Edit tour

Windows Analysis Report
gqIYXW7GfB.exe

Overview

General Information

Sample name:	gqIYXW7GfB.exe renamed because original name is a hash value
Original sample name:	ca1c3f84e0259d9c423e34e20840f142.exe
Analysis ID:	1587303
MD5:	ca1c3f84e0259d9c423e34e20840f142
SHA1:	3efc257f5027a1a1a205adcdbcb999e1ef8b3b7d
SHA256:	30d404945af42d77bfd6ac92739486e8d00496a977ba6a6f0240cd20b7989f2c
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Yara detected DCRat

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates processes via WMI

Disable UAC(promptonsecuredesktop)

Disables UAC (registry)

Drops PE files with benign system names

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Classification

Process Tree

System is w10x64

gqIYXW7GfB.exe (PID: 6768 cmdline: "C:\Users\user\Desktop\gqIYXW7GfB.exe" MD5: CA1C3F84E0259D9C423E34E20840F142)

schtasks.exe (PID: 6172 cmdline: schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3652 cmdline: schtasks.exe /create /tn "NGtfpkeoDVuJA" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3060 cmdline: schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6196 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7176 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7192 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7212 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7228 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7244 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7260 cmdline: schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Garden\NGtfpkeoDVuJA.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7276 cmdline: schtasks.exe /create /tn "NGtfpkeoDVuJA" /sc ONLOGON /tr "'C:\Windows\Media\Garden\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7292 cmdline: schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Garden\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7308 cmdline: schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\NGtfpkeoDVuJA.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7324 cmdline: schtasks.exe /create /tn "NGtfpkeoDVuJA" /sc ONLOGON /tr "'C:\Users\Default\Templates\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7340 cmdline: schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7356 cmdline: schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7372 cmdline: schtasks.exe /create /tn "NGtfpkeoDVuJA" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7388 cmdline: schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7404 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7420 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7436 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7460 cmdline: schtasks.exe /create /tn "WinStore.AppW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Templates\WinStore.App.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7476 cmdline: schtasks.exe /create /tn "WinStore.App" /sc ONLOGON /tr "'C:\Users\Default User\Templates\WinStore.App.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7492 cmdline: schtasks.exe /create /tn "WinStore.AppW" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Templates\WinStore.App.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7528 cmdline: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Reports\en-GB\SearchApp.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7564 cmdline: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\en-GB\SearchApp.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7584 cmdline: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\Reports\en-GB\SearchApp.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7676 cmdline: schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\NGtfpkeoDVuJA.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7700 cmdline: schtasks.exe /create /tn "NGtfpkeoDVuJA" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7720 cmdline: schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

NGtfpkeoDVuJA.exe (PID: 7512 cmdline: "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe" MD5: CA1C3F84E0259D9C423E34E20840F142)

NGtfpkeoDVuJA.exe (PID: 7536 cmdline: "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe" MD5: CA1C3F84E0259D9C423E34E20840F142)

RuntimeBroker.exe (PID: 7596 cmdline: C:\Users\Public\Videos\RuntimeBroker.exe MD5: CA1C3F84E0259D9C423E34E20840F142)

RuntimeBroker.exe (PID: 7652 cmdline: C:\Users\Public\Videos\RuntimeBroker.exe MD5: CA1C3F84E0259D9C423E34E20840F142)

WinStore.App.exe (PID: 7692 cmdline: "C:\Users\Default User\Templates\WinStore.App.exe" MD5: CA1C3F84E0259D9C423E34E20840F142)

WinStore.App.exe (PID: 7744 cmdline: "C:\Users\Default User\Templates\WinStore.App.exe" MD5: CA1C3F84E0259D9C423E34E20840F142)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"i\":\"%\",\"D\":\"$\",\"J\":\",\",\"R\":\"&\",\"M\":\"@\",\"v\":\";\",\"n\":\"`\",\"2\":\"(\",\"k\":\".\",\"C\":\"|\",\"h\":\">\",\"A\":\"~\",\"y\":\"-\",\"3\":\"<\",\"V\":\"^\",\"K\":\"_\",\"O\":\"!\",\"1\":\")\",\"I\":\"*\",\"U\":\" \",\"w\":\"#\"}", "PCRT": "{\"J\":\"%\",\"E\":\"@\",\"p\":\"-\",\"S\":\"*\",\"2\":\"~\",\"W\":\">\",\"t\":\"|\",\"Q\":\"&\",\"d\":\"(\",\"U\":\"<\",\"w\":\"^\",\"M\":\".\",\"B\":\",\",\"N\":\" \",\"F\":\"#\",\"0\":\"`\",\"T\":\")\",\"l\":\";\",\"3\":\"!\",\"k\":\"_\",\"O\":\"$\"}", "TAG": "", "MUTEX": "DCR_MUTEX-jShYReD2j8kQSBgF7EmL", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://co91798.tw1.ru/@==gbJBzYuFDT", "H2": "http://co91798.tw1.ru/@==gbJBzYuFDT", "T": "0"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000022.00000002.1872453655.00000000033CB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000021.00000002.1872171550.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000022.00000002.1872453655.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001E.00000002.1855613707.0000000002911000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001E.00000002.1855613707.000000000294C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1769780161.0000000003810000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000024.00000002.1874605583.00000000034D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1769780161.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001C.00000002.1866151975.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000024.00000002.1874605583.000000000350D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000027.00000002.1865657221.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1772279919.00000000133DD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: gqIYXW7GfB.exe PID: 6768	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: NGtfpkeoDVuJA.exe PID: 7512	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: NGtfpkeoDVuJA.exe PID: 7536	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 7596	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 7652	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: WinStore.App.exe PID: 7692	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: WinStore.App.exe PID: 7744	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 14 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Videos\RuntimeBroker.exe, CommandLine: C:\Users\Public\Videos\RuntimeBroker.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Videos\RuntimeBroker.exe, NewProcessName: C:\Users\Public\Videos\RuntimeBroker.exe, OriginalFileName: C:\Users\Public\Videos\RuntimeBroker.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\Public\Videos\RuntimeBroker.exe, ProcessId: 7596, ProcessName: RuntimeBroker.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\gqIYXW7GfB.exe, ProcessId: 6768, TargetFilename: C:\Users\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Users\Public\Videos\RuntimeBroker.exe, CommandLine: C:\Users\Public\Videos\RuntimeBroker.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Videos\RuntimeBroker.exe, NewProcessName: C:\Users\Public\Videos\RuntimeBroker.exe, OriginalFileName: C:\Users\Public\Videos\RuntimeBroker.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\Public\Videos\RuntimeBroker.exe, ProcessId: 7596, ProcessName: RuntimeBroker.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /f, CommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\gqIYXW7GfB.exe", ParentImage: C:\Users\user\Desktop\gqIYXW7GfB.exe, ParentProcessId: 6768, ParentProcessName: gqIYXW7GfB.exe, ProcessCommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /f, ProcessId: 7404, ProcessName: schtasks.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe'" /f, CommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\gqIYXW7GfB.exe", ParentImage: C:\Users\user\Desktop\gqIYXW7GfB.exe, ParentProcessId: 6768, ParentProcessName: gqIYXW7GfB.exe, ProcessCommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe'" /f, ProcessId: 6196, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: gqIYXW7GfB.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files\WindowsPowerShell\smartscreen.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\Default\Saved Games\SgrmBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\wininit.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: 00000000.00000002.1772279919.00000000133DD000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"i\":\"%\",\"D\":\"$\",\"J\":\",\",\"R\":\"&\",\"M\":\"@\",\"v\":\";\",\"n\":\"`\",\"2\":\"(\",\"k\":\".\",\"C\":\"|\",\"h\":\">\",\"A\":\"~\",\"y\":\"-\",\"3\":\"<\",\"V\":\"^\",\"K\":\"_\",\"O\":\"!\",\"1\":\")\",\"I\":\"*\",\"U\":\" \",\"w\":\"#\"}", "PCRT": "{\"J\":\"%\",\"E\":\"@\",\"p\":\"-\",\"S\":\"*\",\"2\":\"~\",\"W\":\">\",\"t\":\"|\",\"Q\":\"&\",\"d\":\"(\",\"U\":\"<\",\"w\":\"^\",\"M\":\".\",\"B\":\",\",\"N\":\" \",\"F\":\"#\",\"0\":\"`\",\"T\":\")\",\"l\":\";\",\"3\":\"!\",\"k\":\"_\",\"O\":\"$\"}", "TAG": "", "MUTEX": "DCR_MUTEX-jShYReD2j8kQSBgF7EmL", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://co91798.tw1.ru/@==gbJBzYuFDT", "H2": "http://co91798.tw1.ru/@==gbJBzYuFDT", "T": "0"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files\Microsoft Office 15\ClientX64\NGtfpkeoDVuJA.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\wininit.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files\Windows Mail\NGtfpkeoDVuJA.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files\Windows Media Player\NGtfpkeoDVuJA.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files\Windows Security\BrowserCore\NGtfpkeoDVuJA.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files\WindowsPowerShell\smartscreen.exe	ReversingLabs: Detection: 78%
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\NGtfpkeoDVuJA.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Default\Saved Games\RuntimeBroker.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Default\Saved Games\SgrmBroker.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Public\Videos\NGtfpkeoDVuJA.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Public\Videos\RuntimeBroker.exe	ReversingLabs: Detection: 78%
Source: C:\Windows\INF\PERFLIB\NGtfpkeoDVuJA.exe	ReversingLabs: Detection: 78%
Source: C:\Windows\Media\Garden\NGtfpkeoDVuJA.exe	ReversingLabs: Detection: 78%
Source: C:\Windows\PLA\Reports\en-GB\SearchApp.exe	ReversingLabs: Detection: 78%
Source: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe	ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: gqIYXW7GfB.exe	ReversingLabs: Detection: 78%
Source: gqIYXW7GfB.exe	Virustotal: Detection: 68%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files\WindowsPowerShell\smartscreen.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	Joe Sandbox ML: detected
Source: C:\Users\Default\Saved Games\SgrmBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	Joe Sandbox ML: detected
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\wininit.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: gqIYXW7GfB.exe

Joe Sandbox ML: detected

Source: gqIYXW7GfB.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\71ebdaf38118f9	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Windows Media Player\NGtfpkeoDVuJA.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Windows Media Player\71ebdaf38118f9	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\NGtfpkeoDVuJA.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\71ebdaf38118f9	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\WindowsPowerShell\smartscreen.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\WindowsPowerShell\2afe4ed40d5a86	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\NGtfpkeoDVuJA.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\71ebdaf38118f9	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Windows Mail\NGtfpkeoDVuJA.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Windows Mail\71ebdaf38118f9	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\wininit.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\56085415360792	Jump to behavior

Source: gqIYXW7GfB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://co91798.tw1.ru/@==gbJBzYuFDT

Source: gqIYXW7GfB.exe, 00000000.00000002.1769780161.00000000033D1000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\71ebdaf38118f9	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\Media\Garden\NGtfpkeoDVuJA.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\Media\Garden\NGtfpkeoDVuJA.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\Media\Garden\71ebdaf38118f9	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\PLA\Reports\en-GB\SearchApp.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\PLA\Reports\en-GB\SearchApp.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\PLA\Reports\en-GB\38384e6a620884	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\INF\PERFLIB\NGtfpkeoDVuJA.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\INF\PERFLIB\NGtfpkeoDVuJA.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\INF\PERFLIB\71ebdaf38118f9	Jump to behavior

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Code function: 0_2_00007FFD9B7E55D0	0_2_00007FFD9B7E55D0
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Code function: 0_2_00007FFD9B7F0EFA	0_2_00007FFD9B7F0EFA
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Code function: 0_2_00007FFD9B7D3545	0_2_00007FFD9B7D3545
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Code function: 28_2_00007FFD9B7E3545	28_2_00007FFD9B7E3545
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Code function: 30_2_00007FFD9B7D3545	30_2_00007FFD9B7D3545
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Code function: 33_2_00007FFD9B815A31	33_2_00007FFD9B815A31
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Code function: 33_2_00007FFD9B813398	33_2_00007FFD9B813398
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Code function: 33_2_00007FFD9B813388	33_2_00007FFD9B813388
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Code function: 33_2_00007FFD9B8168B0	33_2_00007FFD9B8168B0
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Code function: 33_2_00007FFD9B8142AC	33_2_00007FFD9B8142AC
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Code function: 33_2_00007FFD9B8143D8	33_2_00007FFD9B8143D8
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Code function: 33_2_00007FFD9B8133C0	33_2_00007FFD9B8133C0
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Code function: 33_2_00007FFD9B803545	33_2_00007FFD9B803545
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Code function: 33_2_00007FFD9B813EE8	33_2_00007FFD9B813EE8
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Code function: 33_2_00007FFD9B814058	33_2_00007FFD9B814058
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Code function: 34_2_00007FFD9B7E3545	34_2_00007FFD9B7E3545
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Code function: 36_2_00007FFD9B7E3545	36_2_00007FFD9B7E3545
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Code function: 39_2_00007FFD9B803545	39_2_00007FFD9B803545

Source: gqIYXW7GfB.exe	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: smartscreen.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NGtfpkeoDVuJA.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NGtfpkeoDVuJA.exe0.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: RuntimeBroker.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: wininit.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NGtfpkeoDVuJA.exe1.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NGtfpkeoDVuJA.exe2.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NGtfpkeoDVuJA.exe3.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NGtfpkeoDVuJA.exe4.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NGtfpkeoDVuJA.exe5.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: RuntimeBroker.exe0.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: RuntimeBroker.exe1.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: WinStore.App.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: SearchApp.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NGtfpkeoDVuJA.exe6.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NGtfpkeoDVuJA.exe7.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NGtfpkeoDVuJA.exe8.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NGtfpkeoDVuJA.exe9.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: SgrmBroker.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: gqIYXW7GfB.exe, 00000000.00000002.1769695409.0000000003310000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDisableUAC.dclib4 vs gqIYXW7GfB.exe
Source: gqIYXW7GfB.exe, 00000000.00000000.1694728415.00000000010B8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs gqIYXW7GfB.exe
Source: gqIYXW7GfB.exe, 00000000.00000002.1915823540.000000001BCA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs gqIYXW7GfB.exe
Source: gqIYXW7GfB.exe, 00000000.00000002.1772279919.0000000017FE7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs gqIYXW7GfB.exe
Source: gqIYXW7GfB.exe, 00000000.00000002.1772279919.0000000017A19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs gqIYXW7GfB.exe
Source: gqIYXW7GfB.exe, 00000000.00000002.1768803756.000000000160D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs gqIYXW7GfB.exe
Source: gqIYXW7GfB.exe, 00000000.00000002.1769446608.0000000001830000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs gqIYXW7GfB.exe
Source: gqIYXW7GfB.exe, 00000000.00000002.1919322846.000000001C7C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs gqIYXW7GfB.exe
Source: gqIYXW7GfB.exe, 00000000.00000002.1918951642.000000001C720000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs gqIYXW7GfB.exe
Source: gqIYXW7GfB.exe, 00000000.00000002.1919055386.000000001C730000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs gqIYXW7GfB.exe
Source: gqIYXW7GfB.exe, 00000000.00000002.1919194286.000000001C7B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs gqIYXW7GfB.exe
Source: gqIYXW7GfB.exe, 00000000.00000002.1923909852.000000001D3AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs gqIYXW7GfB.exe
Source: gqIYXW7GfB.exe, 00000000.00000002.1769465315.0000000001840000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBSoDProtection.dclib4 vs gqIYXW7GfB.exe
Source: gqIYXW7GfB.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs gqIYXW7GfB.exe

Source: gqIYXW7GfB.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@38/61@0/0

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe

File created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe

Jump to behavior

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe

File created: C:\Users\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe

Jump to behavior

Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\d5442e823d81db9ad89555402da3ca0cd82a73c8

Source: gqIYXW7GfB.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: gqIYXW7GfB.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: gqIYXW7GfB.exe	ReversingLabs: Detection: 78%
Source: gqIYXW7GfB.exe	Virustotal: Detection: 68%

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe

File read: C:\Users\user\Desktop\gqIYXW7GfB.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\gqIYXW7GfB.exe "C:\Users\user\Desktop\gqIYXW7GfB.exe"
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe'" /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NGtfpkeoDVuJA" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe'" /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Garden\NGtfpkeoDVuJA.exe'" /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NGtfpkeoDVuJA" /sc ONLOGON /tr "'C:\Windows\Media\Garden\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Garden\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\NGtfpkeoDVuJA.exe'" /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NGtfpkeoDVuJA" /sc ONLOGON /tr "'C:\Users\Default\Templates\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe'" /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NGtfpkeoDVuJA" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WinStore.AppW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Templates\WinStore.App.exe'" /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WinStore.App" /sc ONLOGON /tr "'C:\Users\Default User\Templates\WinStore.App.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WinStore.AppW" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Templates\WinStore.App.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe"
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Reports\en-GB\SearchApp.exe'" /f
Source: unknown	Process created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe"
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\en-GB\SearchApp.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\Reports\en-GB\SearchApp.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Users\Public\Videos\RuntimeBroker.exe C:\Users\Public\Videos\RuntimeBroker.exe
Source: unknown	Process created: C:\Users\Public\Videos\RuntimeBroker.exe C:\Users\Public\Videos\RuntimeBroker.exe
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\NGtfpkeoDVuJA.exe'" /f
Source: unknown	Process created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe "C:\Users\Default User\Templates\WinStore.App.exe"
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NGtfpkeoDVuJA" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe "C:\Users\Default User\Templates\WinStore.App.exe"
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: version.dll
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: mscoree.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: apphelp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: version.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: uxtheme.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: windows.storage.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: wldp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: profapi.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: cryptsp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: rsaenh.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: cryptbase.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: mscoree.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: version.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: uxtheme.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: windows.storage.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: wldp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: profapi.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: cryptsp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: rsaenh.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: cryptbase.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\71ebdaf38118f9	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Windows Media Player\NGtfpkeoDVuJA.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Windows Media Player\71ebdaf38118f9	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\NGtfpkeoDVuJA.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\71ebdaf38118f9	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\WindowsPowerShell\smartscreen.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\WindowsPowerShell\2afe4ed40d5a86	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\NGtfpkeoDVuJA.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\71ebdaf38118f9	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Windows Mail\NGtfpkeoDVuJA.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Windows Mail\71ebdaf38118f9	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\wininit.exe	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\56085415360792	Jump to behavior

Source: gqIYXW7GfB.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: gqIYXW7GfB.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: gqIYXW7GfB.exe

Static file information: File size 3495936 > 1048576

Source: gqIYXW7GfB.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x351e00

Source: gqIYXW7GfB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe

File created: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\wininit.exe

Jump to dropped file

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Program Files\Microsoft Office 15\ClientX64\NGtfpkeoDVuJA.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\INF\PERFLIB\NGtfpkeoDVuJA.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Users\Default\Saved Games\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Users\Public\Videos\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Program Files\Windows Media Player\NGtfpkeoDVuJA.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Users\Public\Videos\NGtfpkeoDVuJA.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\wininit.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\PLA\Reports\en-GB\SearchApp.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Users\Default\Saved Games\SgrmBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\NGtfpkeoDVuJA.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Program Files\Windows Security\BrowserCore\NGtfpkeoDVuJA.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Program Files\WindowsPowerShell\smartscreen.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Program Files\Windows Mail\NGtfpkeoDVuJA.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\Media\Garden\NGtfpkeoDVuJA.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Jump to dropped file

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe

File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe

Jump to dropped file

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\INF\PERFLIB\NGtfpkeoDVuJA.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\PLA\Reports\en-GB\SearchApp.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\Media\Garden\NGtfpkeoDVuJA.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe'" /f

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Memory allocated: 17D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Memory allocated: 1B3D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Memory allocated: 1740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Memory allocated: 1B2F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Memory allocated: AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Memory allocated: 1A910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Memory allocated: 33E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Memory allocated: 1B3E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Memory allocated: 33B0000 memory reserve \| memory write watch
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Memory allocated: 1B3B0000 memory reserve \| memory write watch
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Memory allocated: 1050000 memory reserve \| memory write watch
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Memory allocated: 19E0000 memory reserve \| memory write watch
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Memory allocated: C80000 memory reserve \| memory write watch
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Memory allocated: 1AA80000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Window / User API: threadDelayed 1788	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Window / User API: threadDelayed 550	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Window / User API: threadDelayed 372	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Window / User API: threadDelayed 363	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Window / User API: threadDelayed 365
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Window / User API: threadDelayed 368
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Window / User API: threadDelayed 371

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe TID: 6912	Thread sleep count: 1788 > 30	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe TID: 6916	Thread sleep count: 550 > 30	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe TID: 6848	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe TID: 7660	Thread sleep count: 372 > 30	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe TID: 7556	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe TID: 7768	Thread sleep count: 303 > 30	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe TID: 7640	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe TID: 7972	Thread sleep count: 363 > 30	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe TID: 7672	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe TID: 7984	Thread sleep count: 365 > 30
Source: C:\Users\Public\Videos\RuntimeBroker.exe TID: 7784	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe TID: 7960	Thread sleep count: 368 > 30
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe TID: 7788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe TID: 8124	Thread sleep count: 371 > 30
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe TID: 8000	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Thread delayed: delay time: 922337203685477

Source: gqIYXW7GfB.exe, 00000000.00000002.1922900673.000000001D305000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\5"

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Process token adjusted: Debug
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process token adjusted: Debug
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe

Process created: unknown unknown

Jump to behavior

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Queries volume information: C:\Users\user\Desktop\gqIYXW7GfB.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gqIYXW7GfB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Queries volume information: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	Queries volume information: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Queries volume information: C:\Users\Public\Videos\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Videos\RuntimeBroker.exe	Queries volume information: C:\Users\Public\Videos\RuntimeBroker.exe VolumeInformation
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe VolumeInformation
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe VolumeInformation

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable UAC(promptonsecuredesktop)

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe

Registry value created: PromptOnSecureDesktop 0

Jump to behavior

Disables UAC (registry)

Source: C:\Users\user\Desktop\gqIYXW7GfB.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000022.00000002.1872453655.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1872171550.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1872453655.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1855613707.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1855613707.000000000294C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1769780161.0000000003810000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1874605583.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1769780161.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1866151975.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1874605583.000000000350D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.1865657221.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1772279919.00000000133DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gqIYXW7GfB.exe PID: 6768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NGtfpkeoDVuJA.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NGtfpkeoDVuJA.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 7596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 7652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WinStore.App.exe PID: 7692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WinStore.App.exe PID: 7744, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000022.00000002.1872453655.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1872171550.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1872453655.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1855613707.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1855613707.000000000294C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1769780161.0000000003810000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1874605583.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1769780161.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1866151975.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1874605583.000000000350D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.1865657221.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1772279919.00000000133DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gqIYXW7GfB.exe PID: 6768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NGtfpkeoDVuJA.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NGtfpkeoDVuJA.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 7596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 7652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WinStore.App.exe PID: 7692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WinStore.App.exe PID: 7744, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	123 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Bypass User Account Control	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Bypass User Account Control	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
gqIYXW7GfB.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
gqIYXW7GfB.exe	68%	Virustotal		Browse
gqIYXW7GfB.exe	100%	Avira	HEUR/AGEN.1323984
gqIYXW7GfB.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\WindowsPowerShell\smartscreen.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\Default\Saved Games\SgrmBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	100%	Avira	HEUR/AGEN.1323984
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Windows Defender Advanced Threat Protection\Classification\wininit.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\WindowsPowerShell\smartscreen.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	100%	Joe Sandbox ML
C:\Users\Default\Saved Games\SgrmBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	100%	Joe Sandbox ML
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	100%	Joe Sandbox ML
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Defender Advanced Threat Protection\Classification\wininit.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Microsoft Office 15\ClientX64\NGtfpkeoDVuJA.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Defender Advanced Threat Protection\Classification\wininit.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Mail\NGtfpkeoDVuJA.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Media Player\NGtfpkeoDVuJA.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Security\BrowserCore\NGtfpkeoDVuJA.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\WindowsPowerShell\smartscreen.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\NGtfpkeoDVuJA.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\Saved Games\RuntimeBroker.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\Saved Games\SgrmBroker.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Public\Videos\NGtfpkeoDVuJA.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Public\Videos\RuntimeBroker.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\INF\PERFLIB\NGtfpkeoDVuJA.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\Media\Garden\NGtfpkeoDVuJA.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\PLA\Reports\en-GB\SearchApp.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat

