51DBB9E2F3E3E4CC090B924F075E4C23
SHA-256:	A5D763A75A1E676476C9FC43B354C94F9E10180352E1CB8B7D1A60A69BBD195B
SHA-512:	B180908FEE4D5F05EE992B9CD76CD8E93139EDE19979A6ACE3B155F7CA811252A762B0C08230E54C08E27C1DC90448A42600E6EAEFB5199E0DF322E05530A485
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb....................6.......I... ...`....@.. ....................................@..................................H..K.................................................................................... ............... ..H............text...$)... ..................... ..`.sdata.../...`...0..................@....rsrc................^..............@..@.reloc...............b..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows Multimedia Platform\System.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Windows Portable Devices\5811fce5ef954c

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	5.219126169478352
Encrypted:	false
SSDEEP:	3:RjLr8qAuqPVJFj2QpwdgBPYSlxVKIu7fp/:Rvr8qAuq96dktHuTR
MD5:	478DAFA41BE0FEE2DA4CB6E3C746A73B
SHA1:	2830B69408B9E16A7692958E0F3BABD7B6D078CB
SHA-256:	4A0E936488F51CEBB5C6A9E343D9EBF9C8BA16370D60707D06C279D90FBD99EF
SHA-512:	6CD2D4CBD003C19D3A01363EE54D2C5773FCDBE7891DE3B2D062F67A0DA572526299EC68FD9DF3D03E25D96A6808DF921EA12501A6A5473B4B8008D3AB463821
Malicious:	false
Preview:	gCUOaoChktNV5F3W6e6l1V8WdS0lNtECSuW4VNSgIMxTn8EobUYO7mMLD8uIybT0oLCKt8AsLZ

C:\Program Files (x86)\Windows Portable Devices\hKONDisxvRbjdh.exe

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	943104
Entropy (8bit):	6.390100581235947
Encrypted:	false
SSDEEP:	12288:cwPhj+vvoKd012DE28tXXAqZQBHJRN1jmbPl+J8X8NE6f/D7SDnMNFsqH7/:c6Kd012iiBpRN1SjdX8N1/oE20
MD5:	09218598F4F0E650CF679A535B925359
SHA1:	021BA4BC51DBB9E2F3E3E4CC090B924F075E4C23
SHA-256:	A5D763A75A1E676476C9FC43B354C94F9E10180352E1CB8B7D1A60A69BBD195B
SHA-512:	B180908FEE4D5F05EE992B9CD76CD8E93139EDE19979A6ACE3B155F7CA811252A762B0C08230E54C08E27C1DC90448A42600E6EAEFB5199E0DF322E05530A485
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb....................6.......I... ...`....@.. ....................................@..................................H..K.................................................................................... ............... ..H............text...$)... ..................... ..`.sdata.../...`...0..................@....rsrc................^..............@..@.reloc...............b..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows Portable Devices\hKONDisxvRbjdh.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows Multimedia Platform\5811fce5ef954c

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with very long lines (528), with no line terminators
Category:	dropped
Size (bytes):	528
Entropy (8bit):	5.875495060380749
Encrypted:	false
SSDEEP:	12:vkgEx1nK3O5DWrtWLGJlLJhfP9VoyM/pGC7lrv9G:vUgcEW6H1h39izxGCNvE
MD5:	B7528A58BE1DE540672F64AD9ABE532A
SHA1:	60E91420F376DC853DB464BEEA0F183C1F91273A
SHA-256:	4466F7EEA1F3C52C265B6273DDD80C097FE729FCDB1FDD47D9B63AF3E5FF490E
SHA-512:	5051E04C4D93B8C445B6D0A99418D11279F7B0D61687747390CB07D5F0B3C8FC7FD10F92CECBFF2A70745A761C8F59579F0F8A3CB82DB66278009973A398BB5E
Malicious:	false
Preview:	fXfoKSi6tCkmJOmaRzqkY4c5v2V6m8qqcAWyx3Cqz0b6mY34XU03A8Il4j2R6mTvW3KJ1xnYwAvhcgTX9biSHwpe2v4OAvuMhqksNtCkqcGANkIYPfSeEBnjNqRG3ZYBPiAw5lJPY7lpppRRnf8ecPIgCAehc6rRDEuokVcoWDGGZ74iZ9dXa3jAaet5GlwcQUlk5mqRCUHYJBGFF6IddT1JftOGmgiuQnzFVTmwSLUGwL1YXozJdT87dcFLXkpfwWHfLBtwUVKR8uXU20t7qYR7o2m3OaYsgyUZDVMV5DzHJr8sEvTh0rzYFK0TZzi36bvJa8QgnXCniJx743ycH11y96U2e36Ff6Lr5ySGew4dpLz5W3YfAFwFj7KdnYCtb7Hl8GCGls7U6YJxGZflfaEaKFH8oydGuKBrEO6Q1S4SHbJLxWXO2aOB2qb38DbwP1kwXbt1cOtMfvSs66KSaOOT59zXwCSx0HDQ1WyWmfvnrCgHYt7B3JWAnQ0XmVEZ56VXrC0jIyp5ckm3

C:\Program Files\Windows Multimedia Platform\hKONDisxvRbjdh.exe

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	943104
Entropy (8bit):	6.390100581235947
Encrypted:	false
SSDEEP:	12288:cwPhj+vvoKd012DE28tXXAqZQBHJRN1jmbPl+J8X8NE6f/D7SDnMNFsqH7/:c6Kd012iiBpRN1SjdX8N1/oE20
MD5:	09218598F4F0E650CF679A535B925359
SHA1:	021BA4BC51DBB9E2F3E3E4CC090B924F075E4C23
SHA-256:	A5D763A75A1E676476C9FC43B354C94F9E10180352E1CB8B7D1A60A69BBD195B
SHA-512:	B180908FEE4D5F05EE992B9CD76CD8E93139EDE19979A6ACE3B155F7CA811252A762B0C08230E54C08E27C1DC90448A42600E6EAEFB5199E0DF322E05530A485
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb....................6.......I... ...`....@.. ....................................@..................................H..K.................................................................................... ............... ..H............text...$)... ..................... ..`.sdata.../...`...0..................@....rsrc................^..............@..@.reloc...............b..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Multimedia Platform\hKONDisxvRbjdh.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows Sidebar\5811fce5ef954c

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with very long lines (347), with no line terminators
Category:	dropped
Size (bytes):	347
Entropy (8bit):	5.8202010611394135
Encrypted:	false
SSDEEP:	6:Xr8K9TT7hI6DDLGtSEk+kVL5giwnb9IA/B7Ui8P/QSTdBlbPRfHQ81Ilvm7nHb:bbv3/LGhkJBwnbJUfPzTJblQ8d7
MD5:	BA92E1C4B5DA80432FD6169E9D416144
SHA1:	FA15F91544E19CA4FC550C623C3CC611EE93E4A9
SHA-256:	D3E2BCE79E8AB2FDD37D384A87296BEAC654D8C2D15D569366F7DFEDD9996A29
SHA-512:	91A1D9A5C577A497B362418549C5D018137CE39F87CE4635F0C68F8BC0E267ABE561ACC3D89895A607C970061EF883544A0DFE3914DD1785ED167E14AEC07F19
Malicious:	false
Preview:	0EqiK0XdKsq26ob645cTpCiJhnYPP5lRafyHWliHnPBqvwkARiTRrkpxfgBgcINPGZcb0TjSWUqaB1XuCY7rlUj00AlzkBpeCwkWTJJ79A4X3PwoJQeEKfnvzml0susVoLXPRBa3OAslaM6kN7qThlUgIygrhTPOSjss1hXIzkzKxCVnqAmuEYxD00GcetW5udS0dNsqkhd7wJsGc3BgqeK3vo1Aa4nGO4ZUteJcR6Kg50RrHA9lszOQSYFyWsPp4Ws1uYW8tjPuUo85XK2a4CYZpJCUZUFjqemiHZ6toB1Ike6naJbLzzv18TMlWBiZdpDzCZx8NJv3KPzKMY3P33u1tuk

C:\Program Files\Windows Sidebar\hKONDisxvRbjdh.exe

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	943104
Entropy (8bit):	6.390100581235947
Encrypted:	false
SSDEEP:	12288:cwPhj+vvoKd012DE28tXXAqZQBHJRN1jmbPl+J8X8NE6f/D7SDnMNFsqH7/:c6Kd012iiBpRN1SjdX8N1/oE20
MD5:	09218598F4F0E650CF679A535B925359
SHA1:	021BA4BC51DBB9E2F3E3E4CC090B924F075E4C23
SHA-256:	A5D763A75A1E676476C9FC43B354C94F9E10180352E1CB8B7D1A60A69BBD195B
SHA-512:	B180908FEE4D5F05EE992B9CD76CD8E93139EDE19979A6ACE3B155F7CA811252A762B0C08230E54C08E27C1DC90448A42600E6EAEFB5199E0DF322E05530A485
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb....................6.......I... ...`....@.. ....................................@..................................H..K.................................................................................... ............... ..H............text...$)... ..................... ..`.sdata.../...`...0..................@....rsrc................^..............@..@.reloc...............b..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Sidebar\hKONDisxvRbjdh.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\SoftwareDistribution\9e8d7a4ca61bd9

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with very long lines (526), with no line terminators
Category:	dropped
Size (bytes):	526
Entropy (8bit):	5.8562326610583
Encrypted:	false
SSDEEP:	12:pcLQIQjBxYyHlP8Y83Mznlw4zK4r12MA2fPCPIDuOWvNB5nPhJzHKWn:VI7yHBWmlS4rs34gIMNBxTzLn
MD5:	2E0C1569E2F65055BF4F69E31BB6890E
SHA1:	4051F0E8E3F314ADA5E2862D9D8CEAC9B99FB77C
SHA-256:	02F4E48C42339509BA47E5C253AAB10603576D379B10BA357E3018FC2917811F
SHA-512:	A9E1173743A0122337280315AB73D34C1B4D2830F66A95296BDD8EFDF88B0F835082DCA32C51311A3AB3745E9E4FB57B11F1E6FD8C3E1973074A704853688E9F
Malicious:	false
Preview:	auRaVrvqIaV2X3FeahCo734VBUoBomoZPDrDXeG21MVRnKrYzMUfk6ihz5ZBCtCfv6nULBG5aJxuhns0mQLbRIySeKOcFFzHKzfrgWMyFYEaJx9MNiYwikOnIV0Axo0VUqksHATQDXW2DXJqLBOgrDijl2iLfMBaitGdNRFMOIsLNWjvMKzvaToQHAHPcIu1V5TUQqc36BSiUXVOSx9VWPAOFzVMJ0uGX1zSCPefr5zYBF6to26oIZeG5FPaUQuFRLLciDMDTdnaZlN93lhR3F88XsW79DLbLtH04dLlp3VovDrU1PhstcMLMMFzrPDPSMPpeXFZa6lAuTMTBCFugcrsh5nrYV3azFWjyBzeKHSx1Lb3AwypJTszegHjtYBECKKo6mf9MljZK41VdtqmhORgXhFR3QuvGNvqBx7XRycitTokovFArZhx3oRYhNG50xS6JLUqwSVswswD2fnHKuErp7wWgi0Dsgr5BsacbZNYDzBL1OgCj8vGtlRLZ8JNcRAPA0CKELqvgp

C:\ProgramData\SoftwareDistribution\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	943104
Entropy (8bit):	6.390100581235947
Encrypted:	false
SSDEEP:	12288:cwPhj+vvoKd012DE28tXXAqZQBHJRN1jmbPl+J8X8NE6f/D7SDnMNFsqH7/:c6Kd012iiBpRN1SjdX8N1/oE20
MD5:	09218598F4F0E650CF679A535B925359
SHA1:	021BA4BC51DBB9E2F3E3E4CC090B924F075E4C23
SHA-256:	A5D763A75A1E676476C9FC43B354C94F9E10180352E1CB8B7D1A60A69BBD195B
SHA-512:	B180908FEE4D5F05EE992B9CD76CD8E93139EDE19979A6ACE3B155F7CA811252A762B0C08230E54C08E27C1DC90448A42600E6EAEFB5199E0DF322E05530A485
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb....................6.......I... ...`....@.. ....................................@..................................H..K.................................................................................... ............... ..H............text...$)... ..................... ..`.sdata.../...`...0..................@....rsrc................^..............@..@.reloc...............b..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\SoftwareDistribution\RuntimeBroker.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\WindowsHolographicDevices\5811fce5ef954c

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with very long lines (463), with no line terminators
Category:	dropped
Size (bytes):	463
Entropy (8bit):	5.822714061856721
Encrypted:	false
SSDEEP:	12:Iyn8kZeegOBhfLs37LqRlu/L7wHBmItEX4/Iz9dQ:/cshw3HqRluT78BmIwKwdQ
MD5:	B4E1E304393E30E537BBB9E4FCE13372
SHA1:	8F3E60D415644547A68B2C884B6FEA1B21363C7B
SHA-256:	CD4109D6A1BBF1EC4EDA516760692B2028BC95FCE908DE915AB97A20EE63F5FE
SHA-512:	BDD0876E2E1A69EB8FE52EFF88281E93D9F5E1869E867D2B1E847F8DA51C465CC1ADB6C6DC2F64704046D54C77B5C6978A990160A5CEEB3DA43434ED3AF2FCAD
Malicious:	false
Preview:	T4CJWT2vGmh0wSq3m7vkfxHYPjpNjQBaYuYhYJw19pHCxceYofEUYY6gxo4wnoMzlHbB4IfdL4l0qEkxFRiEMqC9x2tuO9NUcRbqAcdf9lJdwGztDHrWFIn5EcNBYvOLqRXYm4wmxCElgiNqCAqHR0OUogliOcGNW8wetaGJUEjDDBYgOh9YEH30CDtGSNYV50Oiws7m4hwNRLQmIFTrcsIPE6cqqA0HqOHNxztgjWehUqi1wH7M3q2Nr9ezQR53qpgDEDzSVxIGOl5YYk3jCnN9V4fyV4PSbk1oJfxsRp1Fiw8GDFbpXV1CcgrKiA6bizontQO2xLRXwHbj5YuPdj5FtyMmxmKQsahsHUWx1i2MEePUFHOJQq784j44DlEKAAoWjsckC6Y4rtBPj1hqYBABciyiabtPerLDz3uWpoGTSDRLhoVMDYw8Am4B43JkNIa9h8ZpGLAt4qt

C:\ProgramData\WindowsHolographicDevices\hKONDisxvRbjdh.exe

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	943104
Entropy (8bit):	6.390100581235947
Encrypted:	false
SSDEEP:	12288:cwPhj+vvoKd012DE28tXXAqZQBHJRN1jmbPl+J8X8NE6f/D7SDnMNFsqH7/:c6Kd012iiBpRN1SjdX8N1/oE20
MD5:	09218598F4F0E650CF679A535B925359
SHA1:	021BA4BC51DBB9E2F3E3E4CC090B924F075E4C23
SHA-256:	A5D763A75A1E676476C9FC43B354C94F9E10180352E1CB8B7D1A60A69BBD195B
SHA-512:	B180908FEE4D5F05EE992B9CD76CD8E93139EDE19979A6ACE3B155F7CA811252A762B0C08230E54C08E27C1DC90448A42600E6EAEFB5199E0DF322E05530A485
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb....................6.......I... ...`....@.. ....................................@..................................H..K.................................................................................... ............... ..H............text...$)... ..................... ..`.sdata.../...`...0..................@....rsrc................^..............@..@.reloc...............b..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\WindowsHolographicDevices\hKONDisxvRbjdh.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\27d1bcfc3c54e0

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	144
Entropy (8bit):	5.645997579041044
Encrypted:	false
SSDEEP:	3:GuA/vR2hQQOlYxVyILJnQZBB+zYWA1HLkVqMD23qW3Q:GBvRaQQtTyI1QZBEzYW+kMMq3qW3Q
MD5:	1A251830A28B7D2D1DE74CFFFCB95C22
SHA1:	1155EDD85208B1C8518E02884DABD04886335FBB
SHA-256:	CD1C917A63FCC8A11581FFE0DDB8DF3D569E03AB39577F93D156DC9E2866D519
SHA-512:	74BF1132A34C58C8F39730175613546EFC605E0022E931CB9A1969A9BE606F6DAED4CB33994C11BFFD9FEEAC591E9754BB40580588ECB19D2F161DFB690F7A06
Malicious:	false
Preview:	3iWHHiJMxLNAEJrAz2oZTcTuCd4Tgq8LqBYV0jRSd59pbrpQoWJlTpzbOmEonzpGNCTDuVJQkV6XdnSVyopJhW1BL7GOenonP2cZXlgSM2A7tb8lUt09Kgi0LS2wP5v7rSHkL27MIW7oV3Ru

C:\Recovery\System.exe

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	943104
Entropy (8bit):	6.390100581235947
Encrypted:	false
SSDEEP:	12288:cwPhj+vvoKd012DE28tXXAqZQBHJRN1jmbPl+J8X8NE6f/D7SDnMNFsqH7/:c6Kd012iiBpRN1SjdX8N1/oE20
MD5:	09218598F4F0E650CF679A535B925359
SHA1:	021BA4BC51DBB9E2F3E3E4CC090B924F075E4C23
SHA-256:	A5D763A75A1E676476C9FC43B354C94F9E10180352E1CB8B7D1A60A69BBD195B
SHA-512:	B180908FEE4D5F05EE992B9CD76CD8E93139EDE19979A6ACE3B155F7CA811252A762B0C08230E54C08E27C1DC90448A42600E6EAEFB5199E0DF322E05530A485
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb....................6.......I... ...`....@.. ....................................@..................................H..K.................................................................................... ............... ..H............text...$)... ..................... ..`.sdata.../...`...0..................@....rsrc................^..............@..@.reloc...............b..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\System.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Default\5811fce5ef954c

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with very long lines (739), with no line terminators
Category:	dropped
Size (bytes):	739
Entropy (8bit):	5.903426614006376
Encrypted:	false
SSDEEP:	12:wA+5JK+eo4KUSw8v0cXd2NPARRm9kolJz84XIuoKOLzEpeq1/O+fxxi4ym2j34Cz:2kFoHUovlN2NPARA9kolJz84XiG1/O+S
MD5:	82BFB4ABDF8245D75AE756AE05506382
SHA1:	629F0E5F490A9ECAA2E7BD045EA08C4736DA14A0
SHA-256:	496A45C95DD29E4BA8DB9E27A16063C8DC363B110B75F8C6B8C848BAFEEACDA5
SHA-512:	51DC3E704EA0A524744563A98E78065184B1318B1B039329F24A506947D13DFCE96A1FA2593517BD831461535E427D07BCBDA1BD8A4FAB37D793CB9BDC64C50F
Malicious:	false
Preview:	rLNufun6Boh2VUQQeX8UOmMzStC5zkiRf87is8Nuf0xlzWlpxCwXDPeF9YbwsrHaFQXWXrhfKOyYzk96HXIwyLNQd1iTgbBxtWfj8PRFeRMzaGQYYfoVjUm4CH2fIN8tMBpcFa71FCSg9YzXlJ5BwqNYulh1Ww6QScmZbyT7hxPhCF5nRf39S67fxQrd3GeTFBOgwa5xz7e8bqWpq3j1278VfGlLG0EbS6bB0Y10jGJUc8EH4Cx9gmbHC2Bpzuq93CqeOUyRCsSvyo2gCeQDCF4pfT88XLByZJbaSj2jOg6xUpTY9emVen7yHA94Wz30rdWoMcNdlrzgIHUzAj82jqUwMnSSj8NYmFG1ToLgRJtwyapApJ4w1ARAIjcjK43nda4CAdgVYblZ6h7v7RnaEaglyFstLlWWPGTXgn9LniYaZ2Eklqm3RdjD3SO5uwJwFOJzOkPURbwfCGM6BHHe9cFwhPeNYEb0YlVLsOWBbSl0qDBwGS4mopxmIXR8FB5NA6HavANwvGDq1PGeOrHGKyLtysCV7X5ZXYzt6kBFEI1ilGv3QxuY3yDLvXlC82yYKnTcZWinqCBC7nHr7JEKnhfjVo8i98GMTdX7xSd4OGs1wAOHQ4FyxounHtGvX9or5ztePJ3opK5hyowUZ0SF2RZosu0DMshObA57Ru2GAbJntNyd7wVgrjynZEweTzc6mqFyszCp8LEbIv4e6XGZWAg1LShM8XxK9MA

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\5811fce5ef954c

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with very long lines (918), with no line terminators
Category:	dropped
Size (bytes):	918
Entropy (8bit):	5.92372245071908
Encrypted:	false
SSDEEP:	24:at1jMW9AAThgZi2Rob/PWdfN4wMuPJCVK1HeJt917pbTcTa:Y1P9Af5eGBNMVh91lgTa
MD5:	CB18A952A5EE25C4B768939B29864E1D
SHA1:	422534DC11B0412FD0162376D467764150295EFF
SHA-256:	D84C0BE7754DD2F60AA09A193F21FB25FE21CC51ED4CA938CB07A3E80D68013A
SHA-512:	060A477100136141F59AD8D9D33BC95B58A64ECC2B89D7713E35B8CF338D8E78133F7F5BB3208587703BD3705C78B8AF42A6E840E8A799066729AD083970ECF2
Malicious:	false
Preview:	bGlBVd8pD2rteBY8HSgj4LGSz9v2wIarj4tGw24Z5Ex0C0TL7ZfJ6FAPASMWrG35b9JkSSLPYGo0YPP8pj4XnQve4dGeqhrzK2YCrt2pOQv0bK1uCNqHLgRLOpqzLqi0Yzpg0NR6rPIXf5DtmVbc1jnokNyCDDdhr4clfV3z6ta5X4qTl6MzPF9yLA5nYP3nwlpkdbOQclgHJrQpgfaG0nRl5nZeZQbq0xJvPG0Kr6Xni1peuPG3ywwIUEozBu0MKzRVheaapQZ4QnCE85tKJh2DABbKbAI6FLdsjT6PzpOiX22qBk0GAqCm7NVgDP9oHcyEKTfp9eUeTTqIJuJ1KC6YJ0vV8ZMjqka4DxgsFKGgVhTnhMXSGIdFgZ5TiJrjRvyt2vFWObv95ZDlhHyvC4chGVYn1NJ5dhOktjuvHBEpWdJGWTvaV5gXSQmhXbeAR0gYLc28WCoB0xLmMSRhbtjhA1Sc6NYqgDYf7u44bxESReheF9UEK6ihQ8XUKZBIo8fwYppbXWGooQQgTxW73Tgje0O9XkuBw5oT9uGaU2qx042Ar1AWDEPUb5SiaqExmE1tm7hjr6mAnstj7ORfkX8spU1EchAox3KwCJYuUbpHbPrtLskLYjMOFJERGdGJ58Mti7gy0hLIs1QanI2t7yPOq5q3FGn1UfLdC7KOLvV1XDgO2oo8kXLHs8CmQntu3UyMqxXp7nhLdX0mZbAacpQ6TDuE5i7hCl8CPTiFQ9A7zAoUHZNznSRNE12mCTuZp9J2ZxXF34KcoSHTZZ7fVI4tTu8Xb5C7OlR00v5TCH6sIzivujNmVPEhFZjpz9o71MNDBQcnencNMLleLMm2sal9huubMQdCd816lfudGjIsw0V3yFdnWwObkOgRfBaOJZtNUp3qbJvJS3NqY1mHw0

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hKONDisxvRbjdh.exe

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	943104
Entropy (8bit):	6.390100581235947
Encrypted:	false
SSDEEP:	12288:cwPhj+vvoKd012DE28tXXAqZQBHJRN1jmbPl+J8X8NE6f/D7SDnMNFsqH7/:c6Kd012iiBpRN1SjdX8N1/oE20
MD5:	09218598F4F0E650CF679A535B925359
SHA1:	021BA4BC51DBB9E2F3E3E4CC090B924F075E4C23
SHA-256:	A5D763A75A1E676476C9FC43B354C94F9E10180352E1CB8B7D1A60A69BBD195B
SHA-512:	B180908FEE4D5F05EE992B9CD76CD8E93139EDE19979A6ACE3B155F7CA811252A762B0C08230E54C08E27C1DC90448A42600E6EAEFB5199E0DF322E05530A485
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb....................6.......I... ...`....@.. ....................................@..................................H..K.................................................................................... ............... ..H............text...$)... ..................... ..`.sdata.../...`...0..................@....rsrc................^..............@..@.reloc...............b..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hKONDisxvRbjdh.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\5811fce5ef954c

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with very long lines (762), with no line terminators
Category:	dropped
Size (bytes):	762
Entropy (8bit):	5.902315182140428
Encrypted:	false
SSDEEP:	12:vFWwGS6MzubG0niQHEfnV5eR5gddWPfDUrzlohjMgXRg2Ic0d/ne6wUiBVvl38Z:k26I0NkwQdWPfDUrqhYgpd0VDhU6
MD5:	7CFCC8A4355DBBFEA0AC8C539D8A4772
SHA1:	12C31CA07794F25D6985763A65C87DDF46639CFE
SHA-256:	2A8FC1863520756936E3ECE00173224DD83C8F98204121086E134F5179D03BF5
SHA-512:	B61A92BDD09A87FEE11AB2F7E3D7709DF54CC75A63ABEB3A8B35D62FB74438EAA914E37AC5F4F8EC333991AAE63C21494B20F8342928902B5C2AFE1FF3328F6F
Malicious:	false
Preview:	FWsKRcYBdaIqz0aIEvoWgZH3U3CS5n2Uw3l7AMsrPTgcq7Fjbg3oEBOqOzzYZFGzhy45OdI2C7HM2pNXyd1YtNQvp5sKWURJNq41CJU8YBmG3Bxjmck6OrFUhIQTv7fsq89MuVUoJ3AslJ2oIIi3uU5gkkU43BNaf3a5ClyQI5wUqXsYQmLmYm7VCclKBZvIqjMrs7lhURvzhkzM15oR0kB35F2j9oPsJooGLBpSAnSG0IxbmYSFveSFhSvnEChpCCp36sB0PVQMS4DwSb6lVJ7oWji3PCO8GmExd3f3XczZNGwmP8VnF6U2FAhXKHkNHSFq0PTY6DO2ThbQw5oQrk2KRLscWHtP1mS4AGw9p7rCrbjijRkOdUgga4Zpg1ByT8BrOgPqJolt30czmK3FhfvhFveFrHdx53ssa1TCB4EyswnjcjCW75RxNelcCJ9CLxyAHtZu00Dmb6yTI4nHEG0Al5f6P0A25Cn58mbsJRgH1oWQpSUHf17F7xYMNdf90LqZT3Vgd48wjsI6iPQ7g2WEEi7KNOepwgQq877v6yok2LfOpbn8Mhd8ymUu6KSOaS9Dbb8lSeBsNvL3DsfwkgdPDS2VmMzvfaKkLbxNcCqsguuCabrNpgn4zuAIin9FoPMxllsl5RTizvtSi05KemG9wQuabopzCkDQi6bytGSYNEEEAsksrylCJNBU1RKRldgPrctmYHbYUrwsLqatD6IN9AHU5G7c6AwtizWi87TkXMsbaSIL1aNpVS

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\hKONDisxvRbjdh.exe

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	943104
Entropy (8bit):	6.390100581235947
Encrypted:	false
SSDEEP:	12288:cwPhj+vvoKd012DE28tXXAqZQBHJRN1jmbPl+J8X8NE6f/D7SDnMNFsqH7/:c6Kd012iiBpRN1SjdX8N1/oE20
MD5:	09218598F4F0E650CF679A535B925359
SHA1:	021BA4BC51DBB9E2F3E3E4CC090B924F075E4C23
SHA-256:	A5D763A75A1E676476C9FC43B354C94F9E10180352E1CB8B7D1A60A69BBD195B
SHA-512:	B180908FEE4D5F05EE992B9CD76CD8E93139EDE19979A6ACE3B155F7CA811252A762B0C08230E54C08E27C1DC90448A42600E6EAEFB5199E0DF322E05530A485
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb....................6.......I... ...`....@.. ....................................@..................................H..K.................................................................................... ............... ..H............text...$)... ..................... ..`.sdata.../...`...0..................@....rsrc................^..............@..@.reloc...............b..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\hKONDisxvRbjdh.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Default\hKONDisxvRbjdh.exe

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	943104
Entropy (8bit):	6.390100581235947
Encrypted:	false
SSDEEP:	12288:cwPhj+vvoKd012DE28tXXAqZQBHJRN1jmbPl+J8X8NE6f/D7SDnMNFsqH7/:c6Kd012iiBpRN1SjdX8N1/oE20
MD5:	09218598F4F0E650CF679A535B925359
SHA1:	021BA4BC51DBB9E2F3E3E4CC090B924F075E4C23
SHA-256:	A5D763A75A1E676476C9FC43B354C94F9E10180352E1CB8B7D1A60A69BBD195B
SHA-512:	B180908FEE4D5F05EE992B9CD76CD8E93139EDE19979A6ACE3B155F7CA811252A762B0C08230E54C08E27C1DC90448A42600E6EAEFB5199E0DF322E05530A485
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb....................6.......I... ...`....@.. ....................................@..................................H..K.................................................................................... ............... ..H............text...$)... ..................... ..`.sdata.../...`...0..................@....rsrc................^..............@..@.reloc...............b..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Default\hKONDisxvRbjdh.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Public\Desktop\f3b6ecef712a24

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with very long lines (348), with no line terminators
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.837380787926723
Encrypted:	false
SSDEEP:	6:6ztnLGNlbQ4dnvKKIKKSu7kdBtHQBPF1G9k1DkW0OSeGpvYkT:6pLalbQEvKhKKSu7kr1OPFj1f0Or+vh
MD5:	C817E6180841785617BD16AC29D5916D
SHA1:	015A409F9F5A230DC6F1AF58F38A077B0F225FD9
SHA-256:	CC9D543321BEFA3A4310F9BE2EED5C93FD54E03D95146B9509713C5FC8B63C26
SHA-512:	E1F322334BE9F4CECAE1F316A20E14D4D4F5C76D7469E1DA279FEFDCBB7BF523E0558A895C1A45F9185AA9596C7C86B4EAB43520FF07A94E5DC88A22C69BE9D1
Malicious:	false
Preview:	9LNH8MWO2QzMYAbiTiUvJEuHANQyhAJwp8SQny6HXDVRumeOFNPj06L5bGHv5hq2GCgasL5flNYGtdWYsCtUuk6twXyhqLL0WdKrFEg3Ru7niFM8usC3xWHgGwnUXXzaBhtQSoSofzCAnTKrL0x7ISCAVolSbMg44glAW6pFaYY8TH2wm5Jgk1Rtfs4nC9MTSIFGrKVPKrht3DrOwyqfCATDO2enBCCaLFpKBvFbk4V3TizbBq1OSrQSzB1zprNIpGhyXgMAtP5HoZuqCCmVKyIeyXV93Qv2rNNNAADed1eDwInZRLwmF2708DAALMGcdCabMhqC9I1TTFspu5sseJxyPWO6

C:\Users\Public\Desktop\spoolsv.exe

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	943104
Entropy (8bit):	6.390100581235947
Encrypted:	false
SSDEEP:	12288:cwPhj+vvoKd012DE28tXXAqZQBHJRN1jmbPl+J8X8NE6f/D7SDnMNFsqH7/:c6Kd012iiBpRN1SjdX8N1/oE20
MD5:	09218598F4F0E650CF679A535B925359
SHA1:	021BA4BC51DBB9E2F3E3E4CC090B924F075E4C23
SHA-256:	A5D763A75A1E676476C9FC43B354C94F9E10180352E1CB8B7D1A60A69BBD195B
SHA-512:	B180908FEE4D5F05EE992B9CD76CD8E93139EDE19979A6ACE3B155F7CA811252A762B0C08230E54C08E27C1DC90448A42600E6EAEFB5199E0DF322E05530A485
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb....................6.......I... ...`....@.. ....................................@..................................H..K.................................................................................... ............... ..H............text...$)... ..................... ..`.sdata.../...`...0..................@....rsrc................^..............@..@.reloc...............b..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Desktop\spoolsv.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Memory Compression.exe.log

Download File

Process:	C:\Program Files (x86)\Windows Media Player\Memory Compression.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\O782uurN5d.exe.log

Download File

Process:	C:\Users\user\Desktop\O782uurN5d.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1740
Entropy (8bit):	5.36827240602657
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpaqZ4x
MD5:	B28E0CCD25623D173B2EB29F3A99B9DD
SHA1:	070E4C4A7F903505259E41AFDF7873C31F90D591
SHA-256:	3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
SHA-512:	17F5FBF18EE0058F928A4D7C53AA4B1191BA3110EDF8E853F145D720381FCEA650A3C997E3D56597150149771E14C529F1BDFDC4A2BBD3719336259C4DD8B342
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Download File

Process:	C:\Program Files (x86)\Windows Multimedia Platform\System.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hKONDisxvRbjdh.exe.log

Download File

Process:	C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.390100581235947
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	O782uurN5d.exe
File size:	943'104 bytes
MD5:	09218598f4f0e650cf679a535b925359
SHA1:	021ba4bc51dbb9e2f3e3e4cc090b924f075e4c23
SHA256:	a5d763a75a1e676476c9fc43b354c94f9e10180352e1cb8b7d1a60a69bbd195b
SHA512:	b180908fee4d5f05ee992b9cd76cd8e93139ede19979a6ace3b155f7ca811252a762b0c08230e54c08e27c1dc90448a42600e6eaefb5199e0df322e05530a485
SSDEEP:	12288:cwPhj+vvoKd012DE28tXXAqZQBHJRN1jmbPl+J8X8NE6f/D7SDnMNFsqH7/:c6Kd012iiBpRN1SjdX8N1/oE20
TLSH:	181529027E64CE01F0092633C2FF464857B4AD5166AAE32B7DBA376E15123A73C1D9DB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rb.................*...6.......I... ...`....@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4e491e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6272A3D7 [Wed May 4 16:03:35 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe48d0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xea000	0x218	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xec000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe2924	0xe2a00	225fa6f75bab8434b991a09c88fc2057	False	0.5578558070187535	data	6.429483441987559	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0xe6000	0x2fdf	0x3000	e6e491fbaf906945fbf45c90eee5684a	False	0.3102213541666667	data	3.242346268210948	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xea000	0x218	0x400	fe30126a2ac95e736556a2595a08297f	False	0.263671875	data	1.8390800949553323	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xec000	0xc	0x200	b3e4ef474b51367091dae5336a7a1e45	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xea058	0x1c0	ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970	English	United States	0.5223214285714286

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 22:27:14.110336065 CET	1.1.1.1	192.168.2.4	0xe92a	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 31, 2024 22:27:14.110336065 CET	1.1.1.1	192.168.2.4	0xe92a	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	16:26:55
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\O782uurN5d.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\O782uurN5d.exe"
Imagebase:	0xcb0000
File size:	943'104 bytes
MD5 hash:	09218598F4F0E650CF679A535B925359
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1702012225.0000000003628000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1710524182.0000000012F11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1702012225.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:26:56
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\windows multimedia platform\System.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:26:56
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\windows multimedia platform\System.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:26:56
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windows multimedia platform\System.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:26:56
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windows portable devices\hKONDisxvRbjdh.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:26:56
Start date:	31/12/2024
Path:	C:\Program Files (x86)\Windows Multimedia Platform\System.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows multimedia platform\System.exe"
Imagebase:	0x8b0000
File size:	943'104 bytes
MD5 hash:	09218598F4F0E650CF679A535B925359
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.1776805213.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 78%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:26:56
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:26:56
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows portable devices\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:26:56
Start date:	31/12/2024
Path:	C:\Program Files (x86)\Windows Multimedia Platform\System.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows multimedia platform\System.exe"
Imagebase:	0x640000
File size:	943'104 bytes
MD5 hash:	09218598F4F0E650CF679A535B925359
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000008.00000002.1776738270.0000000002961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:26:56
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\hKONDisxvRbjdh.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:26:56
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:26:56
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:26:56
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\PrintHood\hKONDisxvRbjdh.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:26:56
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Users\Default User\PrintHood\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	16:26:56
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\PrintHood\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	16:26:56
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\System.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	16:26:57
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\System.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	16:26:57
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\System.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	16:26:57
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows media player\Memory Compression.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	16:26:57
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "Memory Compression" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\Memory Compression.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	16:26:57
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\Memory Compression.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Recent\hKONDisxvRbjdh.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Users\Default User\Recent\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Recent\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WindowsHolographicDevices\hKONDisxvRbjdh.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\WindowsHolographicDevices\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows media player\Media Renderer\hKONDisxvRbjdh.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\Media Renderer\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows media player\Media Renderer\hKONDisxvRbjdh.exe"
Imagebase:	0xd40000
File size:	943'104 bytes
MD5 hash:	09218598F4F0E650CF679A535B925359
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001D.00000002.1792348521.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 78%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows media player\Media Renderer\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows media player\Media Renderer\hKONDisxvRbjdh.exe"
Imagebase:	0x640000
File size:	943'104 bytes
MD5 hash:	09218598F4F0E650CF679A535B925359
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001F.00000002.1792324485.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001F.00000002.1792324485.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Program Files (x86)\Windows Media Player\Memory Compression.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows media player\Memory Compression.exe"
Imagebase:	0x620000
File size:	943'104 bytes
MD5 hash:	09218598F4F0E650CF679A535B925359
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000021.00000002.1792034807.0000000002961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000021.00000002.1792034807.000000000299D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 78%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Program Files (x86)\Windows Media Player\Memory Compression.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows media player\Memory Compression.exe"
Imagebase:	0x500000
File size:	943'104 bytes
MD5 hash:	09218598F4F0E650CF679A535B925359
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000022.00000002.1781845260.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\hKONDisxvRbjdh.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	16:26:58
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdh" /sc ONLOGON /tr "'C:\Users\Default User\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	16:26:59
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hKONDisxvRbjdhh" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\hKONDisxvRbjdh.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFD9B893545 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

X_H, xrefs: 00007FFD9B8935CD

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID: X_H
API String ID: 0-215283271
Opcode ID: 0b096b59d2e2abfaaab291ce144dd7c0c69ecd0c9d321f9ac4d23eb0a4cbd6f0
Instruction ID: 384266939011c598658e5c00ef1f3f354e60e034d2f835f39153b96e122b0ef7
Opcode Fuzzy Hash: 0b096b59d2e2abfaaab291ce144dd7c0c69ecd0c9d321f9ac4d23eb0a4cbd6f0
Instruction Fuzzy Hash: 37A19171A1994E8FEB58DB68D8697A9BBE1FF59350F4001BAD00DD32D6DFB825018B01

Function 00007FFD9B891638 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f42623a2cf8a0c43697694d198988aa89b4a9185ae430e336b88f65436994de
Instruction ID: 8e52fea84545a5386931e61bd9af77667d44993031a0ec92e6ff1dfeab3e4fdf
Opcode Fuzzy Hash: 5f42623a2cf8a0c43697694d198988aa89b4a9185ae430e336b88f65436994de
Instruction Fuzzy Hash: 0381E031B1DA4D4BEF58EF5C88615A97BE2EFD8304B05457AE49DC32A6DE34AD028780

Function 00007FFD9B8A5220 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92045759576e5f80dbc2e20a5a92fbe4eec27f45cbb2be1a2b61dd6c241d739
Instruction ID: 6d51b63df632b7e9c15a2148b896c67a6d28fc3f8ebb225f9584cc7ced756d2e
Opcode Fuzzy Hash: f92045759576e5f80dbc2e20a5a92fbe4eec27f45cbb2be1a2b61dd6c241d739
Instruction Fuzzy Hash: 88616F70E0991D8FDFA4EBA8D8697EDB7F1FF59310F50006AD00DE72A1DA7569818B40

Function 00007FFD9B891C9D Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e365eb2a63107e002bd57d1ce50b377aca782da9f3d87d5024d2b3e79504855
Instruction ID: 913205c14b098881718bf422b83be390996c16323d7eee1547c4aab22651798d
Opcode Fuzzy Hash: 1e365eb2a63107e002bd57d1ce50b377aca782da9f3d87d5024d2b3e79504855
Instruction Fuzzy Hash: 0951E131B0DB8E4FDB59DF1888605AA7BE2FF98304B15467ED45AC7292DE34EC028781

Function 00007FFD9B893135 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f5b7336e3279630b2beae7b1e3833fd7b658f032657031f9b052f16a8e04864
Instruction ID: 3b83c246816fb6501493b3b18c8f7d3138e24ab8174f30263e1a81e76c6204cb
Opcode Fuzzy Hash: 9f5b7336e3279630b2beae7b1e3833fd7b658f032657031f9b052f16a8e04864
Instruction Fuzzy Hash: 15513C70E0A61E8FEF64DBD4C8686EDBBB1FF59301F51017AD009E72A5DA386A44CB40

Function 00007FFD9B893268 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b03c3e138f296b796df44e1b33d4b5301b89263f44f1a98253cc2780f1f6f0
Instruction ID: 520f546549efaeb44c895ef47984721238de99644fc427d8ebd6b2e0263a3910
Opcode Fuzzy Hash: 43b03c3e138f296b796df44e1b33d4b5301b89263f44f1a98253cc2780f1f6f0
Instruction Fuzzy Hash: F721E671A0951E8FEF64EBD8C8A4AECBBF1FB58301F110129D009E72A5CA746945CB40

Function 00007FFD9B893330 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba66b3bc7ba03216a9043158848901a5c3fc66c1128fc56085aaaf5957cd7f09
Instruction ID: 27e6151a41fda9bb9fcd90152a77b54bac65a2d718b951f31d52b13ef6e12b8a
Opcode Fuzzy Hash: ba66b3bc7ba03216a9043158848901a5c3fc66c1128fc56085aaaf5957cd7f09
Instruction Fuzzy Hash: 9F21E43094E68E8FEB42EBB488685E97FF0FF5B300B0544EAD449CB1B2DA389546D711

Function 00007FFD9B89084D Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 031aedbc1cc58aa4255e21c6f3e53300f9806a03e74e4d0328886343b5df199b
Instruction ID: bbdc18fbc611f0aed4a1b53b0145f49b9b583d665ee813336df81fa58e5f4039
Opcode Fuzzy Hash: 031aedbc1cc58aa4255e21c6f3e53300f9806a03e74e4d0328886343b5df199b
Instruction Fuzzy Hash: 13115721F1E54E9FEB61ABB8CC694E83FE0FF59700F0645B6C088D70A3ED24A145C280

Function 00007FFD9B8933D1 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95c388d0e6d06cff97dd5ed5cda16c4142000ea47e87c9844970b30d4272f3e
Instruction ID: fc850d7721bdad584f67d998d430edee3b3aa96a23cbd4d1fb9bd6650efb98b1
Opcode Fuzzy Hash: d95c388d0e6d06cff97dd5ed5cda16c4142000ea47e87c9844970b30d4272f3e
Instruction Fuzzy Hash: 5F213E30A4A54E8FEF65EBA488686BD7BA0FF58304F11047AD419C71A1DF34A640D740

Function 00007FFD9B890A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a04740b5ca30c996f18e47a387097083d84a91e4d0d4ab455993ffc5cb31f14a
Instruction ID: c2649a04cec169789785c3eb6cda5fa178489b1816c811524b24ac1969430e5e
Opcode Fuzzy Hash: a04740b5ca30c996f18e47a387097083d84a91e4d0d4ab455993ffc5cb31f14a
Instruction Fuzzy Hash: BE11C431F2A50E4FEB94EBA8C8595BD7BE1FF58740F4145B6D41CC70A6EE34A6448780

Function 00007FFD9B890F28 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5d1b13c028064a6ee8b1ee707ccef49188d8d0d043029888c40dc7fbfedb1a
Instruction ID: b1e4ce542d52ee2394b7b976be3bb525f8d014f31237b5ccdf59bcb8e8ec20af
Opcode Fuzzy Hash: 3a5d1b13c028064a6ee8b1ee707ccef49188d8d0d043029888c40dc7fbfedb1a
Instruction Fuzzy Hash: AA213031E1A51D8BEF64EB94C864AED77B1FF48300F114179D01EA72A6DE386A45CB40

Function 00007FFD9B8911BD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51168be6be6464412f586e5f6a9d8bba8d433363f473c67872cb80ec989e9bc
Instruction ID: 3069b1167349e3ffa3decc0551b2330ad2a5df52f927b2bf0167674ee51513f8
Opcode Fuzzy Hash: f51168be6be6464412f586e5f6a9d8bba8d433363f473c67872cb80ec989e9bc
Instruction Fuzzy Hash: 1811B230A0E64E5EEFA5EBA4C8B96B97FE0FF19301F0104BED41EC61E2DA246540C700

Function 00007FFD9B8921D1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05d77a7885887b5ab74fcf4e118bce5dcc97a5cc1cee01baed1e44f46261c7a
Instruction ID: 68e73968ff54ddf4ad7373af7ff0ed4f116891754ed61d6ae81a57e527466c5c
Opcode Fuzzy Hash: a05d77a7885887b5ab74fcf4e118bce5dcc97a5cc1cee01baed1e44f46261c7a
Instruction Fuzzy Hash: 2E019631A4E54E5FEB65EBF488595A87BE0FF49300F0245B6D408C70B6DE34E680C701

Function 00007FFD9B8934C5 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3118a88166e48b4dd13c3a8d824407f51c30d09ea8ac7dc507c7909f0446679d
Instruction ID: 9edc617100cf824ebea096da64d6364ff4c50211bff0d13d21436648ae3ea67c
Opcode Fuzzy Hash: 3118a88166e48b4dd13c3a8d824407f51c30d09ea8ac7dc507c7909f0446679d
Instruction Fuzzy Hash: 97113070A0A64E8FDF59EF64C8695BD7BE0FF18300F0105BED419C65A2DA35A5408700

Function 00007FFD9B892E51 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5544d51d5376dcd3c6819718e765bd4f51ec26d7a0e211e643310f7ba0df9c3
Instruction ID: 5eeccc5e80b27d5d32f3f267c6116e2d1f95fd7a104a0656f9f1680bf4fafb18
Opcode Fuzzy Hash: a5544d51d5376dcd3c6819718e765bd4f51ec26d7a0e211e643310f7ba0df9c3
Instruction Fuzzy Hash: 06017134A1E64E8FEB65EFA488A85AD7FE0FF59300F0645B6D408C61A7EA34E5448701

Function 00007FFD9B8905D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c71d05291ba78c3c53a29de4a9d5eaaf44a3c34d0c5ea3143b36abea1b6386a
Instruction ID: 2f3cf223af50d27965caf1646fa6c39f3c785e1726bc4a2c0e58a7b41c01e43d
Opcode Fuzzy Hash: 9c71d05291ba78c3c53a29de4a9d5eaaf44a3c34d0c5ea3143b36abea1b6386a
Instruction Fuzzy Hash: E3019E30A0A50E9FEF58EF64C0646B97BA1FF68308F51007ED42EC21A5CA35A651CB40

Function 00007FFD9B89282D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783e12b3ffe991cb38558ac523c5ec94f2ffd8fe67b2ff0cdbbbd9901edb3a96
Instruction ID: ddd48bbc08e9280d618bb97486510841d31c4d3c39e85d3cbda40ab5a7894c56
Opcode Fuzzy Hash: 783e12b3ffe991cb38558ac523c5ec94f2ffd8fe67b2ff0cdbbbd9901edb3a96
Instruction Fuzzy Hash: CF018431E1A54E8FEB65EFA488585B97BE0FF5D300F4245B6D418D70A6EE38E2448740

Function 00007FFD9B892EC9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5fabadf01132b0d8c95502b214c175e2dfe02a2111916a5e9b81c160bfb538
Instruction ID: 4b290a3f64fd0cc6c6286b56b73bab73bde9bf86b440cac76080803199da6d08
Opcode Fuzzy Hash: ce5fabadf01132b0d8c95502b214c175e2dfe02a2111916a5e9b81c160bfb538
Instruction Fuzzy Hash: ED018430A1A64E4FEB66EBB488695A97BE0EF4A300F4605F7D40CC70B6DA38A544C741

Function 00007FFD9B890610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7f57090f2f6f04d57cc2b2000b23899487e0f21b92598ac5e703af358e8be
Instruction ID: 93261652a83ec8dfc56ed557e058f0f0d1c0a807d039954c38fb88d96017c8c5
Opcode Fuzzy Hash: 67b7f57090f2f6f04d57cc2b2000b23899487e0f21b92598ac5e703af358e8be
Instruction Fuzzy Hash: B501AD30A1A50E9AEF5CEFA4C4686F97BE0FF08304F10087ED41ED21E5DE35A280CA00

Function 00007FFD9B890608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44cb04ca1b4f1433bf540401fad60540f1de591bc55b4ad2a39a318a4991ba47
Instruction ID: c662e0210e1e385f5758dd4ae9e0c38a0bcef9b8930444ea2099b94b738a32e8
Opcode Fuzzy Hash: 44cb04ca1b4f1433bf540401fad60540f1de591bc55b4ad2a39a318a4991ba47
Instruction Fuzzy Hash: 66016D34A1550EEAEF6DEFA4C4686B97AA0FF1C305F51087EE41ED21E5DE35A250CA01

Function 00007FFD9B8911D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4254f5ae5567967610d9fe5cf9237d9ea50edd5d85187f934a03c6973c2c2bf6
Instruction ID: 123c5e55ee567bd1ca6cae6a0586a05b086ac298b9e54cee52584c471bce5717
Opcode Fuzzy Hash: 4254f5ae5567967610d9fe5cf9237d9ea50edd5d85187f934a03c6973c2c2bf6
Instruction Fuzzy Hash: 66F0A430E1E64E5AEFA5FBA488682FA7BE4FF59205F01143ED45EC21E1EE245650C601

Function 00007FFD9B891C1D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b8ee6a66aa9cd0834a7362630bd343d144d4c4508f359843c4d06336cbb5a8
Instruction ID: 8d0629ddd278a66193e1c96c613d7b29f3d044844af300bbb7f11948efaf46a2
Opcode Fuzzy Hash: 04b8ee6a66aa9cd0834a7362630bd343d144d4c4508f359843c4d06336cbb5a8
Instruction Fuzzy Hash: E801D130A0E68E8FEFA5EF64C4652B93FA1FF29304F4100BED81CC61A2CA759550C740

Function 00007FFD9B8905D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78757711f9611fcc54ddb7bb90c4292e12298a73b4f745787205a3dd1686ddd7
Instruction ID: 07ab316247c1825f9abaa0a52fdd35fda681a87971f4ab476604257964a5760d
Opcode Fuzzy Hash: 78757711f9611fcc54ddb7bb90c4292e12298a73b4f745787205a3dd1686ddd7
Instruction Fuzzy Hash: A6F0C230A0E60E9FEF69EF6494256FA3BA4EF19308F41007AE81DC20A1CA35A650C740

Function 00007FFD9B892749 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79970749fa9222fd3353efcba9c54d05c8f2ac23997bac2f35cb118111091288
Instruction ID: 72115abff91219e83b5ba598e103c28bd259c61597be7c2024908e1df2547d38
Opcode Fuzzy Hash: 79970749fa9222fd3353efcba9c54d05c8f2ac23997bac2f35cb118111091288
Instruction Fuzzy Hash: CBF0963090E38E9FDB6A9F6488642E93F70FF46305F4605FAD419C60E6DB389554CB41

Function 00007FFD9B8927BD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5768a891ef233a554dcfaf66c56953faf601467cf88f2083f6bfe515d23eeea3
Instruction ID: 44f0944621b99982cecff9a5936c24ae2f981acc692a29b9bb1c4e017fa9da7b
Opcode Fuzzy Hash: 5768a891ef233a554dcfaf66c56953faf601467cf88f2083f6bfe515d23eeea3
Instruction Fuzzy Hash: 58F09030A1E68E8FEB699FA488251E93FA0FF0A304F4504BED409C61E6DB39A554C701

Function 00007FFD9B8923D1 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a595e47ea79d3374fba1493c203210123446cb77be6a39dc34f069baa127a0
Instruction ID: 6ec474c57278b6694ac8c20fdd19f8eb162d2b00ed8b7b5b384c279d7182f93d
Opcode Fuzzy Hash: a3a595e47ea79d3374fba1493c203210123446cb77be6a39dc34f069baa127a0
Instruction Fuzzy Hash: AFF0DA70A1961E8EEBA4EF90C8557A8B6A1FB58310F1142B9C00ED62A1CF782A848F40

Function 00007FFD9B897F0E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1714300258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_O782uurN5d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1c21ee969bf7513e9fea677117c229515f54d5bee0ee63b5a486c45c856de9
Instruction ID: 9b7ba77ad7c420d7dff2f5c88ca81bcdfaeb904e6776e7d6ba025986d3e17ec8
Opcode Fuzzy Hash: ac1c21ee969bf7513e9fea677117c229515f54d5bee0ee63b5a486c45c856de9
Instruction Fuzzy Hash: 8DE04EB4E4952E9FDFA4DF488860AA9B7B1FB49314F5000E9924DE3250CB346A81CF19

Analysis Process: System.exePID: 7448, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B893545 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

X_H, xrefs: 00007FFD9B8935CD

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID: X_H
API String ID: 0-215283271
Opcode ID: ff7bb07a2615a2399374e3a102272f65c39c72a38ba8fb54331d566f305d3d8f
Instruction ID: c22f3ae0766e80db4033af9f530b19a3563097491868231608676a98a689755f
Opcode Fuzzy Hash: ff7bb07a2615a2399374e3a102272f65c39c72a38ba8fb54331d566f305d3d8f
Instruction Fuzzy Hash: 6EA1AE71A1994E8FEB98DB68D8657ADBBE1FF59350F8001BAD00DD32D6DF7928018B01

Function 00007FFD9B8A125B Relevance: 3.8, Strings: 3, Instructions: 75COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B8A165B
", xrefs: 00007FFD9B8A1292
., xrefs: 00007FFD9B8A19BE

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID: "$.$/
API String ID: 0-983106565
Opcode ID: 7cf052e9873f25b1177c294df4a9f89cdd47884ffb52b5c6f31f2c7a276bc04e
Instruction ID: 51c41b3936cc0937409d4fef7c3a33c6e19690bf4e0936b9550884f7fa3e0496
Opcode Fuzzy Hash: 7cf052e9873f25b1177c294df4a9f89cdd47884ffb52b5c6f31f2c7a276bc04e
Instruction Fuzzy Hash: 5731E770E0522DCFEB64EF94C894BEDBBB1AB59311F1500BAD04DA7291CA785A84CF10

Function 00007FFD9B8A141D Relevance: 2.5, Strings: 2, Instructions: 27COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B8A165B
%, xrefs: 00007FFD9B8A16A3

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID: %$/
API String ID: 0-2617147878
Opcode ID: e1f446ee9a0443b8dc3a54bdf706b67649dc87734a3701507ffd30f97b700815
Instruction ID: 0a0ff433275ba7fc31295de548ee657b6faedbbf5302298c46a523502f6738ff
Opcode Fuzzy Hash: e1f446ee9a0443b8dc3a54bdf706b67649dc87734a3701507ffd30f97b700815
Instruction Fuzzy Hash: B5F0893590860DCBEF28EF80C990AEDB7B1EB15310F151139C009DB2E0CB785684CF44

Function 00007FFD9B8A39FA Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFD9B8A3A01

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID: M_^
API String ID: 0-2269846659
Opcode ID: 7ad818d86214c77cea5d19082c698cf92cd8336dd5d6965f191c80631531e935
Instruction ID: 635363d83c97ea4e7f3830675979763dec54f5b3af383053ffd459484de0ea8a
Opcode Fuzzy Hash: 7ad818d86214c77cea5d19082c698cf92cd8336dd5d6965f191c80631531e935
Instruction Fuzzy Hash: A9413D23B0E9AE5FE715BBACA8690FE7BE0EF56321F0402B7D548CB093DD24A1458750

Function 00007FFD9B89FDAB Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFD9B89FDB8

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B89F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b89f000_System.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3081909835
Opcode ID: 68fbbf3c4cd7e423caeab3f7764d08196d0eb4c1c71685b9c4362c4f67cc11f5
Instruction ID: db107d1712958515c8f9ab563041e01def65c44f1c16c288b3b0722820089120
Opcode Fuzzy Hash: 68fbbf3c4cd7e423caeab3f7764d08196d0eb4c1c71685b9c4362c4f67cc11f5
Instruction Fuzzy Hash: D241CB71A15A1D8FEBA8DB188C65BA9B7B1FF58301F5001EAD44DE32D5DF346A818F40

Function 00007FFD9B89C7F3 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

|M_^, xrefs: 00007FFD9B89C801

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b89a000_System.jbxd

Similarity

API ID:
String ID: |M_^
API String ID: 0-3374310339
Opcode ID: 0e15451ceb59180ffa395d839ce4a7f248f0f062dcb03b8a347d8734d176ad78
Instruction ID: 9515762de944b785b45c47051ec9d01aa64394b4d6852c2a9d661cc50d88693b
Opcode Fuzzy Hash: 0e15451ceb59180ffa395d839ce4a7f248f0f062dcb03b8a347d8734d176ad78
Instruction Fuzzy Hash: 2A31C722B0D66A5AEB1A7BA8B82D4F83B50EF0A324F0505B7D01DCA0E7DE6925419A51

Function 00007FFD9B8A32B8 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da1871628947bea1f6897bc2b252fd553b579e7861102b37b41d7e2157c22eb
Instruction ID: 490ebfcd2532b18367a76834afd6697125f8b21f275c752784cbfdf4d79cb93e
Opcode Fuzzy Hash: 8da1871628947bea1f6897bc2b252fd553b579e7861102b37b41d7e2157c22eb
Instruction Fuzzy Hash: 1421A561A0F6CA4FE7529B7888695A97FF0FF16300B0905FBD498C71A7D924A508C352

Function 00007FFD9B8A32C8 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b76fc091ee0eadc437a1ec3fd5b47934fb86a2d37ee954e58022b23acb5686a
Instruction ID: 03c725999d7acbf3c5c4f8443c28db7ebef4135241e87b433ae1606754626caf
Opcode Fuzzy Hash: 8b76fc091ee0eadc437a1ec3fd5b47934fb86a2d37ee954e58022b23acb5686a
Instruction Fuzzy Hash: D311D361A0F3CA4FE713977488795A97FB0EF16204F0901FBD498CB1E3E9186608D362

Function 00007FFD9B89D899 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b89a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa2dae49b9a9ee792e3da4343b119ec98e008c29af09764a5fc8631ed7c1cd4
Instruction ID: 178544cf5cf11c477a5d987b72a3499a4b6fff9afd75bd356db6ae6d431cceb7
Opcode Fuzzy Hash: aaa2dae49b9a9ee792e3da4343b119ec98e008c29af09764a5fc8631ed7c1cd4
Instruction Fuzzy Hash: AFE12A71E1965D8FEB6CDB98C8A4BB8BBB1FF58300F4441BAD00DD32A6DA346941CB45

Function 00007FFD9B8A3B25 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0469946f77b36d20f39d2b081607a5e7eebd1c20848d864c6862a87f1a77183e
Instruction ID: ccab15e32ce2c67b0161ac0b4bddca32e0ffe5f574e519ccc845eb94503947d1
Opcode Fuzzy Hash: 0469946f77b36d20f39d2b081607a5e7eebd1c20848d864c6862a87f1a77183e
Instruction Fuzzy Hash: EDD1A770E1991D8EEBA4EB98C8657EDB7B1FF58301F5141B9D00DE32A1DB786A848F10

Function 00007FFD9B891638 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f42623a2cf8a0c43697694d198988aa89b4a9185ae430e336b88f65436994de
Instruction ID: 8e52fea84545a5386931e61bd9af77667d44993031a0ec92e6ff1dfeab3e4fdf
Opcode Fuzzy Hash: 5f42623a2cf8a0c43697694d198988aa89b4a9185ae430e336b88f65436994de
Instruction Fuzzy Hash: 0381E031B1DA4D4BEF58EF5C88615A97BE2EFD8304B05457AE49DC32A6DE34AD028780

Function 00007FFD9B8A2900 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff438f464fcc15500945fa6cca5ea893c9b6f1de8b15b2dac322d695a124f9d
Instruction ID: bd49b0d6db268e0861a65e608faeb3256cef600cf939a2fba7f16ce9d257f111
Opcode Fuzzy Hash: 6ff438f464fcc15500945fa6cca5ea893c9b6f1de8b15b2dac322d695a124f9d
Instruction Fuzzy Hash: 7991B670E1951D8FDBA4EFA8D8657ACBBB1FF58300F5141AAD00DE3292DE356A818F40

Function 00007FFD9B891C9D Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e365eb2a63107e002bd57d1ce50b377aca782da9f3d87d5024d2b3e79504855
Instruction ID: 913205c14b098881718bf422b83be390996c16323d7eee1547c4aab22651798d
Opcode Fuzzy Hash: 1e365eb2a63107e002bd57d1ce50b377aca782da9f3d87d5024d2b3e79504855
Instruction Fuzzy Hash: 0951E131B0DB8E4FDB59DF1888605AA7BE2FF98304B15467ED45AC7292DE34EC028781

Function 00007FFD9B89BFEA Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b89a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4763828da6d6106423ce13a45481b820da6e95337e0deca8520c0c878b1fb45c
Instruction ID: 619f0a08338df21bc313f0a4466b57d066d71b83b73b286e51ec609015faf82b
Opcode Fuzzy Hash: 4763828da6d6106423ce13a45481b820da6e95337e0deca8520c0c878b1fb45c
Instruction Fuzzy Hash: DD51FC74E0951E8FEF64EBA8C4696EDBBF1EF58300F51017AD01DE72A2DE3969418B40

Function 00007FFD9B893135 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb983762faa34328e628c13893406bc76f8522bc963301526bfe225778ca0a2
Instruction ID: 8708994671f78fbaf89578b783bd283482a8873259558c317a57bb276381c9d9
Opcode Fuzzy Hash: ecb983762faa34328e628c13893406bc76f8522bc963301526bfe225778ca0a2
Instruction Fuzzy Hash: 72512A70E0A61E8FEF64DBD8C8646EDBBB1FF59301F51017AD009E72A5DA386A44CB41

Function 00007FFD9B8A2AAF Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed69b5db4077257c8f034f9edeaa8a21489159a59902f370e4b3e5a50d7a598
Instruction ID: 6686e46ef7b133b5fd877cfdb02b3bf24c86c72600dd7d17e40bcbf60c1a35e6
Opcode Fuzzy Hash: 4ed69b5db4077257c8f034f9edeaa8a21489159a59902f370e4b3e5a50d7a598
Instruction Fuzzy Hash: 1D41A570E0951D8FDFA4EF98C8687ECBBB1FB58304F5141AAD00DE32A1DA356A818F10

Function 00007FFD9B89F58F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B89F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b89f000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9425655f940fa022625f017c43865df8f09a67b4e0bb1ffffd3c7fde8a6a3461
Instruction ID: bb27789650938dc5ea9f1e90c3b31b00812b130873afa5e4c291bf131d1de8df
Opcode Fuzzy Hash: 9425655f940fa022625f017c43865df8f09a67b4e0bb1ffffd3c7fde8a6a3461
Instruction Fuzzy Hash: F431D871A15A1D8FDBA8DB188C65BAAB7B1FF58301F5001EAD04DE3296DF346A818F40

Function 00007FFD9B89AD48 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b89a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f731f0573819c7c5c358f0a94c40d49802c9da83876891c055adec28b77a483
Instruction ID: 19cafccbd88920ce641369baf9b2c086bcee1adf869ce334cbb856798298175b
Opcode Fuzzy Hash: 6f731f0573819c7c5c358f0a94c40d49802c9da83876891c055adec28b77a483
Instruction Fuzzy Hash: 7331F875E0F94F6FEB55ABB888291E97FE0FF58751F058576D058C20E6EE34A5008740