Source	Detection	Scanner	Label	Link
http://co91798.tw1.ru/@==gbJBzYuFDT	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://co91798.tw1.ru/@==gbJBzYuFDT	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	gqIYXW7GfB.exe, 00000000.00000002.1769780161.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587303
Start date and time:	2025-01-10 05:26:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gqIYXW7GfB.exe renamed because original name is a hash value
Original Sample Name:	ca1c3f84e0259d9c423e34e20840f142.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@38/61@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 63% Number of executed functions: 484 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): RuntimeBroker.exe, ShellExperienceHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 52.165.164.15, 13.95.31.18, 2.23.242.162, 13.107.246.45
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target NGtfpkeoDVuJA.exe, PID 7512 because it is empty
Execution Graph export aborted for target NGtfpkeoDVuJA.exe, PID 7536 because it is empty
Execution Graph export aborted for target RuntimeBroker.exe, PID 7596 because it is empty
Execution Graph export aborted for target RuntimeBroker.exe, PID 7652 because it is empty
Execution Graph export aborted for target WinStore.App.exe, PID 7692 because it is empty
Execution Graph export aborted for target WinStore.App.exe, PID 7744 because it is empty
Execution Graph export aborted for target gqIYXW7GfB.exe, PID 6768 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:27:04	Task Scheduler	Run new task: NGtfpkeoDVuJA path: "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe"
04:27:04	Task Scheduler	Run new task: NGtfpkeoDVuJAN path: "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe"
04:27:04	Task Scheduler	Run new task: RuntimeBroker path: "C:\Users\Public\Videos\RuntimeBroker.exe"
04:27:04	Task Scheduler	Run new task: RuntimeBrokerR path: "C:\Users\Public\Videos\RuntimeBroker.exe"
04:27:04	Task Scheduler	Run new task: WinStore.App path: "C:\Users\Default User\Templates\WinStore.App.exe"
04:27:04	Task Scheduler	Run new task: WinStore.AppW path: "C:\Users\Default User\Templates\WinStore.App.exe"
04:27:06	Task Scheduler	Run new task: SearchApp path: "C:\Windows\PLA\Reports\en-GB\SearchApp.exe"
04:27:06	Task Scheduler	Run new task: SearchAppS path: "C:\Windows\PLA\Reports\en-GB\SearchApp.exe"
04:27:06	Task Scheduler	Run new task: SgrmBroker path: "C:\Users\Default User\Saved Games\SgrmBroker.exe"
04:27:07	Task Scheduler	Run new task: SgrmBrokerS path: "C:\Users\Default User\Saved Games\SgrmBroker.exe"
04:27:07	Task Scheduler	Run new task: smartscreen path: "C:\Program Files\WindowsPowerShell\smartscreen.exe"
04:27:07	Task Scheduler	Run new task: smartscreens path: "C:\Program Files\WindowsPowerShell\smartscreen.exe"
04:27:07	Task Scheduler	Run new task: wininit path: "C:\Program Files\Windows Defender Advanced Threat Protection\Classification\wininit.exe"
04:27:07	Task Scheduler	Run new task: wininitw path: "C:\Program Files\Windows Defender Advanced Threat Protection\Classification\wininit.exe"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	https://ik.imagekit.io/nrof2h909/Sherman%20Pruitt,%20Chief%20of%20Police,%20MSCJ.pdf?updatedAt=1736444487005	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	1Ta6ojwHc6.exe	Get hash	malicious	DCRat	Browse	199.232.210.172
	Nuevo-orden.xla.xlsx	Get hash	malicious	Unknown	Browse	199.232.214.172
	Appraisal-nation-Review_and_Signature_Request46074.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	new.bat	Get hash	malicious	Unknown	Browse	199.232.210.172
	MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5.zip	Get hash	malicious	Unknown	Browse	199.232.210.172
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	199.232.210.172
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	199.232.210.172
	GT98765009064.xlsx	Get hash	malicious	Unknown	Browse	199.232.214.172

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	176
Entropy (8bit):	5.717363071354036
Encrypted:	false
SSDEEP:	3:Xq9WIwGsBragjNOq8/DIulrDakXzC0LUu+NDZEHzS/j9JdJJ/S42/RM4Gqn:8W0KagQq8/DfPakX3UYzS/j9TJJ/SK4R
MD5:	FCEBCD6C79CD34EC248143101AC23741
SHA1:	EE0E02E08E6EE7851971A69B243A0CDF9C68EE8B
SHA-256:	09BFC7B7A4A966AF2B209599D57836555C7534F6266BF434D121C34F96BF46D2
SHA-512:	1184358F94256A2A775D44D124B886074F8C88CD6A0012C20F752AE5B54F27A4D24D1FF26435037971EFC068950085FBECE9EFB05D798EBE1FD9F4C9060297AC
Malicious:	false
Preview:	EwOb83mPUtb5IChOUynihq6ieFUrS2S3buRe0sIEmkCxtyFGiBY5ibmX0q63j56cahdXuDXlpi57oJzqANJRdXUAI3oKwPfrnjXLUrVfnwQAgotr0Q2Vwp8DNdP1YNzZDOUEwoVT1nnrGUddK7TgWJ48lU81beGZ707SUo4M4jeIBR63

C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Common Files\microsoft shared\ink\ja-JP\71ebdaf38118f9

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	279
Entropy (8bit):	5.8184887921876225
Encrypted:	false
SSDEEP:	6:f/uVGwSCdmCwdHZWvFKVr/Xxr/D82/GyJzRGCAwNpPDycdesS:QSepIWM/RyqGCAwvDycdm
MD5:	38345FD2089F87B814D0AD0E737E41CA
SHA1:	72792432E39960995EB21B7E72BCBA13FC0DE2F3
SHA-256:	31B43B99A9F6949DA49473AA55F3EAA89D91A40EEE12AAA342603238077DC9A9
SHA-512:	BD4C36E12CD94A08AE28B69F387C3271EB17B3DF4149DCB513FF717E20E99E90AEFFE2DC7381714CC50908D5B2593F52C910B658D608F5C2EC8EF2902E36B350
Malicious:	false
Preview:	lEZMDSheDbNPmI74iMacX78wE3GC5hVgY289wcSUQjUikpgUM0iPxC3oFmHKLfjfGr0uJ8IG3FMxmaMYXv0E9FsV8U3KUIJvAzb3ywLOsbWr0GBpZtwZpegB8fvyE8wu6bwx9TjlklWhsAe2SOulWtFgSZ4TAWJuplvZTOqGJLzDI8S7A3fzNLYNVQejYPkNcm2HPEiEhobK4CXTH6TH1TgeMhECtHr3kllgGLr5UbRjtNSS3Kbb6dWIFX4sAfVa6ikTb1N5PYxZC7v8OvJipP7

C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Microsoft Office 15\ClientX64\71ebdaf38118f9

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with very long lines (975), with no line terminators
Category:	dropped
Size (bytes):	975
Entropy (8bit):	5.9161650478489465
Encrypted:	false
SSDEEP:	24:x4n96dPc93zsD3H8qhShcXN8Uv94J4SWDvcMF5Y:xMx4zNs+Ru4SWDE3
MD5:	916E562667DE64A053EEF7CAA618DF9A
SHA1:	B42D17AA963D60EC5D6D0418D98A0B17F1E419A9
SHA-256:	E87E17B7185BC4377511A4246CBEE3641C914D80E0DD818E01BF6764E0778828
SHA-512:	6377A3AF2ADFBA279EA6DDAA3F31A28B6423ED5C2CED433D1720DEE9E1562663E42ECC82400C75101739B24D06C092F3CCEE929DD111D393B6FDACA9D15598DE
Malicious:	false
Preview:	Yk98tniyvoDBe8SNEROBx8iyx2dvicP2MzIKICO5Gf1msuJH0H9GCsLaBLL0JxPTYKzpzHEBCT4SG6FDsW4bdI0dosI71XvSPiNi4eRsC7Etx2TFFIHw2yzQUVAG9HKphmCishIOEMZfEGqvZC2sP9Zbs7OjdKt4wZML0vXhA3rqZTLNpOr6ObZiMlzvTiu4cetp3e5opVsWRtCYvA4OdxpV9o9O6lObIxN4kgUKTDQ3sCRdjaASogbpzXpPfqrEGROdfHyPqt5Zgvm7Xgpfk5wmWiFM0FomVMwbxx7bmvm5kBJDvs19BMdLfmG7ClYlESEU8KJjiN3zS1BVYBbINpkJsl6LrAYBWB0R7zEkiSayTo2olviAKQXZs5lXO82iy1cRAtYj70k5OwzEtRj5cY1GnbjCNrVjZ29bLkn2X8DTqcK5Fgo6Y6GaAVoiJVVPeAfWwY3IoridUhaKRn6rDYLcwjaz6FsBmxzp7yJqnfSrYmFc5dRgYoMFzCjN7DLi9g1hsuNceQDhGdEKd84dxMm7kt04O5tkUur1viuKPyBIkp9V8Zu9Isvx43683TOjgdMWwMY4NtN8KdX5uf5zKubm8471mvQ6kcmGcnjvA0vYewmafBOYXYZwCkX1PhRbcQXr1QcG6JyU8DHLShWlh2jMD0E2PrgdiU5OZ4iPiHbNkFx8dLjrLq4krLoBLk0OnVvoH3wX8HCZbWl8CFYDIyS1ZVgNQhD8QNkPTI1kZLtDneIVjq8GLwFyC3OvWiHaEEJOvWo3Oxo6FOO5MLnjj6wdHwMZ4FO1ES9jU4jNBE1YIIsypTjL4h1HRpG9JO9Ijw2xOokRlaheFYU8DYulgC6ga2SpykDwEtyVQ5jBsRjeAXC2UI6ueYmgzVWVV5dBWuZVk8sHzs2PdcgD0ZUpnSSqHRg4jNpxxiHP7qSWay5vgXDXyTe5lxXDctOTcxilCFb5VRFKH8PzWgK

C:\Program Files\Microsoft Office 15\ClientX64\NGtfpkeoDVuJA.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Microsoft Office 15\ClientX64\NGtfpkeoDVuJA.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows Defender Advanced Threat Protection\Classification\56085415360792

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with very long lines (375), with no line terminators
Category:	dropped
Size (bytes):	375
Entropy (8bit):	5.842016179969664
Encrypted:	false
SSDEEP:	6:qfVc+F/urmebPx9FsRNkvQY5bjvV/i9QHTQhWhXoxFxA5hRS/srAKXRWv/r:qfW+F//eDxfsRNkppM9I4W4xSEKXRQ
MD5:	166F4456313752A4DBE2E550195A60C3
SHA1:	41E63D0FF9ACD138F8FB702A945512EC9D12692E
SHA-256:	182998FE6DA088324C0C704F342E85ECCA6AB9AC64D5D7F6E5D43AF9C124EFFF
SHA-512:	468F6E7980EFF5635E280F6EEE117C750C79AD940140D31729DCB0E25EA267317F46D21B73E8973E07CD4A4F08C334BF4776FCFF1FEE773357F5F4AA9BD50080
Malicious:	false
Preview:	9MELhPwCEBYKtjWBSy01nJ7mEvPW3WIZ8aqWg74fyfZp5D8oF0zfqZt0ObGw9aJs39LT29eU3VCIuSrBwlRCgmsjr0HF1HgYVrw52pwFWelVXkG6uEAYIGLQQmlC1ZdvznwCgvJHyMqBBXMGuLUwHHQPffpQDtN6BzgtxDa952j5ZKP3ZeSqErorXhhAG3EE9tAL1cTquV0OiVzVQv0ibg1ULyVQga3Cye5pKDB6Ll6t0aICrLuUDfnd2pACHDJUbyZEZKKMu3X0jHevqTiUqi8T1cxeD9zIbmSBAEnhAhkJIx3uLOWxezn2zFN6WqIuDOY7zdumqBTI8yLDiDTznBnm8ZL40qKUYzG3Y64seuHcff4A4JXTXTH

C:\Program Files\Windows Defender Advanced Threat Protection\Classification\wininit.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Defender Advanced Threat Protection\Classification\wininit.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows Mail\71ebdaf38118f9

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with very long lines (488), with no line terminators
Category:	dropped
Size (bytes):	488
Entropy (8bit):	5.888596966214968
Encrypted:	false
SSDEEP:	12:txXOlA7fsS5P+XoJgjd9LaFv3oD+i+zXefEQR2xRRjvC:iADOYJgBJKJHSfERxRR7C
MD5:	800E79AAC853763CCE112E283F2BD2D2
SHA1:	457B77EFF0291757B86B80EE7A22C43CAA1F13F4
SHA-256:	5DBCC868F0B1060C16E52BCC4354C7F51A11710CA4B128DC8F520B5672F7882C
SHA-512:	7F9D393461B592D70933929AF22976139A9D81485496619F1299CE9C98E44C69F1281B2597EBDA9CD92D692715DB52EAF0764CF2D19D371B87C42A4FC60E94D5
Malicious:	false
Preview:	QrGiWWbIXG5b4hlwE7IUR1BeAKHgUKN6UNmyV5LyQ8Kf4Ftzvh81eKMZqmiLO4xM39Gr5xbJwUESqfk5bRuxLVbJANHtX9jVK7m58C48FzFKG3sLBnu7KABhh6qrpswwusIs2o6ZXwrWQRDHe6rtPmLK6FYBWMTXDSZYv9SWrVjXSpQP3iMtAChIg8wxQ4CKdUS82oVfnUC4Cx2RzJIxAjWBvQ1xNfGwSZ47WSWONrFp9mFsFe7HwPK37RMlwiSHOPmn245gw3kSeqBILIrsh8ACPBAEFvcoZ7buAczLjaV2p1YQQEan1jkPPkY140bAb53gPRHsTfJGnHWXmtyAVyx0XLfaE8Rs9Ubu82B96sUVadmHNAOLCapnIDJDwrnUOaHSqmYuryEndcZ3jXNDuFqipym5t8NPEAG9WTblmdeNWCJpnPeYdjjJtin1AdBtlyicVZhP6mbQldLno6Sdeyveb7PxqjkIculidrTN

C:\Program Files\Windows Mail\NGtfpkeoDVuJA.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Mail\NGtfpkeoDVuJA.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows Media Player\71ebdaf38118f9

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with very long lines (307), with no line terminators
Category:	dropped
Size (bytes):	307
Entropy (8bit):	5.798954862335732
Encrypted:	false
SSDEEP:	6:Hk2h05dHRzuTsLsBWE3/W/1zPbh1qK4vrjso4NZDshk0wxPhaon:HN05BluTqs93/61zXWvrgPZn1n
MD5:	70E279A243C970BCBDBF19CBACBD534C
SHA1:	7696F10E6C690ADDD7C4A5276D968E6ED64630C1
SHA-256:	6CB9296D65331B1C7ECBB838ECDAD4368C305088152E0A6EBCD6B52D8FA83F06
SHA-512:	AD11D70414877FC0694451AFA16CE67498FF959E71F428C01191B8FED398E2F8BF077768D6016104CA0FCBEB5192CBCF3D2CAC9ECFF88D46C0F5BE0D16075B0F
Malicious:	false
Preview:	rs1kQgTcYvQS9Q11oQIGs9DM3yQTTmLSkeOLdp38iYqcloLxQL80DgksooqcP9Iwk8reBqY8WJiTSllOmcCInUOE4ggy8bsiQ32n7qvkw9e47RZCDbzw6AIPtnkfJj95bADZt7R6qcVo0UGmGduhm5lPum4UGQbM9jc7NATGJ3GepeZYg7ZpzcSfYxoGD70aAIpR2IYGKoXtzHkQNgxI1vXhQ7jaWMCMDpdgzHgYiTfLEjpRNX3hJrjOuIA4j8u7lLqJnDbF9ZjhQMcrRSN8TfCVGPwrHlzkjhj33gnJ6yhuIB7ipTn

C:\Program Files\Windows Media Player\NGtfpkeoDVuJA.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Media Player\NGtfpkeoDVuJA.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows Security\BrowserCore\71ebdaf38118f9

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with very long lines (562), with no line terminators
Category:	dropped
Size (bytes):	562
Entropy (8bit):	5.892922173764232
Encrypted:	false
SSDEEP:	12:kDEQtZUSPw2Gyp5nnJLuhZTCOn7FZbHdFCdmSpedAXJSdHlzLDGb:ucSPw2rHn0/7FZb9F5SINBdLc
MD5:	7929E8517264D5B3A8A22EF3A9D2B2C7
SHA1:	37DC9F4CD6BA2C33412959199D9A7BDCBADDE2BB
SHA-256:	7F934B2F9D4F1194A7407E6765823A62A3D5A6EDB1012ED9242715A875B702D0
SHA-512:	EA2E58DBAB19DC01EE2F459D7BC73988590AB8AE3FB7F1ACBE5835B0A26DB3C9CB61BF6DC44210B417D5D9FD12F20883B9A9437C63813AE382A5A72F43B924F4
Malicious:	false
Preview:	UiAY2HexVNKHeRwQJKE4Rdva42iKY0wkWsy6cvr64KAxynPArV3FxER0wjd9jTZeakvvdzxXcI9Gd8mQnhcC7qwRb8J3SrXkvfWN2dh2hgnpEKXy7MWB1WhtxdUfp4EuuZV7mYYJ9kfaDHMRkV6FVVtZ8maYJCNnb24pzZMiyNCQ0GqpRC4U78ZYq58989A6X28LNhcLIXRHTci26uHGI3pccf83aMkyNF38HectksLjrRENWGDN13yeMgsriiu6xd4OjkubSYgarFvLbvhTJW6TRZwlwuKC7OwOWzowWm5dXYwGuhQxBbxagl7JyIohNdcdThylGu7gbd63np1OeXBgbWrv2e8N7XP35TxNtoqQeQ8CoEgIRZC0c6B6zCslwtjDND7U2of0qvBLXpHy8z6hVZb9R0Xq5Fdur4zlGMQn4MKq4zjK54n6xBsyl8CBQy4lSQeczfrwjSnJPuEbRNvAbg7pMA9IJOWFRiYnVGUZN0XeYjj13ktDD3JvTyQzfimU5h1qVbGL2VxlJdRmbIOjfTCXZnUhzf4oNCi0r3gcehLrGi

C:\Program Files\Windows Security\BrowserCore\NGtfpkeoDVuJA.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Security\BrowserCore\NGtfpkeoDVuJA.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\WindowsPowerShell\2afe4ed40d5a86

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	187
Entropy (8bit):	5.776957313699187
Encrypted:	false
SSDEEP:	3:SJrzUqHUU9jBjmCk2PRrwk+UAXifq9njVQtIHmQWiJ/+N63rAi7ZGyEBozMaNvDW:Sl4zmk2a2nC9n+tIGQWRsrA2ZG5azpNi
MD5:	48D6214240D1801F5B4D32B8B2B2BDDF
SHA1:	E728A41C10263D2B628A45023486F01C2BB1EA1C
SHA-256:	55FCD67B58862D62202C2B1A9D43FEB68C689B52CCACB12D4F515E71FB19EC40
SHA-512:	838E09F185D7FF5B20456503083442DB7B593C53050F89919CE23831D24459A85851689F1BF58BBE62989EB020C5CE7B680710A2A27925B21FC5731AA6535940
Malicious:	false
Preview:	TXTViPfNxKw5kAMhTrU9SwviKFJM5mSEJqH9MICq1aqLz1uoU7sd092gmvLcGSSK2sw33NULonH2GjtSVe274zOJykXb6kkjHfTHF0uHmhyM1AaCB3GlZUQDdmFTz2OEDiukQmNeuvVWABSyJUZDe8JwPQncvbRtTuJTPzwZpl1o93CcURJfdKkEY7V

C:\Program Files\WindowsPowerShell\smartscreen.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\WindowsPowerShell\smartscreen.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\9e8d7a4ca61bd9

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	18
Entropy (8bit):	3.9477027792200903
Encrypted:	false
SSDEEP:	3:iU5DZ3Ln:iU59b
MD5:	BE414EA86D3DC9BC853B97B67444DEB0
SHA1:	EA9EF78AF285482491D656F696772D0E6CEB931E
SHA-256:	BDA5395991CA93922D629F77C328B19B689DB21F0C93952BA4BF99C31FAA0582
SHA-512:	438539C5FD7256A5357A3D9E7BC856F04C72699E9AD89A41003A9D0D8CA846C11DF95A4BC64C9003956FD6C54F2908E88398B38A4125391432FC912D7FBC5547
Malicious:	false
Preview:	UrGEaIGOf9zXDRLRQW

C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\71ebdaf38118f9

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	198
Entropy (8bit):	5.73820045177527
Encrypted:	false
SSDEEP:	6:KdflciOUUtqKgqku238g3fjXWXVHXwmveMv:K9GAvIYxPjGX1XwmvB
MD5:	0753B5A23983871E06EDC04931A934F8
SHA1:	930991BE5BDB84E2F0FB56A733433CBD44D120BA
SHA-256:	96FC02C160B3E6519C8E0D00C7A7340637C0C4A716126D624D4BF44BAE68A049
SHA-512:	8A976179C5A498E689AC5C4FC996ABDE9F2A250C98B818DCAEA30CFB6BE26D83D1A70399C9396048696AB42E36C44419C459C5121F70F89364E8457595048316
Malicious:	false
Preview:	dV72JeqhCPMy59B4qz2dSWZrROVH4hg4PrBer6EflbFIt1nOky1fE52G5Pk4IimesSiN8gMtuW11RR8alGgFpBzTy4icVKWDykZaSZQElHvsEBznQKSCBhyrdOYE7uXj9yCq1iIMzcdiQHPxE5LL2UBRws7DALG1tLsP8JwsBGMiDQbV9l9CjMrpxu4JkELoWmyEYA

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\NGtfpkeoDVuJA.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\NGtfpkeoDVuJA.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\fd168b19609dff

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with very long lines (691), with no line terminators
Category:	dropped
Size (bytes):	691
Entropy (8bit):	5.882765938518438
Encrypted:	false
SSDEEP:	12:M0URenPfjILFZdrH6NABwYKBEdVE/sVCwvWxRPe1kKvnYqdYlBUB8RY2iUcN:tURej2PsEdVGHxRnKvYz2SziUm
MD5:	A934278DC3F328DC357FDDA27539E7EE
SHA1:	4142589ED3BC87A1544A22E459CF12D643B1643B
SHA-256:	60590FFE1BA88AE93638B8484F5CC8EE2202D1061007CD0AB5690CCF975D3E86
SHA-512:	8BFE26DA46E9A1FB5E6E224D28F5502557E0B2DB879876ECCFC4B18DC0683C47273E2579B50BF573AF759A0ADB9DA83DC7F7CAA81BFB61429C2D4D8A5FCEE28F
Malicious:	false
Preview:	XvgGOoZqVXBvvsyevticiGZEq8aXC8nRaaHKeMZtoYKN4ZMPmpAm0bHRWcZQNCoWttVUkoAjUzxJ5LJRvKvW8Bb8S0xBwJfmuyeKE1p7oaRAo8VLSIeCQRXrSXBt19xKULZHr9N3fxsitaTUfmsnocVdaw1r05GpmHqdiNdS5khdjz81DrOOQJg1z6q4HgDkrC5mu0vRIZsE523lyAnIq1ZdkyomhjKZg6wg4VGM57G0bb66CFGH253znbB5MJujOTh8GWrc3bNtviCI1rjbdDhlD63cTL9vMglI480pYnOarJDEZ2EfjSGLv54JdOJsbbgO74O203DzzH333zDaGeM4aZW8ErMJef8QnzGeoLopPQWoCBQnLsl7PmxhiQyJr3VTInQDsiw50goKDr6Cbi8v4ABABj6XWe8W4DgYvM5n5qHs7ne0UvsI5jYHmPBJlZiViSPALhROnU0O3SDYFGDlwzbUoYwgKvCgHvKpXdowedektKOUMnEeV7js15VxvvD2SUGHHXBlcQHSV0leKcThrhKKMcycI1BsZmSZDGMymcCE0QXBT0nTbgKuJ55piiclPY2shLaEPf5OeFU6FxISOrR3chPHLgPD9bzbYodHZiD6l5PDl8kvaKWhH9QA6T2sP1ODQ2iaUA2poURgRMgM6emzERUYYdLGqUqtqMwsaKbaSr3

C:\Users\Default\Saved Games\91e168f4ec1147

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with very long lines (807), with no line terminators
Category:	dropped
Size (bytes):	807
Entropy (8bit):	5.889486752654722
Encrypted:	false
SSDEEP:	24:1YbBvYgMDnmi7iihPnFx5Nqx13K7yAGCXQf:cwg0uInFxrwxK7JTgf
MD5:	2B0F5D976E00EB2BBC632017D6A45F8B
SHA1:	84BD441F8617D7A36795EF4417FBECCD277976C3
SHA-256:	58385EE36ED2D0F93F5170943422C38B27DEAAE9C778537D7A2D7CF311D090A9
SHA-512:	CA242411DA2843A68C3497195A8177A106317FF86CA584519EC28FF2D660773205F37839A74323F4443C2FE740290E0810239E53F796C309D824ABB01A311067
Malicious:	false
Preview:	5fdcU73ltcT5QakUec3m4dd4x4SvBkKodAwcOs3E2kbif0vyJaMB2M3cCjoapIjJSobQoIFvjyuTB5Z6JdllXIwRHTapEdYtBSQ0YfJAUbbDbkaHKsQLg8vJ2KIUsarGaAStoihoUlQ5rtzg3TfVMMMCgG8OWzS4uVmaRrclKl15r0cJVlbZ4V3NyPMikTSfSWLVGYPL03LkVRUqoy2uX39YcZmBe3B1TWmVoGD7WPiBKS1h5g4waiHZXw3qvNq72TR9o9Bhv5XHV8OJhFG89PavON81MWLJjkI0A225eXAeK9DZiuJpGs8n2guaBKUYuNiuzXIoMLdmO5kOKjTcNfD0me7eIc4UCmu7bSjLled5OWZ76fQc01KOKsIUZnguQIjlKmx19H1tCHlQFAinMcdKbgwsKOv78soFwxwTrYctAbLDG1PYF2iypYJo0ErvW3uTcfeROP5x9uK9UtmS8W2FK0aXoHcmrrWHr1kkX8K07uy4OJTHcYw9BpJmFGnGwTFSXDScIC4AMBIZBgJeyVKT4XFBs7fRVDEopfgL108adww9hukj6JSaIwY97RuLhnoJ7dug98m7XuzHlFe7X5UMvnf2HgNkFx20HnCDAEj8gUDY6QY1wxylScYT81YcuC1k1998Db7SWWqakH50IVxS9RhoOsFJpGNdcdg7QayVzfO6w7t15iUYPjlkbVtUVymPIM7Hk8jrhccdCl2R9NNHwzN316f5qd9B39xjAmR69m1xGHh0cbVHkfdT8DPncnBDcbkDxSRW6QHJ7axuZpcOI1aXgek6XodWlxU