Function 00007FFD9B89C0B6 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b89a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48a0fe979c93a185c0a0d57d60f793c316b86b824ad4d28c6112cf14e4498aa
Instruction ID: dd51d46292a298cb4798c8f8faf00433977e5bb74f02f8dcac08e965ed3c8e56
Opcode Fuzzy Hash: e48a0fe979c93a185c0a0d57d60f793c316b86b824ad4d28c6112cf14e4498aa
Instruction Fuzzy Hash: 5331D874E1991D8FEFA4EB9888A5AECBBB1FF59300F510039D01DE72A2CE3569418B00

Function 00007FFD9B8A7545 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 691712667fecb15a1c54ed734e74c55714ea3a0fe3503b8c65faf9f3b8103d64
Instruction ID: 0a965ce82e54d055e59c04b8d356aae7b4578fd998e51fd2a69e8cf32bcb5a15
Opcode Fuzzy Hash: 691712667fecb15a1c54ed734e74c55714ea3a0fe3503b8c65faf9f3b8103d64
Instruction Fuzzy Hash: FA210F34A0AA0E8FEB75ABA4C4647FE77E0EF4D314F11047AC41AC21E5EE38A6449661

Function 00007FFD9B8A6CE5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 755fb966bdff3e9d91ef942f0259f9bb52b06819b8504b0c6e882d05a60609f0
Instruction ID: ad4976366d62d4ce2ff044d212bc514c05611b796c05aa280e7ee06f94354fcf
Opcode Fuzzy Hash: 755fb966bdff3e9d91ef942f0259f9bb52b06819b8504b0c6e882d05a60609f0
Instruction Fuzzy Hash: C031B170A0AA4E8FEFA9EF68C4652BD3BE0FF28305F01057AD41DC21A9DE35A640C750

Function 00007FFD9B8A6E1D Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a75bb27ae7906f2c981fadd9b46f822897d5919716ee4369ee58f5a62f844c
Instruction ID: 710892abf4fb9e8685ce1687cb23e9c27a32021b5adc9178607f292db8548a2d
Opcode Fuzzy Hash: 12a75bb27ae7906f2c981fadd9b46f822897d5919716ee4369ee58f5a62f844c
Instruction Fuzzy Hash: 4921F371A0F64E8BEB689B64C4761B93BA0FF19340F1600BAD41DC30AADE2665118751

Function 00007FFD9B8A7351 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ce9c8e4c8c3ec4fba76d5b446b23a7e59f382d32cbebba10fdc7e66c854369
Instruction ID: 55cc42677be8e31be581da1710f6db81795faadce53a3679ada2c2e7649067bc
Opcode Fuzzy Hash: 87ce9c8e4c8c3ec4fba76d5b446b23a7e59f382d32cbebba10fdc7e66c854369
Instruction Fuzzy Hash: 71219035F0A54E8FEB61FBA8C8685FE7BE4FF19301F420476D818D3061DA38A2409760

Function 00007FFD9B893268 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d172e602be5040789176a117c8a048deaf70f490c880095f6fae8bdbd2fcc86
Instruction ID: 97f9a0ddc08a0d2c4dd142d869ef730100a3037fee0f9e579e425df8780e9483
Opcode Fuzzy Hash: 4d172e602be5040789176a117c8a048deaf70f490c880095f6fae8bdbd2fcc86
Instruction Fuzzy Hash: 6D21C671A0951E8FEF68DBD8C4A4AECBBF1FB58301F114169D00AE72A5DA346941CB50

Function 00007FFD9B893330 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba66b3bc7ba03216a9043158848901a5c3fc66c1128fc56085aaaf5957cd7f09
Instruction ID: 27e6151a41fda9bb9fcd90152a77b54bac65a2d718b951f31d52b13ef6e12b8a
Opcode Fuzzy Hash: ba66b3bc7ba03216a9043158848901a5c3fc66c1128fc56085aaaf5957cd7f09
Instruction Fuzzy Hash: 9F21E43094E68E8FEB42EBB488685E97FF0FF5B300B0544EAD449CB1B2DA389546D711

Function 00007FFD9B89084D Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 031aedbc1cc58aa4255e21c6f3e53300f9806a03e74e4d0328886343b5df199b
Instruction ID: bbdc18fbc611f0aed4a1b53b0145f49b9b583d665ee813336df81fa58e5f4039
Opcode Fuzzy Hash: 031aedbc1cc58aa4255e21c6f3e53300f9806a03e74e4d0328886343b5df199b
Instruction Fuzzy Hash: 13115721F1E54E9FEB61ABB8CC694E83FE0FF59700F0645B6C088D70A3ED24A145C280

Function 00007FFD9B8933D1 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95c388d0e6d06cff97dd5ed5cda16c4142000ea47e87c9844970b30d4272f3e
Instruction ID: fc850d7721bdad584f67d998d430edee3b3aa96a23cbd4d1fb9bd6650efb98b1
Opcode Fuzzy Hash: d95c388d0e6d06cff97dd5ed5cda16c4142000ea47e87c9844970b30d4272f3e
Instruction Fuzzy Hash: 5F213E30A4A54E8FEF65EBA488686BD7BA0FF58304F11047AD419C71A1DF34A640D740

Function 00007FFD9B8A7AFD Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c58167fe94f14a012d186ce4efe54e49952c9a50d50346f9e7705e9ec6aa62
Instruction ID: db93f4ecf1f6c0d3cce02e1f3d290d005e56d589a05497841a55fedbc50abf19
Opcode Fuzzy Hash: 02c58167fe94f14a012d186ce4efe54e49952c9a50d50346f9e7705e9ec6aa62
Instruction Fuzzy Hash: 0521A174A4A64E9FEB69AF64C8655FE37A0FF09304F0204BAD41EC20E6DE38A650D651

Function 00007FFD9B890A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9914d05926f3b51d1e90d7a361734c309bedef7ae792a8ce84294136d408aa03
Instruction ID: 29e70b08e686168d7aeb18ba84dd4c526b92440513dd91f06e967a24b27a0eb3
Opcode Fuzzy Hash: 9914d05926f3b51d1e90d7a361734c309bedef7ae792a8ce84294136d408aa03
Instruction Fuzzy Hash: B011E231F2A50E4FEB94EBA888585BD7BE1FF58740F4145B6D018C70A6EE34A6408780

Function 00007FFD9B890F28 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac3883bf563295619e258c2f148b66c7788e536653454046c25085408d411763
Instruction ID: 12cb8af7a1aaae264702eb01d5b57d374d769ed97e3ff2fed300bb5164d22b55
Opcode Fuzzy Hash: ac3883bf563295619e258c2f148b66c7788e536653454046c25085408d411763
Instruction Fuzzy Hash: A9213031E1A51D8BEF64EB94C864AED77B1FF58300F114175D01EA72A6DE386A45CB40

Function 00007FFD9B8A4649 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c77008d5ee2e765d579e091057a2521e0f24cba9f933fff03c80e4885cd728c
Instruction ID: 97c081e22c2fbecaec3acf705801d11f28fbddfec3f19cf5756b2f590cd0b00a
Opcode Fuzzy Hash: 5c77008d5ee2e765d579e091057a2521e0f24cba9f933fff03c80e4885cd728c
Instruction Fuzzy Hash: 6921AE30A0AA4E8FEFA9EF68C4692BD3BB0FF19301F0501BED419C61A2DA34A540C741

Function 00007FFD9B8A6C41 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8595e41fd826a52f078bedb3e0dcff141ff3f300e789e95ad83bbd5c55ef175c
Instruction ID: 2294fbe5f6bca889e40cc1cb796c9e1a72787c3be5df2b70dd4ae2dca4adc177
Opcode Fuzzy Hash: 8595e41fd826a52f078bedb3e0dcff141ff3f300e789e95ad83bbd5c55ef175c
Instruction Fuzzy Hash: DA11B470A09A4E8FDBA8EF6884692BD7BE0FF68301F0105BED41DC31A6DE356544C741

Function 00007FFD9B8A23F1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67864e828978c424707b1b99a0e9e09d9f57cee2455412437bbd265fae2652a3
Instruction ID: 5d3cbd55c1fd58527346668302978c5db60310b62eb523090dde1d63f4df0b1c
Opcode Fuzzy Hash: 67864e828978c424707b1b99a0e9e09d9f57cee2455412437bbd265fae2652a3
Instruction Fuzzy Hash: F6114930A1A64D8FDB58DF68C4A55E93BA1FF58314F12026EE84EC3295CB34A650CB91

Function 00007FFD9B8A4C05 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a4d31458eda8e0e79d4574bd753248fce1cd99e625fbae3f05d96dd8ad8567
Instruction ID: 20e819d9be664a1ae5ed669186413bd8f6eec53d9fa1d6688b15096ecf218552
Opcode Fuzzy Hash: 13a4d31458eda8e0e79d4574bd753248fce1cd99e625fbae3f05d96dd8ad8567
Instruction Fuzzy Hash: B5110831A0E68D4FEF59DB6488752B83AA0FF18304F0900BED01DC21F2DE396540C611

Function 00007FFD9B8A46E5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9db4e57fb52f5dd74077e79723d241a58bc3dd01d5026e3bfb34dfd36c5298
Instruction ID: db076bbd52880dee3c3a1142ebd480714a15b5e40038e7a34ef66639f8fe4a00
Opcode Fuzzy Hash: dd9db4e57fb52f5dd74077e79723d241a58bc3dd01d5026e3bfb34dfd36c5298
Instruction Fuzzy Hash: A411A230A09A8E8FEF98EF68C4692B97BE0FF59301F0505BED41DC21A2DA356540C751

Function 00007FFD9B8A4F79 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a4c8ffa68e96351ab2a695bd6953fe075ec45170fa22b916b815cd541115ea
Instruction ID: f7ed68cb80f969a217a0e4390f135ebc3aaf7395bd09a48b0685772c103de2c1
Opcode Fuzzy Hash: c3a4c8ffa68e96351ab2a695bd6953fe075ec45170fa22b916b815cd541115ea
Instruction Fuzzy Hash: CE11BE30A0A68E8FEF55EB6488696B97BF0FF19300F0505BFD419C61E2EA346544C751

Function 00007FFD9B8A6D85 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8934752245d6da24fc8a54a8e215b979ea71cd027f97aa9c959c3d6c09d00f
Instruction ID: d921729fc9129f7443037ce5f8a3a25726ac057fd8a6f38ed761f55e1ed40dc6
Opcode Fuzzy Hash: 3d8934752245d6da24fc8a54a8e215b979ea71cd027f97aa9c959c3d6c09d00f
Instruction Fuzzy Hash: 0B1104B1A0EA8D8BEB699F6488B51B83BE0FF19300F0600BED41DC64A6DE266554C351

Function 00007FFD9B8A27D1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375fd6f54b967afdc824d054e179b8cb6615f61c2298d55f3d56faa13676aeba
Instruction ID: 8a6cf689caa964a6cfa3526860f299d453d89bf8ad9b892232fc467cf4705945
Opcode Fuzzy Hash: 375fd6f54b967afdc824d054e179b8cb6615f61c2298d55f3d56faa13676aeba
Instruction Fuzzy Hash: 7711C430A1E55E8FEB62EFB488585F97BE0FF0D300F0145B6E418C70A6EA34A284C751

Function 00007FFD9B8911BD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51168be6be6464412f586e5f6a9d8bba8d433363f473c67872cb80ec989e9bc
Instruction ID: 3069b1167349e3ffa3decc0551b2330ad2a5df52f927b2bf0167674ee51513f8
Opcode Fuzzy Hash: f51168be6be6464412f586e5f6a9d8bba8d433363f473c67872cb80ec989e9bc
Instruction Fuzzy Hash: 1811B230A0E64E5EEFA5EBA4C8B96B97FE0FF19301F0104BED41EC61E2DA246540C700

Function 00007FFD9B89BB75 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b89a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e43e7cc0da0751990aa87f70c94b6b3d88ae5f7b28a7b925d57f6c1387faec3
Instruction ID: 0ba825cacf7b2f643e979c744ea53879d5faafae1b88f6507a4f233d84c922dd
Opcode Fuzzy Hash: 8e43e7cc0da0751990aa87f70c94b6b3d88ae5f7b28a7b925d57f6c1387faec3
Instruction Fuzzy Hash: B1117C70A0A64E8FDB99EFA4C8682B97BE0FF58305F4109BAD419D65E5DA34A640C700

Function 00007FFD9B8A6019 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451ae095fdaa0057dd37c83fa9426306e2fb92a1fdfaf0940a425ce79141627a
Instruction ID: 0fa5cc9cf4f644e12d585cbd5fffb3f4e151dbc7088c0d861d18fde93d6aeffb
Opcode Fuzzy Hash: 451ae095fdaa0057dd37c83fa9426306e2fb92a1fdfaf0940a425ce79141627a
Instruction Fuzzy Hash: 03117370E0E64E4FEBA1EB7888695A97BF0FF19300F0505B6D41CD71A6EE38A6848751

Function 00007FFD9B8A4EED Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd510f4f145a604230ff3909693bd764be59d71c21b1ce44b93d9f6fceecd22
Instruction ID: bbd6479d93c535a436776d267c9411c338e0ea8ed746ce1cd7da0284790afcd9
Opcode Fuzzy Hash: 8fd510f4f145a604230ff3909693bd764be59d71c21b1ce44b93d9f6fceecd22
Instruction Fuzzy Hash: 7D119130A0A58E8FEF58EF6488696BD77E0FF18304F0515BED42DC61E6DE24A6408751

Function 00007FFD9B8A4D2D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a743a5f721ab63eb1134553c3b35e6404efb52f93321b8a723f6f562a46b142
Instruction ID: 4f2ca7a5267fc83df494d9c10a1736eb790b97fbf36c67bd33aedebc961cb0be
Opcode Fuzzy Hash: 1a743a5f721ab63eb1134553c3b35e6404efb52f93321b8a723f6f562a46b142
Instruction Fuzzy Hash: B9116030A09A4E8FEF55DF6888696BD7BE0FF18300F0505BED419C61A6DB35A5408751

Function 00007FFD9B8921D1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e391cb542ceb423a9f2f8267199acad151f9f7db043a97551aedcf2888a27a6
Instruction ID: e9cbfde4937c0e1284e572e32aaf72c9b731ff82ee6642f96df372af95ba4775
Opcode Fuzzy Hash: 5e391cb542ceb423a9f2f8267199acad151f9f7db043a97551aedcf2888a27a6
Instruction Fuzzy Hash: B3019631A5E54E5FEB65EBF488555A97BE0EF59300F0255B6D408C70B6DE34E680C701

Function 00007FFD9B8A2604 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b261ded0cbffc82b0f448b49c63898f1b707b44089c774d2427dd24c1c1f6cb5
Instruction ID: 009f6df796e049cc84910133e2b447cebd52db1b25009649143794b9c127edf1
Opcode Fuzzy Hash: b261ded0cbffc82b0f448b49c63898f1b707b44089c774d2427dd24c1c1f6cb5
Instruction Fuzzy Hash: 2211C230A4A64E4EDB69DFB4C4655F93BA0EF19304F1204BED409C70E2DA29A551C751

Function 00007FFD9B89C880 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b89a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b224b27b18a7e49e50328fbe4711d2ba228cc40646b114bb1a4f0958646907
Instruction ID: 21145f7becbe670fc60a5edeb15b2b15a3e67e00ebd96816c0b536c6faf60842
Opcode Fuzzy Hash: 33b224b27b18a7e49e50328fbe4711d2ba228cc40646b114bb1a4f0958646907
Instruction Fuzzy Hash: 1A118F30A0A64E9FDB5AEB64C8685B97FB0FF1A304F0604BBD419D70A6DA355640CB10

Function 00007FFD9B8934C5 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3118a88166e48b4dd13c3a8d824407f51c30d09ea8ac7dc507c7909f0446679d
Instruction ID: 9edc617100cf824ebea096da64d6364ff4c50211bff0d13d21436648ae3ea67c
Opcode Fuzzy Hash: 3118a88166e48b4dd13c3a8d824407f51c30d09ea8ac7dc507c7909f0446679d
Instruction Fuzzy Hash: 97113070A0A64E8FDF59EF64C8695BD7BE0FF18300F0105BED419C65A2DA35A5408700

Function 00007FFD9B892E51 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5544d51d5376dcd3c6819718e765bd4f51ec26d7a0e211e643310f7ba0df9c3
Instruction ID: 5eeccc5e80b27d5d32f3f267c6116e2d1f95fd7a104a0656f9f1680bf4fafb18
Opcode Fuzzy Hash: a5544d51d5376dcd3c6819718e765bd4f51ec26d7a0e211e643310f7ba0df9c3
Instruction Fuzzy Hash: 06017134A1E64E8FEB65EFA488A85AD7FE0FF59300F0645B6D408C61A7EA34E5448701

Function 00007FFD9B8905D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c71d05291ba78c3c53a29de4a9d5eaaf44a3c34d0c5ea3143b36abea1b6386a
Instruction ID: 2f3cf223af50d27965caf1646fa6c39f3c785e1726bc4a2c0e58a7b41c01e43d
Opcode Fuzzy Hash: 9c71d05291ba78c3c53a29de4a9d5eaaf44a3c34d0c5ea3143b36abea1b6386a
Instruction Fuzzy Hash: E3019E30A0A50E9FEF58EF64C0646B97BA1FF68308F51007ED42EC21A5CA35A651CB40

Function 00007FFD9B89BF6A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b89a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9434df1baedcfe8100b1b1b5d1f774cd046e56bf1407c8dca60733043a4d058
Instruction ID: 5ea4bbac4374d600751ad9fc22b94c5cc2b9d2dfaf512c4e398f87405f601e02
Opcode Fuzzy Hash: d9434df1baedcfe8100b1b1b5d1f774cd046e56bf1407c8dca60733043a4d058
Instruction Fuzzy Hash: 5C014C30A0A91E9EEF99EF68C4686BD7BE0FF58304F11097AD81DC21A5DE35A650CB40

Function 00007FFD9B89282D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783e12b3ffe991cb38558ac523c5ec94f2ffd8fe67b2ff0cdbbbd9901edb3a96
Instruction ID: ddd48bbc08e9280d618bb97486510841d31c4d3c39e85d3cbda40ab5a7894c56
Opcode Fuzzy Hash: 783e12b3ffe991cb38558ac523c5ec94f2ffd8fe67b2ff0cdbbbd9901edb3a96
Instruction Fuzzy Hash: CF018431E1A54E8FEB65EFA488585B97BE0FF5D300F4245B6D418D70A6EE38E2448740

Function 00007FFD9B8A2285 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6142c397ae4b69db349d6b5722175a36ab9b26df5c3f21910957e2fcaa3cbf0a
Instruction ID: 754cafc01b28bde81182a8b3934a1c538cbeb5a6c1b03853850a9be0b918c64b
Opcode Fuzzy Hash: 6142c397ae4b69db349d6b5722175a36ab9b26df5c3f21910957e2fcaa3cbf0a
Instruction Fuzzy Hash: 8301B530A0954E4FDB69EFA4C8795B9BBE0FF19300F0604BED419C60E6DA35A540C710

Function 00007FFD9B8A74D9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afbdaf6be9c739dd4c0dfd16f355264fc9a73b23d78510a59486c6875007318
Instruction ID: 82656a3c119b76e559686710144a8eaa0f68303358ae8237a8a71070c587b65e
Opcode Fuzzy Hash: 7afbdaf6be9c739dd4c0dfd16f355264fc9a73b23d78510a59486c6875007318
Instruction Fuzzy Hash: 4F01B130A0E64E8FE762AB7888685A93BE0FF09300F0604F6D418C70B6EA28E5449311

Function 00007FFD9B8A7A89 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff6bc8eb8114fd29d68ef33e5967dbe4da9c4a1d80a8298b9fc5aa558a99608
Instruction ID: c4e99adc91293d41388fcd5484d312b9d86ce3b89d294826dcc65c11f1f684c0
Opcode Fuzzy Hash: fff6bc8eb8114fd29d68ef33e5967dbe4da9c4a1d80a8298b9fc5aa558a99608
Instruction Fuzzy Hash: A0019234A4A68D5FDB55EB64C8695B93BE0EF1A304F0604FED409C60E2DA35AA50D711

Function 00007FFD9B892EC9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5fabadf01132b0d8c95502b214c175e2dfe02a2111916a5e9b81c160bfb538
Instruction ID: 4b290a3f64fd0cc6c6286b56b73bab73bde9bf86b440cac76080803199da6d08
Opcode Fuzzy Hash: ce5fabadf01132b0d8c95502b214c175e2dfe02a2111916a5e9b81c160bfb538
Instruction Fuzzy Hash: ED018430A1A64E4FEB66EBB488695A97BE0EF4A300F4605F7D40CC70B6DA38A544C741

Function 00007FFD9B89A919 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b89a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3701bc656c8c2dacb599b8358a67e5954ae4bc309ee9864933755c580a2014d0
Instruction ID: 8a9c7d0ed625ce47e73d99f9d19fa09e7b5e00637e59f866d3a17e2e65c9274a
Opcode Fuzzy Hash: 3701bc656c8c2dacb599b8358a67e5954ae4bc309ee9864933755c580a2014d0
Instruction Fuzzy Hash: 36012134A5E64E5EEB62AB7488596A97BE0FF0A304F0749B2D41CC60B6DA38A544C711

Function 00007FFD9B890610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7f57090f2f6f04d57cc2b2000b23899487e0f21b92598ac5e703af358e8be
Instruction ID: 93261652a83ec8dfc56ed557e058f0f0d1c0a807d039954c38fb88d96017c8c5
Opcode Fuzzy Hash: 67b7f57090f2f6f04d57cc2b2000b23899487e0f21b92598ac5e703af358e8be
Instruction Fuzzy Hash: B501AD30A1A50E9AEF5CEFA4C4686F97BE0FF08304F10087ED41ED21E5DE35A280CA00

Function 00007FFD9B890608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44cb04ca1b4f1433bf540401fad60540f1de591bc55b4ad2a39a318a4991ba47
Instruction ID: c662e0210e1e385f5758dd4ae9e0c38a0bcef9b8930444ea2099b94b738a32e8
Opcode Fuzzy Hash: 44cb04ca1b4f1433bf540401fad60540f1de591bc55b4ad2a39a318a4991ba47
Instruction Fuzzy Hash: 66016D34A1550EEAEF6DEFA4C4686B97AA0FF1C305F51087EE41ED21E5DE35A250CA01

Function 00007FFD9B8911D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4254f5ae5567967610d9fe5cf9237d9ea50edd5d85187f934a03c6973c2c2bf6
Instruction ID: 123c5e55ee567bd1ca6cae6a0586a05b086ac298b9e54cee52584c471bce5717
Opcode Fuzzy Hash: 4254f5ae5567967610d9fe5cf9237d9ea50edd5d85187f934a03c6973c2c2bf6
Instruction Fuzzy Hash: 66F0A430E1E64E5AEFA5FBA488682FA7BE4FF59205F01143ED45EC21E1EE245650C601

Function 00007FFD9B8A537B Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b10603285cda436c3b0ce713dfc240f81fdf1d099c3800897980ea61ff9eed
Instruction ID: 33b9a3e7afddc90c967d7ffccb3a56a4e7c3abc2d650bfb5161ca3dd1595c7d1
Opcode Fuzzy Hash: 88b10603285cda436c3b0ce713dfc240f81fdf1d099c3800897980ea61ff9eed
Instruction Fuzzy Hash: 70F03735E0891D8FDFA0EB9898647ECBBB1FF9C310F400066C00CE3261DE3429858B00

Function 00007FFD9B891C1D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b8ee6a66aa9cd0834a7362630bd343d144d4c4508f359843c4d06336cbb5a8
Instruction ID: 8d0629ddd278a66193e1c96c613d7b29f3d044844af300bbb7f11948efaf46a2
Opcode Fuzzy Hash: 04b8ee6a66aa9cd0834a7362630bd343d144d4c4508f359843c4d06336cbb5a8
Instruction Fuzzy Hash: E801D130A0E68E8FEFA5EF64C4652B93FA1FF29304F4100BED81CC61A2CA759550C740

Function 00007FFD9B8905D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78757711f9611fcc54ddb7bb90c4292e12298a73b4f745787205a3dd1686ddd7
Instruction ID: 07ab316247c1825f9abaa0a52fdd35fda681a87971f4ab476604257964a5760d
Opcode Fuzzy Hash: 78757711f9611fcc54ddb7bb90c4292e12298a73b4f745787205a3dd1686ddd7
Instruction Fuzzy Hash: A6F0C230A0E60E9FEF69EF6494256FA3BA4EF19308F41007AE81DC20A1CA35A650C740

Function 00007FFD9B89A985 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b89a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c818b97ed73052f03b78feabb4c8b2ac0c9ebe9caba171f194dca95146258211
Instruction ID: 5b7ba57ebb4328f660269bba91a28d1c3af6286c556fb5186f0a6ae92e42768a
Opcode Fuzzy Hash: c818b97ed73052f03b78feabb4c8b2ac0c9ebe9caba171f194dca95146258211
Instruction Fuzzy Hash: DFF0AF7564E3868FD716DBA8ACE15993BB0EF4630870E45E3C468CE0A3FA2854058761

Function 00007FFD9B892749 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79970749fa9222fd3353efcba9c54d05c8f2ac23997bac2f35cb118111091288
Instruction ID: 72115abff91219e83b5ba598e103c28bd259c61597be7c2024908e1df2547d38
Opcode Fuzzy Hash: 79970749fa9222fd3353efcba9c54d05c8f2ac23997bac2f35cb118111091288
Instruction Fuzzy Hash: CBF0963090E38E9FDB6A9F6488642E93F70FF46305F4605FAD419C60E6DB389554CB41

Function 00007FFD9B8927BD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5768a891ef233a554dcfaf66c56953faf601467cf88f2083f6bfe515d23eeea3
Instruction ID: 44f0944621b99982cecff9a5936c24ae2f981acc692a29b9bb1c4e017fa9da7b
Opcode Fuzzy Hash: 5768a891ef233a554dcfaf66c56953faf601467cf88f2083f6bfe515d23eeea3
Instruction Fuzzy Hash: 58F09030A1E68E8FEB699FA488251E93FA0FF0A304F4504BED409C61E6DB39A554C701

Function 00007FFD9B89A998 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b89a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debe73b315bbfc92ad487c5a73e08f1b0d0389eaa5050896176b0562f016727d
Instruction ID: 2fc5535455b5d1a7fdcc4c347deda85ac1a685b7284cf8d23ba6b283b0216570
Opcode Fuzzy Hash: debe73b315bbfc92ad487c5a73e08f1b0d0389eaa5050896176b0562f016727d
Instruction Fuzzy Hash: 1DF0823564920ACED715EBE8A8F15E933E0EF4431C70949F2D47CCA092FA6960058650

Function 00007FFD9B8923D1 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b890000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a595e47ea79d3374fba1493c203210123446cb77be6a39dc34f069baa127a0
Instruction ID: 6ec474c57278b6694ac8c20fdd19f8eb162d2b00ed8b7b5b384c279d7182f93d
Opcode Fuzzy Hash: a3a595e47ea79d3374fba1493c203210123446cb77be6a39dc34f069baa127a0
Instruction Fuzzy Hash: AFF0DA70A1961E8EEBA4EF90C8557A8B6A1FB58310F1142B9C00ED62A1CF782A848F40

Function 00007FFD9B89B76E Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b89a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30ef61a1748c0b572ac4af2d3ad1727ad3b3b4209b625fccfab0bbf28068502
Instruction ID: 2481be06fa3daa92bc65ec9ffaab8020212bd5a15599fd1305ac169dbaef4f6e
Opcode Fuzzy Hash: b30ef61a1748c0b572ac4af2d3ad1727ad3b3b4209b625fccfab0bbf28068502
Instruction Fuzzy Hash: 7FD09E30A1D51D4EEFA4EB54C450EE9B778EB18300F1042F5801D92156DE346AC18B80

Non-executed Functions

Function 00007FFD9B8A1148 Relevance: 5.1, Strings: 4, Instructions: 75COMMON

Download Yara Rule

Strings

*, xrefs: 00007FFD9B8A1106
/, xrefs: 00007FFD9B8A165B
[, xrefs: 00007FFD9B8A10F9
}, xrefs: 00007FFD9B8A11F1

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID: *$/$[$}
API String ID: 0-3119010630
Opcode ID: e810a8749cfd9ec1a089103b49380ed1a14602e41d8ea624d85138a26a769670
Instruction ID: d688cba83433332d156be628dacb78e2e2b4dcec3516a7e9f265c30872b644eb
Opcode Fuzzy Hash: e810a8749cfd9ec1a089103b49380ed1a14602e41d8ea624d85138a26a769670
Instruction Fuzzy Hash: 0531F970E0522E8FEB68DF94C8A4BFDBBB1BB58701F1101B9D04DA7291DA385A84DF50

Function 00007FFD9B8A10E5 Relevance: 5.0, Strings: 4, Instructions: 38COMMON

Download Yara Rule

Strings

*, xrefs: 00007FFD9B8A1106
/, xrefs: 00007FFD9B8A165B
&, xrefs: 00007FFD9B8A1953
[, xrefs: 00007FFD9B8A10F9

Memory Dump Source

Source File: 00000005.00000002.1778991523.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a1000_System.jbxd

Similarity

API ID:
String ID: &$*$/$[
API String ID: 0-928903987
Opcode ID: 0279422f43836351d6de7e868c3757276c0a5cf099b2289123cd53377214c0e0
Instruction ID: 597e8b9d905a947f4d5571c5ec1a3238c51411344255717a3df519e7748233e6
Opcode Fuzzy Hash: 0279422f43836351d6de7e868c3757276c0a5cf099b2289123cd53377214c0e0
Instruction Fuzzy Hash: DB110C70E0521DCFEB28DF90C8A4BADBBB1AF59711F1540BED04D9B290CA785A84CF25

Analysis Process: System.exePID: 7488, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8A3545 Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

W_H, xrefs: 00007FFD9B8A35CD

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID: W_H
API String ID: 0-126398842
Opcode ID: e3479010b423f1003c546c4c85886ef21b0d37387d223bb78787e0bf89fb6d90
Instruction ID: 0d95024e562d2cc716b079f0a1aa6325e3b5b6927c3e095a328de797fd3b5f90
Opcode Fuzzy Hash: e3479010b423f1003c546c4c85886ef21b0d37387d223bb78787e0bf89fb6d90
Instruction Fuzzy Hash: EAA1B071A0994E8FEB98DB6CD8257B97BE1FF59350F40007AD00DD72D6DBB828018B41

Function 00007FFD9B8A1638 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9715d00298074101e80de4ba1f069b769adf91c4f689754fdc354d1a79e9272a
Instruction ID: 95bad4a525547d566b579acd14bfd55cbf2bb0486542c41aa085e0b297c9fc2e
Opcode Fuzzy Hash: 9715d00298074101e80de4ba1f069b769adf91c4f689754fdc354d1a79e9272a
Instruction Fuzzy Hash: AE81E231B0DA8D4FDB58EF5888605A977E2FF99300B15467EE45DC3296DE34AD02C781

Function 00007FFD9B8A06C0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f39e0c44fd27a62f7f330e67c86a37a819794f794e0f1da2a38b708f403327
Instruction ID: 678f40eec78644cc884d708389a4f538c5a5dade755a08ec372de3553df8625f
Opcode Fuzzy Hash: 99f39e0c44fd27a62f7f330e67c86a37a819794f794e0f1da2a38b708f403327
Instruction Fuzzy Hash: FA614A52B1FAC94FE32557AC7C290B87BA0EF56790B0943FBE09CC60F7EC15A6058295

Function 00007FFD9B8B5220 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4913c96a6ab2cc427b3ac779621cd56ce7d79086782ef60bcf4236c1cfdf4e6f
Instruction ID: 240b904ee9981c3fd4e00f8e8d8e13c90cf5b86a7b2650fd067c644dbedcc10b
Opcode Fuzzy Hash: 4913c96a6ab2cc427b3ac779621cd56ce7d79086782ef60bcf4236c1cfdf4e6f
Instruction Fuzzy Hash: DC613071E0991D8FEBA4EBA8D865BECB7F1FF5D310F50006AD00DE72A1DA3569818B40

Function 00007FFD9B8A1C9D Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3624738febede64af4b89bfe1492b1b1f004bf8892522868917c1b382116a5fe
Instruction ID: fc71a6217ae9346c455a59ab3d48e99e850cd2386b09c7f6063b7aa5a32d88ea
Opcode Fuzzy Hash: 3624738febede64af4b89bfe1492b1b1f004bf8892522868917c1b382116a5fe
Instruction Fuzzy Hash: F751D031B09B8E4FDB58DF5888605AA77E2FF99304B15467ED45AC7292DE34E802C781

Function 00007FFD9B8A3135 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9270e8e27a6a8e204addedc6ded10f96dd8cf02eb3ac3d71bb1c5913a4e2d229
Instruction ID: e74edca0c166c83f741177d3f6d4235a9dc4f83c8540520a3704659476a77dcb
Opcode Fuzzy Hash: 9270e8e27a6a8e204addedc6ded10f96dd8cf02eb3ac3d71bb1c5913a4e2d229
Instruction Fuzzy Hash: A1514B70E0A61E8FEB64DF98C4646ECBBF1EF58301F51017AD009E72A5DA386A44CB60

Function 00007FFD9B8A0805 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71150ad5de046c09c505f79fc069826398ce2e1d4d36b6f4421f68c4899d635
Instruction ID: 8888e3b32672b6648e9d3d8ace1c53b4a52a42818e3364744540097d7472e44c
Opcode Fuzzy Hash: a71150ad5de046c09c505f79fc069826398ce2e1d4d36b6f4421f68c4899d635
Instruction Fuzzy Hash: 5021A952F1F58A97E72527BC9C7A4E8BB90FF01658B0942B7D0ACC90D3ED08A10AC2D4

Function 00007FFD9B8A33D1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbe1fc200f0886a3d6c3f549b1338228e99d5f323a6143a354422df6e0109d7
Instruction ID: 7f7f3684fccdedc05d2b48f62abec894aff74ac3eb18f14460829f24c2d8d751
Opcode Fuzzy Hash: 1fbe1fc200f0886a3d6c3f549b1338228e99d5f323a6143a354422df6e0109d7
Instruction Fuzzy Hash: 2B213D30A0A94E8FEB65EBA488696BD77A0FF18304F11057AD42DC71A1DF35A640D750

Function 00007FFD9B8A3330 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6b61fddc824c501817a25991b2895e43cb245667dc087d4adc2cf341c44fbe
Instruction ID: a394cca4f25e1a85d5d071d963e2598d3f4aeb27bafccd2d498370ac81d029bc
Opcode Fuzzy Hash: 1b6b61fddc824c501817a25991b2895e43cb245667dc087d4adc2cf341c44fbe
Instruction Fuzzy Hash: 1921D23094E68E8FE742ABB488685A97FF0FF4B300B0544EAD449CB1B2DA389546C721

Function 00007FFD9B8A0A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597c874235b19e081983633ac520b468968ffff8d644beeb3ffcf8e38bd08c10
Instruction ID: 5b169b61ce1698567debc36053cf9106f72b64e40da4299360ae3108ed68413a
Opcode Fuzzy Hash: 597c874235b19e081983633ac520b468968ffff8d644beeb3ffcf8e38bd08c10
Instruction Fuzzy Hash: 8A11B230E2A50E4FE790EBA888595BD77E1FF58700F4146B6D01CC70A6EE34B6448750

Function 00007FFD9B8A0F28 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a8736c7a7e372f615083980364a28efb43da830dbb2127b615f1f4a8b5306c
Instruction ID: 968846597addec9db2f394a7b242ef2f9857924bfe31219d19a1cefe3af07fe0
Opcode Fuzzy Hash: 78a8736c7a7e372f615083980364a28efb43da830dbb2127b615f1f4a8b5306c
Instruction Fuzzy Hash: 06213D31E1A51D8BEB64EB94C864AED73B5FF48300F1141B9D00DA72A6DE38AA458B50

Function 00007FFD9B8A11BD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bcf809e4581afe88099f66aa8a7a759dd04d66de57212a81d051866506cc4df
Instruction ID: 152186f0a42d0324c484139bcb78b387be3b5426517bb33c739677cd26d39b8a
Opcode Fuzzy Hash: 1bcf809e4581afe88099f66aa8a7a759dd04d66de57212a81d051866506cc4df
Instruction Fuzzy Hash: FB11B230A0A64E4EEBA5EBA4C4796B97BE0FF5A305F0504BED41EC60E2DE289540C710

Function 00007FFD9B8A21D1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77edafcc128626b674930c877c0ed174b100e2e511f9b0c898fcfe1d3cf6c78
Instruction ID: c34bc9bfce9a920ed3ceeaa875ab8422cb396b3a6e3b1bf59a3a86c21606c1a9
Opcode Fuzzy Hash: c77edafcc128626b674930c877c0ed174b100e2e511f9b0c898fcfe1d3cf6c78
Instruction Fuzzy Hash: 23019631A4E54E4FE761EFB488655A87BE0EF0A300F0245B6D408C70B6DE38E680C711

Function 00007FFD9B8A34C5 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11aa1667005850a1854662fec9f509ae161460e0cd1e13e02fde379fd67ef3bb
Instruction ID: ab3decae7baa057e2b09cace9a4a3caea48320b2e39efd4aedf80c7822c10a08
Opcode Fuzzy Hash: 11aa1667005850a1854662fec9f509ae161460e0cd1e13e02fde379fd67ef3bb
Instruction Fuzzy Hash: 6F113070A0A64E8FDB55EFA8C8696BD7BE0FF19300F0105BED419C65A2DA35A5448710

Function 00007FFD9B8A2E51 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b391c15e40500f9c3d3f9166e6ebd65e72af27ae169fe5f03ba81aa81d37c028
Instruction ID: e259cecb3e157f5725ea30490a2c8fff1fccfc568b70f8b735babec105f93983
Opcode Fuzzy Hash: b391c15e40500f9c3d3f9166e6ebd65e72af27ae169fe5f03ba81aa81d37c028
Instruction Fuzzy Hash: C4018430E1E64E8FE761EFA488A85A97BE0FF19300F0245B6D40CC71A7EB34E5948711

Function 00007FFD9B8A05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16a658bd7dde50d7f036faf0d1ea0a92cd8f55baac1c21a2ea7d060b01dfd47
Instruction ID: 8425a18b5a6d5c1306b106213985d314b576ed0a2c6dc4ec9fac1af0c3ab60c6
Opcode Fuzzy Hash: a16a658bd7dde50d7f036faf0d1ea0a92cd8f55baac1c21a2ea7d060b01dfd47
Instruction Fuzzy Hash: EF019E30A0A50E8FEB58EF64C0646B977A1FF6A304F51007ED41EC21A5CA35A650CB50

Function 00007FFD9B8A282D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8621763e1fccb9be8ee3f2e950125919cb5718bc7397d66e7d3526f42a5f358b
Instruction ID: 0d22346dbe54c15dc4e02549633f015a3d59e039d50a69f50c998e67fb143e5a
Opcode Fuzzy Hash: 8621763e1fccb9be8ee3f2e950125919cb5718bc7397d66e7d3526f42a5f358b
Instruction Fuzzy Hash: 4A018430E1A54E8FE761EFA489585A9BBE0FF1D300F0245B6E418C70A6EE38E244C750

Function 00007FFD9B8A2EC9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59ce917d5ee1b79b03b49a1764b6d5c741ad16be1e989f281fb53fba937884f
Instruction ID: 45c9e22747b00fee4c917e2f86422403f429c64ded80a42e495f745d4bddd813
Opcode Fuzzy Hash: c59ce917d5ee1b79b03b49a1764b6d5c741ad16be1e989f281fb53fba937884f
Instruction Fuzzy Hash: 45018430A1E64E4FE762EBB489695A97BE0EF4A300F4605F7D408CB0B6DA38A544C711

Function 00007FFD9B8A0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420603b43faf66d2473e3fe587a9d411b545fa02f737168ae0c619f201905d99
Instruction ID: 9746e323cb3abbc38f08c20a93b61245972003c7011afba51c976345fbb64d35
Opcode Fuzzy Hash: 420603b43faf66d2473e3fe587a9d411b545fa02f737168ae0c619f201905d99
Instruction Fuzzy Hash: 5B018130A1950E8AEB68EFA4C5696B977E0FF1C305F11087EE41EC21E5DF35B690CA11

Function 00007FFD9B8A0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b2cab9a866e810e2305bf12b556bdd8f92187d3cdf53c81290fe1ee07ff2fb
Instruction ID: efe334a1ac8c74e12d76f941783e76cbfaefe26f6a3bf4351876009d2ee50c4d
Opcode Fuzzy Hash: 72b2cab9a866e810e2305bf12b556bdd8f92187d3cdf53c81290fe1ee07ff2fb
Instruction Fuzzy Hash: 86016D30A1550EDAEB69EFA4C5686B976A0FF1C305F51087ED41EC21E5DE35B690CA10

Function 00007FFD9B8A11D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ea9d41b8d4b3f8acf2166e2b59a35d6988ad4713b42c5171d891ccdddc8533
Instruction ID: 6d894c14f4014adacf4036812e0ecfcd0381f96fa6a0ddffe842f29ee19c1428
Opcode Fuzzy Hash: 52ea9d41b8d4b3f8acf2166e2b59a35d6988ad4713b42c5171d891ccdddc8533
Instruction Fuzzy Hash: EEF0A430E1A54E4AEFA4ABA488782FA77E4FF5A305F01143AE41DC20E1DE645650C611

Function 00007FFD9B8A1C1D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaceb19111d426e003e8f4d08074c319ca8db64785e5d4cc2eb89bbf54055d51
Instruction ID: 4914cbafb1686f0657e3103b5b7db6c2e22e7c5d47b419bc68c3020e320a9be6
Opcode Fuzzy Hash: eaceb19111d426e003e8f4d08074c319ca8db64785e5d4cc2eb89bbf54055d51
Instruction Fuzzy Hash: F4018630A4A64E8FDB65EF64C4656B97BA1FF5A300F4510BED40CC61A1DA759650C740

Function 00007FFD9B8A05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49116d159186173196ffe179f1fbe5738d256ed80d376fab8a221de4dc0b11a
Instruction ID: 63ea2133509e46c7c915ecfc7736c44890dadebef5da37a159c5ba3ad6eac56e
Opcode Fuzzy Hash: a49116d159186173196ffe179f1fbe5738d256ed80d376fab8a221de4dc0b11a
Instruction Fuzzy Hash: 5BF0C230A0A61E8FEB68EF6494256FA77A4EF1A308F41007AE80DC20A1CA39A650C740

Function 00007FFD9B8A2749 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5e1e2258b29bf8de4ceaa0af333c035cb8fbedb5cb740c0bd0d9d09140db39
Instruction ID: 4bf7424194c4b1d5c19344312717ece5802b04af6756122c54b2e6f6bc02c89a
Opcode Fuzzy Hash: ac5e1e2258b29bf8de4ceaa0af333c035cb8fbedb5cb740c0bd0d9d09140db39
Instruction Fuzzy Hash: 63F0F63090E38E8FDB2A9F6488642E93B70FF06304F4604FAD809C60E6DB38A654CB11

Function 00007FFD9B8A27BD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28e20250c55289532d1bcb9923e09e1a12809e23bcf2b0cebf7664d2003b72b8
Instruction ID: 953563ecbaf28355e591ec01b9335d833e2ec53f6048e945a8ef692b33253dfb
Opcode Fuzzy Hash: 28e20250c55289532d1bcb9923e09e1a12809e23bcf2b0cebf7664d2003b72b8
Instruction Fuzzy Hash: DBF0F63090E68D8FDB699FA088251A93BA0FF09304F0104BED409C10E5DB79A654C711

Function 00007FFD9B8A7F0E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779068803.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1c21ee969bf7513e9fea677117c229515f54d5bee0ee63b5a486c45c856de9
Instruction ID: 2e5c410d72fdcc919cd99f11b91df513d7da2f13c70a1713a174411eb21009fc
Opcode Fuzzy Hash: ac1c21ee969bf7513e9fea677117c229515f54d5bee0ee63b5a486c45c856de9
Instruction Fuzzy Hash: B3E04EB4E4962E9FDBB4DF488860AA9B7B1EB49314F5000E9824DE3250CB346A81CF19

Analysis Process: hKONDisxvRbjdh.exePID: 7920, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8A3545 Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

W_H, xrefs: 00007FFD9B8A35CD

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID: W_H
API String ID: 0-126398842
Opcode ID: 17bfdea6a07a571bb9a04c387422d453f6869547e285162ea558414918f3f957
Instruction ID: bcaeece7dea671cfad0ec93518b2a013aa0880bb23d1ed2591a5a82ea1bfde5a
Opcode Fuzzy Hash: 17bfdea6a07a571bb9a04c387422d453f6869547e285162ea558414918f3f957
Instruction Fuzzy Hash: 2EA1BF71E1994E8FEB98DBA8D8297AD7BE1FF59350F40007AD00DD32DADB7828018B41

Function 00007FFD9B8B125B Relevance: 3.8, Strings: 3, Instructions: 75COMMON

Download Yara Rule

Strings

", xrefs: 00007FFD9B8B1292
/, xrefs: 00007FFD9B8B165B
., xrefs: 00007FFD9B8B19BE

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID: "$.$/
API String ID: 0-983106565
Opcode ID: 7cf052e9873f25b1177c294df4a9f89cdd47884ffb52b5c6f31f2c7a276bc04e
Instruction ID: 21daa2b5e7b34fe0ff0627d04ae0130c2ef280ebaa03f21ef16479aa26ea33a8
Opcode Fuzzy Hash: 7cf052e9873f25b1177c294df4a9f89cdd47884ffb52b5c6f31f2c7a276bc04e
Instruction Fuzzy Hash: A231EB70E1522DCFEB64EFA4C8A47EDB7B1AB59311F1104BAD04D9B291CA386A84CF50

Function 00007FFD9B8B141D Relevance: 2.5, Strings: 2, Instructions: 27COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B8B165B
%, xrefs: 00007FFD9B8B16A3

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID: %$/
API String ID: 0-2617147878
Opcode ID: dfcb9c8c9462e0c49bcb69e7cac1d33d2736e6f06c33c0c99f3b747fec344d19
Instruction ID: 97be792981708cf33670ec31a39b110ad9826cb405810ad6f8d543b54797285e
Opcode Fuzzy Hash: dfcb9c8c9462e0c49bcb69e7cac1d33d2736e6f06c33c0c99f3b747fec344d19
Instruction Fuzzy Hash: 44F0303590861D8BEF28EF90C890AEDB7B1EB15310F15013AC4099F2A0DB786684CF84

Function 00007FFD9B8B39FA Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD9B8B3A01

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID: L_^
API String ID: 0-2257155764
Opcode ID: f702c38b8bd98fe47992c38d4a94b82abcf088729ee64e52d79de2ed5ae1d32e
Instruction ID: 6d43b0f6809db1d5c0f3b9a2f76defb543c915ccb5906dc9c03f01b5d7526e32
Opcode Fuzzy Hash: f702c38b8bd98fe47992c38d4a94b82abcf088729ee64e52d79de2ed5ae1d32e
Instruction Fuzzy Hash: 06412A22B0EA6A5EE716ABFCA8650F97BE0FF55361B1405B7C148C70B7D924A1458BC0

Function 00007FFD9B8AC7F3 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

|L_^, xrefs: 00007FFD9B8AC801

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8aa000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID: |L_^
API String ID: 0-3369961972
Opcode ID: d1fd549287316fcf5503f1b16195b65609bb8c42a8fe5fad885e1350b1fbe01b
Instruction ID: 73b84f2f8757122b07b6953618008fc1e4427549ba39b09a2a2e2bc5ed77da12
Opcode Fuzzy Hash: d1fd549287316fcf5503f1b16195b65609bb8c42a8fe5fad885e1350b1fbe01b
Instruction Fuzzy Hash: 1D31E722B0D66B9BEB5A7BACBC294FC7794FF19324F050177D11DCA0E3DE28214186A1

Function 00007FFD9B8AFDAB Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFD9B8AFDB8

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8AF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8af000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3081909835
Opcode ID: 2cea509e0fd721dd17c988c8133ec0a28544fa1948fd199e4126fb3f10751f0c
Instruction ID: 915ed113e27081dcece6cd6295371ef3447ea234c9830f6f61c7d95a99695fe9
Opcode Fuzzy Hash: 2cea509e0fd721dd17c988c8133ec0a28544fa1948fd199e4126fb3f10751f0c
Instruction Fuzzy Hash: E241BA71A15A1D8BEBA8DB188C65BAAB7B1FF58301F5001E9904DE26D1DF346A818F41

Function 00007FFD9B8B32B8 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37343b5b77cd7fc85ea545d8e22c47d873e5e9f6baf2208ccfe96171ab330fce
Instruction ID: a4df5a8ee988b3aba00962192f8ad29ea22610ec46a84c27b1652d804f4d23f1
Opcode Fuzzy Hash: 37343b5b77cd7fc85ea545d8e22c47d873e5e9f6baf2208ccfe96171ab330fce
Instruction Fuzzy Hash: B221B661E0E7DA4FE7529B7488695A97FF0FF16340B0905FBD058C71E7D928A604C782

Function 00007FFD9B8B32C8 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1386a915f5783f2693f11f56f85a021543882aec8aced9bc033b369dbcf6fd
Instruction ID: af11461afc116f362420a906636eb629995fa4a08de34ae8468aecf1d4c4e08a
Opcode Fuzzy Hash: 2e1386a915f5783f2693f11f56f85a021543882aec8aced9bc033b369dbcf6fd
Instruction Fuzzy Hash: 93118161A0F7DA4FE71297B488395A97FB0EF16244F0901FBD4A8CB1E3E9186604D792

Function 00007FFD9B8AD899 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8aa000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ba9abd92e04961a76f9480c84d732d04ac9038111573c8f2f3c02300479912
Instruction ID: f2df6b062104ae3c628822b6d328406e73470f74445866d9a1cff79cfb987b5e
Opcode Fuzzy Hash: 01ba9abd92e04961a76f9480c84d732d04ac9038111573c8f2f3c02300479912
Instruction Fuzzy Hash: 4AE15C71E1965D8FEBA8DB98D8A4BB8B7B1FF58300F4441BAD00DD32E6DA346941CB11

Function 00007FFD9B8B3B25 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79220431ccaddb0ce9fc27a9c520e0d2e54c2d5ae344027e21f52f69ed689a79
Instruction ID: 1e5c18818bfbd492289c854d0ca374c471eb42a9de490778303170b18b431058
Opcode Fuzzy Hash: 79220431ccaddb0ce9fc27a9c520e0d2e54c2d5ae344027e21f52f69ed689a79
Instruction Fuzzy Hash: FBD1B970E1952D9EDBA4EBA8C8657ECB7B1FF59300F5141BAD00DE32A1DB346A848F41

Function 00007FFD9B8A1638 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9715d00298074101e80de4ba1f069b769adf91c4f689754fdc354d1a79e9272a
Instruction ID: 95bad4a525547d566b579acd14bfd55cbf2bb0486542c41aa085e0b297c9fc2e
Opcode Fuzzy Hash: 9715d00298074101e80de4ba1f069b769adf91c4f689754fdc354d1a79e9272a
Instruction Fuzzy Hash: AE81E231B0DA8D4FDB58EF5888605A977E2FF99300B15467EE45DC3296DE34AD02C781

Function 00007FFD9B8A06C0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f39e0c44fd27a62f7f330e67c86a37a819794f794e0f1da2a38b708f403327
Instruction ID: 678f40eec78644cc884d708389a4f538c5a5dade755a08ec372de3553df8625f
Opcode Fuzzy Hash: 99f39e0c44fd27a62f7f330e67c86a37a819794f794e0f1da2a38b708f403327
Instruction Fuzzy Hash: FA614A52B1FAC94FE32557AC7C290B87BA0EF56790B0943FBE09CC60F7EC15A6058295

Function 00007FFD9B8B2900 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e384e355a2af3a47895793c67de18380a7b0a8d21d9d6fcfb563ef751cd894a8
Instruction ID: 5b46afd7f1fcc699fb76e58a7a486ca786a7a097398f62bf28a466b4835145f2
Opcode Fuzzy Hash: e384e355a2af3a47895793c67de18380a7b0a8d21d9d6fcfb563ef751cd894a8
Instruction Fuzzy Hash: C991A670E1952D8EDBA4EFA8D8657ACB7B1FF58300F5141AAD00DE3292DF346A818F50

Function 00007FFD9B8B520D Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67110c9bc1064ca1021f9ba27a66658e90132ecb3893808d2f6606811305090f
Instruction ID: 137809ceccf0fc4b7cb56194d0a67fa910c221c20f1397d8649b8cb986adcc5d
Opcode Fuzzy Hash: 67110c9bc1064ca1021f9ba27a66658e90132ecb3893808d2f6606811305090f
Instruction Fuzzy Hash: A8614171E0991D8FEBA4EBA8D8657ECB7B1FF5D310F40017AD00DD72A2DA3469418B40

Function 00007FFD9B8A1C9D Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3624738febede64af4b89bfe1492b1b1f004bf8892522868917c1b382116a5fe
Instruction ID: fc71a6217ae9346c455a59ab3d48e99e850cd2386b09c7f6063b7aa5a32d88ea
Opcode Fuzzy Hash: 3624738febede64af4b89bfe1492b1b1f004bf8892522868917c1b382116a5fe
Instruction Fuzzy Hash: F751D031B09B8E4FDB58DF5888605AA77E2FF99304B15467ED45AC7292DE34E802C781

Function 00007FFD9B8B5220 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 017bd0c2dd4a8bb48485a09454504b8bf0fc68084961b9d9ceef4ba436b67a6e
Instruction ID: 4d902f1455d8e2d8b7705fd8154f3cf0f4d89b2594891eeece6e5fb5f24ddf66
Opcode Fuzzy Hash: 017bd0c2dd4a8bb48485a09454504b8bf0fc68084961b9d9ceef4ba436b67a6e
Instruction Fuzzy Hash: 85512F71E0991D8FEFA4EBA8D8A5BECB7F1FF59300F40006AD00DE7295DA7469458B40

Function 00007FFD9B8ABFEA Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8aa000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3ff2c28f93ae2a4058f42f50aad8790e455fbaad39d681a5d08e8ee628efca
Instruction ID: fbdca8857f9a46eae83689f6794649f605924b6b3477124f7cd04cbfaf6fa0b2
Opcode Fuzzy Hash: 1a3ff2c28f93ae2a4058f42f50aad8790e455fbaad39d681a5d08e8ee628efca
Instruction Fuzzy Hash: FC51DE70E0951D8FEBA4EBA8C8696FDB7F5EF58300F51017AD01DE72A1DE386A418B50

Function 00007FFD9B8A3135 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0c6cdd0b777a2823192c00d00be403246f6574f80c69f8746d18f8a30707a6
Instruction ID: 6ef14d7f14a26e983f10674a8aecd85d1914ec7daa9e00f83a6936fceaf06853
Opcode Fuzzy Hash: 8d0c6cdd0b777a2823192c00d00be403246f6574f80c69f8746d18f8a30707a6
Instruction Fuzzy Hash: 7B514C70E0A61E8FEB64DF94C4646ECBBB1FF58301F51017AD009E72A5DB386A44CB60

Function 00007FFD9B8B2AAF Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f459f3cfd0624f9db3ec20d1c346f2ab0a146a947e7820aefc8c3568524702
Instruction ID: 576629854399840d91b5721c219e452bf9bd83e1f423b1dcbb8ff9684d895497
Opcode Fuzzy Hash: 26f459f3cfd0624f9db3ec20d1c346f2ab0a146a947e7820aefc8c3568524702
Instruction Fuzzy Hash: 86418470E0951D8EDBA4EFA8C8697ECB7F1EB58301F5141AAD40DE32A1DE346A858F50

Function 00007FFD9B8AF58F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8AF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8af000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a399680fe2c7f962cec0e46ee7b07a85ca467917364769c756f9ebdb38e0d3
Instruction ID: faac1004544d202218d87d82d88066838c06caa9c5c1a9cf31c94b93b7282bc8
Opcode Fuzzy Hash: a8a399680fe2c7f962cec0e46ee7b07a85ca467917364769c756f9ebdb38e0d3
Instruction Fuzzy Hash: DF31C971A15A1D8FDBA8DB188C65BAAB3B1FF58301F5001EA904DE36D6DF3469818F40

Function 00007FFD9B8AAD48 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8aa000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc52b3babf4e95de51797a9844b6beac8c19e06c0dc8cdc7a2810f20997d850c
Instruction ID: 0402e698e25901366d431c1544b1ca44f4803767cb4ad7a6b69f96897724f90d
Opcode Fuzzy Hash: dc52b3babf4e95de51797a9844b6beac8c19e06c0dc8cdc7a2810f20997d850c
Instruction Fuzzy Hash: A031F821E0E94F6FE762ABB8C8281F97BE0FF18351F05857AD098D24A6EE34B5048350

Function 00007FFD9B8AC0B6 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8aa000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351a1f5acde99adcdc321a718aa35185211a8ef1ac94d48f655252595a8279e1
Instruction ID: b9eb10cc7f806cc4ef65a75239a2a8de58a040b4162e30f76583aab40f6c9b96
Opcode Fuzzy Hash: 351a1f5acde99adcdc321a718aa35185211a8ef1ac94d48f655252595a8279e1
Instruction Fuzzy Hash: 6231BA70F1991D9FEBA4EB9888A5AFCBBB5FF58340F511039D00DE7292DE3869418B10

Function 00007FFD9B8A0805 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71150ad5de046c09c505f79fc069826398ce2e1d4d36b6f4421f68c4899d635
Instruction ID: 8888e3b32672b6648e9d3d8ace1c53b4a52a42818e3364744540097d7472e44c
Opcode Fuzzy Hash: a71150ad5de046c09c505f79fc069826398ce2e1d4d36b6f4421f68c4899d635
Instruction Fuzzy Hash: 5021A952F1F58A97E72527BC9C7A4E8BB90FF01658B0942B7D0ACC90D3ED08A10AC2D4

Function 00007FFD9B8B7545 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd72b4d52bbc8ab0cb7d8892c2e71c0cc56f9db72d7368c0e9581516e43f7e0a
Instruction ID: 15906fcbe234b8c9da5bb6b8a1e255c647e923e65bde5ba8d852722b3d872ad2
Opcode Fuzzy Hash: fd72b4d52bbc8ab0cb7d8892c2e71c0cc56f9db72d7368c0e9581516e43f7e0a
Instruction Fuzzy Hash: B921FD34A0EB1E8FEB75ABB4C464AFD77E0EF09314F11047AC41AC21E5EE28A5448A81

Function 00007FFD9B8B6E1D Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb1e1bdba25634e9173b1312747bc6fc2fe6695b7a99058561a281d240b42c3
Instruction ID: 6c4ec79bf0a02e891a00fc68deda7b444c3fd4e569f8699c3c7510317b953292
Opcode Fuzzy Hash: 8bb1e1bdba25634e9173b1312747bc6fc2fe6695b7a99058561a281d240b42c3
Instruction Fuzzy Hash: 0B21F3B0A0E64E4BEB689F74C8762B97BA0FF19300F1600BED41DC20E2DE35A5448B81

Function 00007FFD9B8B7351 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e27b0ddf7242e8a48b409787d0430dcbd2f6337249613a55f2c3365601fe31
Instruction ID: ca3547ccb2063400fe98f40607b256d6e885b5e1008a1e2e358608ed56ecb1e6
Opcode Fuzzy Hash: 50e27b0ddf7242e8a48b409787d0430dcbd2f6337249613a55f2c3365601fe31
Instruction Fuzzy Hash: 3A213035F0E65E8EEB61EBB888585FD7BE4FF1D301F410576D819D31A5DA38A2408B90

Function 00007FFD9B8A3268 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ef9001392969b2ae7acd399b4de49180a2339c70c76b21961289fd6a55f993
Instruction ID: 2259b6fc759af187716bd5c7eec668d9a074e9c2a277c05d08710ee67e764363
Opcode Fuzzy Hash: 29ef9001392969b2ae7acd399b4de49180a2339c70c76b21961289fd6a55f993
Instruction Fuzzy Hash: 0621F670E0951E8FEB64EF98C8A4AECB7F1FF58302F150139D009E72A5DA386945CB20

Function 00007FFD9B8A33D1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbe1fc200f0886a3d6c3f549b1338228e99d5f323a6143a354422df6e0109d7
Instruction ID: 7f7f3684fccdedc05d2b48f62abec894aff74ac3eb18f14460829f24c2d8d751
Opcode Fuzzy Hash: 1fbe1fc200f0886a3d6c3f549b1338228e99d5f323a6143a354422df6e0109d7
Instruction Fuzzy Hash: 2B213D30A0A94E8FEB65EBA488696BD77A0FF18304F11057AD42DC71A1DF35A640D750

Function 00007FFD9B8A3330 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6b61fddc824c501817a25991b2895e43cb245667dc087d4adc2cf341c44fbe
Instruction ID: a394cca4f25e1a85d5d071d963e2598d3f4aeb27bafccd2d498370ac81d029bc
Opcode Fuzzy Hash: 1b6b61fddc824c501817a25991b2895e43cb245667dc087d4adc2cf341c44fbe
Instruction Fuzzy Hash: 1921D23094E68E8FE742ABB488685A97FF0FF4B300B0544EAD449CB1B2DA389546C721

Function 00007FFD9B8B7AFD Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07e26d494e17eb09749e323a7f50f7c3e314b9d4d5b3e82233528d0458a88d3
Instruction ID: 8781470b2cf1e002f92a94aed7e77d4828903d28767e9351dc0fdc3e59c529b1
Opcode Fuzzy Hash: b07e26d494e17eb09749e323a7f50f7c3e314b9d4d5b3e82233528d0458a88d3
Instruction Fuzzy Hash: C6219234A4A64E8FDB69AF74C8655FE3BA0FF09304F0214BAD41DC20E6DE34A650CA81

Function 00007FFD9B8A0A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02d49d35b25c56e621fe2a29bb80bf68a1fcf4bafc83f379b56195090ecc2f7
Instruction ID: 1dac52f5dee10289c272c5760962e6844bf5ad3c72871a2d72cf068d89f527f0
Opcode Fuzzy Hash: f02d49d35b25c56e621fe2a29bb80bf68a1fcf4bafc83f379b56195090ecc2f7
Instruction Fuzzy Hash: 5811B230E2A50E4FE790EBA888695BD77E1FF58700F4146B6D01CC70A6EE34B6448750

Function 00007FFD9B8A0F28 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3b9ae0413783103f26370ac0a8129400baf1616003827cad1a5c8c92affe92
Instruction ID: 48bf613ac9981c206566afad3976c2b9a0604179fa37efde46d0fcb919fdcba7
Opcode Fuzzy Hash: 0e3b9ae0413783103f26370ac0a8129400baf1616003827cad1a5c8c92affe92
Instruction Fuzzy Hash: C6213D31E1A51D8BEB64EBA4C864AED73B5FF48300F1141B9D00DA72A6DE38AA45CB50

Function 00007FFD9B8B4649 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f84cd82c0cf53dfbaae6bddc047746eb8fa673dc146638e289e583e899a706
Instruction ID: 6fd7adeb60d9350af5373dedafa2f2eddccf4badfcac17a24e74a5bb02014e6f
Opcode Fuzzy Hash: e6f84cd82c0cf53dfbaae6bddc047746eb8fa673dc146638e289e583e899a706
Instruction Fuzzy Hash: 0F21C330A0AA5E8FEB59DF64C46A1BD3BB0FF19301F0501BFD419C71A2DA346540CB81