C:\Users\Default\Saved Games\9e8d7a4ca61bd9

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with very long lines (367), with no line terminators
Category:	dropped
Size (bytes):	367
Entropy (8bit):	5.83124828542863
Encrypted:	false
SSDEEP:	6:UQzbtnnY/Vp6cxYMdufmifW3Xt2D5M9DMn/QoskqVCRiEYOzTYEsu5lVU:PYb3xYq3ZM/Qo/qgRrYOvOu5lVU
MD5:	DECA2636584B1345E17F674395EA2D07
SHA1:	B3A184FBA1EDA2BBE413D8DA8E85F4DCC5AFC5B6
SHA-256:	EC46BF351F91A0871ADA956E4A458A09F6C0658FEF6D861E3AF50149E1DAB84A
SHA-512:	E33AB8A72DDAE19BB75628C029A5F02F67E33B384ACB47DB7505EDE7FD7E0205BB2F43AA54C54346F1928C5164D8CFAF645FCD748BB0ECBB89A6C0D90012DAC3
Malicious:	false
Preview:	vR5h5TjVecxUhU5UTdjvGfwZcB41xX3c9nEFHuQ8rBe7xhI2SScuNuPQfgE3ZshHjVV4PzNjMkEEBzl43Bie5IOOXyjlpWi8eWXcLNmcF2hmqKOq5K9XJCMaGHgbQl3zCFkobIspYGZCllhMj3qfXKzbK7VErLMe8rklkkOwbT8CnKyfjT1W4Yc1PJedxn8N45D3B5m9o4DDLwyAI0fXUzjkOsWbGu9xUvIsG4dnr2rAVYpcUdU6Il3EVdpTjK234PsaoG3OX1pbHiO0C3GmaCpt2DWnPJEg9xFFqPxOkGjQ6b6wOzQpEPd2k9iltQ8NxIcUdJJwF1CTdYwaGjYa2YctUNeqrMfTIWdx9mTFpdkNNKY

C:\Users\Default\Saved Games\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Default\Saved Games\RuntimeBroker.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Default\Saved Games\SgrmBroker.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Default\Saved Games\SgrmBroker.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Public\Videos\71ebdaf38118f9

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	166
Entropy (8bit):	5.644138793723457
Encrypted:	false
SSDEEP:	3:Nmm7Xg2LrgqenKGpmV/OXQe639mUMk5u0Uc2+vT2gsNwt3Tojwbj:kms04dB6sOU05vT2g/T+wH
MD5:	D3B9B200974B1791987B6BEAF3064EF4
SHA1:	4149A3D4547CCB8AC31A14A43AF68BD5C39F6E9F
SHA-256:	B1CF96F58045BCA3148C304B6084C330B772D435A08ED0A8591BA743D289EA0F
SHA-512:	E39448072E6B66D7B8854D87DB6C77FB0A1C8AF1FAE7F2055C26579D80210FFB3B8F47A7952FE9E99BD2C0BD37EDE8C9AA8E33B7236611B4DA3F950E41E7F212
Malicious:	false
Preview:	sRpmJkU34LGdfKArS17ErESm7dao8IlgvuSneuJw8OHZpf5HzDqABocn8CpqKq4wkjru2WNhrKGc737chTy4bkeGRopcFdmSUVzGxLPd0JS1iAqEENI019U9EldNrvcNhxHlE1oWEVDSSnhR7kX2UwbUAzBMrBvFqFUv2F

C:\Users\Public\Videos\9e8d7a4ca61bd9

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with very long lines (818), with no line terminators
Category:	dropped
Size (bytes):	818
Entropy (8bit):	5.910586819145478
Encrypted:	false
SSDEEP:	24:7+z1Nh5VNdkVpnjEOR9DKtSHSYyJcaLwvsB/5r0:7+z1Nh5/dEEIDpHyZ0
MD5:	DB44F81B0C4747573294444EECDF3240
SHA1:	2AFDBFB90850E5A1D43B308AE0EB9A1E9D206DC7
SHA-256:	73B7EA180B1A5A5736BAEE8F12D11379405DF70EBFDD650F7718BCE76D04DC8D
SHA-512:	BE33AB16D6FE54FC9638BABB4A5629FE1E0D8C9FC187DA6C7DB063D2234BC33FFBC8A3378DC1D4A58F8870635750E4EAC91D2913D9C1FEB4AD99482FE9A88586
Malicious:	false
Preview:	G1nLn91B7fMip6GHm5dOVwvqkcE7aepPd8TKUkVP3IkJDZbRXTGVgqcTG6kL53ld07Ern5xCkOUNLlnLAwkHXTswfAEX9JTAhHSFUuobfDuSWPHeTZKITdFgOSLn0aDa4UqESh0QHImTjaaQ2jEk9KqDBw0BjBlFAUYBjCLvi4BK1v7y25uQVcbtnnDgqyqGhgTOCYrzYSBEJfLPyCJnQUth2oX59pEuN4nVcsvdN42CbXjIbxrnoDzNwvWXBvzsOQ0O20wFRqZVbqGfEPeM7aFKFairWXccFKyKgUPlAlW8ndvGo0TvRnuxLqJcSEt3O7QR259t92LVDGhlocCgEqLbZB9zLxT52dupMeNt0jwYcZtEJhxzCNyhwz216JiLjPdkW1ZKOTpf4w8AR4qnAd3ooM3WmWxrBkzM5IsRInlsiTn902jBc4LFVy6J7Ci1g7eT7wEIMZfW1KGUj4guxvOGYt0GMiUFEtMkzTCExazDZyNKslkDgyEvsX4N576nEZSI8ffP1b6W5LqjfpYl8RjQob2bZzJzdM89gFMMGULE1szhqUrPjVox0BdhnD0CSH2tMrDadMenFeZ6lUuEI3QIhKJfmpiCeIwuzGU9RQwW0BrWmg5TSw4Z0uLBhhyynbI6soHeAvw1H3Rgcx3FtPusOX3E5Sbtc7sY2vo7YaTh9DR6cpjuosFYrasUvCjrTCYJK2nrJ5qS6NsLF6mQtrFu2UrcCTMW0lN7oIwjB1lsBwcerhPyaT7l7oQ0LLp0tUbU9vg7KCP2GWsG2NufDX5hnl9915YzMv9qUHf5ASoXEFfk5K

C:\Users\Public\Videos\NGtfpkeoDVuJA.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Videos\NGtfpkeoDVuJA.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Public\Videos\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Videos\RuntimeBroker.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NGtfpkeoDVuJA.exe.log

Download File

Process:	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Download File

Process:	C:\Users\Public\Videos\RuntimeBroker.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WinStore.App.exe.log

Download File

Process:	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\gqIYXW7GfB.exe.log

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1915
Entropy (8bit):	5.363869398054153
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpvJHVHmHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpB1Gq2
MD5:	5D3E8414C47C0F4A064FA0043789EC3E
SHA1:	CF7FC44D13EA93E644AC81C5FE61D6C8EDFA41B0
SHA-256:	4FDFF52E159C9D420E13E429CCD2B40025A0110AD84DC357BE17E21654BEEBC7
SHA-512:	74D567BBBA09EDF55D2422653F6647DCFBA8EF6CA0D4DBEBD91E3CA9B3A278C99FA52832EDF823F293C416053727D0CF15F878EC1278E62524DA1513DA4AC6AF
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Windows\INF\PERFLIB\71ebdaf38118f9

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with very long lines (456), with no line terminators
Category:	dropped
Size (bytes):	456
Entropy (8bit):	5.844125353124876
Encrypted:	false
SSDEEP:	12:QmY0lAKsB0kY3c9FriGFrExa5A0nnVHl/Zqm7mqbLj/6c:QmYaYLsc9FunZ0nVum7X
MD5:	3A080D11A968E4EF4348AEE83F52F3EB
SHA1:	5F963EBCA908D74FB6DF0E4C419392B5CD4A9C24
SHA-256:	FF52DDF7B884E6B59409D1EAE37D9297F08399496776BA4D00A313B09933D56D
SHA-512:	11BD816748CD3B9B32BC32AC2C816ABA1F34E922489E4CA1B597A1F65B9972C96832375B6C0CF76A519552C26525745A70AAD1E1DFD7A56A1C89CC73D06BA48D
Malicious:	false
Preview:	qe1XhOtPXLIfCHlxov6UXF1pxofoxD88MdgasHlxhrfxnLZwrQOiZIElmLj2sEbTNKTjlLEhKJwpjDClPt6hzZjDY5xghsEcPMjd20LgLqYPVYBiJ7n9H3eykPKqYh9bFTaWejtZiaWIBUs93OXjFFVWsv2npeHnr6KC8pEkONbrhWwQhKxKKZV98DosqGtDSsaEKpBNJxV1ooyV9mFer7dRlKD4AW3IdXYy5rG1JjAWEeVUPSsEAPWVPJd9lGMw4NXQPAaRfOVH7GMGztpsnyHOBCjvNGPCWNc1GEEP2biw4OYI7WK2beIFFJONapDZ8SutoVAupa0MQVUxoay16Xl2FXv6z1yMXJyldpelVZMAo6zuybi91Mckr2oRkE4xlnzGgtT96MfhLkNIhAHXSyVKqO4lBNBReYYBHsOFIiDoq5ZGpftj6hfxRoZSys8sKOCwMLBy

C:\Windows\INF\PERFLIB\NGtfpkeoDVuJA.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\INF\PERFLIB\NGtfpkeoDVuJA.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Media\Garden\71ebdaf38118f9

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with very long lines (326), with no line terminators
Category:	dropped
Size (bytes):	326
Entropy (8bit):	5.828741216198298
Encrypted:	false
SSDEEP:	6:oSHIwOQAQOuKECZD5W3CreDA0RJgYPbQ8enlI3CCNqg1B5lB9ytBU:o7hQE1DAOeDASh8lKXqgtlKo
MD5:	5CE93D60EBCB669F59C924E0BA72CFBE
SHA1:	8123368DBB8B748963E4EB9D5221E04199A72A36
SHA-256:	44709399C002E1C0EDF2C1005ED7C8C23B6EF6323458A62D1E3DDEDC2582C374
SHA-512:	BCF20ABF959AB2025CDE7CA1D28EE9C4C5B4E29F3E520577CBFF37C183F41992F59B8CB701F37FE0A59EC3ACD7C57DDE4B333E2C89F23C81125CC72E893978D6
Malicious:	false
Preview:	vYxPgJyRcksUckBEHRmDZLYr0e9RSOpA5hw5kaL0bXAfKBQkFz0K1L3kAGYCJh9O4sZ4yGerFwmCK3hyNZLcXfItnL5eCJq4YwkcmWv9VJFEj1aHijzuVg1ZjpQmK9p6GsnYSFM0oMHNZEKwvx5cT5j15K26FIyWeI80NBydX8GIYn9ffe1XDMmKJvdIMPvfXvsRFTit9cEVzadRLXblRbSRgyrbiqQHNlun4sZM6HXlIQUsSL6yyJN6cbuRlGKTL7IOpzWc8OoKErJPd8IXtcTDXyKd8Ikz6EZKHGDdye0jfD2vRexn7xktnF00o3ezoyN9R8

C:\Windows\Media\Garden\NGtfpkeoDVuJA.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Media\Garden\NGtfpkeoDVuJA.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\PLA\Reports\en-GB\38384e6a620884

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with very long lines (815), with no line terminators
Category:	dropped
Size (bytes):	815
Entropy (8bit):	5.908537242363283
Encrypted:	false
SSDEEP:	24:FmRkNRmEUQDq+GbQIijWhs0K8+GDWFVMDQyhzBrSiAHn:0yNRmEUQD8bISqsK8bENH
MD5:	E5A5C074802395A2FF7ED20D54968F8F
SHA1:	C16A7D45BD08F78210EDA554D0971245D5E9A8D8
SHA-256:	D0BE3A8EF4EB17C14FECD3C9E614485806E05F3674EC3E1C8FE9C0DAB25F0EC5
SHA-512:	E25BCB6FBC80BEFFCDCA8B306EE431F0EC32368A19A0860221D112D1743379642AF3806AE71C02EEB9629254E126C75E0A9EAC4336856381E453EE01498CFAB0
Malicious:	false
Preview:	w9Toi0FZxvwCMgWXirpvbT9i5eQNxKRIklgskII2mU959sD2mm9bVFWc9usEj1mmdnckAowaiwIHUEiMaYlKL0wePDt0ZETusWbVQd170j3j7PI5LgnLQbbn07U646BddXY7nM67gnUl6Nh95yo3bIeR4xfSI5C3iZGk1KR8jppmHzqnaUBGRHCU2HCzrnzlkaDhH6IugqTwc2KEG22x36maXvrtIcQ60EBqwJfdMRklyP2A78szuBroynKWOYmDZX6Y0dS7WYllVAlH3rwKtbLyWW2I8JOxphMbTdJdpvdWaGTxBDchlcT8LICdlK8MKx6yyKxZiTe87zXPDEG5qrLNNOPLap2ewQLnJe80PD8S7VAWuwagDDgcltlk5l82b9MrntGiGQpns3P1N3aoPVbsutBa3Y5oEF17ISsBq1axY2tsdtWBLUnFie73rppsUBimCSt5LZ8Y5oU1AT7KB4cucvYoVyTAMrdWTGpK9b0vWOK4JG3YserZiyKR3EjWF7MNL7h3nwKjErXNkefP45SrADyf6YR51dpYC6tLiAu5UHV1a6qYjUcKofMHJC6PePskB8LnvTq4LWW3r6EAs2VhBfuhtlCgDebFZv0buCnQnh9RITaM86hm3KjfOn4JQK0q5Rd6GmPpOE3dfcZaK0iG7yLOLUNHId9drTV1zeFVr1XyRFAvOd8amtsHFPuwZIhuEZwLGhkquMZFbX6FTb2oej17kOwktT6jUmt1Typr3SqZUmpsSoc7P2Pfiyl1vA6aP0vynEvfwLuM3bm8jERF09UbWOTfNx53VPKe11FN27K

C:\Windows\PLA\Reports\en-GB\SearchApp.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\PLA\Reports\en-GB\SearchApp.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\71ebdaf38118f9

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with very long lines (358), with no line terminators
Category:	dropped
Size (bytes):	358
Entropy (8bit):	5.82470979395457
Encrypted:	false
SSDEEP:	6:hQchNjtkKmdeP8IDmMX4aoGClNGEdSyQ4FpwTMn4t2E2cccGoq7w8ipR+uW9qqDj:hhhkKlEIKMX4ICpdC4Fye4cEob7w8ip6
MD5:	78960BB9D25DA55F4882F982FFF086EB
SHA1:	CE19A9AEAFBF17633F9E4B528E78C219C7C2D2B3
SHA-256:	7E881D6152FEB9010B9321C3FCA4B934935368DF4CED9D3E2BCFAA4F8D53FE70
SHA-512:	9BC869355A5B32426693EACE72518DC60DEDDA0C3D0C63019CEAA3FCD90FFAB25E25658C47ADA9CD7AAF5FAC3D04721620658FF7CEFE26C6067F1504A3B9ABF0
Malicious:	false
Preview:	2UDhM8AyNXE6fKpj0bcK7AWL6wsGpK71JEcSy99fnJlHIp9jiDA2YQY272kZQ3JCZMwbrXv0c6hxYODRxIilJEc3pkU6YjPtAir52h1KSJacskdsyTmHUh3Vt3vHCzc2rxx0gHYPQYT9nAKFGlHE6HZcpWL9wuHdrhu4wnLq5W05O3rssqAbrX5kYVKK5YdgRzSFQPScaaJjQdNwodQGuqwTmKgbdBvg3UoZklccXhAQOVT4IYfcHXwkD8dFt09Ypnq5yyLDAysMpfEQ0lSFfSYgiEVmHXthimklpYGUMccTpj5h3NOHi43XOJWucj5mELoD5dkce82CzE18Jxs3Jl9nsNWfBW1nhzOe51

C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3495936
Entropy (8bit):	7.77335915934961
Encrypted:	false
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
MD5:	CA1C3F84E0259D9C423E34E20840F142
SHA1:	3EFC257F5027A1A1A205ADCDBCB999E1EF8B3B7D
SHA-256:	30D404945AF42D77BFD6AC92739486E8D00496A977BA6A6F0240CD20B7989F2C
SHA-512:	8CF6D715FBCAD8EFF71F4102479ED189A8E71438613225AE26C4E40DD696152A9D2EFEC028D602B8E25902AEEA25961541749029D30A6F5FCE5FD36D997FD5E1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6......^<5.. ...@5...@.. ........................5...........@..................................<5.K.....5.......................5...................................................... ............... ..H............text...d.5.. ....5................. ..`.sdata.../...@5..0..."5.............@....rsrc.........5......R5.............@..@.reloc........5......V5.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gqIYXW7GfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.77335915934961
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	gqIYXW7GfB.exe
File size:	3'495'936 bytes
MD5:	ca1c3f84e0259d9c423e34e20840f142
SHA1:	3efc257f5027a1a1a205adcdbcb999e1ef8b3b7d
SHA256:	30d404945af42d77bfd6ac92739486e8d00496a977ba6a6f0240cd20b7989f2c
SHA512:	8cf6d715fbcad8eff71f4102479ed189a8e71438613225ae26c4e40dd696152a9d2efec028d602b8e25902aeea25961541749029d30a6f5fce5fd36d997fd5e1
SSDEEP:	98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
TLSH:	81F5E1013E488E12F0091233D7EF49484BB4AD556AA6EB2B7DBA376E54123937D0DDCB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rb..................5..6......^<5.. ...@5...@.. ........................5...........@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x753c5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6272A3D7 [Wed May 4 16:03:35 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x353c10	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x358000	0x218	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x35a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x351c64	0x351e00	d463d8af5f602dc1e50b5b948f0b188e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0x354000	0x2fdf	0x3000	fa569f63d8f3ffcdc1daeb58b45b4134	False	0.3101399739583333	data	3.2432728181359582	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x358000	0x218	0x400	da6881969e2cf65665d6eacee3f1962a	False	0.26171875	data	1.8328647356031837	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x35a000	0xc	0x200	d91927470766a4c9901f6b8c88c94292	False	0.044921875	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "5"	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x358058	0x1c0	ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970	English	United States	0.5223214285714286

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 05:27:17.190835953 CET	1.1.1.1	192.168.2.4	0xf9bb	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 10, 2025 05:27:17.190835953 CET	1.1.1.1	192.168.2.4	0xf9bb	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 10, 2025 05:27:19.801337957 CET	1.1.1.1	192.168.2.4	0x2fcf	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 10, 2025 05:27:19.801337957 CET	1.1.1.1	192.168.2.4	0x2fcf	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	23:26:59
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\gqIYXW7GfB.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\gqIYXW7GfB.exe"
Imagebase:	0xd60000
File size:	3'495'936 bytes
MD5 hash:	CA1C3F84E0259D9C423E34E20840F142
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1769780161.0000000003810000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1769780161.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1772279919.00000000133DD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:27:02
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:27:02
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NGtfpkeoDVuJA" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:27:02
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:27:02
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:27:02
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:27:02
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:27:02
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:27:02
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	23:27:02
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	23:27:02
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Garden\NGtfpkeoDVuJA.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	23:27:02
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NGtfpkeoDVuJA" /sc ONLOGON /tr "'C:\Windows\Media\Garden\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	23:27:02
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Garden\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	23:27:03
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\NGtfpkeoDVuJA.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	23:27:03
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NGtfpkeoDVuJA" /sc ONLOGON /tr "'C:\Users\Default\Templates\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	23:27:03
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	23:27:03
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	23:27:03
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NGtfpkeoDVuJA" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	23:27:03
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	23:27:03
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	23:27:03
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	23:27:03
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	23:27:03
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WinStore.AppW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Templates\WinStore.App.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	23:27:03
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WinStore.App" /sc ONLOGON /tr "'C:\Users\Default User\Templates\WinStore.App.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	23:27:03
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WinStore.AppW" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Templates\WinStore.App.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	23:27:04
Start date:	09/01/2025
Path:	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe"
Imagebase:	0xdc0000
File size:	3'495'936 bytes
MD5 hash:	CA1C3F84E0259D9C423E34E20840F142
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001C.00000002.1866151975.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	23:27:04
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Reports\en-GB\SearchApp.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	23:27:04
Start date:	09/01/2025
Path:	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe"
Imagebase:	0x300000
File size:	3'495'936 bytes
MD5 hash:	CA1C3F84E0259D9C423E34E20840F142
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.1855613707.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.1855613707.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	23:27:04
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\en-GB\SearchApp.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	23:27:04
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\Reports\en-GB\SearchApp.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	23:27:04
Start date:	09/01/2025
Path:	C:\Users\Public\Videos\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Videos\RuntimeBroker.exe
Imagebase:	0xce0000
File size:	3'495'936 bytes
MD5 hash:	CA1C3F84E0259D9C423E34E20840F142
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000021.00000002.1872171550.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	23:27:04
Start date:	09/01/2025
Path:	C:\Users\Public\Videos\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Videos\RuntimeBroker.exe
Imagebase:	0xcb0000
File size:	3'495'936 bytes
MD5 hash:	CA1C3F84E0259D9C423E34E20840F142
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000022.00000002.1872453655.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000022.00000002.1872453655.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	23:27:04
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\NGtfpkeoDVuJA.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	23:27:04
Start date:	09/01/2025
Path:	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Default User\Templates\WinStore.App.exe"
Imagebase:	0x8b0000
File size:	3'495'936 bytes
MD5 hash:	CA1C3F84E0259D9C423E34E20840F142
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000024.00000002.1874605583.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000024.00000002.1874605583.000000000350D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	23:27:04
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NGtfpkeoDVuJA" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	23:27:04
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NGtfpkeoDVuJAN" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\NGtfpkeoDVuJA.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	23:27:04
Start date:	09/01/2025
Path:	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\WinStore.App.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Default User\Templates\WinStore.App.exe"
Imagebase:	0x410000
File size:	3'495'936 bytes
MD5 hash:	CA1C3F84E0259D9C423E34E20840F142
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000027.00000002.1865657221.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Function 00007FFD9B7E55D0 Relevance: 4.0, Strings: 2, Instructions: 1506COMMON

Download Yara Rule

Strings

f|(, xrefs: 00007FFD9B7E8BAE
'N_H, xrefs: 00007FFD9B7E9883

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID: 'N_H$f|(
API String ID: 0-3268084307
Opcode ID: d4abb15d257d4a652d9b070a4bfa56b1952ec73be3f28424a7bcd13d998d85f9
Instruction ID: fc034dd9e6584892a79c4685d438e503ef567664acbddea15f92834e4e640d72
Opcode Fuzzy Hash: d4abb15d257d4a652d9b070a4bfa56b1952ec73be3f28424a7bcd13d998d85f9
Instruction Fuzzy Hash: 8BC2CD74A1961D8FDBA5EB58C8A5BA8B3F1FF58304F5142E9D00DD72A5CA34AE81CF40

Function 00007FFD9B7D3545 Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

Y_H, xrefs: 00007FFD9B7D35CD

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID: Y_H
API String ID: 0-219585648
Opcode ID: 891b5940a5f52eaa517d88ed265d592fed8df6eedd04cd82260a6ee88a893423
Instruction ID: 199703343bbecaf78fbeb5b3b1fb2ec38e3ed5747f4d6be74af9a3f94e15aa3f
Opcode Fuzzy Hash: 891b5940a5f52eaa517d88ed265d592fed8df6eedd04cd82260a6ee88a893423
Instruction Fuzzy Hash: C8A1D171A19A4E8FEB58DF68C8657AD7BE1FF95340F4102BAD009D72E6CB7428058740

Function 00007FFD9B7DD6B9 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

MN_H, xrefs: 00007FFD9B7DD76E

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7da000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID: MN_H
API String ID: 0-1998223119
Opcode ID: 1d8d6140b26be07f8de7ac3dfa8ac25681845c47ae4e8eb2daf910e6e4265768
Instruction ID: d0646a166ff421bdff3f0877bd046e8872fcebe34ca25a7fa5c073bd5978e244
Opcode Fuzzy Hash: 1d8d6140b26be07f8de7ac3dfa8ac25681845c47ae4e8eb2daf910e6e4265768
Instruction Fuzzy Hash: C3E15F71E19A5D8FDB68DFA8C8657BCB7A1FF98340F0542BAD01DD32A6CA346944CB40

Function 00007FFD9B7EDB98 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9B7EDC12

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9a1fc6ebddb83deba348aef33efc671157f5805b71f4b765473a10516d7d293e
Instruction ID: 01d43888a3a8c51276be12507c8dac51fdb40f78c7b1e0d3c47c8e7334a2f0fe
Opcode Fuzzy Hash: 9a1fc6ebddb83deba348aef33efc671157f5805b71f4b765473a10516d7d293e
Instruction Fuzzy Hash: 09515C71E0964E8FDB69DB98C4645BCBBB1FF48300F1142BAC01AE72F2DA352901CB50

Function 00007FFD9B7F1438 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

{z}, xrefs: 00007FFD9B7F1CA4

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID: {z}
API String ID: 0-1552007774
Opcode ID: bf4a694ea81b7b006857412ab58d985ab8c3de4a05578e3cb86f079eaf3156fd
Instruction ID: 7b42c5165ea55c29fae3463a521cb2e93849c789959ba87b019610a29aa2908a
Opcode Fuzzy Hash: bf4a694ea81b7b006857412ab58d985ab8c3de4a05578e3cb86f079eaf3156fd
Instruction Fuzzy Hash: 92415C71F0AE4E4FE764AB5884A46B97BD2EF95350F05037AD05EC31E5EE28690147C4

Function 00007FFD9B7F2D30 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

#', xrefs: 00007FFD9B7F2DA5

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID: #'
API String ID: 0-4287780502
Opcode ID: d09723e8b3257eb4510003073e2a6b8ca5e7bb880d53d4276a98890404f4c011
Instruction ID: 3d531b1ebfdaf30df5b39ba8cefd41ee04963ec06c97bb4f4ffaecfe5353347e
Opcode Fuzzy Hash: d09723e8b3257eb4510003073e2a6b8ca5e7bb880d53d4276a98890404f4c011
Instruction Fuzzy Hash: 2C411730719B0A4FD3A8DB98C0D05A1B7E1FF54310BA10A7DD48BC7AB6DA39F9458784

Function 00007FFD9B7F3088 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9B7F3102

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d65107305781ee6ebc8be9fb64bae0cdddb47908803ce399fd094dde9bcb9f27
Instruction ID: cee88facae7ba3b8b6245964542fb8d912baef00ddd3e3c256f01c8d80bdf696
Opcode Fuzzy Hash: d65107305781ee6ebc8be9fb64bae0cdddb47908803ce399fd094dde9bcb9f27
Instruction Fuzzy Hash: A5414E71F0964E8FDB59DBD4C4A19FDBBB1FF44300F1241BAD01AA72A2CA396A41CB54