Function 00007FFD9B8B6C41 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb2b5bc781c19af52b78a0c51cf32a513a9cba4ee102909deec071bfaf82e8c
Instruction ID: 6c5481afdc1717589a76c3641f38bbb9a11509c5a7dfe1c1468b09b384bdfb82
Opcode Fuzzy Hash: dcb2b5bc781c19af52b78a0c51cf32a513a9cba4ee102909deec071bfaf82e8c
Instruction Fuzzy Hash: 0111A570A0964E8FDB98DF6884751BD7BA0FF68301F01057ED41DC21A6DA35A544CB80

Function 00007FFD9B8B23F1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c81e7412d912376e4fe1e659f12f68bc891515f41ab14b9704b21a312c0380a
Instruction ID: f0758aa8cf12a00fd2ca3fc4f783a0c5077de1fd45a4f40e35b237dc1d6b16ee
Opcode Fuzzy Hash: 7c81e7412d912376e4fe1e659f12f68bc891515f41ab14b9704b21a312c0380a
Instruction Fuzzy Hash: 08116730A1964D8FDB58DF68C4A55E93BA1FF58304F02027EE84AC2695CA34A650CB80

Function 00007FFD9B8B4C05 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d4176c95925f9b875636bc67cfa6ba97fb2a4eb87b8c8c92d836d075273f49
Instruction ID: 24ef7be101b6cc2226d221235853a1513a161a9eca4e653cec69edcf4446726b
Opcode Fuzzy Hash: 85d4176c95925f9b875636bc67cfa6ba97fb2a4eb87b8c8c92d836d075273f49
Instruction Fuzzy Hash: 1111E631A0EA8D4BEB59DBB488761B83BA0EF18704F0901BED01DC21E2DE356540CA41

Function 00007FFD9B8B46E5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6671f2825af8f4da0a3817cba06d0526dc21a173df80ed6f83686de412a0f34
Instruction ID: 8df6caef02a9287c158d974a5d89be803cde2e00703aabfd1c3246469cfc2449
Opcode Fuzzy Hash: f6671f2825af8f4da0a3817cba06d0526dc21a173df80ed6f83686de412a0f34
Instruction Fuzzy Hash: CA11A230A0964E8FEB58EF68C46A2BD7BE0FF59301F0505BED41DC21A2DB356540CB80

Function 00007FFD9B8B4F79 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b990e3926a231dcdcc186a98136143f211d9f78165a288130e0e8aee0985082
Instruction ID: ab32eaa72f1f2be086523d0276cfe28acb1f28892c48d5b1077b77cee7524c69
Opcode Fuzzy Hash: 9b990e3926a231dcdcc186a98136143f211d9f78165a288130e0e8aee0985082
Instruction Fuzzy Hash: 8D118130A0A69E4FEB55EB64886A6B97BF0FF19300F0505BFD419C72A2DA356544CB81

Function 00007FFD9B8B6D85 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26aa29a8a97e622c12ce22b0891eccd8a7b27133e27c5db21d5b3eb231388c81
Instruction ID: d47e534a24283bbfa72fde8fb7da735ebab6c4d389c55d85ddd1bb11fceb1aae
Opcode Fuzzy Hash: 26aa29a8a97e622c12ce22b0891eccd8a7b27133e27c5db21d5b3eb231388c81
Instruction Fuzzy Hash: 40110871A0EA4D4BEB699F6488751B8BBE0FF19300F0904BED41DC60F2DE26A504C741

Function 00007FFD9B8B27D1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09bc77b163352188940b891862636afcf7c726fa7dff9887783ac10b6ecc7918
Instruction ID: f8dba8c69a05ecbd0af74f560f073e3fe81bbae6e94adcccecd8800ec5e1034a
Opcode Fuzzy Hash: 09bc77b163352188940b891862636afcf7c726fa7dff9887783ac10b6ecc7918
Instruction Fuzzy Hash: BC11A530A1A56E8EE752EBB488585F97FE0FF0D301F0145B6D418C70A6EA349244CB81

Function 00007FFD9B8B6CFA Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e605836f0633ffa6693a8798d144c2c179bc655f06ebda2970c8c439f80cd08e
Instruction ID: de99a731f332a372c135db5691d182eadd08bc59aa88f78cd2299e05a70171ab
Opcode Fuzzy Hash: e605836f0633ffa6693a8798d144c2c179bc655f06ebda2970c8c439f80cd08e
Instruction Fuzzy Hash: 0D11B270A09A1E8EEBA8EF68C4656BD7BE0FF18301F04057ED41DC21A5DE35A640CB80

Function 00007FFD9B8AC880 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8aa000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5e625a13cf2f27bd5f5344af31f46d28d3c441a588808f7f3ccfcdbc4373e4
Instruction ID: 93b282f3eb4a0cfcc708c08fec9ea9b2506de6350c6b056add4ab893a33cfb58
Opcode Fuzzy Hash: cd5e625a13cf2f27bd5f5344af31f46d28d3c441a588808f7f3ccfcdbc4373e4
Instruction Fuzzy Hash: 08116D30A0A64E9EEB5AEF6888685F97BA0FF09304F0105BBD419C61A6DA38A540CB50

Function 00007FFD9B8A11BD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bcf809e4581afe88099f66aa8a7a759dd04d66de57212a81d051866506cc4df
Instruction ID: 152186f0a42d0324c484139bcb78b387be3b5426517bb33c739677cd26d39b8a
Opcode Fuzzy Hash: 1bcf809e4581afe88099f66aa8a7a759dd04d66de57212a81d051866506cc4df
Instruction Fuzzy Hash: FB11B230A0A64E4EEBA5EBA4C4796B97BE0FF5A305F0504BED41EC60E2DE289540C710

Function 00007FFD9B8ABB75 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8aa000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec3706b059c914c39e7f5ad91360aebd115af6e3f020031cf7118baadae2c51b
Instruction ID: 428f3cd07c0564c562c9a609b3476f9a3120dc780f2021563300436c240afe34
Opcode Fuzzy Hash: ec3706b059c914c39e7f5ad91360aebd115af6e3f020031cf7118baadae2c51b
Instruction Fuzzy Hash: F6117C30A0A64E8FEB99EFA4C8682B97BA0FF18305F4109BED419C65E5DA34A641C710

Function 00007FFD9B8B6019 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41abc1457157181a28da9da5c51225a03e411249421765a48475e8da9578f396
Instruction ID: b843da86f25e6fcede2b82ea349e5a0c8a59aa9a455868916cd1fca3957e7efe
Opcode Fuzzy Hash: 41abc1457157181a28da9da5c51225a03e411249421765a48475e8da9578f396
Instruction Fuzzy Hash: 9E11A770E0E65E4FEB51EBB488695A9BBF0FF19300F0505B6D41CC70A2EE34E6458B41

Function 00007FFD9B8B4EED Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3679557ad2e60a8fcc02afca5597a97d6701ba6ecd0dfe2d3778fecb90fcf2b9
Instruction ID: eb8cf08492e7bd5bc3bd08d210785afaa5e13d7c90d79d97c36dd3266b3cfa53
Opcode Fuzzy Hash: 3679557ad2e60a8fcc02afca5597a97d6701ba6ecd0dfe2d3778fecb90fcf2b9
Instruction Fuzzy Hash: 08119430A0955E4FEB54DF64886A6B977E0FF18304F0505BED41DC71E6DE24A6408B81

Function 00007FFD9B8B4D2D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8567f3b0cadd918c875217b575834f6f72910e467b7d0b0a0cf6116c8724a3cf
Instruction ID: 24a9c5627c1865da7f9616fbbe34daec7627489979359998dcaac0fc16d15150
Opcode Fuzzy Hash: 8567f3b0cadd918c875217b575834f6f72910e467b7d0b0a0cf6116c8724a3cf
Instruction Fuzzy Hash: 00116030A4965E4FFB55DFA8886A6B97BE0FF18300F0905BED419C61A6DA35A5408B41

Function 00007FFD9B8A21D1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 124c086bcc3f8429479d54dfe1c1f20c6efa4564d11e5c295cee07bae6ed2bcf
Instruction ID: 12538355ed02bcffb3d87540217941f21087fbcc2203a022e33630861531fe40
Opcode Fuzzy Hash: 124c086bcc3f8429479d54dfe1c1f20c6efa4564d11e5c295cee07bae6ed2bcf
Instruction Fuzzy Hash: 22019631A4E54E4FE761EFB488695A87BE0EF0A300F0245B6D408C70A6DE38E680C711

Function 00007FFD9B8B2604 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572b3e1988ac7c90dcedb12372c38eea01ac8759f00f2e6090994060a2091289
Instruction ID: 2a1f306a066cb991dfc046057e4dc47d70bc00bbd927a868b9c451f52a96623f
Opcode Fuzzy Hash: 572b3e1988ac7c90dcedb12372c38eea01ac8759f00f2e6090994060a2091289
Instruction Fuzzy Hash: D4110230A4A25E4EDB69DFB4C4655F93BA0EF1A304F1200BED019C70E2DA29A642CB81

Function 00007FFD9B8A34C5 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11aa1667005850a1854662fec9f509ae161460e0cd1e13e02fde379fd67ef3bb
Instruction ID: ab3decae7baa057e2b09cace9a4a3caea48320b2e39efd4aedf80c7822c10a08
Opcode Fuzzy Hash: 11aa1667005850a1854662fec9f509ae161460e0cd1e13e02fde379fd67ef3bb
Instruction Fuzzy Hash: 6F113070A0A64E8FDB55EFA8C8696BD7BE0FF19300F0105BED419C65A2DA35A5448710

Function 00007FFD9B8A2E51 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b391c15e40500f9c3d3f9166e6ebd65e72af27ae169fe5f03ba81aa81d37c028
Instruction ID: e259cecb3e157f5725ea30490a2c8fff1fccfc568b70f8b735babec105f93983
Opcode Fuzzy Hash: b391c15e40500f9c3d3f9166e6ebd65e72af27ae169fe5f03ba81aa81d37c028
Instruction Fuzzy Hash: C4018430E1E64E8FE761EFA488A85A97BE0FF19300F0245B6D40CC71A7EB34E5948711

Function 00007FFD9B8A05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16a658bd7dde50d7f036faf0d1ea0a92cd8f55baac1c21a2ea7d060b01dfd47
Instruction ID: 8425a18b5a6d5c1306b106213985d314b576ed0a2c6dc4ec9fac1af0c3ab60c6
Opcode Fuzzy Hash: a16a658bd7dde50d7f036faf0d1ea0a92cd8f55baac1c21a2ea7d060b01dfd47
Instruction Fuzzy Hash: EF019E30A0A50E8FEB58EF64C0646B977A1FF6A304F51007ED41EC21A5CA35A650CB50

Function 00007FFD9B8ABF6A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8aa000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b9787201b19a3ea21009d8eaaa931412abe4884b5da01595b355af360b0293
Instruction ID: 2a8c4c463ec0589e8b9adad9e90a577751e3c6c6b093e98dde32bdc399240189
Opcode Fuzzy Hash: 18b9787201b19a3ea21009d8eaaa931412abe4884b5da01595b355af360b0293
Instruction Fuzzy Hash: 3D015E30A0A94E9FEB95EF68C8686BD7BE0FF18304F15097ED81DC21A5DE35A650CB50

Function 00007FFD9B8A282D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8621763e1fccb9be8ee3f2e950125919cb5718bc7397d66e7d3526f42a5f358b
Instruction ID: 0d22346dbe54c15dc4e02549633f015a3d59e039d50a69f50c998e67fb143e5a
Opcode Fuzzy Hash: 8621763e1fccb9be8ee3f2e950125919cb5718bc7397d66e7d3526f42a5f358b
Instruction Fuzzy Hash: 4A018430E1A54E8FE761EFA489585A9BBE0FF1D300F0245B6E418C70A6EE38E244C750

Function 00007FFD9B8B2285 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372daebc37f5152b5be2e3d7fec66df4d1d24babb850548942f2f2e940e363f1
Instruction ID: 8cefab8cd2c30c94e91d0f8cdbea6917f4143e72cc55bd79f56ce8269054edde
Opcode Fuzzy Hash: 372daebc37f5152b5be2e3d7fec66df4d1d24babb850548942f2f2e940e363f1
Instruction Fuzzy Hash: F2017530A0A54E4FDB59EFB4C4695B9BBE0FF19304F0604BED419C60E6DA75A544CB41

Function 00007FFD9B8B74D9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6479288db9299ae9f2efbedcd03645fea3a8ecb301533ac7135ce9b4c5e20a74
Instruction ID: a7ec13b1288736a1d2c9a6173b9056a9cf818de9388d8053366c1f10c09259f9
Opcode Fuzzy Hash: 6479288db9299ae9f2efbedcd03645fea3a8ecb301533ac7135ce9b4c5e20a74
Instruction Fuzzy Hash: 9901B530A0E75E4FE752AB7488689A93BE0FF09300F0604F6D418C70B6EA28E5448741

Function 00007FFD9B8B7A89 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663c7c9c90e6ffe5916785a33cfdc7198ea752174d74144ff698ba2c036c5a70
Instruction ID: 1b9c9dbd18f16583b14c6743d3a58b8c1c3b50d071bb855543a41f447694d268
Opcode Fuzzy Hash: 663c7c9c90e6ffe5916785a33cfdc7198ea752174d74144ff698ba2c036c5a70
Instruction Fuzzy Hash: B201D630A0A78D4FD795EB74C8685B93BE0EF0A304F0604FEC009C60E2DA349644C741

Function 00007FFD9B8A2EC9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59ce917d5ee1b79b03b49a1764b6d5c741ad16be1e989f281fb53fba937884f
Instruction ID: 45c9e22747b00fee4c917e2f86422403f429c64ded80a42e495f745d4bddd813
Opcode Fuzzy Hash: c59ce917d5ee1b79b03b49a1764b6d5c741ad16be1e989f281fb53fba937884f
Instruction Fuzzy Hash: 45018430A1E64E4FE762EBB489695A97BE0EF4A300F4605F7D408CB0B6DA38A544C711

Function 00007FFD9B8AA919 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8aa000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a89d8610e02d5d42719ba838498590c9c7f11654b9405f74b92ac696c0970f
Instruction ID: d891c4963b364d97f6f45202739778754d131aac61f4c17408864c820c360d2d
Opcode Fuzzy Hash: c7a89d8610e02d5d42719ba838498590c9c7f11654b9405f74b92ac696c0970f
Instruction Fuzzy Hash: E2014430A5E64E5FE762AB7488996A97BF0EF0A304F0749F2D41CC74B6DE38A544C721

Function 00007FFD9B8A0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420603b43faf66d2473e3fe587a9d411b545fa02f737168ae0c619f201905d99
Instruction ID: 9746e323cb3abbc38f08c20a93b61245972003c7011afba51c976345fbb64d35
Opcode Fuzzy Hash: 420603b43faf66d2473e3fe587a9d411b545fa02f737168ae0c619f201905d99
Instruction Fuzzy Hash: 5B018130A1950E8AEB68EFA4C5696B977E0FF1C305F11087EE41EC21E5DF35B690CA11

Function 00007FFD9B8A0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b2cab9a866e810e2305bf12b556bdd8f92187d3cdf53c81290fe1ee07ff2fb
Instruction ID: efe334a1ac8c74e12d76f941783e76cbfaefe26f6a3bf4351876009d2ee50c4d
Opcode Fuzzy Hash: 72b2cab9a866e810e2305bf12b556bdd8f92187d3cdf53c81290fe1ee07ff2fb
Instruction Fuzzy Hash: 86016D30A1550EDAEB69EFA4C5686B976A0FF1C305F51087ED41EC21E5DE35B690CA10

Function 00007FFD9B8A11D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ea9d41b8d4b3f8acf2166e2b59a35d6988ad4713b42c5171d891ccdddc8533
Instruction ID: 6d894c14f4014adacf4036812e0ecfcd0381f96fa6a0ddffe842f29ee19c1428
Opcode Fuzzy Hash: 52ea9d41b8d4b3f8acf2166e2b59a35d6988ad4713b42c5171d891ccdddc8533
Instruction Fuzzy Hash: EEF0A430E1A54E4AEFA4ABA488782FA77E4FF5A305F01143AE41DC20E1DE645650C611

Function 00007FFD9B8A1C1D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaceb19111d426e003e8f4d08074c319ca8db64785e5d4cc2eb89bbf54055d51
Instruction ID: 4914cbafb1686f0657e3103b5b7db6c2e22e7c5d47b419bc68c3020e320a9be6
Opcode Fuzzy Hash: eaceb19111d426e003e8f4d08074c319ca8db64785e5d4cc2eb89bbf54055d51
Instruction Fuzzy Hash: F4018630A4A64E8FDB65EF64C4656B97BA1FF5A300F4510BED40CC61A1DA759650C740

Function 00007FFD9B8A05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49116d159186173196ffe179f1fbe5738d256ed80d376fab8a221de4dc0b11a
Instruction ID: 63ea2133509e46c7c915ecfc7736c44890dadebef5da37a159c5ba3ad6eac56e
Opcode Fuzzy Hash: a49116d159186173196ffe179f1fbe5738d256ed80d376fab8a221de4dc0b11a
Instruction Fuzzy Hash: 5BF0C230A0A61E8FEB68EF6494256FA77A4EF1A308F41007AE80DC20A1CA39A650C740

Function 00007FFD9B8AA985 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8aa000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb0e7856b25cfa828a118f240eb132d36eecb8b651bc3ce0919a11be9097cb7
Instruction ID: dc5a3d67deb4dade821f0878967d19d9b76f6757cbe323212867351a24536efc
Opcode Fuzzy Hash: 5eb0e7856b25cfa828a118f240eb132d36eecb8b651bc3ce0919a11be9097cb7
Instruction Fuzzy Hash: 4AF0AF7564A3868FC316DBA8ACE15993770EF4630870E94E3C568CE4A3FB2854098761

Function 00007FFD9B8A2749 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5e1e2258b29bf8de4ceaa0af333c035cb8fbedb5cb740c0bd0d9d09140db39
Instruction ID: 4bf7424194c4b1d5c19344312717ece5802b04af6756122c54b2e6f6bc02c89a
Opcode Fuzzy Hash: ac5e1e2258b29bf8de4ceaa0af333c035cb8fbedb5cb740c0bd0d9d09140db39
Instruction Fuzzy Hash: 63F0F63090E38E8FDB2A9F6488642E93B70FF06304F4604FAD809C60E6DB38A654CB11

Function 00007FFD9B8A27BD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28e20250c55289532d1bcb9923e09e1a12809e23bcf2b0cebf7664d2003b72b8
Instruction ID: 953563ecbaf28355e591ec01b9335d833e2ec53f6048e945a8ef692b33253dfb
Opcode Fuzzy Hash: 28e20250c55289532d1bcb9923e09e1a12809e23bcf2b0cebf7664d2003b72b8
Instruction Fuzzy Hash: DBF0F63090E68D8FDB699FA088251A93BA0FF09304F0104BED409C10E5DB79A654C711

Function 00007FFD9B8AA998 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8aa000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d3a1652bd5a831a33afb0831da53712b42f52fd326763e753441b54e22effec
Instruction ID: 2673cebedf10db1091a531238ca10b229ed045cccf4a5dd8a48438f342bf16e7
Opcode Fuzzy Hash: 6d3a1652bd5a831a33afb0831da53712b42f52fd326763e753441b54e22effec
Instruction Fuzzy Hash: F0F0823564920A9AD715EBE8A8E14E933A0EF4431CB0998B2D57C8A592FB6960058660

Function 00007FFD9B8A23D1 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8a0000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a595e47ea79d3374fba1493c203210123446cb77be6a39dc34f069baa127a0
Instruction ID: 509a85c5269397367b441b4cee18e7690b724bf7d2dc7931e27e4cfab79dcf86
Opcode Fuzzy Hash: a3a595e47ea79d3374fba1493c203210123446cb77be6a39dc34f069baa127a0
Instruction Fuzzy Hash: 81F0DA70A5961E8EEB74EF90C8557ACB2A1FB58314F1141B9C00ED62A1CF782A848F10

Function 00007FFD9B8AB76E Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8aa000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96aa0a98d025cdde975b3092b603220cbba7f51d6fbca84f773f688b7cbb5c99
Instruction ID: 82e9c2aa04c31e4cbcacdde9391c17658c9c3de5897b6e0507cca542329eae18
Opcode Fuzzy Hash: 96aa0a98d025cdde975b3092b603220cbba7f51d6fbca84f773f688b7cbb5c99
Instruction Fuzzy Hash: 3BD09230A1991E8EEBA4EB54C890EE9B378EB18300F1052F1800D9219ADE34AAC18B80

Non-executed Functions

Function 00007FFD9B8B1148 Relevance: 5.1, Strings: 4, Instructions: 75COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B8B165B
[, xrefs: 00007FFD9B8B10F9
}, xrefs: 00007FFD9B8B11F1
*, xrefs: 00007FFD9B8B1106

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID: *$/$[$}
API String ID: 0-3119010630
Opcode ID: e810a8749cfd9ec1a089103b49380ed1a14602e41d8ea624d85138a26a769670
Instruction ID: 3133764fa9798f17e3cb1563f2cab07f74e9af9f7cf45979d4a8174e25b6b2d3
Opcode Fuzzy Hash: e810a8749cfd9ec1a089103b49380ed1a14602e41d8ea624d85138a26a769670
Instruction Fuzzy Hash: F7311D70D1522E8FEB68DF94C8A4BF9B7B1BB58301F1005B9D04D9B291DB385A84DF50

Function 00007FFD9B8B10E5 Relevance: 5.0, Strings: 4, Instructions: 38COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B8B165B
[, xrefs: 00007FFD9B8B10F9
&, xrefs: 00007FFD9B8B1953
*, xrefs: 00007FFD9B8B1106

Memory Dump Source

Source File: 0000001D.00000002.1794831323.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b8b1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID: &$*$/$[
API String ID: 0-928903987
Opcode ID: 0279422f43836351d6de7e868c3757276c0a5cf099b2289123cd53377214c0e0
Instruction ID: 732c9e7a5a07d1b5612880ac957dfca070ea016d5a058dd12cfaf51c51a14772
Opcode Fuzzy Hash: 0279422f43836351d6de7e868c3757276c0a5cf099b2289123cd53377214c0e0
Instruction Fuzzy Hash: 56113070E0522DCFEB28DF90C4A07E9B7B1AF59311F15447DD0499B290CB781684CF54

Analysis Process: hKONDisxvRbjdh.exePID: 7944, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B893545 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

X_H, xrefs: 00007FFD9B8935CD

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID: X_H
API String ID: 0-215283271
Opcode ID: b2cca6a8a36c5fc4af54330d7da53cc8fb27bbae7ec872991bd82dc89a9a450f
Instruction ID: 079326a29eeb1dbbefceee45e83da7d012464f95b0c8171ee7814b812627651b
Opcode Fuzzy Hash: b2cca6a8a36c5fc4af54330d7da53cc8fb27bbae7ec872991bd82dc89a9a450f
Instruction Fuzzy Hash: FAA1C071A1994E8FEB98DB68D8657ADBFE1FF59310F4101BAD00DD72DADB7828018B01

Function 00007FFD9B8A125B Relevance: 3.8, Strings: 3, Instructions: 75COMMON

Download Yara Rule

Strings

", xrefs: 00007FFD9B8A1292
/, xrefs: 00007FFD9B8A165B
., xrefs: 00007FFD9B8A19BE

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID: "$.$/
API String ID: 0-983106565
Opcode ID: 7cf052e9873f25b1177c294df4a9f89cdd47884ffb52b5c6f31f2c7a276bc04e
Instruction ID: 51c41b3936cc0937409d4fef7c3a33c6e19690bf4e0936b9550884f7fa3e0496
Opcode Fuzzy Hash: 7cf052e9873f25b1177c294df4a9f89cdd47884ffb52b5c6f31f2c7a276bc04e
Instruction Fuzzy Hash: 5731E770E0522DCFEB64EF94C894BEDBBB1AB59311F1500BAD04DA7291CA785A84CF10

Function 00007FFD9B8A141D Relevance: 2.5, Strings: 2, Instructions: 27COMMON

Download Yara Rule

Strings

%, xrefs: 00007FFD9B8A16A3
/, xrefs: 00007FFD9B8A165B

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID: %$/
API String ID: 0-2617147878
Opcode ID: e1f446ee9a0443b8dc3a54bdf706b67649dc87734a3701507ffd30f97b700815
Instruction ID: 0a0ff433275ba7fc31295de548ee657b6faedbbf5302298c46a523502f6738ff
Opcode Fuzzy Hash: e1f446ee9a0443b8dc3a54bdf706b67649dc87734a3701507ffd30f97b700815
Instruction Fuzzy Hash: B5F0893590860DCBEF28EF80C990AEDB7B1EB15310F151139C009DB2E0CB785684CF44

Function 00007FFD9B8A57D3 Relevance: 1.9, Strings: 1, Instructions: 657COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD9B8A5801

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID: L_^
API String ID: 0-3811526842
Opcode ID: 2b4cebf2523cb78286495cd01929f7a2f93883ff5d8cb96a4c6dadd6bc54e16a
Instruction ID: 4c78359c2db7db2cc3cb1d2f4509a98bdf200273c1300907ac96811e308bdfcc
Opcode Fuzzy Hash: 2b4cebf2523cb78286495cd01929f7a2f93883ff5d8cb96a4c6dadd6bc54e16a
Instruction Fuzzy Hash: 88F13832B0DA4E0FDB99DB6CA8A55F537D1EF9831470501BBD04DC71E7EE28A9868380

Function 00007FFD9B8A39FA Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFD9B8A3A01

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID: M_^
API String ID: 0-2269846659
Opcode ID: 7ad818d86214c77cea5d19082c698cf92cd8336dd5d6965f191c80631531e935
Instruction ID: 635363d83c97ea4e7f3830675979763dec54f5b3af383053ffd459484de0ea8a
Opcode Fuzzy Hash: 7ad818d86214c77cea5d19082c698cf92cd8336dd5d6965f191c80631531e935
Instruction Fuzzy Hash: A9413D23B0E9AE5FE715BBACA8690FE7BE0EF56321F0402B7D548CB093DD24A1458750

Function 00007FFD9B89FDAB Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFD9B89FDB8

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B89F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b89f000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3081909835
Opcode ID: 68fbbf3c4cd7e423caeab3f7764d08196d0eb4c1c71685b9c4362c4f67cc11f5
Instruction ID: db107d1712958515c8f9ab563041e01def65c44f1c16c288b3b0722820089120
Opcode Fuzzy Hash: 68fbbf3c4cd7e423caeab3f7764d08196d0eb4c1c71685b9c4362c4f67cc11f5
Instruction Fuzzy Hash: D241CB71A15A1D8FEBA8DB188C65BA9B7B1FF58301F5001EAD44DE32D5DF346A818F40

Function 00007FFD9B89C7F3 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

|M_^, xrefs: 00007FFD9B89C801

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b89a000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID: |M_^
API String ID: 0-3374310339
Opcode ID: 0e15451ceb59180ffa395d839ce4a7f248f0f062dcb03b8a347d8734d176ad78
Instruction ID: 9515762de944b785b45c47051ec9d01aa64394b4d6852c2a9d661cc50d88693b
Opcode Fuzzy Hash: 0e15451ceb59180ffa395d839ce4a7f248f0f062dcb03b8a347d8734d176ad78
Instruction Fuzzy Hash: 2A31C722B0D66A5AEB1A7BA8B82D4F83B50EF0A324F0505B7D01DCA0E7DE6925419A51

Function 00007FFD9B8A32B8 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da1871628947bea1f6897bc2b252fd553b579e7861102b37b41d7e2157c22eb
Instruction ID: 490ebfcd2532b18367a76834afd6697125f8b21f275c752784cbfdf4d79cb93e
Opcode Fuzzy Hash: 8da1871628947bea1f6897bc2b252fd553b579e7861102b37b41d7e2157c22eb
Instruction Fuzzy Hash: 1421A561A0F6CA4FE7529B7888695A97FF0FF16300B0905FBD498C71A7D924A508C352

Function 00007FFD9B8A32C8 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b76fc091ee0eadc437a1ec3fd5b47934fb86a2d37ee954e58022b23acb5686a
Instruction ID: 03c725999d7acbf3c5c4f8443c28db7ebef4135241e87b433ae1606754626caf
Opcode Fuzzy Hash: 8b76fc091ee0eadc437a1ec3fd5b47934fb86a2d37ee954e58022b23acb5686a
Instruction Fuzzy Hash: D311D361A0F3CA4FE713977488795A97FB0EF16204F0901FBD498CB1E3E9186608D362

Function 00007FFD9B89D899 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b89a000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa2dae49b9a9ee792e3da4343b119ec98e008c29af09764a5fc8631ed7c1cd4
Instruction ID: 178544cf5cf11c477a5d987b72a3499a4b6fff9afd75bd356db6ae6d431cceb7
Opcode Fuzzy Hash: aaa2dae49b9a9ee792e3da4343b119ec98e008c29af09764a5fc8631ed7c1cd4
Instruction Fuzzy Hash: AFE12A71E1965D8FEB6CDB98C8A4BB8BBB1FF58300F4441BAD00DD32A6DA346941CB45

Function 00007FFD9B8A3B25 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8371c95315838966aaa0e815da2f881bc81a05ed3adbaebb0891b2a11ac63f48
Instruction ID: 352e77a8d23516796ee47df5b2a31e0937f8e2e559fa9e37864905b9576dcde4
Opcode Fuzzy Hash: 8371c95315838966aaa0e815da2f881bc81a05ed3adbaebb0891b2a11ac63f48
Instruction Fuzzy Hash: BED1A770E1991D8EEBA4EB98C8657ECB7B1FF58301F5141B9D00DE32A1DB786A848F10

Function 00007FFD9B891638 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f42623a2cf8a0c43697694d198988aa89b4a9185ae430e336b88f65436994de
Instruction ID: 8e52fea84545a5386931e61bd9af77667d44993031a0ec92e6ff1dfeab3e4fdf
Opcode Fuzzy Hash: 5f42623a2cf8a0c43697694d198988aa89b4a9185ae430e336b88f65436994de
Instruction Fuzzy Hash: 0381E031B1DA4D4BEF58EF5C88615A97BE2EFD8304B05457AE49DC32A6DE34AD028780

Function 00007FFD9B8A2900 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b1cae17b69827fd17396122454fb3462a611b9129cfe93370f0a23c70b3266
Instruction ID: a615f0f0d59f1811ab633f9b37e35ffcae62432d1d64bf273c16af3fa0710d33
Opcode Fuzzy Hash: 88b1cae17b69827fd17396122454fb3462a611b9129cfe93370f0a23c70b3266
Instruction Fuzzy Hash: 3191B670E1951D8FDBA4EFA8D8657ACBBB1FF58300F5141AAD00DE3292DE356A818F40

Function 00007FFD9B891C9D Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e365eb2a63107e002bd57d1ce50b377aca782da9f3d87d5024d2b3e79504855
Instruction ID: 913205c14b098881718bf422b83be390996c16323d7eee1547c4aab22651798d
Opcode Fuzzy Hash: 1e365eb2a63107e002bd57d1ce50b377aca782da9f3d87d5024d2b3e79504855
Instruction Fuzzy Hash: 0951E131B0DB8E4FDB59DF1888605AA7BE2FF98304B15467ED45AC7292DE34EC028781

Function 00007FFD9B89BFEA Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b89a000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4763828da6d6106423ce13a45481b820da6e95337e0deca8520c0c878b1fb45c
Instruction ID: 619f0a08338df21bc313f0a4466b57d066d71b83b73b286e51ec609015faf82b
Opcode Fuzzy Hash: 4763828da6d6106423ce13a45481b820da6e95337e0deca8520c0c878b1fb45c
Instruction Fuzzy Hash: DD51FC74E0951E8FEF64EBA8C4696EDBBF1EF58300F51017AD01DE72A2DE3969418B40

Function 00007FFD9B893135 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a967b6e3d993005a0c73f39ebb1718b933a964182fd6866112b29c8a28bf42
Instruction ID: 129f1b7f36951c9c6a2af18c199e17a1b9171f386cac8223789385dfbab0739c
Opcode Fuzzy Hash: c2a967b6e3d993005a0c73f39ebb1718b933a964182fd6866112b29c8a28bf42
Instruction Fuzzy Hash: 06512A70E0A61E8FEF64DBD8C8646EDBBB1FF59301F51017AD009E72A5DA386A44CB41