Function 00007FFD9B7EC60B Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

_M_H, xrefs: 00007FFD9B7EC661

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID: _M_H
API String ID: 0-2404144706
Opcode ID: c5c876779e7ba39a56180e8214be964d1517002b9792d10da91fe6051525a448
Instruction ID: e361d7f474b4ff9dcad411a5d1c0ba169334b660ed6d02440c42a6407c8576ae
Opcode Fuzzy Hash: c5c876779e7ba39a56180e8214be964d1517002b9792d10da91fe6051525a448
Instruction Fuzzy Hash: D9314071F19A1E8BDB68DAA8D5A15A8B7A1FF58310B11427AD01ED72B2DF347C118B80

Function 00007FFD9B7F1CD0 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

s0M_^, xrefs: 00007FFD9B7F1D4A

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID: s0M_^
API String ID: 0-3360724483
Opcode ID: 249a343ccf3901b02ac5f9340d6db30b3e2768a2e28cf064e43466682e7abfdc
Instruction ID: d1b99c0c9facaf515d523a71e53ed14ceb6863b4e0537c7719fd0a94ed3b3903
Opcode Fuzzy Hash: 249a343ccf3901b02ac5f9340d6db30b3e2768a2e28cf064e43466682e7abfdc
Instruction Fuzzy Hash: A4218622F2DA1D4BEB68DA9CE8A15FC77D2EB99720F110376D00AD36A2DD246D0243C4

Function 00007FFD9B7F1400 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

K2, xrefs: 00007FFD9B7F460C

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID: K2
API String ID: 0-1063998418
Opcode ID: a39a413aa811cc6335dcd76eaec1f04cb7ff47f667612793c492d6f0ef92ade9
Instruction ID: f1f6c51841e732afd7e0b0125aa3ff43aa68a00f0fdab27cdc3f452750c3e0a6
Opcode Fuzzy Hash: a39a413aa811cc6335dcd76eaec1f04cb7ff47f667612793c492d6f0ef92ade9
Instruction Fuzzy Hash: 87E07610B1F20B83E638A5EA193913C38816F44790FA2033EE11B826F0EC0C6A5822CF

Function 00007FFD9B7EAB9A Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

c, xrefs: 00007FFD9B7EAB9D

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID: c
API String ID: 0-112844655
Opcode ID: 6d6efab64c35abfb2c6d69ed4e2d2e33534746d44855ab49ad515eb851b137f9
Instruction ID: 2aaa5f4328ad874a76b60205b204930ec41bf0a1b5e1898af8212bcb3a9fe994
Opcode Fuzzy Hash: 6d6efab64c35abfb2c6d69ed4e2d2e33534746d44855ab49ad515eb851b137f9
Instruction Fuzzy Hash: B8E086311099454FD759EE6CC499A157BE1FF55750F12019AD456CB172C724DC45CB40

Function 00007FFD9B7EDE0F Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3c788692deea9c5e464c11a0d60adb29377083dbdb31af1cb02e6ef6f9262d
Instruction ID: e0bf0441ef13ea1f299f51e221e83d70db3e5d81eb41f7266e01923437e11dc0
Opcode Fuzzy Hash: 5d3c788692deea9c5e464c11a0d60adb29377083dbdb31af1cb02e6ef6f9262d
Instruction Fuzzy Hash: 5AD1C43061964A8FEB98CF48C0E05B537A1FF49310B5546BDD85BCB6ABD638F981CB81

Function 00007FFD9B7EDE2F Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f5bab49ea86bac51042ba088cd2e5d503efd63345d5ad5e2e1b3749521dd4e8
Instruction ID: 99a0b3dffd8aaa841949e27ff5fe13a95a7468c373a4e1f12331ef06adccd3b3
Opcode Fuzzy Hash: 9f5bab49ea86bac51042ba088cd2e5d503efd63345d5ad5e2e1b3749521dd4e8
Instruction Fuzzy Hash: A6C1C33061964A8BEB6DCF44C0E05B137A1FF49300B554ABDD85B8B6BBDA38F581CB81

Function 00007FFD9B7E3805 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25383e38d36f47259f2a0142bc07c4c1604cd1e2edc4b1c1178103082688312f
Instruction ID: 0fd5839768cf5810d98aeca8b52ca6a80a85c34529b25e3c683c5d590270c92b
Opcode Fuzzy Hash: 25383e38d36f47259f2a0142bc07c4c1604cd1e2edc4b1c1178103082688312f
Instruction Fuzzy Hash: 97D19770E1962D8EDBA5EB98C895BECB7B1FF58301F5141A9D00DE72A1DE346A848F10

Function 00007FFD9B7ED71A Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e3610a43658689d99c04b9b648eea6f26602608a0b32682bbcee0559c11e54
Instruction ID: 107010e4fcb23ce9bd560f8a978ca6e69540983c7281b197fe21df84c9ff713f
Opcode Fuzzy Hash: 26e3610a43658689d99c04b9b648eea6f26602608a0b32682bbcee0559c11e54
Instruction Fuzzy Hash: 4DB1D530A0EB4A8FE759DF68C4A06A4B7A1FF55300F4542B9C44EC7AB7DB28B951C790

Function 00007FFD9B7EB0D3 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c90f1910bb5d10bc82451bf743d8c92853897711ba17e73b434229ee91a755
Instruction ID: 724405035e37428f24f7bd6348c342f03540f92fb14f54be348136f155d78dbb
Opcode Fuzzy Hash: b2c90f1910bb5d10bc82451bf743d8c92853897711ba17e73b434229ee91a755
Instruction Fuzzy Hash: 25219D22F0F29B8AF63462E924B61BC7E409F85311F9B03B6D45E862F6DC0C3A455392

Function 00007FFD9B7D1698 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d05e6efbfb11c0c35c9777bea7cf3d776f84c369158b3f07e1494e97901ac39
Instruction ID: 0dedca76ec801b5abe260bc1df29c5584893f924a280180941608d491ea67cc5
Opcode Fuzzy Hash: 2d05e6efbfb11c0c35c9777bea7cf3d776f84c369158b3f07e1494e97901ac39
Instruction Fuzzy Hash: 4A81DD31B0DB494FDB68DE5888615A977E2EFD8340B1547BEE49DC32A2DE30AD06C781

Function 00007FFD9B7ECC06 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5857591959daae0f1f8293b47e1bf9da9b02439ef48711b97bf202a7c6f3a8b9
Instruction ID: 22ed83d5ba50f3bfb1daf2c73537165d7ab9574d1388a93ff467af08869cba9c
Opcode Fuzzy Hash: 5857591959daae0f1f8293b47e1bf9da9b02439ef48711b97bf202a7c6f3a8b9
Instruction Fuzzy Hash: AB812535B0E74A4FE3389A7894651757BE0EF45310B16067ED48FC31F2DE29BA028741

Function 00007FFD9B7EAD61 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c9891c2004c1f1d1b3367bde902444bb5ec00ed93e8bb3b21a310d7960a47f1
Instruction ID: 3a78bfccc17145429a5c63ef6dde3d950bfd5ce3dfce350fad00ea2432a717e7
Opcode Fuzzy Hash: 1c9891c2004c1f1d1b3367bde902444bb5ec00ed93e8bb3b21a310d7960a47f1
Instruction Fuzzy Hash: 49712730B0DA4E8FEBB8DA58C8665B437D1FF88311B160379E45FC75B1DE28A9068780

Function 00007FFD9B7F341A Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e94f5ec7254f3a396a72f5496db27ff321fc9b337e0681721c539f5c11ae79
Instruction ID: bc2b995b1432200d6a183050123404780bfcd7a89a0a1b33eb70f59ca9d5c2f4
Opcode Fuzzy Hash: c8e94f5ec7254f3a396a72f5496db27ff321fc9b337e0681721c539f5c11ae79
Instruction Fuzzy Hash: B3612730B6E7894BE30D9A68D8921B43BD0FB89319F25067DD4CBC35B3D928A84383C5

Function 00007FFD9B7EB92B Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b4f5404f2412f3d77054f96a5093f317c0e55c98140705a8d1fa08673c3e068
Instruction ID: 3ef9cdccdbfbb5e60655c2dc9acc9907ed3fb4f3e2572a0b425a01427fce2056
Opcode Fuzzy Hash: 8b4f5404f2412f3d77054f96a5093f317c0e55c98140705a8d1fa08673c3e068
Instruction Fuzzy Hash: 8371B431E1D64E8EEB64DBA488A56BC7FB1FF49300F51067AD00ED72F5DE2869418740

Function 00007FFD9B7E1C17 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5475e9c46560c2f2ecdebbbaa4780a6983e0eb2d3aae765a4909934bb0da935e
Instruction ID: 3a6bf0d5d127e56fcad574b56a530bc0e580cc42582ee69f3c7959d8df5dbe9c
Opcode Fuzzy Hash: 5475e9c46560c2f2ecdebbbaa4780a6983e0eb2d3aae765a4909934bb0da935e
Instruction Fuzzy Hash: 50711F70E09A5D8FDB94EF68C495BA8B7B1FF58301F5041B9D50DE72A5CE34A981CB40

Function 00007FFD9B7EEE77 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c4af33ac0299d07f4afa9b90039af770f475954382a9e3151870434fedc621f
Instruction ID: bbac75b57d3d9fba923cfe8b7690225f712af988e46c5e4302cb4422134885f2
Opcode Fuzzy Hash: 3c4af33ac0299d07f4afa9b90039af770f475954382a9e3151870434fedc621f
Instruction Fuzzy Hash: 6571C230A0AB4A8FE3B5DB54C1A057177E1FF44304B514ABDC48ECBAB2DB29B942CB41

Function 00007FFD9B7E318D Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a8602c37181380f390e21e16cc2844ab2b6a3d91c1f19752964bbdddadaed5
Instruction ID: d140fe7153f2553ca831cb5fcbc081c53ffa9c20a6205096380ab3dbd1c1d235
Opcode Fuzzy Hash: 73a8602c37181380f390e21e16cc2844ab2b6a3d91c1f19752964bbdddadaed5
Instruction Fuzzy Hash: 1A51D813E0F7DA5BE72396AC58760E97FA0DF52215B0B42F7D0D8CA0F7DC186A058291

Function 00007FFD9B7DAA98 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7da000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20662149572eb1f378f6b669f123875f36c279296fe36eac9ac530d1cfbd59ce
Instruction ID: 81a858659cd6f02af1ff6c7b121c57d0904f0d18fabd9875daf8db12e15d6d53
Opcode Fuzzy Hash: 20662149572eb1f378f6b669f123875f36c279296fe36eac9ac530d1cfbd59ce
Instruction Fuzzy Hash: BC61FF70E19A1D8EDB64EBA8C4656EDB7F1FF98340F510279D00DE72A1DE346A458B40

Function 00007FFD9B7D1CED Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3883ff2dc9952aad23ece4a9cb51f5ce847e9a620c18940b0c9ff1193584ff
Instruction ID: 690f18597ecc4e9833a0e5c6a2fb829eb4c1f46ea7ccef808dd21535168e8bdc
Opcode Fuzzy Hash: be3883ff2dc9952aad23ece4a9cb51f5ce847e9a620c18940b0c9ff1193584ff
Instruction Fuzzy Hash: B751DC31B09B894FDB58CE5888645AA77E2FFD8341B15467EE45EC72A2CE34E8028781

Function 00007FFD9B7E4EED Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cbcc9337bd235982f891548c9bc6cf113c8bfd4910146d2633762a712c2028f
Instruction ID: 40a8c3b726a40537edb7e7ecae1f08bdf5b56463bbb8060e561ffaa0d930e67c
Opcode Fuzzy Hash: 0cbcc9337bd235982f891548c9bc6cf113c8bfd4910146d2633762a712c2028f
Instruction Fuzzy Hash: AF512E71E09A1D8FDFA4EBA8C4A5BACB7F1FF58301F41026AD00DE72A1DE3469458B40

Function 00007FFD9B7E88D3 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20f73e65333b06aaf36362efa613640327468f49a846bc1bd27c1087dadfb1b
Instruction ID: c22c160b3fa9abce89a30d4cc9ad481fbdb389581867180e453a0f5a46e753f8
Opcode Fuzzy Hash: b20f73e65333b06aaf36362efa613640327468f49a846bc1bd27c1087dadfb1b
Instruction Fuzzy Hash: 43519431E0D2AA4FDB15EF289865AED3BB0AF01309F1541F6D45DDA1A3CE38A544CB94

Function 00007FFD9B7F1F6F Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 793d059ae54b2c93a9fb00b979515ac54bc0b52e57b3fa0b30ffe2b7307084e3
Instruction ID: 14ae6b23377370e77a6e5a08131a8e0cdf6d67bad8b3148714318b64e151ac27
Opcode Fuzzy Hash: 793d059ae54b2c93a9fb00b979515ac54bc0b52e57b3fa0b30ffe2b7307084e3
Instruction Fuzzy Hash: AB51C522B0F78A5FD7764AA858345647FA0EF42250B4A02FBE089CB1B3DA485946C3D5

Function 00007FFD9B7EF358 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0557020c2b7678346ef2c055345d8b4f246d85a1442f7227694a250b5470c45
Instruction ID: bd3d82b4e61d53b5cc729c972d195b7ec61e99aa928fedcabbb11267113df495
Opcode Fuzzy Hash: d0557020c2b7678346ef2c055345d8b4f246d85a1442f7227694a250b5470c45
Instruction Fuzzy Hash: D9512131608A494FEB58FF18C4999B4B7E1FBA831470405BEE49FC35A2DE24F845CB80

Function 00007FFD9B7D3191 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54ecdf840b4ab454f4c0a290685f0491fa66982fbe0c620a99cf7cb1627d9b9d
Instruction ID: 93023ab02b334ca291a90e2eaa974b8ea964b9830d03848a6fbd308cf23f5a59
Opcode Fuzzy Hash: 54ecdf840b4ab454f4c0a290685f0491fa66982fbe0c620a99cf7cb1627d9b9d
Instruction Fuzzy Hash: 26514E71E0961D8FEB64DB98C4646EDBBF1EF98340F520279D009E72B1DA386A49CB50

Function 00007FFD9B7DBE89 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7da000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b533ffd1676dc8ab39dc06a18d60145ed949ae08b24b3e2843a71fb1c92e4535
Instruction ID: b677ae3dde284163f15960740fa7c3e8d7c36be3dcb58147f00048003b3f8b27
Opcode Fuzzy Hash: b533ffd1676dc8ab39dc06a18d60145ed949ae08b24b3e2843a71fb1c92e4535
Instruction Fuzzy Hash: 44511E70E1961D8FDBA4DBA888657ED77B1FF99340F41027AD00DE72A2DE346945CB40

Function 00007FFD9B7E4F00 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01477dc0941d1da400b1e8f9f5ce2419fff4a263f2df070fb9a41e9211c733b
Instruction ID: 69858bb54694f1263d804f3f2a9b732a55d2e9f64c0293a77c273e263178103d
Opcode Fuzzy Hash: a01477dc0941d1da400b1e8f9f5ce2419fff4a263f2df070fb9a41e9211c733b
Instruction Fuzzy Hash: E4511171E09A1D8FDFA4EBA8D855BADB7F1FF58301F41026AE00DE32A5DE3469458B40

Function 00007FFD9B7E925C Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c38eaa47116505b3cc0fe7bed091ba7d04f4f4b4ddb2982f35522dbd359378
Instruction ID: a5190ec55a4d0b557fab7a1d2705b07c45b1056e516d71207fb283e87cf325ad
Opcode Fuzzy Hash: 93c38eaa47116505b3cc0fe7bed091ba7d04f4f4b4ddb2982f35522dbd359378
Instruction Fuzzy Hash: 67511075E0A61D8FEBA5DB58D465BBCB7B5EF59300F5101A8D04DA32A2CE346A81CB01

Function 00007FFD9B7E92B3 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd46fc22235fdb6008f4042e97aa181795be95ec43e6c318ac6c4182fd23084
Instruction ID: 8a4c99ec53bd7250e830381748eb5822611ce61be57b230458044ba4c318e296
Opcode Fuzzy Hash: 7bd46fc22235fdb6008f4042e97aa181795be95ec43e6c318ac6c4182fd23084
Instruction Fuzzy Hash: 62510C71E0961D8FDBA9DF58D4A5BBCB3B5EF59700F5101A9D00DE32A1CE34AA81CB01

Function 00007FFD9B7E72C5 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56fa5ccda4bd028a0775b669fa1ee330dc6dfaaab947da0be285a625da24612
Instruction ID: fffefc3cb98e7837cc25cefb86d38f936ccb0feba7197742244551a1ee2c3011
Opcode Fuzzy Hash: b56fa5ccda4bd028a0775b669fa1ee330dc6dfaaab947da0be285a625da24612
Instruction Fuzzy Hash: 87514F70E0A35D9FEB65DFA4C4A86ED7BF0EF05304F11467AE409E62B1DA386A44CB41

Function 00007FFD9B7E83FC Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef89c269af98bd5461fe6399254697997edc3c8f20fd52b83205ab10d26cfc9e
Instruction ID: 9e1653be06bca88d631aeee9f8827c48b68cf3ab815ff7209b77137b03218988
Opcode Fuzzy Hash: ef89c269af98bd5461fe6399254697997edc3c8f20fd52b83205ab10d26cfc9e
Instruction Fuzzy Hash: CD516E71E0AA1D8FDBA4DF9898507E9B3B0FF15300F5042B9D41DE72A5DA34AA45CB90

Function 00007FFD9B7F1761 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab25559a45ff6ef196739fc17cd0ffaa484a303dd40be258d7dd281be10c31d
Instruction ID: 81d3a956f8dac0d0e2358214e2604522e9336bc0103365e917ab8f4cb96f2155
Opcode Fuzzy Hash: 6ab25559a45ff6ef196739fc17cd0ffaa484a303dd40be258d7dd281be10c31d
Instruction Fuzzy Hash: 5E41A421F1D65E8FE7B49AAD14311787AC1EF98690F5602BAE10FC3AF6DD186D0103D6

Function 00007FFD9B7DADFD Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7da000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66392f02f0a4a419b247db62a2463f16a2a41e4b268e9a346706fb9f0d27ab6f
Instruction ID: 39ac399d03467d41e63821bd57fa39eaab9361d63e0ab1cd0a52e9a69af7eebf
Opcode Fuzzy Hash: 66392f02f0a4a419b247db62a2463f16a2a41e4b268e9a346706fb9f0d27ab6f
Instruction Fuzzy Hash: 8B519270E0961E8EEB64DBA4C4557ED77F1FF98340F0546BAD01CE72A1DA386A898B40

Function 00007FFD9B7E1720 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e006d05bac43abd5d4d46761bc64ac561e70088539bc78c508768c3d01bac669
Instruction ID: c1df5be38ed42f3ca39493c2302808003543f079fe2f6c6319bae412c2c528dc
Opcode Fuzzy Hash: e006d05bac43abd5d4d46761bc64ac561e70088539bc78c508768c3d01bac669
Instruction Fuzzy Hash: 72516A7190E7C94FD707CB7488766A57FF0AF17214B0A45EBC485CB0B3D628A95AC722

Function 00007FFD9B7EF32E Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852b08f124b656ff294c78e326d57f338b957985258ca83814f672669e9321d0
Instruction ID: bde4e0915d0d8bf704d2ae2123274d8f67953356a383e7e0e0881793adbb4487
Opcode Fuzzy Hash: 852b08f124b656ff294c78e326d57f338b957985258ca83814f672669e9321d0
Instruction Fuzzy Hash: BB41D331608A498FEB98FF58C4A8DA577E1FF64314B04056AD45EC75B2DE24B844CB51

Function 00007FFD9B7E926C Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0609b0a3240f4110fc8005e43029dfbd17474660919ee3e06c1b8453416ef637
Instruction ID: 75bee79094864269004d12cfed0cd7eb8968724eeba7a0221e7123f8d78a1026
Opcode Fuzzy Hash: 0609b0a3240f4110fc8005e43029dfbd17474660919ee3e06c1b8453416ef637
Instruction Fuzzy Hash: C1511E75E1961D8FDBA9DB58D4A5BBCB3B5EF99700F5101A8D00DA32A1CE34AE81CB01

Function 00007FFD9B7E5D85 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea10fefede4be4765c8759f058c3d9747afc8261e405e2c4a224e202545259e
Instruction ID: cfada2993149abbc17b3a57926e80ecbd1548ccb4b3cb940b6db5d7a7c4a94cc
Opcode Fuzzy Hash: 6ea10fefede4be4765c8759f058c3d9747afc8261e405e2c4a224e202545259e
Instruction Fuzzy Hash: 1051C970E0961D8FEB69EB54C8657A9B6B1FF54301F1142BAD01EE62B2DF346A84CB01

Function 00007FFD9B7EF625 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7edc9f53c04bcc76c4fad659310664545a56ccd6541ccc5fec346341be7a807
Instruction ID: 8525ef582505622f757466204c4552f9352caba39ce540acf7806f0c21c96a50
Opcode Fuzzy Hash: b7edc9f53c04bcc76c4fad659310664545a56ccd6541ccc5fec346341be7a807
Instruction Fuzzy Hash: EE411A21B1DD4E4FF7A8EB68846497877D2EF983447554AB5D00ECB2FADE28BC428341

Function 00007FFD9B7DC63D Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7da000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fca9d810c219003c7ad1d4cc1bd6351245e20339196770a3b042c3038329699
Instruction ID: 5f6abec3d79221bc1723e1121d2ae84325e753b5dcc2b03e090c03730991a5af
Opcode Fuzzy Hash: 2fca9d810c219003c7ad1d4cc1bd6351245e20339196770a3b042c3038329699
Instruction Fuzzy Hash: 2341D436F0965E4AE725BAFCE5254FC7B60EFC0365F160376D01EC50F6CE2866498660

Function 00007FFD9B7E7A11 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198fe6517db4bb8ca4f17e5eb4a6601a90054d0df1be1792c71bbd9b78f9e200
Instruction ID: 72d30b4d3684dc27e8531f5f40f5fadb9c087f41ae1065e1c12921363c581939
Opcode Fuzzy Hash: 198fe6517db4bb8ca4f17e5eb4a6601a90054d0df1be1792c71bbd9b78f9e200
Instruction Fuzzy Hash: A4419171E1A60E9FEB64DFA8C8696BD77B1FF44300F41067AD019D62F5DE38AA418740

Function 00007FFD9B7E92A6 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0181093ec763bd531fd6244ba9448a2fb8702813a4596a6d86556ac57fee0e8f
Instruction ID: 22c57770c86a03d2911cb6ab14c86d1422782c63da26b48f7c06442985dedea4
Opcode Fuzzy Hash: 0181093ec763bd531fd6244ba9448a2fb8702813a4596a6d86556ac57fee0e8f
Instruction Fuzzy Hash: 57413175E0D61D8FDB68DB58D465BFCB3B5EF59300F5101A8D00DA32A1CE34AA81CB01

Function 00007FFD9B7EE1A0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec9500ba7e6e757883487530f468ee0eebb4086e5371fd21377df2c4957159f
Instruction ID: 537ac516939b9c8512b9bb846b069b1450daaa9b8becca7f550c697ff01cf383
Opcode Fuzzy Hash: 2ec9500ba7e6e757883487530f468ee0eebb4086e5371fd21377df2c4957159f
Instruction Fuzzy Hash: 24412930A1DA5E4EE7F8DA5884716B477A1FF98300F154AB9D04EC71F6DD386B848741

Function 00007FFD9B7E9279 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b70dcaccb49a8cd2f755ee2688d2ccc7648a11a6e3a78291208afc132994f0
Instruction ID: 44ea572b6b4807b843814ab8c1368b353c972a21cc113ab52795789b787d05ca
Opcode Fuzzy Hash: 87b70dcaccb49a8cd2f755ee2688d2ccc7648a11a6e3a78291208afc132994f0
Instruction Fuzzy Hash: 95411175E1D61D8FDB68DB98D465BFCB3B5EF59300F5101A8D00DA32A1CE34AA81CB00

Function 00007FFD9B7E237D Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd91bc08d0fb03565d7c55a63a51e9bc5d7017ad56a000ba29248849e254ff9
Instruction ID: 324397871d29b04a8ad0005be93b1dfc009851692303551daf2d4cc56c4c91ae
Opcode Fuzzy Hash: 6cd91bc08d0fb03565d7c55a63a51e9bc5d7017ad56a000ba29248849e254ff9
Instruction Fuzzy Hash: 1C412B30E1965D9FDB54EBE8D865AEDB7B1FF88300F010279E019E72A6CE3469458B41

Function 00007FFD9B7EF2F0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a53dcd07e2b2b1d0d7be97586c6316fd9248f6a3424df59207dc6ea91cbae9
Instruction ID: 0da42f023c1d6935f802d5e86a69c766031da6c3f774752fefd5b955398b90af
Opcode Fuzzy Hash: 58a53dcd07e2b2b1d0d7be97586c6316fd9248f6a3424df59207dc6ea91cbae9
Instruction Fuzzy Hash: B741A232608A598FDF98FF58C0E5DA477E1FFA8314704056AD44EC75A2DE25F844CB51

Function 00007FFD9B7E6C39 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4273b1c30f70f9278a1f722b0b8bb0b8503dc089022251397db9c7a16b1c17eb
Instruction ID: a2a22b78eeb60c97c7a60cb4395f07ee7c5af3448fedecb093a97091b7ea95c8
Opcode Fuzzy Hash: 4273b1c30f70f9278a1f722b0b8bb0b8503dc089022251397db9c7a16b1c17eb
Instruction Fuzzy Hash: 4F41DB70E0A64E8EEB64DFA4C8656ED77F0EF58310F15027AD409D62F2CE38BA448741

Function 00007FFD9B7ECA29 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3824be7ffe648aa742a1b713f2b1b82cd3333fb591357038af0a8b18bdce3fca
Instruction ID: 90236745c386eb7b1ba3ed6bc84f1554f1e38b74d5dc28d026122229c108a895
Opcode Fuzzy Hash: 3824be7ffe648aa742a1b713f2b1b82cd3333fb591357038af0a8b18bdce3fca
Instruction Fuzzy Hash: FE319234B1EA0E8FE774D7B898655BD37A1FF49310F2602B6E00ED31B1CE286A019781

Function 00007FFD9B7E55C8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a7869b0b8aae8609b8139cfa0b67350ab79c9f90a14550c28dfeb31450d87f
Instruction ID: 06d521bd94766d37f14780c358d045cf6c3fa9d0fa36658290c51ffab99bce86
Opcode Fuzzy Hash: 35a7869b0b8aae8609b8139cfa0b67350ab79c9f90a14550c28dfeb31450d87f
Instruction Fuzzy Hash: 9231C971A1961E8FDBA4EF58D855BF977F0EF59305F0102B9940DE32A1DB34AA80CB81

Function 00007FFD9B7F20DC Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a848055198dcdd1f00a8b99020f6687a2bf6912ac0a8df2f6bcad2da4d14275
Instruction ID: 7dba99f3d221f673d43d78d684ca6e168dccf01383b758973c4b0419a6be3073
Opcode Fuzzy Hash: 8a848055198dcdd1f00a8b99020f6687a2bf6912ac0a8df2f6bcad2da4d14275
Instruction Fuzzy Hash: B9317F30F1EA4E8BE674DAC8846557D7AA1EF48310FA20276F50EC31B0DE286A0092CD

Function 00007FFD9B7F1D6F Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85805a2150f5058fed29036c0a0197a196d3c4bf46de1f0e2c083bd9f75d51b
Instruction ID: e6f7ccacfdead2f4c90695675e78f547a625b0b13e4f0afcffa97ed495c2369b
Opcode Fuzzy Hash: e85805a2150f5058fed29036c0a0197a196d3c4bf46de1f0e2c083bd9f75d51b
Instruction Fuzzy Hash: E321C572F0EA4D4FE76DE6A854726A87AD1EF84310F050379D05DC36F2ED19690143C5

Function 00007FFD9B7F21DD Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 483144d48215850d655bee2ae4b0178e4b994589b6d8e01f8a76e469fb5782aa
Instruction ID: 3431e0297515dd109e74dc19d40f51488d80ee78d068f44dbb13b1f206040dd0
Opcode Fuzzy Hash: 483144d48215850d655bee2ae4b0178e4b994589b6d8e01f8a76e469fb5782aa
Instruction Fuzzy Hash: 5B213A5271EECE0FD396A7A848755B17FA0EF66210B0642F7E089C71F7DD142905C381

Function 00007FFD9B7E844A Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ef646909741807b6b51dcb15dbdd0bd0ea7e332405a061c9e5133efbc896da
Instruction ID: ed5814b6484a9dd6ef250d144b002bfe81084957288126cfb70d18886a3961b0
Opcode Fuzzy Hash: 22ef646909741807b6b51dcb15dbdd0bd0ea7e332405a061c9e5133efbc896da
Instruction Fuzzy Hash: B5213E71E0AA1D8FEBB4DE889850BE973B0FF25310F1102BAD45DD72B1DE34AA458B50

Function 00007FFD9B7EC6DE Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a24beadf5b9a676c67041b39a2eca73f8065f3cfb68f06999bd5629c95ebfea
Instruction ID: 6ea4890bd769868fe994d9fb2a59321a84cf844c4062ce129f938f7048dd902b
Opcode Fuzzy Hash: 2a24beadf5b9a676c67041b39a2eca73f8065f3cfb68f06999bd5629c95ebfea
Instruction Fuzzy Hash: B321E975F1E74D4FE768A7B858711E8BBE0FF59350F06027AD01ED66F2EE1869014640

Function 00007FFD9B7E8182 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7e07448f6ee35717ad2da8c7efe686c5af8df8e93a73884b0ff88e4a5a2fd5
Instruction ID: 28beae20ca4ed9ef392c18bacc6f781c0eb1b59071cbc3b8aaaa9ed1a3fc9069
Opcode Fuzzy Hash: fd7e07448f6ee35717ad2da8c7efe686c5af8df8e93a73884b0ff88e4a5a2fd5
Instruction Fuzzy Hash: 8621EE72E09A4D8ADB659F6498612F8B7B4EF55300F4416BED09EA61B2CE34A6818B40

Function 00007FFD9B7E6B15 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e7fd643e2002fc0e31aab922cb6b9c85971ea05726d1ce6bcc213dd7760589
Instruction ID: 5e259cb845992a24c227dc65fcb12ee7e825e95ad1474b5c2c264b0ed822df35
Opcode Fuzzy Hash: 27e7fd643e2002fc0e31aab922cb6b9c85971ea05726d1ce6bcc213dd7760589
Instruction Fuzzy Hash: 3721AE31E0EA4E8BEBA9AFA488762BD36A0FF55300F1141BED41DC61B2DE35A654C701

Function 00007FFD9B7EE170 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2ea3ab5a6ddcce0d72b35529243c43b3080c6fb3acc3a89536f44db85b2797
Instruction ID: 051e1129ab2677e0b1e8128e2b464409545194b5adfe78d1b6de23f5031db783
Opcode Fuzzy Hash: 5f2ea3ab5a6ddcce0d72b35529243c43b3080c6fb3acc3a89536f44db85b2797
Instruction Fuzzy Hash: 2331C020A1E69A8AE3B9875844704B03F51EFC53007194BB6D09FCB0F7C42CB685C381

Function 00007FFD9B7EB5A2 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98cfa7301eba0afbcfd187c3187579d431a6d15921901857af6921d0385dde07
Instruction ID: 3e065620b13fe2ef4dc56fb967fbc3795491d827569611aa67b6e927ebcb267c
Opcode Fuzzy Hash: 98cfa7301eba0afbcfd187c3187579d431a6d15921901857af6921d0385dde07
Instruction Fuzzy Hash: 1831EA71E1591D8FDF98DB58C4A5AED77B1FF58301F4102AAD00EE32A1CA35AA918B40

Function 00007FFD9B7F1A41 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69382413221f34f2788443a7bb0634a43ca1a048525bca51c40ececd6da4baa6
Instruction ID: 8f23fe7962756d1d36a8b9e275d4392f6b2494ad4e2929bb64018983cf2c4d01
Opcode Fuzzy Hash: 69382413221f34f2788443a7bb0634a43ca1a048525bca51c40ececd6da4baa6
Instruction Fuzzy Hash: 7231DD34F1990D8FDF99DBA8C465AAC7BF1FF58300F4541B9D00ED76A1DA34A9418B40

Function 00007FFD9B7D33A0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c0b6291b773b0e9f6bc1e94aa0ea0ce0fa5821a9c3ee8ecabce7029349773b
Instruction ID: cf9f38c971341cd971d9ef021f250d6fadc3f76cf131981e89e4ae47e5135ebe
Opcode Fuzzy Hash: 22c0b6291b773b0e9f6bc1e94aa0ea0ce0fa5821a9c3ee8ecabce7029349773b
Instruction Fuzzy Hash: 2831D73194E38E8FD753DB7488585A97FF0EF46350B1606FBD045C70B2DA28A949C721

Function 00007FFD9B7E7151 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c98d30d0a84e3dfee61cad7db82ed0b39ebc1bd496c4789740521e081bf967e
Instruction ID: 33fa84f5315198149d8fd4e57ae04c25ab393c14192449afe41972350c551cce
Opcode Fuzzy Hash: 8c98d30d0a84e3dfee61cad7db82ed0b39ebc1bd496c4789740521e081bf967e
Instruction Fuzzy Hash: 15214F30E0A74E9FEBA4EFA8846D2BD7BE0FF58300F01097AE419C61B1DB34A6418740

Function 00007FFD9B7DC120 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7da000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23157fbbf89509075dd0d133c5f11cf1a34eb54d1f075dfc356dccd381a64b9
Instruction ID: cd102f9a13f7fef7725f510f8317dee2915b0924746720ce13e2bd89237fea60
Opcode Fuzzy Hash: b23157fbbf89509075dd0d133c5f11cf1a34eb54d1f075dfc356dccd381a64b9
Instruction Fuzzy Hash: E721CF7188E3DA0FDB139B705C364E63FB49F43214F0A02EBE458CA4A3C92D125AC362

Function 00007FFD9B7E848E Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4363e5377a1b9e020f9b71dad02fff33c3558175f6fd291ef56d519442cdeb93
Instruction ID: ecbb079de8c5d6350c67bf28de304a0619eddc1b706831d81a2894a844d42a23
Opcode Fuzzy Hash: 4363e5377a1b9e020f9b71dad02fff33c3558175f6fd291ef56d519442cdeb93
Instruction Fuzzy Hash: E621FF75E09A1D8FEFA4DE589C50BE973B0FF25700F5042AAD45DD3260DE70AA858B50

Function 00007FFD9B7ED0A0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3eb9733a2545b2e07ffd86f2049714b6342a332e2710b1021e3cb1acf7ccce
Instruction ID: 045ece574de21bf68ec0573aaf2eebc71473fea26adedbe8b198a4246aa42db3
Opcode Fuzzy Hash: ef3eb9733a2545b2e07ffd86f2049714b6342a332e2710b1021e3cb1acf7ccce
Instruction Fuzzy Hash: AB210331B09B0B8FE725DAA8C5615F577E0EF05350F01067AE44AC75F2EB2AFA448750

Function 00007FFD9B7F23B1 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a0875c5786cd5a01253bd7cbebdf9124f1620ac8146ffc65086e1fce14b2d3
Instruction ID: 327a10e10daeee7726711071631e0fef99643f2d87415de1e2942fc29fddf462
Opcode Fuzzy Hash: 69a0875c5786cd5a01253bd7cbebdf9124f1620ac8146ffc65086e1fce14b2d3
Instruction Fuzzy Hash: EF11E732F1E71B8BEA7985D8A4210787BC0FF44724BA20779E88B872B0DD59BD4251CD

Function 00007FFD9B7E907F Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1715ea5264011e62882076ee437a6f7e53e965e1044a4d791761dc9f0380188a
Instruction ID: d16ba3d3e4e5b124beb655b0c50e077dedd33d4176b63e11f94c2bc0b739a65e
Opcode Fuzzy Hash: 1715ea5264011e62882076ee437a6f7e53e965e1044a4d791761dc9f0380188a
Instruction Fuzzy Hash: E221BA31E0A51D8FDBA8DB58D8A5AFDB3B1EF59300F5151A5D00DE32B5CE346E818B40

Function 00007FFD9B7E1ED0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692caaf85591cb329488a6b1bd0b683b539eed021ab362d3ec24a45af9e1a921
Instruction ID: 46dd2461a65533247d4a79362d3a821a85f85f3837e068a4b6275b05ce23fd6b
Opcode Fuzzy Hash: 692caaf85591cb329488a6b1bd0b683b539eed021ab362d3ec24a45af9e1a921
Instruction Fuzzy Hash: 17219D3094E3CA4FDB569B7088669E57FB0AF07314B0A05FBD449CA4F3DA286A46C761

Function 00007FFD9B7E7259 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918cf4581d00e51f3ef1150899b07829e1ee57b54e14fb806cfe05e16ad442d9
Instruction ID: 052238f1d1c29f0e85057783b168a8795abab77b8523ac9d8f6585a9d3583416
Opcode Fuzzy Hash: 918cf4581d00e51f3ef1150899b07829e1ee57b54e14fb806cfe05e16ad442d9
Instruction Fuzzy Hash: 7A218330E0A64E9FEB61EB64886D5BD7BF4FF15300F050AB6E418C70B6EA34A6548701

Function 00007FFD9B7EAA29 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a77d5328ed6862fa046641c6c4b32c68d0223cc3d18b88b0f592e78a27c4ac
Instruction ID: 4ff90e299cc5117aa7a00559df82f47f2783f7504cdf05b5275ce03bef772a82
Opcode Fuzzy Hash: 88a77d5328ed6862fa046641c6c4b32c68d0223cc3d18b88b0f592e78a27c4ac
Instruction Fuzzy Hash: DB215E31E1DB8D8FDB54DB98C8609ACBBB1FF98300F51027AD00AE72B1DA3869058B50

Function 00007FFD9B7D2189 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e684ba33e915a40f517cd81769c53d5eb16917a3f15ecb0c55193f687dadeb8a
Instruction ID: a482eadbb7644b5aa40518dcb3c59e8eba4737869a17498e1a0dd0e232b9f8e8
Opcode Fuzzy Hash: e684ba33e915a40f517cd81769c53d5eb16917a3f15ecb0c55193f687dadeb8a
Instruction Fuzzy Hash: 0D11E131B1D60E4FE715E7B488295A977E0EF86340F0146F6D41DC70F6EE28B6898711

Function 00007FFD9B7E69D1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f6d29c11a5c3c61b4a62bf4f3454d9646d7e9400ed08030a968cc506e4ca316
Instruction ID: 68aaea90323ba0c3f172cc77f29544b8a65f29b7329458d25e2ebdef4cbc6f37
Opcode Fuzzy Hash: 8f6d29c11a5c3c61b4a62bf4f3454d9646d7e9400ed08030a968cc506e4ca316
Instruction Fuzzy Hash: 2F11AC70E09A4E8FEB98EF68846A6BE37A1FF58304F0142BAD41DC61B6DE34A540C740

Function 00007FFD9B7D084D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca27cbe481a1f69695db4acadabeb1e7b26e15ce0fb35496921328bf28494c03
Instruction ID: a1f0e0e0560f1b5bf1897d1b60b3bf60cf07ca4042140137860e5a332308cef9
Opcode Fuzzy Hash: ca27cbe481a1f69695db4acadabeb1e7b26e15ce0fb35496921328bf28494c03
Instruction Fuzzy Hash: 48113630B0924E8FEB11EBB8C4789E937E0EF85304F0656B2D419DB0BBDD34A158C291

Function 00007FFD9B7D0A01 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1c76be992162173d3501249e11ef427a69f7b67193fbbe887873107e409daa
Instruction ID: af44ca5082e07df1d44ce8f8325a40049121361b43664c85352134047c2180b4
Opcode Fuzzy Hash: 1f1c76be992162173d3501249e11ef427a69f7b67193fbbe887873107e409daa
Instruction Fuzzy Hash: C511B231E1960E4EE750EBA884685BD77E0FFD8340F8156B6D41DC70B6DE34A548C700

Function 00007FFD9B7ED220 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c29e92d15c7e983ea69bb6b0002ecb4230ef1a9106c74191e253c4fcedaf92
Instruction ID: 59d60defc3cda5ca381f263da2fe8bafa2b0046e9a19401604161e212f4e6653
Opcode Fuzzy Hash: 13c29e92d15c7e983ea69bb6b0002ecb4230ef1a9106c74191e253c4fcedaf92
Instruction Fuzzy Hash: 8B11B231F09A4E4AEBB4AAA494219F573A0EF54311F01067AE44FC75F2EE29FA058290

Function 00007FFD9B7E2E49 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b42fa14b3a869c23431a05e63942d010e9c87bd9ab436a432a8b7c524feb32
Instruction ID: dbee87d49df864e8e7c554dcec09c55bb8ec539f33a1b8dd3b1862f1402ad6c1
Opcode Fuzzy Hash: 42b42fa14b3a869c23431a05e63942d010e9c87bd9ab436a432a8b7c524feb32
Instruction Fuzzy Hash: E921D23190E69A8FE752EBB48C6D6AA7BF0EF1A300F0505F6D448C70B2DA28A644C751

Function 00007FFD9B7D0EFD Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa54caf18771a3c1d89aec395c3acae836b493415bb1ee53450e1e752561cc9
Instruction ID: 9c9db4b17556eff77ac4e87484d0e4cd7765d7f0e4f411e3eed83b38eaf74ed1
Opcode Fuzzy Hash: 0aa54caf18771a3c1d89aec395c3acae836b493415bb1ee53450e1e752561cc9
Instruction Fuzzy Hash: CB215431F09A0E8BEB64DB94C464FEE77A1EB94340F115375C009D72A9DE34A945CB80

Function 00007FFD9B7E6A75 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e37bf4278a2cfb4586c77539da07be579ea2419cc4ce283e8f6f4cccd6d3f3
Instruction ID: e42ceb6550dd44300540b0902f35dee54a59ad1020fd4a263100c2faf1552baf
Opcode Fuzzy Hash: c6e37bf4278a2cfb4586c77539da07be579ea2419cc4ce283e8f6f4cccd6d3f3
Instruction Fuzzy Hash: E011AF30E09A4E8FDB58EF6884696BA3BA0FF58304F0142BED419C61B6DA34A540C740

Function 00007FFD9B7E20E1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43ee7cc96c0067dbd77946642fee6f66e6dcf5f41cdf9b22c8b04204452452f
Instruction ID: d4a5933222460f848ce92f9b9e2b75808fd041b05476f85f20facb9862ee7ee7
Opcode Fuzzy Hash: d43ee7cc96c0067dbd77946642fee6f66e6dcf5f41cdf9b22c8b04204452452f
Instruction Fuzzy Hash: 13118E70A0928D8FDB59DF64C4A55F93BE1FF59314F1202AEF84A832A1DA34A654CB81

Function 00007FFD9B7E43C5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94dda9d063e8c26ea938164c17e323441f6bfbd2fd99d42aa9bed7d15cbf9e6
Instruction ID: 2da2b22b32f9fa8801421c76bd738926659d92969fd967a30ba62deb934a4d39
Opcode Fuzzy Hash: d94dda9d063e8c26ea938164c17e323441f6bfbd2fd99d42aa9bed7d15cbf9e6
Instruction Fuzzy Hash: 5511A270E0964E8FEB58EF6884692BD7BA1FF59301F1202BED41DC61B1DA346550C750

Function 00007FFD9B7E4329 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d4eb749f9702050904fa477614760ccf13b08d8e618a905bc57106ad666f9f
Instruction ID: 243274cbc152ff4373887e6b5d963caf0c0ea17b9839b95cd286a51dce659b90
Opcode Fuzzy Hash: 63d4eb749f9702050904fa477614760ccf13b08d8e618a905bc57106ad666f9f
Instruction Fuzzy Hash: 9D218C70A0978E8FEB59EF6884692BD7BA0FF99301F0202BED41DD61B6DA34A540C741

Function 00007FFD9B7E32C0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c7abf1ecd8ef6e0e018c7ccf20266a4145d433859255633113400a6f295eba
Instruction ID: 41525f73aff368c82db47bc252fb32633f5dc0da9a98c794d5192f6c061c0b43
Opcode Fuzzy Hash: a1c7abf1ecd8ef6e0e018c7ccf20266a4145d433859255633113400a6f295eba
Instruction Fuzzy Hash: 3F11B962E1E7CA9BF7675B7448765B57FA4EF12204F0B02B6D49CC60F3DD186A048261

Function 00007FFD9B7E48E5 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b21a458bf33152a3a28aa97e1b702a1d263b49f11d1255caaee37818b427afb
Instruction ID: f63bcd720f7b21db3f2b94a0a8ab42e2381703cfb3612759198cf4e1fe6c8c7c
Opcode Fuzzy Hash: 5b21a458bf33152a3a28aa97e1b702a1d263b49f11d1255caaee37818b427afb
Instruction Fuzzy Hash: 2D11EF71E0EB8E8BEB69DFA488B62BC7A90EF55304F0601BED01D965F2DE297510C601

Function 00007FFD9B7E4C59 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e854efc7fb04f5309b52caac735b0d9a25cb9a6b52e885f9aa63c921f3896525
Instruction ID: 031550f75c9dbad2462e92c2d8a424d01c6aef8d8ddd3570b28184f45a1e6fa0
Opcode Fuzzy Hash: e854efc7fb04f5309b52caac735b0d9a25cb9a6b52e885f9aa63c921f3896525
Instruction Fuzzy Hash: F0117930A0968E8FEB65EBA488696BD7BA0FF19304F0106BED41DC71F2DA356540C701

Function 00007FFD9B7DC6C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7da000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3f2d82953fd73cd33e12cf66f6f31a075322fb3095548ad72eecb7e65432fa
Instruction ID: 1e294cb2c094f808770aef6a97b023040c666366a839621b0fdb9db59cf66c88
Opcode Fuzzy Hash: 8b3f2d82953fd73cd33e12cf66f6f31a075322fb3095548ad72eecb7e65432fa
Instruction Fuzzy Hash: E9118F31A0A64E8FEB55EBB4C8695B97BB0FF55340F0106BBD41AC60B2DF346A54C750

Function 00007FFD9B7F1C12 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f3fbace51abf67ac187e83dc2025cf5ee7f171388cab2b850f8e24d34d683c
Instruction ID: 1872c6792dadc7269211acca5f5fc1d0ca51c367a43e8956bb932ca796bab08a
Opcode Fuzzy Hash: f5f3fbace51abf67ac187e83dc2025cf5ee7f171388cab2b850f8e24d34d683c
Instruction Fuzzy Hash: 7F01F931A4F7CD1FD36297B448685A53FE5DF87610F0A02FBE448C70B2EA590906C761

Function 00007FFD9B7E24D1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e276d431f05edb06b7b13e0574d0c6fc38f1967cde3d80c4f90d6c643010e64f
Instruction ID: f9e0507ca9bec246f5587e1e7fcb085ccb94d8c48fad9853716a9a2bdce17561
Opcode Fuzzy Hash: e276d431f05edb06b7b13e0574d0c6fc38f1967cde3d80c4f90d6c643010e64f
Instruction Fuzzy Hash: 3511C431E0D65E8EEB52ABB488685F97BE4EF59300F0506B2E418C70B6EA34A244C701

Function 00007FFD9B7E6BAD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d4e49f08bbd58c54badf80039f6482b6eeaf636646dba5acd4c0c700122be6
Instruction ID: f388ba5ba69a35755b071fbb6b22ed69ac4c61d34ac031668054984b72da452a
Opcode Fuzzy Hash: 29d4e49f08bbd58c54badf80039f6482b6eeaf636646dba5acd4c0c700122be6
Instruction Fuzzy Hash: 5011CE70A0A64E8FEB68EF64C4656BA7BA0EF58304F1102BAD41DC61F2DE35A554C741

Function 00007FFD9B7E70D1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db788791a2856179c7267d9f5b720d04dc5e46de34b9d5e3281178867d152ac
Instruction ID: bfc8607d88665fd003b82a044182396f880fe28f7af72017838be9eb1b61dc18
Opcode Fuzzy Hash: 9db788791a2856179c7267d9f5b720d04dc5e46de34b9d5e3281178867d152ac
Instruction Fuzzy Hash: BF118E31A0A64E9FEB61EFA4C85C6A97BF0FF19300F0609B6E419C70B1DA38A6448750

Function 00007FFD9B7E4BCD Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1d689e8550ad56098fc2df6c04b127e86256c362b9407037ccf6977abada2e
Instruction ID: 9547f41d07d32d6e25cc915e74a317b0e44248d35b86655cb2cdb05d1656d618
Opcode Fuzzy Hash: 2d1d689e8550ad56098fc2df6c04b127e86256c362b9407037ccf6977abada2e
Instruction Fuzzy Hash: 47118831A1968E8FEB58EF6488696BE77E0FF18304F0105BED41EC61F6DA34A640CB01

Function 00007FFD9B7E8638 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9bd76e4238d6d1bfb30349c28ac3fe5d4df1533f68df1c251902e3b4f8fa1a6
Instruction ID: b5f68e818650e796f3a7aece6de122545007a4f29147242fd3c1424caede6a49
Opcode Fuzzy Hash: e9bd76e4238d6d1bfb30349c28ac3fe5d4df1533f68df1c251902e3b4f8fa1a6
Instruction Fuzzy Hash: 0F114F30A04A0ECFDF54EFA8C4596BD77E0FF58305F10067AE419D21A4CB34A540CB90

Function 00007FFD9B7E7991 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a72ae0ef9f87b8930732b66da3dd3233aaefa441277c8c61334e8b1a1495075
Instruction ID: 145da1fa6ad46d16fb5e5eb3adc47a049630e047d8366e8f4f8731a671d7433f
Opcode Fuzzy Hash: 4a72ae0ef9f87b8930732b66da3dd3233aaefa441277c8c61334e8b1a1495075
Instruction Fuzzy Hash: AC019E30A1960E9FDB58EF64C4696B977A0FF19304F4205BED41ADA1F2DA35A650C700

Function 00007FFD9B7E5CF9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d66997a07c58936a3a4bd1f36bc7309078ee5a4ebb2bd481c1681d789de6d86
Instruction ID: dbf1de872ff658660d38960827816924bd9c62e83de89a6dc527b6ed30cb66db
Opcode Fuzzy Hash: 7d66997a07c58936a3a4bd1f36bc7309078ee5a4ebb2bd481c1681d789de6d86
Instruction Fuzzy Hash: BD119130E0964E8FE761EB6488AD6A97BF0FF15300F0506B6D41CC70B6EA34A544C711

Function 00007FFD9B7D1140 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afff5a060ea6dca98dc452cbde193fe170d071b2dfb0e7bc84c3bdd36d2c2517
Instruction ID: f78c0422d389606d53409ba04704985e0cd2fd397da96ff8c1bc6e9516a202db
Opcode Fuzzy Hash: afff5a060ea6dca98dc452cbde193fe170d071b2dfb0e7bc84c3bdd36d2c2517
Instruction Fuzzy Hash: 3311E970E0960E8AEB64DBA4C4687BA77E0FF99344F00067ED41ED65F1DE356654C600

Function 00007FFD9B7E4A0D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d8b596b7bfa952614204e5956341857eeed98f37b167c0442f9e540dcabae4
Instruction ID: 077b0e88f16a4f93e271fd4ec6316f4e41de15b33a1fc63830117b11753f5dbc
Opcode Fuzzy Hash: 18d8b596b7bfa952614204e5956341857eeed98f37b167c0442f9e540dcabae4
Instruction Fuzzy Hash: F2116D71E0E68E8FEBA4EF6488696BD7AA0FF18314F0505BED41DC61B6DA3565408701