Function 00007FFD9B8A2AAF Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed69b5db4077257c8f034f9edeaa8a21489159a59902f370e4b3e5a50d7a598
Instruction ID: 6686e46ef7b133b5fd877cfdb02b3bf24c86c72600dd7d17e40bcbf60c1a35e6
Opcode Fuzzy Hash: 4ed69b5db4077257c8f034f9edeaa8a21489159a59902f370e4b3e5a50d7a598
Instruction Fuzzy Hash: 1D41A570E0951D8FDFA4EF98C8687ECBBB1FB58304F5141AAD00DE32A1DA356A818F10

Function 00007FFD9B89F58F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B89F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b89f000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9425655f940fa022625f017c43865df8f09a67b4e0bb1ffffd3c7fde8a6a3461
Instruction ID: bb27789650938dc5ea9f1e90c3b31b00812b130873afa5e4c291bf131d1de8df
Opcode Fuzzy Hash: 9425655f940fa022625f017c43865df8f09a67b4e0bb1ffffd3c7fde8a6a3461
Instruction Fuzzy Hash: F431D871A15A1D8FDBA8DB188C65BAAB7B1FF58301F5001EAD04DE3296DF346A818F40

Function 00007FFD9B89AD48 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b89a000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367346b3a0b9062b2e6c382928a5711b9fba66bcecf3b5e699e635b36f2b8c9a
Instruction ID: 2e876ece372c509c4675c25f504c7148fa49f2237ddab3f904beec35864f5c71
Opcode Fuzzy Hash: 367346b3a0b9062b2e6c382928a5711b9fba66bcecf3b5e699e635b36f2b8c9a
Instruction Fuzzy Hash: 5F31F875E0F94F6FEB55ABB888291E97FE0FF58751F058576D058C20E6EE34A5008740

Function 00007FFD9B89C0B6 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b89a000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48a0fe979c93a185c0a0d57d60f793c316b86b824ad4d28c6112cf14e4498aa
Instruction ID: dd51d46292a298cb4798c8f8faf00433977e5bb74f02f8dcac08e965ed3c8e56
Opcode Fuzzy Hash: e48a0fe979c93a185c0a0d57d60f793c316b86b824ad4d28c6112cf14e4498aa
Instruction Fuzzy Hash: 5331D874E1991D8FEFA4EB9888A5AECBBB1FF59300F510039D01DE72A2CE3569418B00

Function 00007FFD9B8A7545 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 691712667fecb15a1c54ed734e74c55714ea3a0fe3503b8c65faf9f3b8103d64
Instruction ID: 0a965ce82e54d055e59c04b8d356aae7b4578fd998e51fd2a69e8cf32bcb5a15
Opcode Fuzzy Hash: 691712667fecb15a1c54ed734e74c55714ea3a0fe3503b8c65faf9f3b8103d64
Instruction Fuzzy Hash: FA210F34A0AA0E8FEB75ABA4C4647FE77E0EF4D314F11047AC41AC21E5EE38A6449661

Function 00007FFD9B8A6CE5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 755fb966bdff3e9d91ef942f0259f9bb52b06819b8504b0c6e882d05a60609f0
Instruction ID: ad4976366d62d4ce2ff044d212bc514c05611b796c05aa280e7ee06f94354fcf
Opcode Fuzzy Hash: 755fb966bdff3e9d91ef942f0259f9bb52b06819b8504b0c6e882d05a60609f0
Instruction Fuzzy Hash: C031B170A0AA4E8FEFA9EF68C4652BD3BE0FF28305F01057AD41DC21A9DE35A640C750

Function 00007FFD9B8A6E1D Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a75bb27ae7906f2c981fadd9b46f822897d5919716ee4369ee58f5a62f844c
Instruction ID: 710892abf4fb9e8685ce1687cb23e9c27a32021b5adc9178607f292db8548a2d
Opcode Fuzzy Hash: 12a75bb27ae7906f2c981fadd9b46f822897d5919716ee4369ee58f5a62f844c
Instruction Fuzzy Hash: 4921F371A0F64E8BEB689B64C4761B93BA0FF19340F1600BAD41DC30AADE2665118751

Function 00007FFD9B8A7351 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ce9c8e4c8c3ec4fba76d5b446b23a7e59f382d32cbebba10fdc7e66c854369
Instruction ID: 55cc42677be8e31be581da1710f6db81795faadce53a3679ada2c2e7649067bc
Opcode Fuzzy Hash: 87ce9c8e4c8c3ec4fba76d5b446b23a7e59f382d32cbebba10fdc7e66c854369
Instruction Fuzzy Hash: 71219035F0A54E8FEB61FBA8C8685FE7BE4FF19301F420476D818D3061DA38A2409760

Function 00007FFD9B893268 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebe36b8e84b029df7d42d7e5f0f3b639c374de4112eb6360d2ae60d8ba706a5
Instruction ID: 57d3a1728cc9481edb57a3b67b0c66c03a5a7870fb94d925558120bdb95588bf
Opcode Fuzzy Hash: 2ebe36b8e84b029df7d42d7e5f0f3b639c374de4112eb6360d2ae60d8ba706a5
Instruction Fuzzy Hash: 1621C671A0951E8FEF64DBD8C4A4AECBBF1FB58301F114169D009E72A5DA346941CB50

Function 00007FFD9B893330 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba66b3bc7ba03216a9043158848901a5c3fc66c1128fc56085aaaf5957cd7f09
Instruction ID: 27e6151a41fda9bb9fcd90152a77b54bac65a2d718b951f31d52b13ef6e12b8a
Opcode Fuzzy Hash: ba66b3bc7ba03216a9043158848901a5c3fc66c1128fc56085aaaf5957cd7f09
Instruction Fuzzy Hash: 9F21E43094E68E8FEB42EBB488685E97FF0FF5B300B0544EAD449CB1B2DA389546D711

Function 00007FFD9B89084D Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 031aedbc1cc58aa4255e21c6f3e53300f9806a03e74e4d0328886343b5df199b
Instruction ID: bbdc18fbc611f0aed4a1b53b0145f49b9b583d665ee813336df81fa58e5f4039
Opcode Fuzzy Hash: 031aedbc1cc58aa4255e21c6f3e53300f9806a03e74e4d0328886343b5df199b
Instruction Fuzzy Hash: 13115721F1E54E9FEB61ABB8CC694E83FE0FF59700F0645B6C088D70A3ED24A145C280

Function 00007FFD9B8933D1 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95c388d0e6d06cff97dd5ed5cda16c4142000ea47e87c9844970b30d4272f3e
Instruction ID: fc850d7721bdad584f67d998d430edee3b3aa96a23cbd4d1fb9bd6650efb98b1
Opcode Fuzzy Hash: d95c388d0e6d06cff97dd5ed5cda16c4142000ea47e87c9844970b30d4272f3e
Instruction Fuzzy Hash: 5F213E30A4A54E8FEF65EBA488686BD7BA0FF58304F11047AD419C71A1DF34A640D740

Function 00007FFD9B8A7AFD Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c58167fe94f14a012d186ce4efe54e49952c9a50d50346f9e7705e9ec6aa62
Instruction ID: db93f4ecf1f6c0d3cce02e1f3d290d005e56d589a05497841a55fedbc50abf19
Opcode Fuzzy Hash: 02c58167fe94f14a012d186ce4efe54e49952c9a50d50346f9e7705e9ec6aa62
Instruction Fuzzy Hash: 0521A174A4A64E9FEB69AF64C8655FE37A0FF09304F0204BAD41EC20E6DE38A650D651

Function 00007FFD9B890A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df8e928b4d07bdec5f13ac408375e5c55d12619d5df51b0beb3f2d9faff4897
Instruction ID: 0ca234d5cb2562d295fd1d11f926c4de820eb8e206986c25d4c96f1f83b8481e
Opcode Fuzzy Hash: 9df8e928b4d07bdec5f13ac408375e5c55d12619d5df51b0beb3f2d9faff4897
Instruction Fuzzy Hash: 7511C431F2A50E4FEB94EBA8C8595BD7BE1FF58740F4145B6D41DC70A6EE34A6408780

Function 00007FFD9B8A4649 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c77008d5ee2e765d579e091057a2521e0f24cba9f933fff03c80e4885cd728c
Instruction ID: 97c081e22c2fbecaec3acf705801d11f28fbddfec3f19cf5756b2f590cd0b00a
Opcode Fuzzy Hash: 5c77008d5ee2e765d579e091057a2521e0f24cba9f933fff03c80e4885cd728c
Instruction Fuzzy Hash: 6921AE30A0AA4E8FEFA9EF68C4692BD3BB0FF19301F0501BED419C61A2DA34A540C741

Function 00007FFD9B8A6C41 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8595e41fd826a52f078bedb3e0dcff141ff3f300e789e95ad83bbd5c55ef175c
Instruction ID: 2294fbe5f6bca889e40cc1cb796c9e1a72787c3be5df2b70dd4ae2dca4adc177
Opcode Fuzzy Hash: 8595e41fd826a52f078bedb3e0dcff141ff3f300e789e95ad83bbd5c55ef175c
Instruction Fuzzy Hash: DA11B470A09A4E8FDBA8EF6884692BD7BE0FF68301F0105BED41DC31A6DE356544C741

Function 00007FFD9B890F28 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d125c456289a5236ab136191c4c3f4e727b0c897941312e18eb740b0da40cb4f
Instruction ID: 6568c1dcf6c6225e6a1e46a15ae978dbeefed07e124084e5aa4b15b299188195
Opcode Fuzzy Hash: d125c456289a5236ab136191c4c3f4e727b0c897941312e18eb740b0da40cb4f
Instruction Fuzzy Hash: 69213031E1A51D8BEF64EB94C864AED77B1FF48300F114179D01EA72A6DE386A45CB40

Function 00007FFD9B8A23F1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67864e828978c424707b1b99a0e9e09d9f57cee2455412437bbd265fae2652a3
Instruction ID: 5d3cbd55c1fd58527346668302978c5db60310b62eb523090dde1d63f4df0b1c
Opcode Fuzzy Hash: 67864e828978c424707b1b99a0e9e09d9f57cee2455412437bbd265fae2652a3
Instruction Fuzzy Hash: F6114930A1A64D8FDB58DF68C4A55E93BA1FF58314F12026EE84EC3295CB34A650CB91

Function 00007FFD9B8A4C05 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a4d31458eda8e0e79d4574bd753248fce1cd99e625fbae3f05d96dd8ad8567
Instruction ID: 20e819d9be664a1ae5ed669186413bd8f6eec53d9fa1d6688b15096ecf218552
Opcode Fuzzy Hash: 13a4d31458eda8e0e79d4574bd753248fce1cd99e625fbae3f05d96dd8ad8567
Instruction Fuzzy Hash: B5110831A0E68D4FEF59DB6488752B83AA0FF18304F0900BED01DC21F2DE396540C611

Function 00007FFD9B8A46E5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9db4e57fb52f5dd74077e79723d241a58bc3dd01d5026e3bfb34dfd36c5298
Instruction ID: db076bbd52880dee3c3a1142ebd480714a15b5e40038e7a34ef66639f8fe4a00
Opcode Fuzzy Hash: dd9db4e57fb52f5dd74077e79723d241a58bc3dd01d5026e3bfb34dfd36c5298
Instruction Fuzzy Hash: A411A230A09A8E8FEF98EF68C4692B97BE0FF59301F0505BED41DC21A2DA356540C751

Function 00007FFD9B8A4F79 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a4c8ffa68e96351ab2a695bd6953fe075ec45170fa22b916b815cd541115ea
Instruction ID: f7ed68cb80f969a217a0e4390f135ebc3aaf7395bd09a48b0685772c103de2c1
Opcode Fuzzy Hash: c3a4c8ffa68e96351ab2a695bd6953fe075ec45170fa22b916b815cd541115ea
Instruction Fuzzy Hash: CE11BE30A0A68E8FEF55EB6488696B97BF0FF19300F0505BFD419C61E2EA346544C751

Function 00007FFD9B8A6D85 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8934752245d6da24fc8a54a8e215b979ea71cd027f97aa9c959c3d6c09d00f
Instruction ID: d921729fc9129f7443037ce5f8a3a25726ac057fd8a6f38ed761f55e1ed40dc6
Opcode Fuzzy Hash: 3d8934752245d6da24fc8a54a8e215b979ea71cd027f97aa9c959c3d6c09d00f
Instruction Fuzzy Hash: 0B1104B1A0EA8D8BEB699F6488B51B83BE0FF19300F0600BED41DC64A6DE266554C351

Function 00007FFD9B8A27D1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375fd6f54b967afdc824d054e179b8cb6615f61c2298d55f3d56faa13676aeba
Instruction ID: 8a6cf689caa964a6cfa3526860f299d453d89bf8ad9b892232fc467cf4705945
Opcode Fuzzy Hash: 375fd6f54b967afdc824d054e179b8cb6615f61c2298d55f3d56faa13676aeba
Instruction Fuzzy Hash: 7711C430A1E55E8FEB62EFB488585F97BE0FF0D300F0145B6E418C70A6EA34A284C751

Function 00007FFD9B89BB75 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b89a000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e43e7cc0da0751990aa87f70c94b6b3d88ae5f7b28a7b925d57f6c1387faec3
Instruction ID: 0ba825cacf7b2f643e979c744ea53879d5faafae1b88f6507a4f233d84c922dd
Opcode Fuzzy Hash: 8e43e7cc0da0751990aa87f70c94b6b3d88ae5f7b28a7b925d57f6c1387faec3
Instruction Fuzzy Hash: B1117C70A0A64E8FDB99EFA4C8682B97BE0FF58305F4109BAD419D65E5DA34A640C700

Function 00007FFD9B8911BD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51168be6be6464412f586e5f6a9d8bba8d433363f473c67872cb80ec989e9bc
Instruction ID: 3069b1167349e3ffa3decc0551b2330ad2a5df52f927b2bf0167674ee51513f8
Opcode Fuzzy Hash: f51168be6be6464412f586e5f6a9d8bba8d433363f473c67872cb80ec989e9bc
Instruction Fuzzy Hash: 1811B230A0E64E5EEFA5EBA4C8B96B97FE0FF19301F0104BED41EC61E2DA246540C700

Function 00007FFD9B8A6019 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451ae095fdaa0057dd37c83fa9426306e2fb92a1fdfaf0940a425ce79141627a
Instruction ID: 0fa5cc9cf4f644e12d585cbd5fffb3f4e151dbc7088c0d861d18fde93d6aeffb
Opcode Fuzzy Hash: 451ae095fdaa0057dd37c83fa9426306e2fb92a1fdfaf0940a425ce79141627a
Instruction Fuzzy Hash: 03117370E0E64E4FEBA1EB7888695A97BF0FF19300F0505B6D41CD71A6EE38A6848751

Function 00007FFD9B8A4EED Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd510f4f145a604230ff3909693bd764be59d71c21b1ce44b93d9f6fceecd22
Instruction ID: bbd6479d93c535a436776d267c9411c338e0ea8ed746ce1cd7da0284790afcd9
Opcode Fuzzy Hash: 8fd510f4f145a604230ff3909693bd764be59d71c21b1ce44b93d9f6fceecd22
Instruction Fuzzy Hash: 7D119130A0A58E8FEF58EF6488696BD77E0FF18304F0515BED42DC61E6DE24A6408751

Function 00007FFD9B8A4D2D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a743a5f721ab63eb1134553c3b35e6404efb52f93321b8a723f6f562a46b142
Instruction ID: 4f2ca7a5267fc83df494d9c10a1736eb790b97fbf36c67bd33aedebc961cb0be
Opcode Fuzzy Hash: 1a743a5f721ab63eb1134553c3b35e6404efb52f93321b8a723f6f562a46b142
Instruction Fuzzy Hash: B9116030A09A4E8FEF55DF6888696BD7BE0FF18300F0505BED419C61A6DB35A5408751

Function 00007FFD9B8A2604 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b261ded0cbffc82b0f448b49c63898f1b707b44089c774d2427dd24c1c1f6cb5
Instruction ID: 009f6df796e049cc84910133e2b447cebd52db1b25009649143794b9c127edf1
Opcode Fuzzy Hash: b261ded0cbffc82b0f448b49c63898f1b707b44089c774d2427dd24c1c1f6cb5
Instruction Fuzzy Hash: 2211C230A4A64E4EDB69DFB4C4655F93BA0EF19304F1204BED409C70E2DA29A551C751

Function 00007FFD9B89C880 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b89a000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b224b27b18a7e49e50328fbe4711d2ba228cc40646b114bb1a4f0958646907
Instruction ID: 21145f7becbe670fc60a5edeb15b2b15a3e67e00ebd96816c0b536c6faf60842
Opcode Fuzzy Hash: 33b224b27b18a7e49e50328fbe4711d2ba228cc40646b114bb1a4f0958646907
Instruction Fuzzy Hash: 1A118F30A0A64E9FDB5AEB64C8685B97FB0FF1A304F0604BBD419D70A6DA355640CB10

Function 00007FFD9B8921D1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e98241572f82efa5963aaf4c776a34df7c21aa47bf8b59e08ae52f4509cd43c
Instruction ID: 8746eee416215ba9ab1ce5138095dcbdd3aed50fff0d3feaf2be0a69a7f2e33d
Opcode Fuzzy Hash: 5e98241572f82efa5963aaf4c776a34df7c21aa47bf8b59e08ae52f4509cd43c
Instruction Fuzzy Hash: 8F018431A4E54E5FEB65ABB488655A87FE0EF49300F0245B6D418C60B6DA34E680C701

Function 00007FFD9B8934C5 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3118a88166e48b4dd13c3a8d824407f51c30d09ea8ac7dc507c7909f0446679d
Instruction ID: 9edc617100cf824ebea096da64d6364ff4c50211bff0d13d21436648ae3ea67c
Opcode Fuzzy Hash: 3118a88166e48b4dd13c3a8d824407f51c30d09ea8ac7dc507c7909f0446679d
Instruction Fuzzy Hash: 97113070A0A64E8FDF59EF64C8695BD7BE0FF18300F0105BED419C65A2DA35A5408700

Function 00007FFD9B892E51 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5544d51d5376dcd3c6819718e765bd4f51ec26d7a0e211e643310f7ba0df9c3
Instruction ID: 5eeccc5e80b27d5d32f3f267c6116e2d1f95fd7a104a0656f9f1680bf4fafb18
Opcode Fuzzy Hash: a5544d51d5376dcd3c6819718e765bd4f51ec26d7a0e211e643310f7ba0df9c3
Instruction Fuzzy Hash: 06017134A1E64E8FEB65EFA488A85AD7FE0FF59300F0645B6D408C61A7EA34E5448701

Function 00007FFD9B89C3A9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b89a000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b79d8d4c7302cae2a37006547d23585e6d0b5ed005501f29bceebfba171c2fe
Instruction ID: a9aeeed34c5e56bafba3228d2bba20d6ecb8758b499370afb2ebdc6df89ea312
Opcode Fuzzy Hash: 9b79d8d4c7302cae2a37006547d23585e6d0b5ed005501f29bceebfba171c2fe
Instruction Fuzzy Hash: C6117030A0E64D8FDB59DF6484692B93FA1FF59304F5240BFD409C71A6CA35A650CB41

Function 00007FFD9B8905D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c71d05291ba78c3c53a29de4a9d5eaaf44a3c34d0c5ea3143b36abea1b6386a
Instruction ID: 2f3cf223af50d27965caf1646fa6c39f3c785e1726bc4a2c0e58a7b41c01e43d
Opcode Fuzzy Hash: 9c71d05291ba78c3c53a29de4a9d5eaaf44a3c34d0c5ea3143b36abea1b6386a
Instruction Fuzzy Hash: E3019E30A0A50E9FEF58EF64C0646B97BA1FF68308F51007ED42EC21A5CA35A651CB40

Function 00007FFD9B89BF6A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b89a000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9434df1baedcfe8100b1b1b5d1f774cd046e56bf1407c8dca60733043a4d058
Instruction ID: 5ea4bbac4374d600751ad9fc22b94c5cc2b9d2dfaf512c4e398f87405f601e02
Opcode Fuzzy Hash: d9434df1baedcfe8100b1b1b5d1f774cd046e56bf1407c8dca60733043a4d058
Instruction Fuzzy Hash: 5C014C30A0A91E9EEF99EF68C4686BD7BE0FF58304F11097AD81DC21A5DE35A650CB40

Function 00007FFD9B8A2285 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6142c397ae4b69db349d6b5722175a36ab9b26df5c3f21910957e2fcaa3cbf0a
Instruction ID: 754cafc01b28bde81182a8b3934a1c538cbeb5a6c1b03853850a9be0b918c64b
Opcode Fuzzy Hash: 6142c397ae4b69db349d6b5722175a36ab9b26df5c3f21910957e2fcaa3cbf0a
Instruction Fuzzy Hash: 8301B530A0954E4FDB69EFA4C8795B9BBE0FF19300F0604BED419C60E6DA35A540C710

Function 00007FFD9B89282D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783e12b3ffe991cb38558ac523c5ec94f2ffd8fe67b2ff0cdbbbd9901edb3a96
Instruction ID: ddd48bbc08e9280d618bb97486510841d31c4d3c39e85d3cbda40ab5a7894c56
Opcode Fuzzy Hash: 783e12b3ffe991cb38558ac523c5ec94f2ffd8fe67b2ff0cdbbbd9901edb3a96
Instruction Fuzzy Hash: CF018431E1A54E8FEB65EFA488585B97BE0FF5D300F4245B6D418D70A6EE38E2448740

Function 00007FFD9B8A74D9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afbdaf6be9c739dd4c0dfd16f355264fc9a73b23d78510a59486c6875007318
Instruction ID: 82656a3c119b76e559686710144a8eaa0f68303358ae8237a8a71070c587b65e
Opcode Fuzzy Hash: 7afbdaf6be9c739dd4c0dfd16f355264fc9a73b23d78510a59486c6875007318
Instruction Fuzzy Hash: 4F01B130A0E64E8FE762AB7888685A93BE0FF09300F0604F6D418C70B6EA28E5449311

Function 00007FFD9B8A7A89 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff6bc8eb8114fd29d68ef33e5967dbe4da9c4a1d80a8298b9fc5aa558a99608
Instruction ID: c4e99adc91293d41388fcd5484d312b9d86ce3b89d294826dcc65c11f1f684c0
Opcode Fuzzy Hash: fff6bc8eb8114fd29d68ef33e5967dbe4da9c4a1d80a8298b9fc5aa558a99608
Instruction Fuzzy Hash: A0019234A4A68D5FDB55EB64C8695B93BE0EF1A304F0604FED409C60E2DA35AA50D711

Function 00007FFD9B89A919 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b89a000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3701bc656c8c2dacb599b8358a67e5954ae4bc309ee9864933755c580a2014d0
Instruction ID: 8a9c7d0ed625ce47e73d99f9d19fa09e7b5e00637e59f866d3a17e2e65c9274a
Opcode Fuzzy Hash: 3701bc656c8c2dacb599b8358a67e5954ae4bc309ee9864933755c580a2014d0
Instruction Fuzzy Hash: 36012134A5E64E5EEB62AB7488596A97BE0FF0A304F0749B2D41CC60B6DA38A544C711

Function 00007FFD9B892EC9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5fabadf01132b0d8c95502b214c175e2dfe02a2111916a5e9b81c160bfb538
Instruction ID: 4b290a3f64fd0cc6c6286b56b73bab73bde9bf86b440cac76080803199da6d08
Opcode Fuzzy Hash: ce5fabadf01132b0d8c95502b214c175e2dfe02a2111916a5e9b81c160bfb538
Instruction Fuzzy Hash: ED018430A1A64E4FEB66EBB488695A97BE0EF4A300F4605F7D40CC70B6DA38A544C741

Function 00007FFD9B890610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7f57090f2f6f04d57cc2b2000b23899487e0f21b92598ac5e703af358e8be
Instruction ID: 93261652a83ec8dfc56ed557e058f0f0d1c0a807d039954c38fb88d96017c8c5
Opcode Fuzzy Hash: 67b7f57090f2f6f04d57cc2b2000b23899487e0f21b92598ac5e703af358e8be
Instruction Fuzzy Hash: B501AD30A1A50E9AEF5CEFA4C4686F97BE0FF08304F10087ED41ED21E5DE35A280CA00

Function 00007FFD9B890608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44cb04ca1b4f1433bf540401fad60540f1de591bc55b4ad2a39a318a4991ba47
Instruction ID: c662e0210e1e385f5758dd4ae9e0c38a0bcef9b8930444ea2099b94b738a32e8
Opcode Fuzzy Hash: 44cb04ca1b4f1433bf540401fad60540f1de591bc55b4ad2a39a318a4991ba47
Instruction Fuzzy Hash: 66016D34A1550EEAEF6DEFA4C4686B97AA0FF1C305F51087EE41ED21E5DE35A250CA01

Function 00007FFD9B8A537B Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b10603285cda436c3b0ce713dfc240f81fdf1d099c3800897980ea61ff9eed
Instruction ID: 33b9a3e7afddc90c967d7ffccb3a56a4e7c3abc2d650bfb5161ca3dd1595c7d1
Opcode Fuzzy Hash: 88b10603285cda436c3b0ce713dfc240f81fdf1d099c3800897980ea61ff9eed
Instruction Fuzzy Hash: 70F03735E0891D8FDFA0EB9898647ECBBB1FF9C310F400066C00CE3261DE3429858B00

Function 00007FFD9B8911D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4254f5ae5567967610d9fe5cf9237d9ea50edd5d85187f934a03c6973c2c2bf6
Instruction ID: 123c5e55ee567bd1ca6cae6a0586a05b086ac298b9e54cee52584c471bce5717
Opcode Fuzzy Hash: 4254f5ae5567967610d9fe5cf9237d9ea50edd5d85187f934a03c6973c2c2bf6
Instruction Fuzzy Hash: 66F0A430E1E64E5AEFA5FBA488682FA7BE4FF59205F01143ED45EC21E1EE245650C601

Function 00007FFD9B891C1D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b8ee6a66aa9cd0834a7362630bd343d144d4c4508f359843c4d06336cbb5a8
Instruction ID: 8d0629ddd278a66193e1c96c613d7b29f3d044844af300bbb7f11948efaf46a2
Opcode Fuzzy Hash: 04b8ee6a66aa9cd0834a7362630bd343d144d4c4508f359843c4d06336cbb5a8
Instruction Fuzzy Hash: E801D130A0E68E8FEFA5EF64C4652B93FA1FF29304F4100BED81CC61A2CA759550C740

Function 00007FFD9B8905D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78757711f9611fcc54ddb7bb90c4292e12298a73b4f745787205a3dd1686ddd7
Instruction ID: 07ab316247c1825f9abaa0a52fdd35fda681a87971f4ab476604257964a5760d
Opcode Fuzzy Hash: 78757711f9611fcc54ddb7bb90c4292e12298a73b4f745787205a3dd1686ddd7
Instruction Fuzzy Hash: A6F0C230A0E60E9FEF69EF6494256FA3BA4EF19308F41007AE81DC20A1CA35A650C740

Function 00007FFD9B89A985 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b89a000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c818b97ed73052f03b78feabb4c8b2ac0c9ebe9caba171f194dca95146258211
Instruction ID: 5b7ba57ebb4328f660269bba91a28d1c3af6286c556fb5186f0a6ae92e42768a
Opcode Fuzzy Hash: c818b97ed73052f03b78feabb4c8b2ac0c9ebe9caba171f194dca95146258211
Instruction Fuzzy Hash: DFF0AF7564E3868FD716DBA8ACE15993BB0EF4630870E45E3C468CE0A3FA2854058761

Function 00007FFD9B892749 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79970749fa9222fd3353efcba9c54d05c8f2ac23997bac2f35cb118111091288
Instruction ID: 72115abff91219e83b5ba598e103c28bd259c61597be7c2024908e1df2547d38
Opcode Fuzzy Hash: 79970749fa9222fd3353efcba9c54d05c8f2ac23997bac2f35cb118111091288
Instruction Fuzzy Hash: CBF0963090E38E9FDB6A9F6488642E93F70FF46305F4605FAD419C60E6DB389554CB41

Function 00007FFD9B8927BD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b890000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5768a891ef233a554dcfaf66c56953faf601467cf88f2083f6bfe515d23eeea3
Instruction ID: 44f0944621b99982cecff9a5936c24ae2f981acc692a29b9bb1c4e017fa9da7b
Opcode Fuzzy Hash: 5768a891ef233a554dcfaf66c56953faf601467cf88f2083f6bfe515d23eeea3
Instruction Fuzzy Hash: 58F09030A1E68E8FEB699FA488251E93FA0FF0A304F4504BED409C61E6DB39A554C701

Function 00007FFD9B89A998 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b89a000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debe73b315bbfc92ad487c5a73e08f1b0d0389eaa5050896176b0562f016727d
Instruction ID: 2fc5535455b5d1a7fdcc4c347deda85ac1a685b7284cf8d23ba6b283b0216570
Opcode Fuzzy Hash: debe73b315bbfc92ad487c5a73e08f1b0d0389eaa5050896176b0562f016727d
Instruction Fuzzy Hash: 1DF0823564920ACED715EBE8A8F15E933E0EF4431C70949F2D47CCA092FA6960058650

Function 00007FFD9B89B76E Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B89A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B89A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b89a000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30ef61a1748c0b572ac4af2d3ad1727ad3b3b4209b625fccfab0bbf28068502
Instruction ID: 2481be06fa3daa92bc65ec9ffaab8020212bd5a15599fd1305ac169dbaef4f6e
Opcode Fuzzy Hash: b30ef61a1748c0b572ac4af2d3ad1727ad3b3b4209b625fccfab0bbf28068502
Instruction Fuzzy Hash: 7FD09E30A1D51D4EEFA4EB54C450EE9B778EB18300F1042F5801D92156DE346AC18B80

Non-executed Functions

Function 00007FFD9B8A1148 Relevance: 5.1, Strings: 4, Instructions: 75COMMON

Download Yara Rule

Strings

}, xrefs: 00007FFD9B8A11F1
*, xrefs: 00007FFD9B8A1106
/, xrefs: 00007FFD9B8A165B
[, xrefs: 00007FFD9B8A10F9

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID: *$/$[$}
API String ID: 0-3119010630
Opcode ID: e810a8749cfd9ec1a089103b49380ed1a14602e41d8ea624d85138a26a769670
Instruction ID: d688cba83433332d156be628dacb78e2e2b4dcec3516a7e9f265c30872b644eb
Opcode Fuzzy Hash: e810a8749cfd9ec1a089103b49380ed1a14602e41d8ea624d85138a26a769670
Instruction Fuzzy Hash: 0531F970E0522E8FEB68DF94C8A4BFDBBB1BB58701F1101B9D04DA7291DA385A84DF50

Function 00007FFD9B8A10E5 Relevance: 5.0, Strings: 4, Instructions: 38COMMON

Download Yara Rule

Strings

*, xrefs: 00007FFD9B8A1106
/, xrefs: 00007FFD9B8A165B
[, xrefs: 00007FFD9B8A10F9
&, xrefs: 00007FFD9B8A1953

Memory Dump Source

Source File: 0000001F.00000002.1794925789.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9b8a1000_hKONDisxvRbjdh.jbxd

Similarity

API ID:
String ID: &$*$/$[
API String ID: 0-928903987
Opcode ID: 0279422f43836351d6de7e868c3757276c0a5cf099b2289123cd53377214c0e0
Instruction ID: 597e8b9d905a947f4d5571c5ec1a3238c51411344255717a3df519e7748233e6
Opcode Fuzzy Hash: 0279422f43836351d6de7e868c3757276c0a5cf099b2289123cd53377214c0e0
Instruction Fuzzy Hash: DB110C70E0521DCFEB28DF90C8A4BADBBB1AF59711F1540BED04D9B290CA785A84CF25

Analysis Process: Memory Compression.exePID: 7960, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8A3545 Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