Function 00007FFD9B7D34C5 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0acd61d669edf8dfed4f5e88e813c8636e66806857a1ebd99158feb1518fc093
Instruction ID: 7f7d84689eaafeb171017f781269b0e19e962b20fea0d74b1bfa5163f3838361
Opcode Fuzzy Hash: 0acd61d669edf8dfed4f5e88e813c8636e66806857a1ebd99158feb1518fc093
Instruction Fuzzy Hash: B0118E30A1964E8FDB54EF64C8686BE7BE0FF58304F4206BAD41AD71A2DA35A644C710

Function 00007FFD9B7DAF1E Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7da000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8362676066860e7e6d9c02ca9882a6ade10e20ae4d514993b94e6a29915328db
Instruction ID: ca8a6102b969a8e545961708d25fbe4f441dcc17bccdf08ba69417ccd1f0342d
Opcode Fuzzy Hash: 8362676066860e7e6d9c02ca9882a6ade10e20ae4d514993b94e6a29915328db
Instruction Fuzzy Hash: 0F110370E0A62D8EDF60EBA4C455AED77F1AF98340F5147B6D40CE32A1DB389A858B50

Function 00007FFD9B7E3789 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2552844e923d4b6a39244ed78abc6b9795bbd4047ccdccdb36a0cd38991447
Instruction ID: d7bd1cfa286be037c58f731157a377fa64ca2c37d97814c106531c714ca04cab
Opcode Fuzzy Hash: 4a2552844e923d4b6a39244ed78abc6b9795bbd4047ccdccdb36a0cd38991447
Instruction Fuzzy Hash: 0D019670E1964E9EEB51FBB488695BA76F0FF18310F0206B6D41CD71B5EE34A6408751

Function 00007FFD9B7D05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b49f00fe0fe556be4e2041fd7ae45a1c9fef86a534180b0365c215b02bcfd6
Instruction ID: da06b734a693aed83bcabe1eabd9a3e05bae32ae8920418a2896bebaf5069c30
Opcode Fuzzy Hash: b8b49f00fe0fe556be4e2041fd7ae45a1c9fef86a534180b0365c215b02bcfd6
Instruction Fuzzy Hash: C4019230A0560E8FDB69EF64C4656B977A1FF98344F61067ED40EC25F4CE31A654C740

Function 00007FFD9B7DDC15 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7da000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ec0b012ca5ea8bf4a9645bc7514ac69e293ffbb7fb1f9c143ab6b1f49ac27c
Instruction ID: e0f9edb76e6cc2d2fdb5ac8f83099ab2950fecf0041ccd75f96755dea4a99f87
Opcode Fuzzy Hash: e8ec0b012ca5ea8bf4a9645bc7514ac69e293ffbb7fb1f9c143ab6b1f49ac27c
Instruction Fuzzy Hash: 7E112B70E0A61D8FDB68DF90C864BADB7B2FB94341F110369D00EA72A1DB746944CB40

Function 00007FFD9B7EEE0C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a1250bc7173f6498e182548bf0c88029d094bea11e12b5dc8c3bcfbc9dc8ca
Instruction ID: 0e68b92e76d67e31beb64a789089d1ebf3a7412af4048473a3846de334560963
Opcode Fuzzy Hash: b0a1250bc7173f6498e182548bf0c88029d094bea11e12b5dc8c3bcfbc9dc8ca
Instruction Fuzzy Hash: 7B01D63160E70A8FE394DA14D4A05E1B7E0FF05320B410A7AD046C7AB6EB697945C741

Function 00007FFD9B7DABFA Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7da000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c630a8340c2bb04b132f87eea7c45467e983811595159a1afcffafee7a305a
Instruction ID: d9366b0c32cf7f43b8d1f960bf766882b6e64d1fe1f44887fd517841eb3f22ce
Opcode Fuzzy Hash: 51c630a8340c2bb04b132f87eea7c45467e983811595159a1afcffafee7a305a
Instruction Fuzzy Hash: E701C461E0EA4E4FEB61A7A884681A97BD4FF99364F420776D51CC20F1EE24A5488240

Function 00007FFD9B7F2799 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38e99e1fd5a2950a6c14d544dbeb6715fcd03e0fd38d69968920591d9275bd4
Instruction ID: 317d0ad0f1d3681d496216ce002a6d2d0346ec8c46bf4b1d0488993ebcf8f3a0
Opcode Fuzzy Hash: f38e99e1fd5a2950a6c14d544dbeb6715fcd03e0fd38d69968920591d9275bd4
Instruction Fuzzy Hash: 42017131B1DF098FDBA4EB6890205A6B3E1FF54354B500ABDD04EC76A6DA39F8458780

Function 00007FFD9B7E789C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a34e4a3273331d581fc9b3d11265146f9aba1eaea566d0181eaa47413a77bfc
Instruction ID: e78f4a5059b0ff052074b71fd59c742e1abb148ccf89c2dc639de421bb4d46c3
Opcode Fuzzy Hash: 3a34e4a3273331d581fc9b3d11265146f9aba1eaea566d0181eaa47413a77bfc
Instruction Fuzzy Hash: FB014030A0960E9EEB59EF68C8685BD77E0FF28304F1005BAD41DD61B5DB35A650C700

Function 00007FFD9B7DAB68 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7da000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422d22f611c1b72d7c84cc077cfceb2df1cce967c418972f4cfb49de47595c2f
Instruction ID: a8e31de2263abc0af1fe197655f0ddc428df0c1645ab3ca63b80536ce38c04f1
Opcode Fuzzy Hash: 422d22f611c1b72d7c84cc077cfceb2df1cce967c418972f4cfb49de47595c2f
Instruction Fuzzy Hash: 36014830A19A0E8EEB94EBA4C4686BE76A0FF58305F510A7ED41AD72B1DA30A654C700

Function 00007FFD9B7DB98C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7da000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1b53817cc88c3ed328f11a29ff314eff2247c9c67379e525add45abca3666f
Instruction ID: c6dfb170a4b42bb87c4db7481ad6bd6bdf55da4cf5be2a196ba0d2cef886b1af
Opcode Fuzzy Hash: 8b1b53817cc88c3ed328f11a29ff314eff2247c9c67379e525add45abca3666f
Instruction Fuzzy Hash: 57018C30E0964E8EEB94EF68C4A82BD7AE0FF58305F41067AD41AC62A1DE31A6448740

Function 00007FFD9B7D280D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92d94d04e365950c6553aaf3e8deb40ec1e4640e1a8edea11d071621127aa04
Instruction ID: b39e8d39e402986e5b62e96b73f4cc4d975bdc2dba50694799658e60c51c6def
Opcode Fuzzy Hash: a92d94d04e365950c6553aaf3e8deb40ec1e4640e1a8edea11d071621127aa04
Instruction Fuzzy Hash: E0018430F1A64E8FD751EBA4C4585B977F0EF99301F4246B6D418C70B6DA38E659C710

Function 00007FFD9B7DAB28 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7da000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c4fa49b291140384bda5575e5e57a5073c58a6c81ad2f52d48b6e8d52dc1626
Instruction ID: 0af373602759a9087d7f02cd172f5af63a4703c9c3a75782deedd9b177a803b7
Opcode Fuzzy Hash: 5c4fa49b291140384bda5575e5e57a5073c58a6c81ad2f52d48b6e8d52dc1626
Instruction Fuzzy Hash: 0301B130A0960E8FEB58EFA8C4656BA77A1FF98304F51027AD41EC21B4CA31B354C740

Function 00007FFD9B7DC180 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7da000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a983de41161fe0b0624fd78742ca36bc4fdf8d734b9d97ff77762d9f699c1e
Instruction ID: 01be8a62f2bbd8a1dafd9ae1c8b860ca94a8e957c8ad79c717541771fdea92e9
Opcode Fuzzy Hash: 34a983de41161fe0b0624fd78742ca36bc4fdf8d734b9d97ff77762d9f699c1e
Instruction Fuzzy Hash: E9017170E15A1E8EEB94EFA4C4686BE77E0FF58304F500A7AE41EC21A4DE316654C700

Function 00007FFD9B7F1FFC Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f0a2bbe4c4a71bde2a58539f17a40e2bf31725728b5e33ad95dc0ab8741097
Instruction ID: 6d1109cb6fe15b6c025f0ad5dc2dbd73eabd98827e18409887b8df4a27b6fdd1
Opcode Fuzzy Hash: e4f0a2bbe4c4a71bde2a58539f17a40e2bf31725728b5e33ad95dc0ab8741097
Instruction Fuzzy Hash: C8017102F1F78A4AE77559E814380383D919F41650F9A03BBE04ACA1F7EC4C2A45D3C9

Function 00007FFD9B7D2EA9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06fb32a7a07c697797d86be941978de871cf72a5f5826cdb35c64f6f5b072311
Instruction ID: 9975e90b26328cbc6c6d654f66fe139009f9277cea5fc96459756dd4651db3d8
Opcode Fuzzy Hash: 06fb32a7a07c697797d86be941978de871cf72a5f5826cdb35c64f6f5b072311
Instruction Fuzzy Hash: C0018431A0A74E8FE751E7B4C85D5A97BE0EF45300F460AB7D018DB0B6EA38A648C711

Function 00007FFD9B7DA789 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7da000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8505927788829e8d70dcd5fabc332509feffc44765fa4f51b1a63318165d26af
Instruction ID: 0ea6a612d497016cedf9d9fda9ad1375d5780e83d26e36a44cfa7010b9f8c64a
Opcode Fuzzy Hash: 8505927788829e8d70dcd5fabc332509feffc44765fa4f51b1a63318165d26af
Instruction Fuzzy Hash: 8301D430A5E34E4FD712EB7488685A97BF4EF45310F460AF6D008CB0B6D934A648C311

Function 00007FFD9B7DF1C9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7df000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd358c4c3f8f3adb035bf6fb67076c32e8187df3259e355346ee504fbd7d17d
Instruction ID: 4f2fd33b9cf0126bf7647aa0191db4938cc030a3958b1c581d7432a6b526acb0
Opcode Fuzzy Hash: cfd358c4c3f8f3adb035bf6fb67076c32e8187df3259e355346ee504fbd7d17d
Instruction Fuzzy Hash: 9811BE70E1965D8BDBA8DF2488657E8B6B1FF58304F4142F9915DE32A1DE342EC18F44

Function 00007FFD9B7D0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8954c9241c1e45c4340fdc93e9350069b8b77f275f82500965691e46de3c040
Instruction ID: bdfd96ad7de74750f962e86a0566ea4bd128de876d6a9ee612ca983b8f319f9f
Opcode Fuzzy Hash: b8954c9241c1e45c4340fdc93e9350069b8b77f275f82500965691e46de3c040
Instruction Fuzzy Hash: 4601D130A1560E8BEBA8EBA4C4686B973E0FF48305F500A7ED41EC21F0DE35B645CA00

Function 00007FFD9B7D0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668e4b173e94d043739cdabff8f16a002c24369cfd84ba413b57be0a243bbedd
Instruction ID: 8fc4caddc966d7c320cae4477ea784e0d5194dcce837976955988c1785f54915
Opcode Fuzzy Hash: 668e4b173e94d043739cdabff8f16a002c24369cfd84ba413b57be0a243bbedd
Instruction Fuzzy Hash: 4401D130A1960E8BEB68EBA4C4686BD77A0FF58315F100A7ED41EC21F5DE35B695CA00

Function 00007FFD9B7D1C6D Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aece6cb90d4f6e041052d8d5d8c667f263b7cf5657fbcf0da9b71c35bafb7fa
Instruction ID: dfe9041a5faccd8d34fd7ddb45d46cd04ecaf7913c8afc7060d5eb6b89c26002
Opcode Fuzzy Hash: 8aece6cb90d4f6e041052d8d5d8c667f263b7cf5657fbcf0da9b71c35bafb7fa
Instruction Fuzzy Hash: FCF0F430A0A74E8FDB55DF2084656BA37A0FF95304F91027AE80DC75E1CB35AA64C740

Function 00007FFD9B7E77E9 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d652210ab94597df62ae0120b5660c53f392b72093c63c5f3f69ce4718fd672
Instruction ID: 35040d33cdfb65026941d445c500e9e3d248474c77d24cf9a1300382daf5ca79
Opcode Fuzzy Hash: 1d652210ab94597df62ae0120b5660c53f392b72093c63c5f3f69ce4718fd672
Instruction Fuzzy Hash: E90181B2E1660D5FEB54EFA8D4596EDFBA0EF90311F000279E418E72F2CA752949C741

Function 00007FFD9B7D05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8119ff4f15a11fd00ddf8bd7da0857200fb189c50710372c515c10d5721dadb
Instruction ID: fcb9fe86a04757e29d1bb7bd9f96406e69273e47ff8fcc2efc5a62ca8b5b00e9
Opcode Fuzzy Hash: a8119ff4f15a11fd00ddf8bd7da0857200fb189c50710372c515c10d5721dadb
Instruction Fuzzy Hash: 0CF0F630E0A64E8FEB65EF6494656FA37A0EF85308F91067AE80DC25F1CE35A654C740

Function 00007FFD9B7DBE09 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7da000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639cea9832d7ec7748c50afa6090ca468fdf2e09f387aea054d279e2b6ee4ffd
Instruction ID: 9f8822975043cc6dba0d28ecebf8ed8b4a17596baa3faa3001dd7710aac8434c
Opcode Fuzzy Hash: 639cea9832d7ec7748c50afa6090ca468fdf2e09f387aea054d279e2b6ee4ffd
Instruction Fuzzy Hash: 22018F3090E78E8FEB559B6488692A97BB0FF49200F4606AAD508C71B2DB3496188740

Function 00007FFD9B7DC1E9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7da000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e8cf68566903057f94fe86d89046e1a52675402241be970ae78d2011067adc
Instruction ID: ee0c58eebbd07f79daee8c16e38bc4312b6a0efde7c58926d1488caa75aa464a
Opcode Fuzzy Hash: e1e8cf68566903057f94fe86d89046e1a52675402241be970ae78d2011067adc
Instruction Fuzzy Hash: 2501A93090E78E8FDB559F7484651FA3FA0EF56300F4606BBD818C60B2DA38A654C741

Function 00007FFD9B7EB8B2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25171c3498e02e71c9a604325e962c3a687aef1d6ee522744445caa47d7280e6
Instruction ID: dbec7099214ffa496881a65ea4fac7c000387cf07636324ce73eedf552c046f6
Opcode Fuzzy Hash: 25171c3498e02e71c9a604325e962c3a687aef1d6ee522744445caa47d7280e6
Instruction Fuzzy Hash: AEF0F63194F3C99FD312CBB088654E57FB4AF47210B0901F6D085CB1B2C62C2616C792

Function 00007FFD9B7D2729 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cabe1dd4e939340124f6f78d382327c1450f4bc99c6804fcfe011bb9da13bd5
Instruction ID: b6cdfa39b0cf7229c054d6c70bc8f565ab002e5219791b10584da8755547d3e2
Opcode Fuzzy Hash: 0cabe1dd4e939340124f6f78d382327c1450f4bc99c6804fcfe011bb9da13bd5
Instruction Fuzzy Hash: B1F0F63090E38D8FD76A9F60C8642B93BB0FF46201F410ABED419C61E2DB38A558CB00

Function 00007FFD9B7E8024 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59292a58efa281a58adac7f1e8b6179bc94b92f3e686ff511894005d81427c01
Instruction ID: 1a3b8655964380f73c9e82fc472adc68af815cb7946ad787644c9c0fb10b98e6
Opcode Fuzzy Hash: 59292a58efa281a58adac7f1e8b6179bc94b92f3e686ff511894005d81427c01
Instruction Fuzzy Hash: 30F04930E09A2D4EEBA0EB64C8947A9B2A1FF95340F5002F5844DE2262DE302E858B41

Function 00007FFD9B7D279D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1964f9d34931efb9fe158e8bad4a955b5c34fc8c66386214d8975c1b555d2682
Instruction ID: a887dcef81628a67fd8a0c68b8b9fd2b87b3ff0785d5e18611bb74c2967031e2
Opcode Fuzzy Hash: 1964f9d34931efb9fe158e8bad4a955b5c34fc8c66386214d8975c1b555d2682
Instruction Fuzzy Hash: 40F0F630A0E78E8FE7699FA484251A93BA0BF45320F4506BED509C51F2DB399558C700

Function 00007FFD9B7F2627 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24dbb15faafbd0492509da3f8f685f8d13280454891a77f1b9043a34e8a04740
Instruction ID: ec2a0cad4f70ab1ac8b8d86f9dd2d8bba24658477c7166137ec04a8a9e50f700
Opcode Fuzzy Hash: 24dbb15faafbd0492509da3f8f685f8d13280454891a77f1b9043a34e8a04740
Instruction Fuzzy Hash: AAF0A73274D74A8FE7269798D8317E47B91EF42360F1A03BAD045CB6F2C56D9581C781

Function 00007FFD9B7DFCCB Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7df000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b8fd2be9deb6a7a98a815e191bc76a339df64e276144464be20823289dac27
Instruction ID: 6cddc8d2eeb6c717a239b0d7fa52c9da9cc1904035c5bdc774c343032c938a3a
Opcode Fuzzy Hash: f2b8fd2be9deb6a7a98a815e191bc76a339df64e276144464be20823289dac27
Instruction Fuzzy Hash: 88F0B770E4A62D8EEFA1DF58D854BEDB7B0FB58350F0106E9D10DE22A1CB346A948F50

Function 00007FFD9B7E782F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59672b57073183bff36dd38745251446cfd923e285139b4c1efb19f4856a1f2
Instruction ID: 8d6ceb4b26ac11d676e02ff8fe5b95fba589632c062c11aec51a417c36968f61
Opcode Fuzzy Hash: f59672b57073183bff36dd38745251446cfd923e285139b4c1efb19f4856a1f2
Instruction Fuzzy Hash: 68E04F75A1450D8FDB40EB89E841DEEFBB4EFC4320F400276E018E32E4CA7469868790

Function 00007FFD9B7F3740 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b9dc483877f23349f334657bca140a5909400e58566d6c9174dba4777809b8
Instruction ID: 0ec6a762fab307c8d169ef5c121a35bcde16924be967ab5519e9b97d729e6c97
Opcode Fuzzy Hash: 34b9dc483877f23349f334657bca140a5909400e58566d6c9174dba4777809b8
Instruction Fuzzy Hash: F9F05F70E1961D8FDB6CCF99C8A06ECBBB1BB48300F21016DD00EA7351CA342A80CF44

Function 00007FFD9B7DFC48 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7DF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7DF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7df000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa91ee89ef2ef130b2e401cfa6cb330d08b3668cc17d18171191f8e9bafbbabe
Instruction ID: fadd80f743c9ae4d402696f990cb9f0d687421a54200039892ca7f07f71c7cc1
Opcode Fuzzy Hash: aa91ee89ef2ef130b2e401cfa6cb330d08b3668cc17d18171191f8e9bafbbabe
Instruction Fuzzy Hash: A8F0AC70E0862E8BDB69DF49C8507ADB6B5EF94300F0142B6901D922A5CA345B849F41

Function 00007FFD9B7EF7D2 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edaf257eebf803e94ace99c8b501af186a17cda38a385dfdb899863ad9c8462f
Instruction ID: cd74631efedeb63ea571989f095bcf59f208072a3a0e4cc83b58fc92da9193f5
Opcode Fuzzy Hash: edaf257eebf803e94ace99c8b501af186a17cda38a385dfdb899863ad9c8462f
Instruction Fuzzy Hash: CFC01220B1E75E8FE3A25AB400A01782181AF0A2047A10DB6A00ACAABBC82E6A014250

Function 00007FFD9B7F13D0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6547e7e1f5e996259497afcffa46dc20f4bf09773b07f59a1c33663b678231f8
Instruction ID: 2070f1754520174ef898f85c15cf870149e0c97a89d24314c66e017dccab8c9e
Opcode Fuzzy Hash: 6547e7e1f5e996259497afcffa46dc20f4bf09773b07f59a1c33663b678231f8
Instruction Fuzzy Hash: 5DC0EA00F1F61E92E43472EF056107838816B44354EA20379D41E825B5A80D639925CB

Function 00007FFD9B7ED07B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df3d5426a5cbd7c111e9eb6d1bf0f3efd5ab79cdc683058eb422a10010bb25b
Instruction ID: 443a77d20913f34d54cc05a68fd9c925541e91b145b61dc316e8cfc08ed69f97
Opcode Fuzzy Hash: 4df3d5426a5cbd7c111e9eb6d1bf0f3efd5ab79cdc683058eb422a10010bb25b
Instruction Fuzzy Hash: 5BD0C924F0F74F85F23996D5403023D32968F40300E2A823DC09F458F1CD1DBB066211

Function 00007FFD9B7D4B8B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a62d0e45861a6616a1b15f344f0830dda966e8bb525cf26cad9e9d8ed721a2
Instruction ID: 40aec588929bac0607304cebfaf4f3bb4c06bba21e6bf962bde60a5c69440966
Opcode Fuzzy Hash: 29a62d0e45861a6616a1b15f344f0830dda966e8bb525cf26cad9e9d8ed721a2
Instruction Fuzzy Hash: 76C0E970A0A61D8AD7B4DA54C8606E872B5AB98380F5143F8D10ED71E1DD246BC55B54

Function 00007FFD9B7ED08E Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d31fcdba8a49d8914eb5164607dc00f5f35adfa20eb26a981774b937eaccab
Instruction ID: 8665ce31c48083eb5eea5e9a53d30e70722aae7f41be1d9d551595c08de86ace
Opcode Fuzzy Hash: 47d31fcdba8a49d8914eb5164607dc00f5f35adfa20eb26a981774b937eaccab
Instruction Fuzzy Hash: 20C01220A0E30B8BF23697A4803126537618F81300F2282B9C40A4A4B2C9287B46A221

Function 00007FFD9B7F2618 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95e1ffc57c41a9dfb59919410de8823a7e1738b26f17a0ea3a32d3899d1241b
Instruction ID: 97af4d33a42e5e9805487a3f09887be521c6f4990a44dee68972c40c0d1751e8
Opcode Fuzzy Hash: e95e1ffc57c41a9dfb59919410de8823a7e1738b26f17a0ea3a32d3899d1241b
Instruction Fuzzy Hash: ADC04C30B0E70B8AE77596E1C02063939919F85344F624579D04F96EF1CD39FA429755

Function 00007FFD9B7F1750 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba613bfd2a4de9e7d0b4427259cbd9f1d2ff0b32ae429630114d7fa9d5010f1
Instruction ID: 41fb67d76fda804195bd112a1e9b2a8fd895da851c5b7770f6ab32a2fac24506
Opcode Fuzzy Hash: 0ba613bfd2a4de9e7d0b4427259cbd9f1d2ff0b32ae429630114d7fa9d5010f1
Instruction Fuzzy Hash: EAA00204E9790E01D81831FA1D970A479555F89164FD61660E808809A6E98F56E902D7

Function 00007FFD9B7EC5C1 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e730ab2157b4d797773b2b4e7b4029a1790f1020a7bfd4f29e6fe6074300d5b
Instruction ID: 53fc022820208db2dce369d4ee9b3ef9f6ab7405f5b948b5b7a98ddc4db06f14
Opcode Fuzzy Hash: 0e730ab2157b4d797773b2b4e7b4029a1790f1020a7bfd4f29e6fe6074300d5b
Instruction Fuzzy Hash: 86B00209F4E30F57F53410F4087547E25510F59655F670F35E52B561F7ED5C3A401151

Non-executed Functions

Function 00007FFD9B7F0EFA Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1925826104.00007FFD9B7E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e1000_gqIYXW7GfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c436a03e46767f0c77cffa3f5865eaa4dfde80b85ce1cb1b009a79bcbfed5446
Instruction ID: 7fee0b96dac0d7a9c3215aa762ebc3b477ce8c392f34100cbfac366d9c7ed070
Opcode Fuzzy Hash: c436a03e46767f0c77cffa3f5865eaa4dfde80b85ce1cb1b009a79bcbfed5446
Instruction Fuzzy Hash: 90D1CE17E0E1D24BD316F77CA9798EA7FA09F4222D71E82F7E09D4E0E7DD0865488285

Analysis Process: NGtfpkeoDVuJA.exePID: 7512, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B7E3545 Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

X_H, xrefs: 00007FFD9B7E35CD

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID: X_H
API String ID: 0-215283271
Opcode ID: 791b3a8a96944ff0c79569baf5ad5ee3cd40db39bd772075b8b70994a8952273
Instruction ID: 8c9374deb60bcd11333e4e6fe836e40bd714c8e809c613050b8cd7cae64d9be6
Opcode Fuzzy Hash: 791b3a8a96944ff0c79569baf5ad5ee3cd40db39bd772075b8b70994a8952273
Instruction Fuzzy Hash: E5A1C271A1994E8FEB59EF68C865BEDBBE1FF95300F5102BAD009D32E6DB7428018740

Function 00007FFD9B7ED6B9 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

MM_H, xrefs: 00007FFD9B7ED76E

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7ea000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID: MM_H
API String ID: 0-1969015126
Opcode ID: 32f9f3b368a1f7a286d0b2deff21026af533bc89e8c201783fdcc4698810e9ec
Instruction ID: 946b048566db93fcbfdae00a3fd271975ce0049ae98f26f4e49c1b9ee47dadf0
Opcode Fuzzy Hash: 32f9f3b368a1f7a286d0b2deff21026af533bc89e8c201783fdcc4698810e9ec
Instruction Fuzzy Hash: 74E13E71E19A5D8FDB68DF98C8A47BCB7A1FF58300F4501BAD01DE72A6CA346940CB41

Function 00007FFD9B7EC5FB Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

~M_^, xrefs: 00007FFD9B7EC601

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7ea000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID: ~M_^
API String ID: 0-1662397256
Opcode ID: 7e85c348f5650722bff92a4ff28ec5bb3032c8ab7b566e1d72e55929fa0321ac
Instruction ID: 1439b65dad38af65197798614b0aa738d08769f5b078b8db48882a3cf9593883
Opcode Fuzzy Hash: 7e85c348f5650722bff92a4ff28ec5bb3032c8ab7b566e1d72e55929fa0321ac
Instruction Fuzzy Hash: AA41162BB0D35E4AE725BABCB9254FD7B60EF8133AB1A02B7D10DC50F3CE1865454260