W_H, xrefs: 00007FFD9B8A35CD

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID: W_H
API String ID: 0-126398842
Opcode ID: dbf0522d650051de6814503134e524760fe390dbc560866602b879cf63727794
Instruction ID: ab646ff9bfc56997d697b5b126b7d37fe7318654ae06a4184bd7b67fe8dfb8cf
Opcode Fuzzy Hash: dbf0522d650051de6814503134e524760fe390dbc560866602b879cf63727794
Instruction Fuzzy Hash: DAA1B071A0994E8FEB98DB6CD8257B97BE1FF59350F40007AD00DD72D6DBB824018B41

Function 00007FFD9B8A1638 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9715d00298074101e80de4ba1f069b769adf91c4f689754fdc354d1a79e9272a
Instruction ID: 95bad4a525547d566b579acd14bfd55cbf2bb0486542c41aa085e0b297c9fc2e
Opcode Fuzzy Hash: 9715d00298074101e80de4ba1f069b769adf91c4f689754fdc354d1a79e9272a
Instruction Fuzzy Hash: AE81E231B0DA8D4FDB58EF5888605A977E2FF99300B15467EE45DC3296DE34AD02C781

Function 00007FFD9B8A06C0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f39e0c44fd27a62f7f330e67c86a37a819794f794e0f1da2a38b708f403327
Instruction ID: 678f40eec78644cc884d708389a4f538c5a5dade755a08ec372de3553df8625f
Opcode Fuzzy Hash: 99f39e0c44fd27a62f7f330e67c86a37a819794f794e0f1da2a38b708f403327
Instruction Fuzzy Hash: FA614A52B1FAC94FE32557AC7C290B87BA0EF56790B0943FBE09CC60F7EC15A6058295

Function 00007FFD9B8B2900 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8b2000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7390e4304a55dbb2553ccf113f3ae467623f8d5bb55ac6d50e8fe25c9bfe9b3d
Instruction ID: 26d498280ea05df4facdf5b31949b565cbe82e27e6685c16be3537929cd17ec3
Opcode Fuzzy Hash: 7390e4304a55dbb2553ccf113f3ae467623f8d5bb55ac6d50e8fe25c9bfe9b3d
Instruction Fuzzy Hash: 1D91A670E1952D8FDBA4EFA8D8657ACB7B1FF58300F5141AAD00DE3292DE346A818F50

Function 00007FFD9B8A1C9D Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3624738febede64af4b89bfe1492b1b1f004bf8892522868917c1b382116a5fe
Instruction ID: fc71a6217ae9346c455a59ab3d48e99e850cd2386b09c7f6063b7aa5a32d88ea
Opcode Fuzzy Hash: 3624738febede64af4b89bfe1492b1b1f004bf8892522868917c1b382116a5fe
Instruction Fuzzy Hash: F751D031B09B8E4FDB58DF5888605AA77E2FF99304B15467ED45AC7292DE34E802C781

Function 00007FFD9B8A3135 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf15017aa41dfc45c28b74be958a63278542f0b7d7800278507267152dae891
Instruction ID: 97ed87f61d4ff6878c16248cd8d17cb66e5c5032f1f28584e19b136babe86e81
Opcode Fuzzy Hash: 3cf15017aa41dfc45c28b74be958a63278542f0b7d7800278507267152dae891
Instruction Fuzzy Hash: F4514B70E0A61E8FEB64DF98C4646ECBBF1FF48301F51017AD009E72A5DA386A44CB60

Function 00007FFD9B8B2AAF Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8b2000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f459f3cfd0624f9db3ec20d1c346f2ab0a146a947e7820aefc8c3568524702
Instruction ID: 576629854399840d91b5721c219e452bf9bd83e1f423b1dcbb8ff9684d895497
Opcode Fuzzy Hash: 26f459f3cfd0624f9db3ec20d1c346f2ab0a146a947e7820aefc8c3568524702
Instruction Fuzzy Hash: 86418470E0951D8EDBA4EFA8C8697ECB7F1EB58301F5141AAD40DE32A1DE346A858F50

Function 00007FFD9B8AAD48 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a8000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68b77a03144fb1257b0b2914901e27556c01621981a54b3ad59d3693bde9079
Instruction ID: 90a7adb7258f340bb54534d866a35bda6a1a31367a74936316e2c287c7a3eca6
Opcode Fuzzy Hash: f68b77a03144fb1257b0b2914901e27556c01621981a54b3ad59d3693bde9079
Instruction Fuzzy Hash: 4B31FB21E0E94F6FE752ABB8C8281F97BE0FF18351F05857AD098D24A2EE34B5048350

Function 00007FFD9B8A0805 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71150ad5de046c09c505f79fc069826398ce2e1d4d36b6f4421f68c4899d635
Instruction ID: 8888e3b32672b6648e9d3d8ace1c53b4a52a42818e3364744540097d7472e44c
Opcode Fuzzy Hash: a71150ad5de046c09c505f79fc069826398ce2e1d4d36b6f4421f68c4899d635
Instruction Fuzzy Hash: 5021A952F1F58A97E72527BC9C7A4E8BB90FF01658B0942B7D0ACC90D3ED08A10AC2D4

Function 00007FFD9B8A3268 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110c48ed606b02bd777119dc3579796621304653f844a19e16cf773558194471
Instruction ID: 940fa05ba29cf371d40ec77f0d832fd4915383957c22b0ce8503517c0cfc9311
Opcode Fuzzy Hash: 110c48ed606b02bd777119dc3579796621304653f844a19e16cf773558194471
Instruction Fuzzy Hash: E021F570E0951E8FEB64EF98C4A4AECBBF1FF98301F150139D009E72A5DA386944CB20

Function 00007FFD9B8A33D1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbe1fc200f0886a3d6c3f549b1338228e99d5f323a6143a354422df6e0109d7
Instruction ID: 7f7f3684fccdedc05d2b48f62abec894aff74ac3eb18f14460829f24c2d8d751
Opcode Fuzzy Hash: 1fbe1fc200f0886a3d6c3f549b1338228e99d5f323a6143a354422df6e0109d7
Instruction Fuzzy Hash: 2B213D30A0A94E8FEB65EBA488696BD77A0FF18304F11057AD42DC71A1DF35A640D750

Function 00007FFD9B8A3330 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6b61fddc824c501817a25991b2895e43cb245667dc087d4adc2cf341c44fbe
Instruction ID: a394cca4f25e1a85d5d071d963e2598d3f4aeb27bafccd2d498370ac81d029bc
Opcode Fuzzy Hash: 1b6b61fddc824c501817a25991b2895e43cb245667dc087d4adc2cf341c44fbe
Instruction Fuzzy Hash: 1921D23094E68E8FE742ABB488685A97FF0FF4B300B0544EAD449CB1B2DA389546C721

Function 00007FFD9B8A0A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597c874235b19e081983633ac520b468968ffff8d644beeb3ffcf8e38bd08c10
Instruction ID: 5b169b61ce1698567debc36053cf9106f72b64e40da4299360ae3108ed68413a
Opcode Fuzzy Hash: 597c874235b19e081983633ac520b468968ffff8d644beeb3ffcf8e38bd08c10
Instruction Fuzzy Hash: 8A11B230E2A50E4FE790EBA888595BD77E1FF58700F4146B6D01CC70A6EE34B6448750

Function 00007FFD9B8A0F28 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a8736c7a7e372f615083980364a28efb43da830dbb2127b615f1f4a8b5306c
Instruction ID: 968846597addec9db2f394a7b242ef2f9857924bfe31219d19a1cefe3af07fe0
Opcode Fuzzy Hash: 78a8736c7a7e372f615083980364a28efb43da830dbb2127b615f1f4a8b5306c
Instruction Fuzzy Hash: 06213D31E1A51D8BEB64EB94C864AED73B5FF48300F1141B9D00DA72A6DE38AA458B50

Function 00007FFD9B8B23F1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8b2000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7340cbebc303f6bfcd0a60906926acb27ec165490371e6a58f088465148036
Instruction ID: 6602541062067dfc9d80b7f901f860e38b151281366bf33b23514cc102d74cc3
Opcode Fuzzy Hash: 0c7340cbebc303f6bfcd0a60906926acb27ec165490371e6a58f088465148036
Instruction Fuzzy Hash: 1D116730A1964D8FDB58DF68C4A55E93BA1FF58314F02027EE84AC26A5CA34A650CB80

Function 00007FFD9B8B27D1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8b2000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2071f3225e4b7dd8b3aa0cc1bf28d3d8b0c5d50f7470f1006166e83d3c03856
Instruction ID: f8dba8c69a05ecbd0af74f560f073e3fe81bbae6e94adcccecd8800ec5e1034a
Opcode Fuzzy Hash: e2071f3225e4b7dd8b3aa0cc1bf28d3d8b0c5d50f7470f1006166e83d3c03856
Instruction Fuzzy Hash: BC11A530A1A56E8EE752EBB488585F97FE0FF0D301F0145B6D418C70A6EA349244CB81

Function 00007FFD9B8ABB75 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a8000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cfc97620cf5d04a185e0e62df9266367d87937ace128d05f5de972472cc9dd
Instruction ID: 428f3cd07c0564c562c9a609b3476f9a3120dc780f2021563300436c240afe34
Opcode Fuzzy Hash: d0cfc97620cf5d04a185e0e62df9266367d87937ace128d05f5de972472cc9dd
Instruction Fuzzy Hash: F6117C30A0A64E8FEB99EFA4C8682B97BA0FF18305F4109BED419C65E5DA34A641C710

Function 00007FFD9B8A11BD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bcf809e4581afe88099f66aa8a7a759dd04d66de57212a81d051866506cc4df
Instruction ID: 152186f0a42d0324c484139bcb78b387be3b5426517bb33c739677cd26d39b8a
Opcode Fuzzy Hash: 1bcf809e4581afe88099f66aa8a7a759dd04d66de57212a81d051866506cc4df
Instruction Fuzzy Hash: FB11B230A0A64E4EEBA5EBA4C4796B97BE0FF5A305F0504BED41EC60E2DE289540C710

Function 00007FFD9B8A21D1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77edafcc128626b674930c877c0ed174b100e2e511f9b0c898fcfe1d3cf6c78
Instruction ID: c34bc9bfce9a920ed3ceeaa875ab8422cb396b3a6e3b1bf59a3a86c21606c1a9
Opcode Fuzzy Hash: c77edafcc128626b674930c877c0ed174b100e2e511f9b0c898fcfe1d3cf6c78
Instruction Fuzzy Hash: 23019631A4E54E4FE761EFB488655A87BE0EF0A300F0245B6D408C70B6DE38E680C711

Function 00007FFD9B8B2604 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8b2000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5dc1c7d99f2bea11585d5512bd300bec444a1f2f92e70e9475cbba4bac758fb
Instruction ID: e50ea5bd66907a8c24c3b044c7bae4602ede4bc3cb5183aa6f90c9cd81a11ddd
Opcode Fuzzy Hash: a5dc1c7d99f2bea11585d5512bd300bec444a1f2f92e70e9475cbba4bac758fb
Instruction Fuzzy Hash: EF110230A4A25E4EDB69DFB4C4655F93BA0EF1A304F1200BED019C70E2DA29A651CB80

Function 00007FFD9B8A34C5 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d70dcf1e0002fdc590203f3084a7f8ccbd71de5e2deeecbe7892b23c617129
Instruction ID: c8002bbe41659b5d41858e1a6ce16b4d1351e4ed96bfc3e743ae9ea4d4742dcb
Opcode Fuzzy Hash: 69d70dcf1e0002fdc590203f3084a7f8ccbd71de5e2deeecbe7892b23c617129
Instruction Fuzzy Hash: 0D115270A0A64E8FDB59EFA8C8696BD7BF0FF19300F0105BED419C75A2DB35A5448710

Function 00007FFD9B8A05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16a658bd7dde50d7f036faf0d1ea0a92cd8f55baac1c21a2ea7d060b01dfd47
Instruction ID: 8425a18b5a6d5c1306b106213985d314b576ed0a2c6dc4ec9fac1af0c3ab60c6
Opcode Fuzzy Hash: a16a658bd7dde50d7f036faf0d1ea0a92cd8f55baac1c21a2ea7d060b01dfd47
Instruction Fuzzy Hash: EF019E30A0A50E8FEB58EF64C0646B977A1FF6A304F51007ED41EC21A5CA35A650CB50

Function 00007FFD9B8ABF6A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a8000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8041d07a39d810ba597858ff15a7d018a179bb54998bf4a1f82e2f929d0ad04e
Instruction ID: 2a8c4c463ec0589e8b9adad9e90a577751e3c6c6b093e98dde32bdc399240189
Opcode Fuzzy Hash: 8041d07a39d810ba597858ff15a7d018a179bb54998bf4a1f82e2f929d0ad04e
Instruction Fuzzy Hash: 3D015E30A0A94E9FEB95EF68C8686BD7BE0FF18304F15097ED81DC21A5DE35A650CB50

Function 00007FFD9B8A27BD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2d4b3341ef5fddcc13e84fd0c6f6a0ad5a4cbe91aaf6dd9fb13476e357a2b7
Instruction ID: 0df453e2ca2f32a4e392d31d788915621edd4d05de3849e267d52565a0a6cf0f
Opcode Fuzzy Hash: 7d2d4b3341ef5fddcc13e84fd0c6f6a0ad5a4cbe91aaf6dd9fb13476e357a2b7
Instruction Fuzzy Hash: 92018430A1E64E8FE761EFB889695A97BE0FF19300F0245B6D40CC70A6EE38E644C711

Function 00007FFD9B8A2E5D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b391c15e40500f9c3d3f9166e6ebd65e72af27ae169fe5f03ba81aa81d37c028
Instruction ID: e259cecb3e157f5725ea30490a2c8fff1fccfc568b70f8b735babec105f93983
Opcode Fuzzy Hash: b391c15e40500f9c3d3f9166e6ebd65e72af27ae169fe5f03ba81aa81d37c028
Instruction Fuzzy Hash: C4018430E1E64E8FE761EFA488A85A97BE0FF19300F0245B6D40CC71A7EB34E5948711

Function 00007FFD9B8B2285 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8b2000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51453b0cd2c2c00d2486025feec05baf1d3045e2f0bbb28b6159653ea09b003
Instruction ID: 8cefab8cd2c30c94e91d0f8cdbea6917f4143e72cc55bd79f56ce8269054edde
Opcode Fuzzy Hash: f51453b0cd2c2c00d2486025feec05baf1d3045e2f0bbb28b6159653ea09b003
Instruction Fuzzy Hash: F2017530A0A54E4FDB59EFB4C4695B9BBE0FF19304F0604BED419C60E6DA75A544CB41

Function 00007FFD9B8AA919 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a8000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2926fc8d607e534dfb98d9736d288f863420b0cf91aee27713127078077d2a9
Instruction ID: b80bed34efb7aa30de77f68fc3031fc5262c380f92c491eb65965b211d10d17e
Opcode Fuzzy Hash: f2926fc8d607e534dfb98d9736d288f863420b0cf91aee27713127078077d2a9
Instruction Fuzzy Hash: 02018830A5E64E5FD762AB7488596A93BF0EF0A300F0704F2D41CC60B6DE38A544C711

Function 00007FFD9B8A2EC9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3cc7568d33b981d44ddb9f0082cafa1ed1d81011f4dd97c414c2b71f1f7677
Instruction ID: c3be568c663e2aa48357986e83fc4fd7ee369716c3307e31bfe99721934efcd7
Opcode Fuzzy Hash: 0e3cc7568d33b981d44ddb9f0082cafa1ed1d81011f4dd97c414c2b71f1f7677
Instruction Fuzzy Hash: 56018430A1E64E4FE762EBB489695A97BE0EF0A300F0605B7D408CB0B6DA38A554C711

Function 00007FFD9B8A0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d102d75fa08a4bec3d4f749586c0939c2748024f9b63f97f9dffc09f75462107
Instruction ID: fd314a57265a8da503639d9dd7ce2cd8362849558427fc799f7cbdddd8bed7e4
Opcode Fuzzy Hash: d102d75fa08a4bec3d4f749586c0939c2748024f9b63f97f9dffc09f75462107
Instruction Fuzzy Hash: 44016D30A1950E8AEB69EFA4C5686BA73E0FF19305F11047EE41EC21E6DF35A6A0C610

Function 00007FFD9B8A0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b2cab9a866e810e2305bf12b556bdd8f92187d3cdf53c81290fe1ee07ff2fb
Instruction ID: efe334a1ac8c74e12d76f941783e76cbfaefe26f6a3bf4351876009d2ee50c4d
Opcode Fuzzy Hash: 72b2cab9a866e810e2305bf12b556bdd8f92187d3cdf53c81290fe1ee07ff2fb
Instruction Fuzzy Hash: 86016D30A1550EDAEB69EFA4C5686B976A0FF1C305F51087ED41EC21E5DE35B690CA10

Function 00007FFD9B8A11D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ea9d41b8d4b3f8acf2166e2b59a35d6988ad4713b42c5171d891ccdddc8533
Instruction ID: 6d894c14f4014adacf4036812e0ecfcd0381f96fa6a0ddffe842f29ee19c1428
Opcode Fuzzy Hash: 52ea9d41b8d4b3f8acf2166e2b59a35d6988ad4713b42c5171d891ccdddc8533
Instruction Fuzzy Hash: EEF0A430E1A54E4AEFA4ABA488782FA77E4FF5A305F01143AE41DC20E1DE645650C611

Function 00007FFD9B8A1C1D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaceb19111d426e003e8f4d08074c319ca8db64785e5d4cc2eb89bbf54055d51
Instruction ID: 4914cbafb1686f0657e3103b5b7db6c2e22e7c5d47b419bc68c3020e320a9be6
Opcode Fuzzy Hash: eaceb19111d426e003e8f4d08074c319ca8db64785e5d4cc2eb89bbf54055d51
Instruction Fuzzy Hash: F4018630A4A64E8FDB65EF64C4656B97BA1FF5A300F4510BED40CC61A1DA759650C740

Function 00007FFD9B8A05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49116d159186173196ffe179f1fbe5738d256ed80d376fab8a221de4dc0b11a
Instruction ID: 63ea2133509e46c7c915ecfc7736c44890dadebef5da37a159c5ba3ad6eac56e
Opcode Fuzzy Hash: a49116d159186173196ffe179f1fbe5738d256ed80d376fab8a221de4dc0b11a
Instruction Fuzzy Hash: 5BF0C230A0A61E8FEB68EF6494256FA77A4EF1A308F41007AE80DC20A1CA39A650C740

Function 00007FFD9B8A2DE1 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61b47bb90a6de1b0b6237fb76ab70b18b2d56b1ea6fea6dff1adf74854a275c
Instruction ID: 69acfe5360718fd85ecd11d5082d6750c7764f54fb819394bc4c590228d806b4
Opcode Fuzzy Hash: e61b47bb90a6de1b0b6237fb76ab70b18b2d56b1ea6fea6dff1adf74854a275c
Instruction Fuzzy Hash: 82F0BE31A0B24A8FEB699FA485662F93BA0EF05300F0545BED80DCA1F7DB389991C700

Function 00007FFD9B8AA985 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a8000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5986c5b5b417f3fc743ca5092335f31548340c22a5262b4599d222b1b93797
Instruction ID: c2f2a8071054b713dd33fda7e12aade9f23a5e0152c9940fbe2a1683d73f39f3
Opcode Fuzzy Hash: 0a5986c5b5b417f3fc743ca5092335f31548340c22a5262b4599d222b1b93797
Instruction Fuzzy Hash: 5BF0C27564E3868FC316DBA8ECE15D93770EF46308B0E94E3C568CE4A3FB28540A8761

Function 00007FFD9B8A2749 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5e1e2258b29bf8de4ceaa0af333c035cb8fbedb5cb740c0bd0d9d09140db39
Instruction ID: 4bf7424194c4b1d5c19344312717ece5802b04af6756122c54b2e6f6bc02c89a
Opcode Fuzzy Hash: ac5e1e2258b29bf8de4ceaa0af333c035cb8fbedb5cb740c0bd0d9d09140db39
Instruction Fuzzy Hash: 63F0F63090E38E8FDB2A9F6488642E93B70FF06304F4604FAD809C60E6DB38A654CB11

Function 00007FFD9B8AA998 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a8000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ede4ebd6f258b09d4369fcc983afad8ca26cebdcc6b2524098cd5397a49135
Instruction ID: 68bff03da873143ebdbc5630f48972c3b0bccf04a31255d14e5972e3c29f4775
Opcode Fuzzy Hash: 83ede4ebd6f258b09d4369fcc983afad8ca26cebdcc6b2524098cd5397a49135
Instruction Fuzzy Hash: EAF0823564920A9ED715EBE8A8E05E933A0EF8431CB0998F2D57C8A592FF6960058660

Function 00007FFD9B8A23D1 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a595e47ea79d3374fba1493c203210123446cb77be6a39dc34f069baa127a0
Instruction ID: 509a85c5269397367b441b4cee18e7690b724bf7d2dc7931e27e4cfab79dcf86
Opcode Fuzzy Hash: a3a595e47ea79d3374fba1493c203210123446cb77be6a39dc34f069baa127a0
Instruction Fuzzy Hash: 81F0DA70A5961E8EEB74EF90C8557ACB2A1FB58314F1141B9C00ED62A1CF782A848F10

Function 00007FFD9B8AB76E Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a8000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d2c5b4e20544b3d2e95d56d74543a3e84093441bdd2bb23694e518d1142fdf
Instruction ID: f986764061cac0376b916d7f45c6389c2d9258ea2967a0e916b1a27dab519b3d
Opcode Fuzzy Hash: e4d2c5b4e20544b3d2e95d56d74543a3e84093441bdd2bb23694e518d1142fdf
Instruction Fuzzy Hash: F4D09230A1D91E8EEBA4EB54C890EE9B378EB18300F1092F1800D9219ADE34AAC1CB40

Function 00007FFD9B8A94D0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1794682315.00007FFD9B8A8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b8a8000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33d97531ae6baffb3d9a94e892bcc5a06c81dfa169eeaeb81582daf880cc92d
Instruction ID: bc88dcc058eb06abfc62da85977c6f2ae7ecffec2bdaa27abaa3d7f63e43e1fc
Opcode Fuzzy Hash: b33d97531ae6baffb3d9a94e892bcc5a06c81dfa169eeaeb81582daf880cc92d
Instruction Fuzzy Hash: A9D09EB0E4552E9FDBB0DB54C850B9973B1EF09311F1000E5814DD3250CB346E819F15

Analysis Process: Memory Compression.exePID: 7976, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8A3545 Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

W_H, xrefs: 00007FFD9B8A35CD

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID: W_H
API String ID: 0-126398842
Opcode ID: d73842dbd298d2de6e0a56693294eb213bb15ebb19b1c921a00a75eaad049845
Instruction ID: cfbcf737d9f999423dae35c730ac25955096b0106c22a9c9f1b50fe8541753fd
Opcode Fuzzy Hash: d73842dbd298d2de6e0a56693294eb213bb15ebb19b1c921a00a75eaad049845
Instruction Fuzzy Hash: FAA1D171A0994E8FEB98DBA8D8257AD7BE1FF5A350F80017AD00DD33D6DB7868018B41

Function 00007FFD9B8B125B Relevance: 3.8, Strings: 3, Instructions: 75COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B8B165B
., xrefs: 00007FFD9B8B19BE
", xrefs: 00007FFD9B8B1292

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID: "$.$/
API String ID: 0-983106565
Opcode ID: 7cf052e9873f25b1177c294df4a9f89cdd47884ffb52b5c6f31f2c7a276bc04e
Instruction ID: 21daa2b5e7b34fe0ff0627d04ae0130c2ef280ebaa03f21ef16479aa26ea33a8
Opcode Fuzzy Hash: 7cf052e9873f25b1177c294df4a9f89cdd47884ffb52b5c6f31f2c7a276bc04e
Instruction Fuzzy Hash: A231EB70E1522DCFEB64EFA4C8A47EDB7B1AB59311F1104BAD04D9B291CA386A84CF50

Function 00007FFD9B8B141D Relevance: 2.5, Strings: 2, Instructions: 27COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B8B165B
%, xrefs: 00007FFD9B8B16A3

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID: %$/
API String ID: 0-2617147878
Opcode ID: dfcb9c8c9462e0c49bcb69e7cac1d33d2736e6f06c33c0c99f3b747fec344d19
Instruction ID: 97be792981708cf33670ec31a39b110ad9826cb405810ad6f8d543b54797285e
Opcode Fuzzy Hash: dfcb9c8c9462e0c49bcb69e7cac1d33d2736e6f06c33c0c99f3b747fec344d19
Instruction Fuzzy Hash: 44F0303590861D8BEF28EF90C890AEDB7B1EB15310F15013AC4099F2A0DB786684CF84

Function 00007FFD9B8B39FA Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD9B8B3A01

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID: L_^
API String ID: 0-2257155764
Opcode ID: f702c38b8bd98fe47992c38d4a94b82abcf088729ee64e52d79de2ed5ae1d32e
Instruction ID: 6d43b0f6809db1d5c0f3b9a2f76defb543c915ccb5906dc9c03f01b5d7526e32
Opcode Fuzzy Hash: f702c38b8bd98fe47992c38d4a94b82abcf088729ee64e52d79de2ed5ae1d32e
Instruction Fuzzy Hash: 06412A22B0EA6A5EE716ABFCA8650F97BE0FF55361B1405B7C148C70B7D924A1458BC0

Function 00007FFD9B8AC7F3 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

|L_^, xrefs: 00007FFD9B8AC801

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8aa000_Memory Compression.jbxd

Similarity

API ID:
String ID: |L_^
API String ID: 0-3369961972
Opcode ID: d1fd549287316fcf5503f1b16195b65609bb8c42a8fe5fad885e1350b1fbe01b
Instruction ID: 73b84f2f8757122b07b6953618008fc1e4427549ba39b09a2a2e2bc5ed77da12
Opcode Fuzzy Hash: d1fd549287316fcf5503f1b16195b65609bb8c42a8fe5fad885e1350b1fbe01b
Instruction Fuzzy Hash: 1D31E722B0D66B9BEB5A7BACBC294FC7794FF19324F050177D11DCA0E3DE28214186A1

Function 00007FFD9B8AFDAB Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFD9B8AFDB8

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8AF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8af000_Memory Compression.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3081909835
Opcode ID: 2cea509e0fd721dd17c988c8133ec0a28544fa1948fd199e4126fb3f10751f0c
Instruction ID: 915ed113e27081dcece6cd6295371ef3447ea234c9830f6f61c7d95a99695fe9
Opcode Fuzzy Hash: 2cea509e0fd721dd17c988c8133ec0a28544fa1948fd199e4126fb3f10751f0c
Instruction Fuzzy Hash: E241BA71A15A1D8BEBA8DB188C65BAAB7B1FF58301F5001E9904DE26D1DF346A818F41

Function 00007FFD9B8B32B8 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37343b5b77cd7fc85ea545d8e22c47d873e5e9f6baf2208ccfe96171ab330fce
Instruction ID: a4df5a8ee988b3aba00962192f8ad29ea22610ec46a84c27b1652d804f4d23f1
Opcode Fuzzy Hash: 37343b5b77cd7fc85ea545d8e22c47d873e5e9f6baf2208ccfe96171ab330fce
Instruction Fuzzy Hash: B221B661E0E7DA4FE7529B7488695A97FF0FF16340B0905FBD058C71E7D928A604C782

Function 00007FFD9B8B32C8 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1386a915f5783f2693f11f56f85a021543882aec8aced9bc033b369dbcf6fd
Instruction ID: af11461afc116f362420a906636eb629995fa4a08de34ae8468aecf1d4c4e08a
Opcode Fuzzy Hash: 2e1386a915f5783f2693f11f56f85a021543882aec8aced9bc033b369dbcf6fd
Instruction Fuzzy Hash: 93118161A0F7DA4FE71297B488395A97FB0EF16244F0901FBD4A8CB1E3E9186604D792

Function 00007FFD9B8AD899 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8aa000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ba9abd92e04961a76f9480c84d732d04ac9038111573c8f2f3c02300479912
Instruction ID: f2df6b062104ae3c628822b6d328406e73470f74445866d9a1cff79cfb987b5e
Opcode Fuzzy Hash: 01ba9abd92e04961a76f9480c84d732d04ac9038111573c8f2f3c02300479912
Instruction Fuzzy Hash: 4AE15C71E1965D8FEBA8DB98D8A4BB8B7B1FF58300F4441BAD00DD32E6DA346941CB11

Function 00007FFD9B8B3B25 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4acbba087e523aee8ce61ef5b000618e57058c12e9bd8d1a8fe40b9c38005955
Instruction ID: a6af50a6ad654ca3fda8dde38f683a3ee29ce427e3f1ee33e4f2a49ec013a318
Opcode Fuzzy Hash: 4acbba087e523aee8ce61ef5b000618e57058c12e9bd8d1a8fe40b9c38005955
Instruction Fuzzy Hash: 16D1BA70E1952D9EDBA4EBA8C8657ECB7B1FF59300F5141BAD00DE32A1DB346A848F41

Function 00007FFD9B8A1638 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9715d00298074101e80de4ba1f069b769adf91c4f689754fdc354d1a79e9272a
Instruction ID: 95bad4a525547d566b579acd14bfd55cbf2bb0486542c41aa085e0b297c9fc2e
Opcode Fuzzy Hash: 9715d00298074101e80de4ba1f069b769adf91c4f689754fdc354d1a79e9272a
Instruction Fuzzy Hash: AE81E231B0DA8D4FDB58EF5888605A977E2FF99300B15467EE45DC3296DE34AD02C781

Function 00007FFD9B8A06C0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f39e0c44fd27a62f7f330e67c86a37a819794f794e0f1da2a38b708f403327
Instruction ID: 678f40eec78644cc884d708389a4f538c5a5dade755a08ec372de3553df8625f
Opcode Fuzzy Hash: 99f39e0c44fd27a62f7f330e67c86a37a819794f794e0f1da2a38b708f403327
Instruction Fuzzy Hash: FA614A52B1FAC94FE32557AC7C290B87BA0EF56790B0943FBE09CC60F7EC15A6058295

Function 00007FFD9B8B2900 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ac34d31d1266e714fe55859b1581b004e0192942725edc1c65c4eda62d626a
Instruction ID: 20597a1e84e257de6fed0e6090ff2e3e50ea08339ddc56070ce1e223b88942ff
Opcode Fuzzy Hash: 84ac34d31d1266e714fe55859b1581b004e0192942725edc1c65c4eda62d626a
Instruction Fuzzy Hash: 2091A670E1952D8EDBA4EFA8D8657ACB7B1FF58300F5141AAD00DE3292DE346A818F50

Function 00007FFD9B8A1C9D Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3624738febede64af4b89bfe1492b1b1f004bf8892522868917c1b382116a5fe
Instruction ID: fc71a6217ae9346c455a59ab3d48e99e850cd2386b09c7f6063b7aa5a32d88ea
Opcode Fuzzy Hash: 3624738febede64af4b89bfe1492b1b1f004bf8892522868917c1b382116a5fe
Instruction Fuzzy Hash: F751D031B09B8E4FDB58DF5888605AA77E2FF99304B15467ED45AC7292DE34E802C781

Function 00007FFD9B8ABFEA Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8aa000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3ff2c28f93ae2a4058f42f50aad8790e455fbaad39d681a5d08e8ee628efca
Instruction ID: fbdca8857f9a46eae83689f6794649f605924b6b3477124f7cd04cbfaf6fa0b2
Opcode Fuzzy Hash: 1a3ff2c28f93ae2a4058f42f50aad8790e455fbaad39d681a5d08e8ee628efca
Instruction Fuzzy Hash: FC51DE70E0951D8FEBA4EBA8C8696FDB7F5EF58300F51017AD01DE72A1DE386A418B50

Function 00007FFD9B8A3135 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec30a10b448d7ffd2717b2b61fff11867a913a41fc25b768a45a6b185580c8d
Instruction ID: 3eef8180db301e7838357e8e69bb1afd620e0c66b6622fa9eb93d6644cd95493
Opcode Fuzzy Hash: 1ec30a10b448d7ffd2717b2b61fff11867a913a41fc25b768a45a6b185580c8d
Instruction Fuzzy Hash: AF515C70E0A61E8FEB64DF98C4646ECBBF1FF58301F51017AD009E72A5DA386A44CB60