Function 00007FFD9B7F2F38 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842b3304dc059beb41330138ad161829cdfb354627fe201e104035699fbb1451
Instruction ID: ee9a761470d59dead1898cae0983e026b48e58f7662e89e291185ffd85a97401
Opcode Fuzzy Hash: 842b3304dc059beb41330138ad161829cdfb354627fe201e104035699fbb1451
Instruction Fuzzy Hash: B641F352E0F7CA4EE712E7B888691A97FB0AF06214B4A46F7D098CB0F7EC1465048396

Function 00007FFD9B7F2FA8 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 230bab267ce1f64cf5ca730d1761a08968710ffbb3a8f268aa58c875d8194dad
Instruction ID: f1e9e0396cbfd2064d20e449829d051c7318c04e84b9587372eeebc65bda8c4c
Opcode Fuzzy Hash: 230bab267ce1f64cf5ca730d1761a08968710ffbb3a8f268aa58c875d8194dad
Instruction Fuzzy Hash: 35115461A0E7CA8FE75397B44C255A97FB0AF52204B4A05F7D498CB0F3E9186A14D362

Function 00007FFD9B7F3805 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb28fe384718efbdeab76449da917b30ea2c0d4087dc9d5ebef735eb592031b4
Instruction ID: 546181e2ac7e5cd72f7b4b5a60eb6bc67ece82e68824a0699de59439421ce27e
Opcode Fuzzy Hash: cb28fe384718efbdeab76449da917b30ea2c0d4087dc9d5ebef735eb592031b4
Instruction Fuzzy Hash: 42D1B970E1962D8EDBA4EB98C8A57ECBBF1FF58300F5141A9D00DE72A1DF345A848B54

Function 00007FFD9B7E1698 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2420f0523f38ab89cc718ca76cc2591474922638cc25121cacfb5b043fc2bfa5
Instruction ID: e79df68125193f4f8245083b36b8969c05c367275d4e44a04070f09410f2c09d
Opcode Fuzzy Hash: 2420f0523f38ab89cc718ca76cc2591474922638cc25121cacfb5b043fc2bfa5
Instruction Fuzzy Hash: 9F81C031B0DB494FDB58DE5C88665A977E2EF98304B15027AE45DC32B2DE34AD028781

Function 00007FFD9B7EC55D Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7ea000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c084af052dee6f7ae4370c9fd4bbad6fa1cb4ce31be35476ac26d719669e07d
Instruction ID: 37fcf13f561c5615c94bd6c033410e0ceaf214af0e7680d9ead6148dcdb126e3
Opcode Fuzzy Hash: 3c084af052dee6f7ae4370c9fd4bbad6fa1cb4ce31be35476ac26d719669e07d
Instruction Fuzzy Hash: E551282FB0D66A8AE325BBBCB8254FD7760EF80336B1946B7D109C50F3CE18754646A0

Function 00007FFD9B7F1C17 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20fd21976f54e9520a534d2655b716d41c8ce4623a3b0025f0f96db55c49d00
Instruction ID: fd3233e7ef3c8a484e3912be4228d5a99beb4fb5c5f3a0eda4d86d045796c902
Opcode Fuzzy Hash: b20fd21976f54e9520a534d2655b716d41c8ce4623a3b0025f0f96db55c49d00
Instruction Fuzzy Hash: 29710E70E09A1D8FDB94EF68C4A4BA8B7B1FF58305F5141B9D00DE72A5CE34A941CB40

Function 00007FFD9B7EBE89 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7ea000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e316d574bff14430731975de31865ad55f8528e9f1fcc8cea76cb634a055b9dc
Instruction ID: 12325667f84a403bbca3eafa8b777d6268ee7f7ce2408506670d46f56c4cc7cf
Opcode Fuzzy Hash: e316d574bff14430731975de31865ad55f8528e9f1fcc8cea76cb634a055b9dc
Instruction Fuzzy Hash: 1861FC74E1961D8FDB64EBA8C8A56EDBBB1FF59300F51027AD00DD72B2DE3869408B40

Function 00007FFD9B7E1CED Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a1d2b52982fb1fef5901df64a8779d29bf83c2c131d5b5712895c563b06c8e
Instruction ID: 293ce3a4bfb979f757d5d8bf1e230b16c3c8ac17dfb72b289afabd356ee81b97
Opcode Fuzzy Hash: 57a1d2b52982fb1fef5901df64a8779d29bf83c2c131d5b5712895c563b06c8e
Instruction Fuzzy Hash: 4051DD31B09B494FDB58DE5888655BA73E2FF98301B15427EE45EC72A2CE34ED028781

Function 00007FFD9B7F4F00 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8138473455f2ddb78b71722acc5b7579504affbf6c0cb898c7f0a3b6710766
Instruction ID: 96ecab24a3058b1f1d276b565503307f5c0be0453b08d9dbbb6c96476a662b46
Opcode Fuzzy Hash: 3b8138473455f2ddb78b71722acc5b7579504affbf6c0cb898c7f0a3b6710766
Instruction Fuzzy Hash: B9510171E09A1D8FDFA4EBA8D455BADBBF1FF58301F51016AD00DE32A5DE3469418B80

Function 00007FFD9B7E3191 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1353fc68447bc769c4817d90aaa279427554654414b4e9716ac54c43baa3aa
Instruction ID: 61789c457c93b375ab0606384aa5a6db3a400873fd9b3c7831c3c4a22ac21078
Opcode Fuzzy Hash: df1353fc68447bc769c4817d90aaa279427554654414b4e9716ac54c43baa3aa
Instruction Fuzzy Hash: 23511C71E0961D8FEB65EB94C464AEDBBF1FF58300F52027AD009E72B5DA386A44CB50

Function 00007FFD9B7F72C5 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b67abed173af2f488bccea082520e64648dc6da54a544dc4e4a8edac12f69c3
Instruction ID: 7111999c6c8b3a2ba41bf5d45834fbbca11871c0d8e15239054675db4a6ea1d5
Opcode Fuzzy Hash: 4b67abed173af2f488bccea082520e64648dc6da54a544dc4e4a8edac12f69c3
Instruction Fuzzy Hash: 5B514F70F0A35E9FEB65DFA4C4A46FD7BF0AF04310F12457AE409A62B1DA386A44CB45

Function 00007FFD9B7EADFD Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7ea000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c4c79a9a018066cc41158af41eab6e15a3840a1aae924a50e07d2605e72636
Instruction ID: f1d0795547b0fbf6d24e693fd1584006a9164118905a4abf9db97e2d2916fa41
Opcode Fuzzy Hash: 93c4c79a9a018066cc41158af41eab6e15a3840a1aae924a50e07d2605e72636
Instruction Fuzzy Hash: 93515171E0A61E8EEB64DFA4C4957ED77F1EF58300F0142B6D01DE72B1DA386A858B50

Function 00007FFD9B7F5D85 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ada5453ff4e4b36390411b96b18e616979f02661d49d4c9e88addb2aaf35aba
Instruction ID: 270bed0ab035c322bc7593306508a11ac5e68b02fb9ed325b21976ef4d4abbc9
Opcode Fuzzy Hash: 9ada5453ff4e4b36390411b96b18e616979f02661d49d4c9e88addb2aaf35aba
Instruction Fuzzy Hash: 8F51EC70E0961D8FEB68EB54C8657A9BAB1FF54301F1142BAD00EE32A1DF346A84CF45

Function 00007FFD9B7F237D Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be90fb5a0bcdbf4252dc286b4da5797093fb72662bb32951770998834862db2
Instruction ID: 381f6c29e322d7f0ba9596b73c9e22c89cc1d6f08b0bced7745d2a859c75ae09
Opcode Fuzzy Hash: 1be90fb5a0bcdbf4252dc286b4da5797093fb72662bb32951770998834862db2
Instruction Fuzzy Hash: DD415D30E1965D8FDB54EBE8C865AEDB7B1FF48300F410279E019E32A6CE3469418B81

Function 00007FFD9B7F6C39 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8d22d4933bd0a082a7e8f5ef9eb84d830082ce4ab14030bed493fac5b142db
Instruction ID: 20a8cdef527ed094264b780f0b9c53667947e3b1935a27d372fb51b116b8ff53
Opcode Fuzzy Hash: da8d22d4933bd0a082a7e8f5ef9eb84d830082ce4ab14030bed493fac5b142db
Instruction Fuzzy Hash: 0541C870B0A64E8AEB649BA4C8646ED7AE0EF14310F11027AD459C62F2CE38AA44C795

Function 00007FFD9B7F6B15 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871c9db3967682a693b4254070342a727baf3ed6ee9c74a23f42dbe4f469fa27
Instruction ID: d9c13072ef3bc4b4f83b3d84f993da0785c047b71781da88b46c2c3ae2ad1efb
Opcode Fuzzy Hash: 871c9db3967682a693b4254070342a727baf3ed6ee9c74a23f42dbe4f469fa27
Instruction Fuzzy Hash: 6721D131B0E64E8BEB69EFA488762B93BA0FF14300F0141BED41DC61B2DE35A550C781

Function 00007FFD9B7F7151 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13926747246aa0345102f21a8fd4ee1200b3ce64e8deaa9458d6c2eb9803ec4e
Instruction ID: ba6d2ac5b6b22c60871cd72609d976feb4847c9a649e813693c16af7f66b14a7
Opcode Fuzzy Hash: 13926747246aa0345102f21a8fd4ee1200b3ce64e8deaa9458d6c2eb9803ec4e
Instruction Fuzzy Hash: 56214F30F0A60E9FEBA4EFA888696BD7BF0FF58300F41057AD419C61A1DB34A6548780

Function 00007FFD9B7F1ED0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424a34724cee0793671b9b2e17018ab67b762f519b4c0b5de3d64eba8227559e
Instruction ID: d0dcfd890fe7d56d3c202bdd18578e9925eaae4d40d91b1055f298e68cde5eaf
Opcode Fuzzy Hash: 424a34724cee0793671b9b2e17018ab67b762f519b4c0b5de3d64eba8227559e
Instruction Fuzzy Hash: BF219F30A4E3CA4FD7569B7088655E57FF0AF07314F0A05FAD449CA4A3DA286946C751

Function 00007FFD9B7E2189 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd5cf436bb26961841da3d8e282f7beeaa4df175090f6589fb1b54ff03c048e
Instruction ID: a2d6fba657c20a3195b61ba6480929b4c06041c20cbf59ffb44737e44d192337
Opcode Fuzzy Hash: 7bd5cf436bb26961841da3d8e282f7beeaa4df175090f6589fb1b54ff03c048e
Instruction Fuzzy Hash: 1811BE30F1960E8FE715EBB488699B977E0EF46304F0245F6E41DC70B6EE38AA858751

Function 00007FFD9B7F7259 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144c47d1d25bd7ca9e6eb0bd543a9ec926ab1695930ab930c4232a14332f5a0a
Instruction ID: 16cbd833c4aacc9418bf10cef5114fba173ecf6581b63b8cb4a4234eda986b6b
Opcode Fuzzy Hash: 144c47d1d25bd7ca9e6eb0bd543a9ec926ab1695930ab930c4232a14332f5a0a
Instruction Fuzzy Hash: 0C218330F0A64E9FEB61EB6488695FD7BF0FF19304F410A76E418C60B5EE34A6548741

Function 00007FFD9B7F797D Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445e6d00623871f5a9068f507ffdf3dd564bf6ac570704033a30171307a0ac3a
Instruction ID: 61cb4a6038460cba416277904be3f37145363c67217de942d46b1771a20ca85f
Opcode Fuzzy Hash: 445e6d00623871f5a9068f507ffdf3dd564bf6ac570704033a30171307a0ac3a
Instruction Fuzzy Hash: 8721B031A4E78E9FEB69DF6488656BE7FA0EF05304F0205BED419C60F2DE346654C681

Function 00007FFD9B7E084D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d076ab6a8bddd30c588a0c05312e5cc69d2a948b747f9f18e48aab0842a9a9
Instruction ID: 025b66b69dc90df47ea2906d4dc01b441e90bc7fc32f9741df74bd2bf1cf6263
Opcode Fuzzy Hash: 23d076ab6a8bddd30c588a0c05312e5cc69d2a948b747f9f18e48aab0842a9a9
Instruction Fuzzy Hash: A8113630B0920E8FEB11EBB8C4A99E937E0EF45304F0645B6D419DB0BBDD34A544C291

Function 00007FFD9B7F69D1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69241cbee6a1f39724a3f8ddc5e9d8898fdfad2a6440481a8faeae587ea07f2e
Instruction ID: ba52cfd21f3ab1e4848d3ab844ef1a2aa239ee85b700274cc6a6d3bb49801783
Opcode Fuzzy Hash: 69241cbee6a1f39724a3f8ddc5e9d8898fdfad2a6440481a8faeae587ea07f2e
Instruction Fuzzy Hash: 3E11B170E0964E8FEB98EF6484692BD3BA1FF58300F0141BAD41DC61B5DE35A540C780

Function 00007FFD9B7E0A01 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798b7b6935e5a55f1a2173a88875d95e6eb9c792aaceb379d453690455ad1db0
Instruction ID: 8829da2b36ade883aada1e826a5f0d7cd01a4eb448d4d1c4b2724d466edb4f03
Opcode Fuzzy Hash: 798b7b6935e5a55f1a2173a88875d95e6eb9c792aaceb379d453690455ad1db0
Instruction Fuzzy Hash: E5119130E1960E8FEB50EFA8C85A9BD77E1FF58700F4246B6D41DC61B6EE38A5448740

Function 00007FFD9B7E0EFD Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbbf59bd9719152cf13a3f330f7c3c46c2c1efbca28cd1d419bd0887e4d265b7
Instruction ID: d234ab1b8bc8baf2b7d32f8d84e1674e1f4335649e9c53676f6c0cccd06cb5de
Opcode Fuzzy Hash: cbbf59bd9719152cf13a3f330f7c3c46c2c1efbca28cd1d419bd0887e4d265b7
Instruction Fuzzy Hash: AD212431F09A0E8BEB64EB94C865FEEB7B1EF54300F114275D009DB2B9DE34A9458B80

Function 00007FFD9B7F2E49 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e040a96ef224cc53c2d93eebf84246bc72ccc6d510b703da6ef09b202c1b1e
Instruction ID: 251ab89eae59735944102b681a79e055024b8f18fc96853bf91622c0a308f802
Opcode Fuzzy Hash: f0e040a96ef224cc53c2d93eebf84246bc72ccc6d510b703da6ef09b202c1b1e
Instruction Fuzzy Hash: 9B21D531A0E68A8FE752EBB4886C6E97FF1FF5A300F1505F6E448C7172DA286644C751

Function 00007FFD9B7F20E1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94182054105ca92d64308dccc6870d2807112c4f0313fc384b13f68e77c2e3b9
Instruction ID: c478bea09b290c29d7d6fd0aa78f3cf0788ef0bf20607f2e370efbf9d5d7bb66
Opcode Fuzzy Hash: 94182054105ca92d64308dccc6870d2807112c4f0313fc384b13f68e77c2e3b9
Instruction Fuzzy Hash: 3111BE30A0924D8FDB59DF68C4A55F93FE0FF59304F5202AEF84A832A1DA34A540CB84

Function 00007FFD9B7F6A75 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27e311ed50a98cc65b72684550dc3f0c9904cb0465759dbb140270211fa9ff7
Instruction ID: 013ff00d881c4579a215f0647eed92bbb053f7fbf5444ffe385eda572705e664
Opcode Fuzzy Hash: b27e311ed50a98cc65b72684550dc3f0c9904cb0465759dbb140270211fa9ff7
Instruction Fuzzy Hash: 8C11B130E0964E8FDB58EFA884696BD3BA0FF68300F0542BAD41DC61B6DE34A540C781

Function 00007FFD9B7F43C5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21db55df2f9101068357edfa52c3d17ef63d6378c34d983888f15cfae96ab1f
Instruction ID: b5d9d5cf3e93720672cfe91986895eb1802eeae84bf3023e7b996c009abfc445
Opcode Fuzzy Hash: d21db55df2f9101068357edfa52c3d17ef63d6378c34d983888f15cfae96ab1f
Instruction Fuzzy Hash: 0411A270E0D64E8FEB59EF6884692B97BE0FF58301F0201BED419D61B1DA346550C780

Function 00007FFD9B7F4329 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5341bbbb2b7fc823e6816eaf2b68aa5614f68f51d7ff705af262c953ff46bd6d
Instruction ID: fc580afce288e3764ae5094fe41cbf9483b9f597b0c1ed5971836e7c26ed6a51
Opcode Fuzzy Hash: 5341bbbb2b7fc823e6816eaf2b68aa5614f68f51d7ff705af262c953ff46bd6d
Instruction Fuzzy Hash: 37219D30A0D78E8FEB59EFA484652B97BA1FF59301F0602BED419D61A6DA34A540C781

Function 00007FFD9B7F48E5 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb720a565a679409863b7ef4f7313d5362a3b5a2c20f3a8305bca27d120dc54
Instruction ID: 329db558a0138cf4df528fdc3c2c2552688b26d1a64d3162e89c9d78d1557e71
Opcode Fuzzy Hash: 0cb720a565a679409863b7ef4f7313d5362a3b5a2c20f3a8305bca27d120dc54
Instruction Fuzzy Hash: 6311D071B0EB8A8BEB69DBA488B52B87AD0EF55304F0601BED01D865F2DE256510C641

Function 00007FFD9B7EC6C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7ea000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c4d0d9a2f784049087e8ca746d017fae9497f7327800bfc13745860fbc7c57
Instruction ID: 62c8a6f287aae0e5bfce910ea1179d5901dee1663a88113c1839a3bd2de1c70a
Opcode Fuzzy Hash: c4c4d0d9a2f784049087e8ca746d017fae9497f7327800bfc13745860fbc7c57
Instruction Fuzzy Hash: 05116D34A0A74E8FEB59EB7488695B93BB0FF15304F0205BBD419D61B2DE386A44C710

Function 00007FFD9B7F4C59 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf45ae9e55bbbb295ede5463a8c176d8466b68d8e3bff9bfd5a83a63995e7f4
Instruction ID: ec6e41dd1bdabac23c0bf1617c46a70b2a79f0ee1899c6af046a72ce5b562dea
Opcode Fuzzy Hash: adf45ae9e55bbbb295ede5463a8c176d8466b68d8e3bff9bfd5a83a63995e7f4
Instruction Fuzzy Hash: F911DD30E0A68E8FEB65EBA488696B97BB0FF19304F0105BED419CA1F2DE346540C741

Function 00007FFD9B7F24D1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11dca6dd68e5fecfffa00727ffc66e861230a9550a530da44098773b1d451ce8
Instruction ID: 360c32a84bf310932ca15cdf40b4e4106c8eabbbdfc93fdec5f6437d122ffc1a
Opcode Fuzzy Hash: 11dca6dd68e5fecfffa00727ffc66e861230a9550a530da44098773b1d451ce8
Instruction Fuzzy Hash: B111C470E0D65E8FE752ABB488685F97FE4EF1A300F0505B2E418C70B6EA34A644C741

Function 00007FFD9B7F6BAD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e621cf0eca817504e741c2beeb95de4bb5d69504da230bb840c913e4b2ccc71b
Instruction ID: 60efbb94df65f8b21b643469143a26453e694b80367193de72ee4f06d648d86d
Opcode Fuzzy Hash: e621cf0eca817504e741c2beeb95de4bb5d69504da230bb840c913e4b2ccc71b
Instruction Fuzzy Hash: AD112070B0A64E8FEB68EFA4C4656B93BE0EF28300F1102BAD41DC61F2CE34A540C781

Function 00007FFD9B7F70D1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd4f1584378570c3312eebbd928d3a1d934b00d6f1f0fff2ce50b92861ac66bd
Instruction ID: 85c902f9b8df714dd43abd9c9e0bf2c172106198488518d42e81584815a508d4
Opcode Fuzzy Hash: bd4f1584378570c3312eebbd928d3a1d934b00d6f1f0fff2ce50b92861ac66bd
Instruction Fuzzy Hash: 4C118E31A0A64E9FEB61EFA4C8586A97BF4FF19300F0509B6D419C70B1DA38A644C790

Function 00007FFD9B7E1140 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf7c77ba3bb7031308d9f201166358a122af64fdbda0e08385f9f0d2b7c1430
Instruction ID: 3662f187c08f0301d37186b3c001a57f64c1fc2552c126a858981d742ed6893a
Opcode Fuzzy Hash: fbf7c77ba3bb7031308d9f201166358a122af64fdbda0e08385f9f0d2b7c1430
Instruction Fuzzy Hash: CA11E570E0960E8AEB68EBA8C4697BE77E0FF59304F00057EE41AD65F1DE356650C740

Function 00007FFD9B7F4BCD Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c63e041fd6f0280a36c198b080321e56c4871193f355b3675c5bb7bcb38380
Instruction ID: 53dea1c79a67ec8ab9cf462f3d5a54c5f76e80ceefd18db18d87547af0291c3d
Opcode Fuzzy Hash: 92c63e041fd6f0280a36c198b080321e56c4871193f355b3675c5bb7bcb38380
Instruction Fuzzy Hash: 3111CE31A0968E8FEB58EBA488696B97BE0FF18304F0105BED41EC61E2DE346540C740

Function 00007FFD9B7F5CF9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b190659d05249c2b400efc6b20dab803bbc9e0afc681adbc5fbe2624b3b44d
Instruction ID: b576c882993442bc51c96a95fa22d80f1b56160befd8451cc1dafd0ee22d9e00
Opcode Fuzzy Hash: c2b190659d05249c2b400efc6b20dab803bbc9e0afc681adbc5fbe2624b3b44d
Instruction Fuzzy Hash: 7D119131E0E68E8FE751AB7488AD5A97FF0EF19300F0606B2D40CCA0B6DA34A544C751

Function 00007FFD9B7F4A0D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1d27f65bf572a954087f9b796d38a98b15a8a21291c59e9e2aa149e2704290
Instruction ID: f190844f2621dd13785291efed2afe44b77ce3ba9255f534feeffe00de6f20cb
Opcode Fuzzy Hash: ff1d27f65bf572a954087f9b796d38a98b15a8a21291c59e9e2aa149e2704290
Instruction Fuzzy Hash: 0D11DD70E0E68E8FEBA8EB6488692BD7AA0FF18300F0105BED019C61B2DE346540CB45

Function 00007FFD9B7E34C5 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6aa613daba8b0963965d3b78f7ed6649a19b3d60d4544aa6c9732c5c0c87a0
Instruction ID: 0ea4e29a4c0d0e1dce4da760db3ad5755ae372c0ff49500bf658117d26439517
Opcode Fuzzy Hash: fc6aa613daba8b0963965d3b78f7ed6649a19b3d60d4544aa6c9732c5c0c87a0
Instruction Fuzzy Hash: 9F113C70A1964E8FDB55EF64C8696BA77B0FF18304F4205BED419C61B1DA35A540CB10

Function 00007FFD9B7EBE09 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7ea000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404e2d308da1ac9b3dcf5305aa201686634a765f29ed4ec48a54c896fdfd568b
Instruction ID: 3045e498a18f452ee4a3736bb909e16804f4a877b83ac672d3cc2e6374b2b53f
Opcode Fuzzy Hash: 404e2d308da1ac9b3dcf5305aa201686634a765f29ed4ec48a54c896fdfd568b
Instruction Fuzzy Hash: 8D117030A0A74E8FEB55EB6488A96B97FF0FF19300F0505BAD419C61B2DB35A650C740

Function 00007FFD9B7EAF1E Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7ea000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbc5df70d4c68c538d656c81b30763efa704db3deeb524bc189afc866e2a3c0
Instruction ID: a49ca6d9a3489a5a4ed6ced50dce29f628164c6d7fc4c18b0b0788a4758017e9
Opcode Fuzzy Hash: dfbc5df70d4c68c538d656c81b30763efa704db3deeb524bc189afc866e2a3c0
Instruction Fuzzy Hash: 82111570E0A62D8EDF60DBA4C455AED77F1EF58300F1142B6D40DE32B1DB38AA858B40

Function 00007FFD9B7E2E31 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60fd50d2d1be3c0a3a46886e8a05c8d5640c109ca26c02374e7d74768c0d9030
Instruction ID: b9822aa60a2cf1f9bd42d47f2acf137c549acd1a0512c36a7f707f2b046d5dd7
Opcode Fuzzy Hash: 60fd50d2d1be3c0a3a46886e8a05c8d5640c109ca26c02374e7d74768c0d9030
Instruction Fuzzy Hash: A0018F30E1A75E8FE761EBA484599AA77E0EF19300F4245B6D40CCB0B6EE38E540C700

Function 00007FFD9B7EDC15 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7ea000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3c03ee38776e8312f4cb0178fefd55c8cbcdb8fd12732f8e34e8946b420d20
Instruction ID: 13d9d3009776089c77d7c52d8d3194376b75f73957abe80091c6691e59e37726
Opcode Fuzzy Hash: cb3c03ee38776e8312f4cb0178fefd55c8cbcdb8fd12732f8e34e8946b420d20
Instruction Fuzzy Hash: A9111C70E1A61D8FDB68DF94C8A4ABDB3B2FF58340F11427AD40AA72B1DB746940CB44

Function 00007FFD9B7E05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebb6c21e234a0a3bdbd8299dd427ecf642d165cd474ac3ed06ed359e77b97e9
Instruction ID: 75a94b7efd98b69b9b066d1c2c60441150caf154f7b2776d669f7cb7dcee7c51
Opcode Fuzzy Hash: 9ebb6c21e234a0a3bdbd8299dd427ecf642d165cd474ac3ed06ed359e77b97e9
Instruction Fuzzy Hash: 99018030A0560E8FDB59EF64C4666B977A1EF58304F61057AD41EC25F4CA31A650C740