Function 00007FFD9B8B2AAF Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f459f3cfd0624f9db3ec20d1c346f2ab0a146a947e7820aefc8c3568524702
Instruction ID: 576629854399840d91b5721c219e452bf9bd83e1f423b1dcbb8ff9684d895497
Opcode Fuzzy Hash: 26f459f3cfd0624f9db3ec20d1c346f2ab0a146a947e7820aefc8c3568524702
Instruction Fuzzy Hash: 86418470E0951D8EDBA4EFA8C8697ECB7F1EB58301F5141AAD40DE32A1DE346A858F50

Function 00007FFD9B8AF58F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8AF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8af000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a399680fe2c7f962cec0e46ee7b07a85ca467917364769c756f9ebdb38e0d3
Instruction ID: faac1004544d202218d87d82d88066838c06caa9c5c1a9cf31c94b93b7282bc8
Opcode Fuzzy Hash: a8a399680fe2c7f962cec0e46ee7b07a85ca467917364769c756f9ebdb38e0d3
Instruction Fuzzy Hash: DF31C971A15A1D8FDBA8DB188C65BAAB3B1FF58301F5001EA904DE36D6DF3469818F40

Function 00007FFD9B8AAD48 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8aa000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bed88ef49f4d9b2a9ae48c036197874d8498992c8b43d8a4a8e1250dd90e6fa
Instruction ID: 6af81c877ca126f140cad40098406ff4b9c23c8183db1b3d0cdff0a34c85e41e
Opcode Fuzzy Hash: 9bed88ef49f4d9b2a9ae48c036197874d8498992c8b43d8a4a8e1250dd90e6fa
Instruction Fuzzy Hash: 9631F821E0E94F6FE762ABB8C8281F97BE0FF18351F05857AD098D24A2EE34B5048350

Function 00007FFD9B8AC0B6 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8aa000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351a1f5acde99adcdc321a718aa35185211a8ef1ac94d48f655252595a8279e1
Instruction ID: b9eb10cc7f806cc4ef65a75239a2a8de58a040b4162e30f76583aab40f6c9b96
Opcode Fuzzy Hash: 351a1f5acde99adcdc321a718aa35185211a8ef1ac94d48f655252595a8279e1
Instruction Fuzzy Hash: 6231BA70F1991D9FEBA4EB9888A5AFCBBB5FF58340F511039D00DE7292DE3869418B10

Function 00007FFD9B8A0805 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71150ad5de046c09c505f79fc069826398ce2e1d4d36b6f4421f68c4899d635
Instruction ID: 8888e3b32672b6648e9d3d8ace1c53b4a52a42818e3364744540097d7472e44c
Opcode Fuzzy Hash: a71150ad5de046c09c505f79fc069826398ce2e1d4d36b6f4421f68c4899d635
Instruction Fuzzy Hash: 5021A952F1F58A97E72527BC9C7A4E8BB90FF01658B0942B7D0ACC90D3ED08A10AC2D4

Function 00007FFD9B8B7545 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd72b4d52bbc8ab0cb7d8892c2e71c0cc56f9db72d7368c0e9581516e43f7e0a
Instruction ID: 15906fcbe234b8c9da5bb6b8a1e255c647e923e65bde5ba8d852722b3d872ad2
Opcode Fuzzy Hash: fd72b4d52bbc8ab0cb7d8892c2e71c0cc56f9db72d7368c0e9581516e43f7e0a
Instruction Fuzzy Hash: B921FD34A0EB1E8FEB75ABB4C464AFD77E0EF09314F11047AC41AC21E5EE28A5448A81

Function 00007FFD9B8B6E1D Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb1e1bdba25634e9173b1312747bc6fc2fe6695b7a99058561a281d240b42c3
Instruction ID: 6c4ec79bf0a02e891a00fc68deda7b444c3fd4e569f8699c3c7510317b953292
Opcode Fuzzy Hash: 8bb1e1bdba25634e9173b1312747bc6fc2fe6695b7a99058561a281d240b42c3
Instruction Fuzzy Hash: 0B21F3B0A0E64E4BEB689F74C8762B97BA0FF19300F1600BED41DC20E2DE35A5448B81

Function 00007FFD9B8B7351 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e27b0ddf7242e8a48b409787d0430dcbd2f6337249613a55f2c3365601fe31
Instruction ID: ca3547ccb2063400fe98f40607b256d6e885b5e1008a1e2e358608ed56ecb1e6
Opcode Fuzzy Hash: 50e27b0ddf7242e8a48b409787d0430dcbd2f6337249613a55f2c3365601fe31
Instruction Fuzzy Hash: 3A213035F0E65E8EEB61EBB888585FD7BE4FF1D301F410576D819D31A5DA38A2408B90

Function 00007FFD9B8A33D1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbe1fc200f0886a3d6c3f549b1338228e99d5f323a6143a354422df6e0109d7
Instruction ID: 7f7f3684fccdedc05d2b48f62abec894aff74ac3eb18f14460829f24c2d8d751
Opcode Fuzzy Hash: 1fbe1fc200f0886a3d6c3f549b1338228e99d5f323a6143a354422df6e0109d7
Instruction Fuzzy Hash: 2B213D30A0A94E8FEB65EBA488696BD77A0FF18304F11057AD42DC71A1DF35A640D750

Function 00007FFD9B8A3330 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6b61fddc824c501817a25991b2895e43cb245667dc087d4adc2cf341c44fbe
Instruction ID: a394cca4f25e1a85d5d071d963e2598d3f4aeb27bafccd2d498370ac81d029bc
Opcode Fuzzy Hash: 1b6b61fddc824c501817a25991b2895e43cb245667dc087d4adc2cf341c44fbe
Instruction Fuzzy Hash: 1921D23094E68E8FE742ABB488685A97FF0FF4B300B0544EAD449CB1B2DA389546C721

Function 00007FFD9B8B7AFD Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07e26d494e17eb09749e323a7f50f7c3e314b9d4d5b3e82233528d0458a88d3
Instruction ID: 8781470b2cf1e002f92a94aed7e77d4828903d28767e9351dc0fdc3e59c529b1
Opcode Fuzzy Hash: b07e26d494e17eb09749e323a7f50f7c3e314b9d4d5b3e82233528d0458a88d3
Instruction Fuzzy Hash: C6219234A4A64E8FDB69AF74C8655FE3BA0FF09304F0214BAD41DC20E6DE34A650CA81

Function 00007FFD9B8A0A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f2cfe880dcec426e42078b476a09e80a3a771557ca1761e7adfc36dabbc7051
Instruction ID: a3ab1d6cca534d17abb67944397f2aa633e149bfc723486b2a940ecb94852cd0
Opcode Fuzzy Hash: 0f2cfe880dcec426e42078b476a09e80a3a771557ca1761e7adfc36dabbc7051
Instruction Fuzzy Hash: EC11B230E2A50E4FE790EBA8C8595BD77E1FF58700F4146B6D01CC71A6EE34B6448750

Function 00007FFD9B8A0F28 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38626148f004e4d67f84a8e628d046dd7b4451726f4c7bc1c1333534f4c8d5a
Instruction ID: 6da4982366631d247c9dda0c07a0d37d5b4ac2637a641beeb7be0ee38a49b338
Opcode Fuzzy Hash: d38626148f004e4d67f84a8e628d046dd7b4451726f4c7bc1c1333534f4c8d5a
Instruction Fuzzy Hash: B0213D31E1A51E8BEB64EB94C864AED73B5FF48300F1141B9D00DA72A6DE38AA458B50

Function 00007FFD9B8B4649 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f84cd82c0cf53dfbaae6bddc047746eb8fa673dc146638e289e583e899a706
Instruction ID: 6fd7adeb60d9350af5373dedafa2f2eddccf4badfcac17a24e74a5bb02014e6f
Opcode Fuzzy Hash: e6f84cd82c0cf53dfbaae6bddc047746eb8fa673dc146638e289e583e899a706
Instruction Fuzzy Hash: 0F21C330A0AA5E8FEB59DF64C46A1BD3BB0FF19301F0501BFD419C71A2DA346540CB81

Function 00007FFD9B8B6C41 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb2b5bc781c19af52b78a0c51cf32a513a9cba4ee102909deec071bfaf82e8c
Instruction ID: 6c5481afdc1717589a76c3641f38bbb9a11509c5a7dfe1c1468b09b384bdfb82
Opcode Fuzzy Hash: dcb2b5bc781c19af52b78a0c51cf32a513a9cba4ee102909deec071bfaf82e8c
Instruction Fuzzy Hash: 0111A570A0964E8FDB98DF6884751BD7BA0FF68301F01057ED41DC21A6DA35A544CB80

Function 00007FFD9B8B23F1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c81e7412d912376e4fe1e659f12f68bc891515f41ab14b9704b21a312c0380a
Instruction ID: f0758aa8cf12a00fd2ca3fc4f783a0c5077de1fd45a4f40e35b237dc1d6b16ee
Opcode Fuzzy Hash: 7c81e7412d912376e4fe1e659f12f68bc891515f41ab14b9704b21a312c0380a
Instruction Fuzzy Hash: 08116730A1964D8FDB58DF68C4A55E93BA1FF58304F02027EE84AC2695CA34A650CB80

Function 00007FFD9B8B4C05 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d4176c95925f9b875636bc67cfa6ba97fb2a4eb87b8c8c92d836d075273f49
Instruction ID: 24ef7be101b6cc2226d221235853a1513a161a9eca4e653cec69edcf4446726b
Opcode Fuzzy Hash: 85d4176c95925f9b875636bc67cfa6ba97fb2a4eb87b8c8c92d836d075273f49
Instruction Fuzzy Hash: 1111E631A0EA8D4BEB59DBB488761B83BA0EF18704F0901BED01DC21E2DE356540CA41

Function 00007FFD9B8B46E5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6671f2825af8f4da0a3817cba06d0526dc21a173df80ed6f83686de412a0f34
Instruction ID: 8df6caef02a9287c158d974a5d89be803cde2e00703aabfd1c3246469cfc2449
Opcode Fuzzy Hash: f6671f2825af8f4da0a3817cba06d0526dc21a173df80ed6f83686de412a0f34
Instruction Fuzzy Hash: CA11A230A0964E8FEB58EF68C46A2BD7BE0FF59301F0505BED41DC21A2DB356540CB80

Function 00007FFD9B8B4F79 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b990e3926a231dcdcc186a98136143f211d9f78165a288130e0e8aee0985082
Instruction ID: ab32eaa72f1f2be086523d0276cfe28acb1f28892c48d5b1077b77cee7524c69
Opcode Fuzzy Hash: 9b990e3926a231dcdcc186a98136143f211d9f78165a288130e0e8aee0985082
Instruction Fuzzy Hash: 8D118130A0A69E4FEB55EB64886A6B97BF0FF19300F0505BFD419C72A2DA356544CB81

Function 00007FFD9B8B6D85 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26aa29a8a97e622c12ce22b0891eccd8a7b27133e27c5db21d5b3eb231388c81
Instruction ID: d47e534a24283bbfa72fde8fb7da735ebab6c4d389c55d85ddd1bb11fceb1aae
Opcode Fuzzy Hash: 26aa29a8a97e622c12ce22b0891eccd8a7b27133e27c5db21d5b3eb231388c81
Instruction Fuzzy Hash: 40110871A0EA4D4BEB699F6488751B8BBE0FF19300F0904BED41DC60F2DE26A504C741

Function 00007FFD9B8AC880 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8aa000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5e625a13cf2f27bd5f5344af31f46d28d3c441a588808f7f3ccfcdbc4373e4
Instruction ID: 93b282f3eb4a0cfcc708c08fec9ea9b2506de6350c6b056add4ab893a33cfb58
Opcode Fuzzy Hash: cd5e625a13cf2f27bd5f5344af31f46d28d3c441a588808f7f3ccfcdbc4373e4
Instruction Fuzzy Hash: 08116D30A0A64E9EEB5AEF6888685F97BA0FF09304F0105BBD419C61A6DA38A540CB50

Function 00007FFD9B8B27D1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09bc77b163352188940b891862636afcf7c726fa7dff9887783ac10b6ecc7918
Instruction ID: f8dba8c69a05ecbd0af74f560f073e3fe81bbae6e94adcccecd8800ec5e1034a
Opcode Fuzzy Hash: 09bc77b163352188940b891862636afcf7c726fa7dff9887783ac10b6ecc7918
Instruction Fuzzy Hash: BC11A530A1A56E8EE752EBB488585F97FE0FF0D301F0145B6D418C70A6EA349244CB81

Function 00007FFD9B8B6CFA Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e605836f0633ffa6693a8798d144c2c179bc655f06ebda2970c8c439f80cd08e
Instruction ID: de99a731f332a372c135db5691d182eadd08bc59aa88f78cd2299e05a70171ab
Opcode Fuzzy Hash: e605836f0633ffa6693a8798d144c2c179bc655f06ebda2970c8c439f80cd08e
Instruction Fuzzy Hash: 0D11B270A09A1E8EEBA8EF68C4656BD7BE0FF18301F04057ED41DC21A5DE35A640CB80

Function 00007FFD9B8ABB75 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8aa000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec3706b059c914c39e7f5ad91360aebd115af6e3f020031cf7118baadae2c51b
Instruction ID: 428f3cd07c0564c562c9a609b3476f9a3120dc780f2021563300436c240afe34
Opcode Fuzzy Hash: ec3706b059c914c39e7f5ad91360aebd115af6e3f020031cf7118baadae2c51b
Instruction Fuzzy Hash: F6117C30A0A64E8FEB99EFA4C8682B97BA0FF18305F4109BED419C65E5DA34A641C710

Function 00007FFD9B8A11BD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bcf809e4581afe88099f66aa8a7a759dd04d66de57212a81d051866506cc4df
Instruction ID: 152186f0a42d0324c484139bcb78b387be3b5426517bb33c739677cd26d39b8a
Opcode Fuzzy Hash: 1bcf809e4581afe88099f66aa8a7a759dd04d66de57212a81d051866506cc4df
Instruction Fuzzy Hash: FB11B230A0A64E4EEBA5EBA4C4796B97BE0FF5A305F0504BED41EC60E2DE289540C710

Function 00007FFD9B8B6019 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41abc1457157181a28da9da5c51225a03e411249421765a48475e8da9578f396
Instruction ID: b843da86f25e6fcede2b82ea349e5a0c8a59aa9a455868916cd1fca3957e7efe
Opcode Fuzzy Hash: 41abc1457157181a28da9da5c51225a03e411249421765a48475e8da9578f396
Instruction Fuzzy Hash: 9E11A770E0E65E4FEB51EBB488695A9BBF0FF19300F0505B6D41CC70A2EE34E6458B41

Function 00007FFD9B8B4EED Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3679557ad2e60a8fcc02afca5597a97d6701ba6ecd0dfe2d3778fecb90fcf2b9
Instruction ID: eb8cf08492e7bd5bc3bd08d210785afaa5e13d7c90d79d97c36dd3266b3cfa53
Opcode Fuzzy Hash: 3679557ad2e60a8fcc02afca5597a97d6701ba6ecd0dfe2d3778fecb90fcf2b9
Instruction Fuzzy Hash: 08119430A0955E4FEB54DF64886A6B977E0FF18304F0505BED41DC71E6DE24A6408B81

Function 00007FFD9B8B4D2D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8567f3b0cadd918c875217b575834f6f72910e467b7d0b0a0cf6116c8724a3cf
Instruction ID: 24a9c5627c1865da7f9616fbbe34daec7627489979359998dcaac0fc16d15150
Opcode Fuzzy Hash: 8567f3b0cadd918c875217b575834f6f72910e467b7d0b0a0cf6116c8724a3cf
Instruction Fuzzy Hash: 00116030A4965E4FFB55DFA8886A6B97BE0FF18300F0905BED419C61A6DA35A5408B41

Function 00007FFD9B8A21D1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47bcd978f5a7bccfeb6bd598135497cd35e45cedfbb468b4b4595bc5ed94f016
Instruction ID: 308023713a2f80795446caf131ab4a7f889aa6cf20986155c38f41ad8ac6bdf6
Opcode Fuzzy Hash: 47bcd978f5a7bccfeb6bd598135497cd35e45cedfbb468b4b4595bc5ed94f016
Instruction Fuzzy Hash: 7C019631A4E54E4FE761EFB4C9655A87BE0EF0A300F4245B6D408C70A6DE38E680C711

Function 00007FFD9B8B2604 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572b3e1988ac7c90dcedb12372c38eea01ac8759f00f2e6090994060a2091289
Instruction ID: 2a1f306a066cb991dfc046057e4dc47d70bc00bbd927a868b9c451f52a96623f
Opcode Fuzzy Hash: 572b3e1988ac7c90dcedb12372c38eea01ac8759f00f2e6090994060a2091289
Instruction Fuzzy Hash: D4110230A4A25E4EDB69DFB4C4655F93BA0EF1A304F1200BED019C70E2DA29A642CB81

Function 00007FFD9B8A34C5 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11aa1667005850a1854662fec9f509ae161460e0cd1e13e02fde379fd67ef3bb
Instruction ID: ab3decae7baa057e2b09cace9a4a3caea48320b2e39efd4aedf80c7822c10a08
Opcode Fuzzy Hash: 11aa1667005850a1854662fec9f509ae161460e0cd1e13e02fde379fd67ef3bb
Instruction Fuzzy Hash: 6F113070A0A64E8FDB55EFA8C8696BD7BE0FF19300F0105BED419C65A2DA35A5448710

Function 00007FFD9B8A2E51 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b391c15e40500f9c3d3f9166e6ebd65e72af27ae169fe5f03ba81aa81d37c028
Instruction ID: e259cecb3e157f5725ea30490a2c8fff1fccfc568b70f8b735babec105f93983
Opcode Fuzzy Hash: b391c15e40500f9c3d3f9166e6ebd65e72af27ae169fe5f03ba81aa81d37c028
Instruction Fuzzy Hash: C4018430E1E64E8FE761EFA488A85A97BE0FF19300F0245B6D40CC71A7EB34E5948711

Function 00007FFD9B8A05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16a658bd7dde50d7f036faf0d1ea0a92cd8f55baac1c21a2ea7d060b01dfd47
Instruction ID: 8425a18b5a6d5c1306b106213985d314b576ed0a2c6dc4ec9fac1af0c3ab60c6
Opcode Fuzzy Hash: a16a658bd7dde50d7f036faf0d1ea0a92cd8f55baac1c21a2ea7d060b01dfd47
Instruction Fuzzy Hash: EF019E30A0A50E8FEB58EF64C0646B977A1FF6A304F51007ED41EC21A5CA35A650CB50

Function 00007FFD9B8ABF6A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8aa000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b9787201b19a3ea21009d8eaaa931412abe4884b5da01595b355af360b0293
Instruction ID: 2a8c4c463ec0589e8b9adad9e90a577751e3c6c6b093e98dde32bdc399240189
Opcode Fuzzy Hash: 18b9787201b19a3ea21009d8eaaa931412abe4884b5da01595b355af360b0293
Instruction Fuzzy Hash: 3D015E30A0A94E9FEB95EF68C8686BD7BE0FF18304F15097ED81DC21A5DE35A650CB50

Function 00007FFD9B8A282D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8621763e1fccb9be8ee3f2e950125919cb5718bc7397d66e7d3526f42a5f358b
Instruction ID: 0d22346dbe54c15dc4e02549633f015a3d59e039d50a69f50c998e67fb143e5a
Opcode Fuzzy Hash: 8621763e1fccb9be8ee3f2e950125919cb5718bc7397d66e7d3526f42a5f358b
Instruction Fuzzy Hash: 4A018430E1A54E8FE761EFA489585A9BBE0FF1D300F0245B6E418C70A6EE38E244C750

Function 00007FFD9B8B2285 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372daebc37f5152b5be2e3d7fec66df4d1d24babb850548942f2f2e940e363f1
Instruction ID: 8cefab8cd2c30c94e91d0f8cdbea6917f4143e72cc55bd79f56ce8269054edde
Opcode Fuzzy Hash: 372daebc37f5152b5be2e3d7fec66df4d1d24babb850548942f2f2e940e363f1
Instruction Fuzzy Hash: F2017530A0A54E4FDB59EFB4C4695B9BBE0FF19304F0604BED419C60E6DA75A544CB41

Function 00007FFD9B8B74D9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6479288db9299ae9f2efbedcd03645fea3a8ecb301533ac7135ce9b4c5e20a74
Instruction ID: a7ec13b1288736a1d2c9a6173b9056a9cf818de9388d8053366c1f10c09259f9
Opcode Fuzzy Hash: 6479288db9299ae9f2efbedcd03645fea3a8ecb301533ac7135ce9b4c5e20a74
Instruction Fuzzy Hash: 9901B530A0E75E4FE752AB7488689A93BE0FF09300F0604F6D418C70B6EA28E5448741

Function 00007FFD9B8B7A89 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663c7c9c90e6ffe5916785a33cfdc7198ea752174d74144ff698ba2c036c5a70
Instruction ID: 1b9c9dbd18f16583b14c6743d3a58b8c1c3b50d071bb855543a41f447694d268
Opcode Fuzzy Hash: 663c7c9c90e6ffe5916785a33cfdc7198ea752174d74144ff698ba2c036c5a70
Instruction Fuzzy Hash: B201D630A0A78D4FD795EB74C8685B93BE0EF0A304F0604FEC009C60E2DA349644C741

Function 00007FFD9B8AA919 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8aa000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a89d8610e02d5d42719ba838498590c9c7f11654b9405f74b92ac696c0970f
Instruction ID: d891c4963b364d97f6f45202739778754d131aac61f4c17408864c820c360d2d
Opcode Fuzzy Hash: c7a89d8610e02d5d42719ba838498590c9c7f11654b9405f74b92ac696c0970f
Instruction Fuzzy Hash: E2014430A5E64E5FE762AB7488996A97BF0EF0A304F0749F2D41CC74B6DE38A544C721

Function 00007FFD9B8A2EC9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59ce917d5ee1b79b03b49a1764b6d5c741ad16be1e989f281fb53fba937884f
Instruction ID: 45c9e22747b00fee4c917e2f86422403f429c64ded80a42e495f745d4bddd813
Opcode Fuzzy Hash: c59ce917d5ee1b79b03b49a1764b6d5c741ad16be1e989f281fb53fba937884f
Instruction Fuzzy Hash: 45018430A1E64E4FE762EBB489695A97BE0EF4A300F4605F7D408CB0B6DA38A544C711

Function 00007FFD9B8A0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420603b43faf66d2473e3fe587a9d411b545fa02f737168ae0c619f201905d99
Instruction ID: 9746e323cb3abbc38f08c20a93b61245972003c7011afba51c976345fbb64d35
Opcode Fuzzy Hash: 420603b43faf66d2473e3fe587a9d411b545fa02f737168ae0c619f201905d99
Instruction Fuzzy Hash: 5B018130A1950E8AEB68EFA4C5696B977E0FF1C305F11087EE41EC21E5DF35B690CA11

Function 00007FFD9B8A0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b2cab9a866e810e2305bf12b556bdd8f92187d3cdf53c81290fe1ee07ff2fb
Instruction ID: efe334a1ac8c74e12d76f941783e76cbfaefe26f6a3bf4351876009d2ee50c4d
Opcode Fuzzy Hash: 72b2cab9a866e810e2305bf12b556bdd8f92187d3cdf53c81290fe1ee07ff2fb
Instruction Fuzzy Hash: 86016D30A1550EDAEB69EFA4C5686B976A0FF1C305F51087ED41EC21E5DE35B690CA10

Function 00007FFD9B8A11D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ea9d41b8d4b3f8acf2166e2b59a35d6988ad4713b42c5171d891ccdddc8533
Instruction ID: 6d894c14f4014adacf4036812e0ecfcd0381f96fa6a0ddffe842f29ee19c1428
Opcode Fuzzy Hash: 52ea9d41b8d4b3f8acf2166e2b59a35d6988ad4713b42c5171d891ccdddc8533
Instruction Fuzzy Hash: EEF0A430E1A54E4AEFA4ABA488782FA77E4FF5A305F01143AE41DC20E1DE645650C611

Function 00007FFD9B8B537B Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5286ac3026b582e1c8b8f3c633a0b15de6f3313cc7086b5462a37d2902558e
Instruction ID: fc187b594c075f53ee01d3eba628ae11bb95dc4eda7b356d7355532c17b8d036
Opcode Fuzzy Hash: 0f5286ac3026b582e1c8b8f3c633a0b15de6f3313cc7086b5462a37d2902558e
Instruction Fuzzy Hash: B8F01432A0892D8EDFA0EBA898647ECB7B1FB5C210F400066C00CE3251DE342A818B40

Function 00007FFD9B8A1C1D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaceb19111d426e003e8f4d08074c319ca8db64785e5d4cc2eb89bbf54055d51
Instruction ID: 4914cbafb1686f0657e3103b5b7db6c2e22e7c5d47b419bc68c3020e320a9be6
Opcode Fuzzy Hash: eaceb19111d426e003e8f4d08074c319ca8db64785e5d4cc2eb89bbf54055d51
Instruction Fuzzy Hash: F4018630A4A64E8FDB65EF64C4656B97BA1FF5A300F4510BED40CC61A1DA759650C740

Function 00007FFD9B8A05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49116d159186173196ffe179f1fbe5738d256ed80d376fab8a221de4dc0b11a
Instruction ID: 63ea2133509e46c7c915ecfc7736c44890dadebef5da37a159c5ba3ad6eac56e
Opcode Fuzzy Hash: a49116d159186173196ffe179f1fbe5738d256ed80d376fab8a221de4dc0b11a
Instruction Fuzzy Hash: 5BF0C230A0A61E8FEB68EF6494256FA77A4EF1A308F41007AE80DC20A1CA39A650C740

Function 00007FFD9B8AA985 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8aa000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb0e7856b25cfa828a118f240eb132d36eecb8b651bc3ce0919a11be9097cb7
Instruction ID: dc5a3d67deb4dade821f0878967d19d9b76f6757cbe323212867351a24536efc
Opcode Fuzzy Hash: 5eb0e7856b25cfa828a118f240eb132d36eecb8b651bc3ce0919a11be9097cb7
Instruction Fuzzy Hash: 4AF0AF7564A3868FC316DBA8ACE15993770EF4630870E94E3C568CE4A3FB2854098761

Function 00007FFD9B8A2749 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5e1e2258b29bf8de4ceaa0af333c035cb8fbedb5cb740c0bd0d9d09140db39
Instruction ID: 4bf7424194c4b1d5c19344312717ece5802b04af6756122c54b2e6f6bc02c89a
Opcode Fuzzy Hash: ac5e1e2258b29bf8de4ceaa0af333c035cb8fbedb5cb740c0bd0d9d09140db39
Instruction Fuzzy Hash: 63F0F63090E38E8FDB2A9F6488642E93B70FF06304F4604FAD809C60E6DB38A654CB11

Function 00007FFD9B8A27BD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8a0000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28e20250c55289532d1bcb9923e09e1a12809e23bcf2b0cebf7664d2003b72b8
Instruction ID: 953563ecbaf28355e591ec01b9335d833e2ec53f6048e945a8ef692b33253dfb
Opcode Fuzzy Hash: 28e20250c55289532d1bcb9923e09e1a12809e23bcf2b0cebf7664d2003b72b8
Instruction Fuzzy Hash: DBF0F63090E68D8FDB699FA088251A93BA0FF09304F0104BED409C10E5DB79A654C711

Function 00007FFD9B8AA998 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8aa000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d3a1652bd5a831a33afb0831da53712b42f52fd326763e753441b54e22effec
Instruction ID: 2673cebedf10db1091a531238ca10b229ed045cccf4a5dd8a48438f342bf16e7
Opcode Fuzzy Hash: 6d3a1652bd5a831a33afb0831da53712b42f52fd326763e753441b54e22effec
Instruction Fuzzy Hash: F0F0823564920A9AD715EBE8A8E14E933A0EF4431CB0998B2D57C8A592FB6960058660

Function 00007FFD9B8AB76E Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8aa000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96aa0a98d025cdde975b3092b603220cbba7f51d6fbca84f773f688b7cbb5c99
Instruction ID: 82e9c2aa04c31e4cbcacdde9391c17658c9c3de5897b6e0507cca542329eae18
Opcode Fuzzy Hash: 96aa0a98d025cdde975b3092b603220cbba7f51d6fbca84f773f688b7cbb5c99
Instruction Fuzzy Hash: 3BD09230A1991E8EEBA4EB54C890EE9B378EB18300F1052F1800D9219ADE34AAC18B80

Non-executed Functions

Function 00007FFD9B8B1148 Relevance: 5.1, Strings: 4, Instructions: 75COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B8B165B
}, xrefs: 00007FFD9B8B11F1
[, xrefs: 00007FFD9B8B10F9
*, xrefs: 00007FFD9B8B1106

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID: *$/$[$}
API String ID: 0-3119010630
Opcode ID: e810a8749cfd9ec1a089103b49380ed1a14602e41d8ea624d85138a26a769670
Instruction ID: 3133764fa9798f17e3cb1563f2cab07f74e9af9f7cf45979d4a8174e25b6b2d3
Opcode Fuzzy Hash: e810a8749cfd9ec1a089103b49380ed1a14602e41d8ea624d85138a26a769670
Instruction Fuzzy Hash: F7311D70D1522E8FEB68DF94C8A4BF9B7B1BB58301F1005B9D04D9B291DB385A84DF50

Function 00007FFD9B8B10E5 Relevance: 5.0, Strings: 4, Instructions: 38COMMON

Download Yara Rule

Strings

&, xrefs: 00007FFD9B8B1953
/, xrefs: 00007FFD9B8B165B
[, xrefs: 00007FFD9B8B10F9
*, xrefs: 00007FFD9B8B1106

Memory Dump Source

Source File: 00000022.00000002.1783381536.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b8b1000_Memory Compression.jbxd

Similarity

API ID:
String ID: &$*$/$[
API String ID: 0-928903987
Opcode ID: 0279422f43836351d6de7e868c3757276c0a5cf099b2289123cd53377214c0e0
Instruction ID: 732c9e7a5a07d1b5612880ac957dfca070ea016d5a058dd12cfaf51c51a14772
Opcode Fuzzy Hash: 0279422f43836351d6de7e868c3757276c0a5cf099b2289123cd53377214c0e0
Instruction Fuzzy Hash: 56113070E0522DCFEB28DF90C4A07E9B7B1AF59311F15447DD0499B290CB781684CF54

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report O782uurN5d.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Windows Media Player\1a5d5b8dcee3d8

C:\Program Files (x86)\Windows Media Player\Media Renderer\5811fce5ef954c

C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe

C:\Program Files (x86)\Windows Media Player\Media Renderer\hKONDisxvRbjdh.exe:Zone.Identifier

C:\Program Files (x86)\Windows Media Player\Memory Compression.exe

C:\Program Files (x86)\Windows Media Player\Memory Compression.exe:Zone.Identifier

C:\Program Files (x86)\Windows Multimedia Platform\27d1bcfc3c54e0

C:\Program Files (x86)\Windows Multimedia Platform\System.exe

C:\Program Files (x86)\Windows Multimedia Platform\System.exe:Zone.Identifier

C:\Program Files (x86)\Windows Portable Devices\5811fce5ef954c

C:\Program Files (x86)\Windows Portable Devices\hKONDisxvRbjdh.exe

C:\Program Files (x86)\Windows Portable Devices\hKONDisxvRbjdh.exe:Zone.Identifier

C:\Program Files\Windows Multimedia Platform\5811fce5ef954c

C:\Program Files\Windows Multimedia Platform\hKONDisxvRbjdh.exe

C:\Program Files\Windows Multimedia Platform\hKONDisxvRbjdh.exe:Zone.Identifier

C:\Program Files\Windows Sidebar\5811fce5ef954c

Windows Analysis Report
O782uurN5d.exe