Function 00007FFD9B7F3789 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b334cfcc304f31290eef243238d9d2a221fd787d4ca72b54b6d42dda8ab2f198
Instruction ID: e8d28c55fdcc9e77be1030d0e8517c38352a178b47d924d593bdeb7158ae200e
Opcode Fuzzy Hash: b334cfcc304f31290eef243238d9d2a221fd787d4ca72b54b6d42dda8ab2f198
Instruction Fuzzy Hash: D3019671F1964E9EEB51FBB488A85B97AF0FF18310F020676E41CC71B5EE34A6808761

Function 00007FFD9B7EABFA Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7ea000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27740b078acc9a473131c06b082be79a2acf15b819fab3991e4f1091160339c4
Instruction ID: 4484cdc67889e673804d6d5d3af29921cddab47dc562219dfeb4b5b25fad3478
Opcode Fuzzy Hash: 27740b078acc9a473131c06b082be79a2acf15b819fab3991e4f1091160339c4
Instruction Fuzzy Hash: 9701B971E0EB4E4FE761E76884A81B97BD0FF59314F1206B6D45AC30F2EE34A5448240

Function 00007FFD9B7EB98C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7ea000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b496b33f10078b24d891343983edb5555544f99b89664ba9383c845374512e0b
Instruction ID: c263cec0ad0fdb37fac6f57deea5c8a213233ac8cb3397d0507a6377a420d682
Opcode Fuzzy Hash: b496b33f10078b24d891343983edb5555544f99b89664ba9383c845374512e0b
Instruction Fuzzy Hash: DB014030A1964E8EEB54EF68C4A82BD7BE0FF18305F51057AD41AD22B1DE3566508740

Function 00007FFD9B7E280D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9824186c9d70eb8f167e58466353529c5cfbf21c6330658250eaab760f00126d
Instruction ID: e481ae0e336800f2b9303de39e94c6d04b775eac9d1173a9721bc28f653af0b1
Opcode Fuzzy Hash: 9824186c9d70eb8f167e58466353529c5cfbf21c6330658250eaab760f00126d
Instruction Fuzzy Hash: B9018F30E5A60E8FE761EBA488595B977F0EF59300F4245B6D418C60B6EE38E654C710

Function 00007FFD9B7F7909 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0fdea374931b6cfe2bd9e0adb20b4918f8591a1d423700aa42ceb561c3aa47
Instruction ID: 5e40c717ff1fd04e97fb0aa8329df8fe05652b5ed0461a2c83fd8d55f5ec93a6
Opcode Fuzzy Hash: 6d0fdea374931b6cfe2bd9e0adb20b4918f8591a1d423700aa42ceb561c3aa47
Instruction Fuzzy Hash: 70016D31A4E68E9FDB59DB6488656BD7FA0EF15304F0205BED009C60E2DA25A654C741

Function 00007FFD9B7EA789 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7ea000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8b6f58777cbf62a111a66123871fbc914ab7c190a57ebad19aaf5980ed6678
Instruction ID: c37e4298879f7e11eccf94436b0c592ef3fd3f6774df4f6814efe933988e4199
Opcode Fuzzy Hash: 5e8b6f58777cbf62a111a66123871fbc914ab7c190a57ebad19aaf5980ed6678
Instruction Fuzzy Hash: 4B017C30A5E74E8FE752EB6888685A97BF0EF19300F4649B6D409CB0B6EA38A5448711

Function 00007FFD9B7E2EA9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f6fcea65e3a9392a890c785f0d8f8cf22957da4a6b1eb3017db2430638ba89
Instruction ID: c3f639ea0485c816fc75c7695c9fb249511a910a272efa67aa92abc2db058b7c
Opcode Fuzzy Hash: 18f6fcea65e3a9392a890c785f0d8f8cf22957da4a6b1eb3017db2430638ba89
Instruction Fuzzy Hash: BA018431A0A74E9FE751E7B4885D5A97BE0EF05304F460AB3D018CB0B6EB38A654C711

Function 00007FFD9B7E33DC Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a98c84106bceea0117548fd5c39f342b08180e43798a410bb540ac8d61ef67
Instruction ID: 84b419b225b9ea2a6a09a7aefb02d41830ed0d710f6432af186c0b7d396212e6
Opcode Fuzzy Hash: 25a98c84106bceea0117548fd5c39f342b08180e43798a410bb540ac8d61ef67
Instruction Fuzzy Hash: E4014431E1991E8EEB52EB68C4585B9BBE0FF19304F020576D419D70B5DA34E5448750

Function 00007FFD9B7EF1C9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7EF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7ef000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd231af7372be9a9c096781b0605d19ae88aecec76c95c8e5f223781a63cf2f
Instruction ID: 0f8389fe71f3c57751201f23b7562f05d397e448e88f5c544174a22b4f50e42b
Opcode Fuzzy Hash: 9fd231af7372be9a9c096781b0605d19ae88aecec76c95c8e5f223781a63cf2f
Instruction Fuzzy Hash: AE11BE70E1965D8BDBA8DF2488657E8B6B1EF58304F4141F9915DE32A1DF342EC18F44

Function 00007FFD9B7F5054 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7f1000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4971c53b4c4d491380705e0e153a5bdda198a8e71bea4f86eb352f3f8e4ec8b
Instruction ID: af09bced771f6443bd9744e62ea396cfdd0b829367d4528cb6b260a4cbaf06f0
Opcode Fuzzy Hash: e4971c53b4c4d491380705e0e153a5bdda198a8e71bea4f86eb352f3f8e4ec8b
Instruction Fuzzy Hash: 8801DA35B09A2D8EDFA0EAA8D4657E8B7B1FF58300F4101B5D00DD3261DE3469458B94

Function 00007FFD9B7E0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2469da2b1b5b331aca3516ff07bdcf0069a1b71c8f46cab5cf328a6dbf443f02
Instruction ID: f31e1c7207844b9d830d083f79ad5afc88e9fc18d39795919b65d12913244a19
Opcode Fuzzy Hash: 2469da2b1b5b331aca3516ff07bdcf0069a1b71c8f46cab5cf328a6dbf443f02
Instruction Fuzzy Hash: 95018130A1560E8BEB69EBA4C4686B973E0FF18305F5109BED41ED61F5DE35B690CA00

Function 00007FFD9B7E0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50602c6836d913753d5f0e015b917dda75ed3fdfeec32aac098747b6c796c3d0
Instruction ID: fbf07ceec4f330f2b46aca7980fac30786f209bad93175c5fdcf7f17ae895dbe
Opcode Fuzzy Hash: 50602c6836d913753d5f0e015b917dda75ed3fdfeec32aac098747b6c796c3d0
Instruction Fuzzy Hash: 17018130A1960E8BEB68EBA4C4686BD77A0FF19305F51097ED41ED61F5DE35B690CA00

Function 00007FFD9B7E1C6D Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca43ae2bc8fce26392e4503d2010c4342df58ec46a90bf9b36a6409a0686620
Instruction ID: f1a32bcb6caf1a653441f840fffb17786255f923c5487ee1eedfda296e87d001
Opcode Fuzzy Hash: 6ca43ae2bc8fce26392e4503d2010c4342df58ec46a90bf9b36a6409a0686620
Instruction Fuzzy Hash: 86018130A0A64E8FDB559F5484666BA37A0FF55304F51057AE80DC65F1CB35A950C740

Function 00007FFD9B7E05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64156607bf7c18ab93df52d05987002ddc3717e33942b7614c437cfd0f5e5652
Instruction ID: 1f91c7b488d209ebef7cc993ba3dcf1b4c0887a4c5bbb2886d72d846ef9a4963
Opcode Fuzzy Hash: 64156607bf7c18ab93df52d05987002ddc3717e33942b7614c437cfd0f5e5652
Instruction Fuzzy Hash: C2F0C230E0A64E8FEB65EF6494666FA37A0EF45308F51057AE80EC25F1CE35A690C740

Function 00007FFD9B7E240C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e753fe402ed265a0732180e15034657216e26f1319b54b203ce91eb937cb9178
Instruction ID: e4b771a4add17d1d00e1f37439792e42959b4bdae21016c118425390f03861c1
Opcode Fuzzy Hash: e753fe402ed265a0732180e15034657216e26f1319b54b203ce91eb937cb9178
Instruction Fuzzy Hash: 7201CC30A0961D8EEB74EB80C8657EDB3A1FF56301F5142B9C04ED21B1DF782A888F00

Function 00007FFD9B7E23DE Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef52b49906195a7d7d11b063c63d888ed273ae6d6eaf4d1802e9e753937d9349
Instruction ID: e5164c7f1db9cc9dcaa34ee9d25554a0cf7cdfc0fdc8de8d5c1b3e433b02ce32
Opcode Fuzzy Hash: ef52b49906195a7d7d11b063c63d888ed273ae6d6eaf4d1802e9e753937d9349
Instruction Fuzzy Hash: 46F0CD31A4961D9EEB64EB80C8657ED73A1FF56301F5146B9C44ED21B1DE742A848F00

Function 00007FFD9B7E2729 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8adaf80777166e91bc59d1d22c71e2190fa742f148b4dd1049314cd21b74a9
Instruction ID: 0b2516705c18dee6b01dd89ee505a2a40ef71aa701d7e9377aff3c071adec39a
Opcode Fuzzy Hash: 8c8adaf80777166e91bc59d1d22c71e2190fa742f148b4dd1049314cd21b74a9
Instruction Fuzzy Hash: 13F0963191E38E8FD76A9F6488652B93BB0FF06204F4505BAD419C61F2DB78A554CB41

Function 00007FFD9B7E279D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874ac0021208f742ed06b03225ae6e969f84421b1763e5a7c83014f911a85599
Instruction ID: 389e4183e63f0a5e99ea6db9ca7025e633bf78f457688b438f52f598e5a0ed24
Opcode Fuzzy Hash: 874ac0021208f742ed06b03225ae6e969f84421b1763e5a7c83014f911a85599
Instruction Fuzzy Hash: 38F02B3091E78E8FE7699FA484251BD3BA0FF06310F4105BED509C50F2DB399554C700

Function 00007FFD9B7EFCCB Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7EF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7ef000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a5a71ea54bb4006919fdbdc31a384dae9b85e67216692e749e055e125d70b2
Instruction ID: d694b8c259115e6115da2382a5e51b0631a547a98d7d14e1b5770e4311ce3ae3
Opcode Fuzzy Hash: 01a5a71ea54bb4006919fdbdc31a384dae9b85e67216692e749e055e125d70b2
Instruction Fuzzy Hash: C4F0B770E4A62D8EEBA0DF58D854BEDB7B0FF18310F0105E9D00DD22A1CB345A908F40

Function 00007FFD9B7EFC48 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7EF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7ef000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa91ee89ef2ef130b2e401cfa6cb330d08b3668cc17d18171191f8e9bafbbabe
Instruction ID: bf77bb29d4743f302f75a41dba5088eabd4ac11d78829419a50478674670e6ff
Opcode Fuzzy Hash: aa91ee89ef2ef130b2e401cfa6cb330d08b3668cc17d18171191f8e9bafbbabe
Instruction Fuzzy Hash: DCF0AC70E0862E8BDBA9DF49C8507ADB7B5EF94300F0141B6901D922A5CA345B809F41

Function 00007FFD9B7E4B8B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1910751875.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9b7e0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a62d0e45861a6616a1b15f344f0830dda966e8bb525cf26cad9e9d8ed721a2
Instruction ID: a717ae1a23a0a560ef16894fa7a97f3d479d0fe9e6229c6c9a1565600b65f01c
Opcode Fuzzy Hash: 29a62d0e45861a6616a1b15f344f0830dda966e8bb525cf26cad9e9d8ed721a2
Instruction Fuzzy Hash: 9EC0C970A0A61D8AD7B0DA4888606E872B5AF08300F1141F8D10ED31F1CD242BC14B54

Analysis Process: NGtfpkeoDVuJA.exePID: 7536, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B7D3545 Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

Y_H, xrefs: 00007FFD9B7D35CD

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID: Y_H
API String ID: 0-219585648
Opcode ID: 175b2ac2e5b4b35c100814edc6e443c068c8b8e846238b18e60502bb6cf39829
Instruction ID: 9847461ceb5d97d0318b0148ab137f01fc9503cefeac330e8b2cfd84f6179a57
Opcode Fuzzy Hash: 175b2ac2e5b4b35c100814edc6e443c068c8b8e846238b18e60502bb6cf39829
Instruction Fuzzy Hash: 71A1D271A19A4E8FEB58DF68C865BED7BE1FF95350F4202BAD009D72E6CB7428058740

Function 00007FFD9B7DE622 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

D, xrefs: 00007FFD9B7DE694
}, xrefs: 00007FFD9B7DE659

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID: D$}
API String ID: 0-1468928041
Opcode ID: df837ae35575288543cc23feb6e94fa75cc9abedae94cae018d7da156a11d6c4
Instruction ID: ed55d0a101ca3cf80e9f3b630268c27f47b18048fb8a68c0c9d7041e1c5e5e07
Opcode Fuzzy Hash: df837ae35575288543cc23feb6e94fa75cc9abedae94cae018d7da156a11d6c4
Instruction Fuzzy Hash: BD21B770A0962D8FDB64DF54C854BEDB7B1FB94341F1186EAD00D922A1CB346A988F80

Function 00007FFD9B7DC97D Relevance: 1.9, Strings: 1, Instructions: 631COMMON

Download Yara Rule

Strings

JT_H, xrefs: 00007FFD9B7E588E

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID: JT_H
API String ID: 0-4219234576
Opcode ID: 3c8fad8d5e4ff5126c2820ede46ad7394bf14feb9b40135c5a2449fc953a8751
Instruction ID: 4ff42095cea049c13ea89c64a135588c16227f95e2a225918c080517118257c1
Opcode Fuzzy Hash: 3c8fad8d5e4ff5126c2820ede46ad7394bf14feb9b40135c5a2449fc953a8751
Instruction Fuzzy Hash: 43021A32B0DA4E4FDBA8EB6C94649F977D1EF98315B1502BBD40DC71B6DE24E9418380

Function 00007FFD9B7DD6B9 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

MN_H, xrefs: 00007FFD9B7DD76E

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID: MN_H
API String ID: 0-1998223119
Opcode ID: f464ea4b34c4173577da770eee94450a6d3157288aa889ef69766cdc2fc855ab
Instruction ID: d0646a166ff421bdff3f0877bd046e8872fcebe34ca25a7fa5c073bd5978e244
Opcode Fuzzy Hash: f464ea4b34c4173577da770eee94450a6d3157288aa889ef69766cdc2fc855ab
Instruction Fuzzy Hash: C3E15F71E19A5D8FDB68DFA8C8657BCB7A1FF98340F0542BAD01DD32A6CA346944CB40

Function 00007FFD9B7DC5FB Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

~N_^, xrefs: 00007FFD9B7DC601

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID: ~N_^
API String ID: 0-1632670993
Opcode ID: 2547248aeadcc49f845dd5e0b929a272dba301f7475c885d420f967a7622c1cd
Instruction ID: 7c1f7c815d88591aab801343ab2461d4afa8c8a099ccbcc77653b1e1e8aa761e
Opcode Fuzzy Hash: 2547248aeadcc49f845dd5e0b929a272dba301f7475c885d420f967a7622c1cd
Instruction Fuzzy Hash: A8411127B0D26A4AE725BAFCA9254FC7B60EF8137AF160377D10EC50E3CE1865494290

Function 00007FFD9B7E0BA7 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

,, xrefs: 00007FFD9B7E0E65

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6f2f1b3037ddd2d51f874ead499249d1b4e0204707032f5847dfa85e7ea034d8
Instruction ID: facd88dd0a8ecfa0c6fa0e91d329e29222d9a9ef5919c7885bf76e6e5c685c87
Opcode Fuzzy Hash: 6f2f1b3037ddd2d51f874ead499249d1b4e0204707032f5847dfa85e7ea034d8
Instruction Fuzzy Hash: 63011E31E0821D8BDB28DF94C8A66EDB371FF55311F01027AD1199B6B0CB746A54CF40

Function 00007FFD9B7D1698 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93088fab16dc344cc9c3d1846b6372b426ac436f51a50b44440152c584a0225
Instruction ID: 0dedca76ec801b5abe260bc1df29c5584893f924a280180941608d491ea67cc5
Opcode Fuzzy Hash: b93088fab16dc344cc9c3d1846b6372b426ac436f51a50b44440152c584a0225
Instruction Fuzzy Hash: 4A81DD31B0DB494FDB68DE5888615A977E2EFD8340B1547BEE49DC32A2DE30AD06C781

Function 00007FFD9B7DBE89 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730c904085a32cb3d3a5b019745c07e3d90c993619371aa2b88139aec7e71b9d
Instruction ID: 1c2f87baad96b4ad6a8e3fbaeba0db8ef94b5d4561bc2cec99576e2f01edda17
Opcode Fuzzy Hash: 730c904085a32cb3d3a5b019745c07e3d90c993619371aa2b88139aec7e71b9d
Instruction Fuzzy Hash: AD613E70E09A1D8FDB64EBA8C4656EDB7B1FF99340F41027AD00DE72A2DE346944CB40

Function 00007FFD9B7D1CED Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdac026b3c82c07383df9844d286a7512529da07899e668d052e1bf98ca60691
Instruction ID: 690f18597ecc4e9833a0e5c6a2fb829eb4c1f46ea7ccef808dd21535168e8bdc
Opcode Fuzzy Hash: bdac026b3c82c07383df9844d286a7512529da07899e668d052e1bf98ca60691
Instruction Fuzzy Hash: B751DC31B09B894FDB58CE5888645AA77E2FFD8341B15467EE45EC72A2CE34E8028781

Function 00007FFD9B7D3191 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62673aa7c3b86a7183d2a17c1b2dbf58763980c266b0ac08ee4ca4c58f4e39e3
Instruction ID: d8df24ec912f4eb6d8165a173d453788e17047b6ffed6451537cc70ee3d9e47b
Opcode Fuzzy Hash: 62673aa7c3b86a7183d2a17c1b2dbf58763980c266b0ac08ee4ca4c58f4e39e3
Instruction Fuzzy Hash: 4A515E71E0961D8FEB64DB98D4646FDBBF1EF98340F520279D009E72B1DA386A49CB10

Function 00007FFD9B7DADFD Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218366bdc2f96c0e54b6a700a0f2b8cdb295d3a7eb95ad6d87258097bfdfb59a
Instruction ID: 979c22c8ba709a09eb12d4ce70d02559b16aa05548a27d67ff26e6252774e535
Opcode Fuzzy Hash: 218366bdc2f96c0e54b6a700a0f2b8cdb295d3a7eb95ad6d87258097bfdfb59a
Instruction Fuzzy Hash: BD519270E0961E8EEB64DBA4C4557ED77F1FF98340F0546BAD01CE72A1DA386A898B40

Function 00007FFD9B7DCA1D Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf221b4685524015f15949f728dae9ebf3b6fb490abb85de675a0d48a31dfde6
Instruction ID: 4d47526ac0c56431c1efed771c8304f010db2027615ee7a97583018f621a24d8
Opcode Fuzzy Hash: bf221b4685524015f15949f728dae9ebf3b6fb490abb85de675a0d48a31dfde6
Instruction Fuzzy Hash: 5C21F437B08A6A8AD311BBBCE4192ED73E0EF84326B154677D14CC90A2DE34A1848380

Function 00007FFD9B7D33A0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c0b6291b773b0e9f6bc1e94aa0ea0ce0fa5821a9c3ee8ecabce7029349773b
Instruction ID: cf9f38c971341cd971d9ef021f250d6fadc3f76cf131981e89e4ae47e5135ebe
Opcode Fuzzy Hash: 22c0b6291b773b0e9f6bc1e94aa0ea0ce0fa5821a9c3ee8ecabce7029349773b
Instruction Fuzzy Hash: 2831D73194E38E8FD753DB7488585A97FF0EF46350B1606FBD045C70B2DA28A949C721

Function 00007FFD9B7D2189 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd9396850e8cc193cc1233caadd1f3924fbe78894a3365dfa037e83e6fb9d9c
Instruction ID: 0e2d91dc93f686994c6e6b79c314cde50edb80da2931f6a93da437d6a32236e5
Opcode Fuzzy Hash: 4fd9396850e8cc193cc1233caadd1f3924fbe78894a3365dfa037e83e6fb9d9c
Instruction Fuzzy Hash: FE11DF31B1D60E4FE715ABB488295A977E0EF86340F0246F6D41DC70B6EE28B6898611

Function 00007FFD9B7D084D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca27cbe481a1f69695db4acadabeb1e7b26e15ce0fb35496921328bf28494c03
Instruction ID: a1f0e0e0560f1b5bf1897d1b60b3bf60cf07ca4042140137860e5a332308cef9
Opcode Fuzzy Hash: ca27cbe481a1f69695db4acadabeb1e7b26e15ce0fb35496921328bf28494c03
Instruction Fuzzy Hash: 48113630B0924E8FEB11EBB8C4789E937E0EF85304F0656B2D419DB0BBDD34A158C291

Function 00007FFD9B7D0A01 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09e62cc4afa6930f67dead1ce1e06c5724fe888324f435543bb3b9b6a646002
Instruction ID: 152676c692b67c096c26da9f940e9cdc4a1c2d6b27f0e200a324d0fc19c816ac
Opcode Fuzzy Hash: b09e62cc4afa6930f67dead1ce1e06c5724fe888324f435543bb3b9b6a646002
Instruction Fuzzy Hash: 89119031A1960E4EE750EBA884685BD77A0FF98340F8256B6D41DC60B6DE34A648C700

Function 00007FFD9B7D0EFD Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74106c50aa566a820d76369de07c580f1e054c500ac018fe9555072bd87e5e99
Instruction ID: bb484c4fa78cc815b3d2fddd71116893e3fcf87e2ad5da375e541d39a974fd67
Opcode Fuzzy Hash: 74106c50aa566a820d76369de07c580f1e054c500ac018fe9555072bd87e5e99
Instruction Fuzzy Hash: AC215431F09A0E8BEB64DF94C464FEE77A1EB94340F115375C009D72A9DE34AA45CB80

Function 00007FFD9B7DC6C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e9e8d25efd332107f1ab3262318e7791e55c1cab44c5fba2e9314e7f79191c5
Instruction ID: 1e294cb2c094f808770aef6a97b023040c666366a839621b0fdb9db59cf66c88
Opcode Fuzzy Hash: 5e9e8d25efd332107f1ab3262318e7791e55c1cab44c5fba2e9314e7f79191c5
Instruction Fuzzy Hash: E9118F31A0A64E8FEB55EBB4C8695B97BB0FF55340F0106BBD41AC60B2DF346A54C750

Function 00007FFD9B7D1140 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afff5a060ea6dca98dc452cbde193fe170d071b2dfb0e7bc84c3bdd36d2c2517
Instruction ID: f78c0422d389606d53409ba04704985e0cd2fd397da96ff8c1bc6e9516a202db
Opcode Fuzzy Hash: afff5a060ea6dca98dc452cbde193fe170d071b2dfb0e7bc84c3bdd36d2c2517
Instruction Fuzzy Hash: 3311E970E0960E8AEB64DBA4C4687BA77E0FF99344F00067ED41ED65F1DE356654C600

Function 00007FFD9B7D34C5 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0acd61d669edf8dfed4f5e88e813c8636e66806857a1ebd99158feb1518fc093
Instruction ID: 7f7d84689eaafeb171017f781269b0e19e962b20fea0d74b1bfa5163f3838361
Opcode Fuzzy Hash: 0acd61d669edf8dfed4f5e88e813c8636e66806857a1ebd99158feb1518fc093
Instruction Fuzzy Hash: B0118E30A1964E8FDB54EF64C8686BE7BE0FF58304F4206BAD41AD71A2DA35A644C710

Function 00007FFD9B7DBE09 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae93daf5eab9dc38f7640ff2ba3ec718906b1582b52eb0fc1cd4d639fecf132
Instruction ID: bd1d422e6fc41d4afdfaf049e271fd27c540da4cd12c3739abaf8a57f3f6dd55
Opcode Fuzzy Hash: 9ae93daf5eab9dc38f7640ff2ba3ec718906b1582b52eb0fc1cd4d639fecf132
Instruction Fuzzy Hash: 5A117030E0A64E8FEB55EB6488696BD7BB0FF59300F4506BED419CB1B2DB34A654C740

Function 00007FFD9B7DC1E9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822596f7b89c731e81737f1e7d1eb787d2b63b3caa7b486e42904734c7341e22
Instruction ID: c4f50a7d7fe87afbad7b0a7b87af6f9382afb8c0031d6d0e596c782373dbd926
Opcode Fuzzy Hash: 822596f7b89c731e81737f1e7d1eb787d2b63b3caa7b486e42904734c7341e22
Instruction Fuzzy Hash: 1B11E530A0E74E8FDB59EF68C4651BA3BA1FF59300F5202BED419C60B2CA35A644C740

Function 00007FFD9B7DAF1E Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e601486f033cd2de794d68fc2c2204d824dc88f418f1d6ecdb730f4be1e213
Instruction ID: 3f6efb0a84c403972eb26cde0ff8e2671b5076a919318dfa992feaca05d67b51
Opcode Fuzzy Hash: 88e601486f033cd2de794d68fc2c2204d824dc88f418f1d6ecdb730f4be1e213
Instruction Fuzzy Hash: 4E110370E0A62D4EDF60DBA4C455AED77F1AF98340F5147B6D40CE32A1DA389A858B50

Function 00007FFD9B7D2E31 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21fbff8a65c33573ce007a7ef849b5662843dbd73675e8593555b95dcfa1c83
Instruction ID: 2a37891b090f5d98470794b1b5a3cb0b429685762edda98863f93f002cab0cba
Opcode Fuzzy Hash: f21fbff8a65c33573ce007a7ef849b5662843dbd73675e8593555b95dcfa1c83
Instruction Fuzzy Hash: 78018431E5A64E4FD751EBA4C458AAA7BE0EF59300F4246B6D40CC70B6EA34E554C700

Function 00007FFD9B7DDC15 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d920235da1f0ea758dc0828760b57b18e6ae5cf9deabefb38776bcb062234f
Instruction ID: e0f9edb76e6cc2d2fdb5ac8f83099ab2950fecf0041ccd75f96755dea4a99f87
Opcode Fuzzy Hash: d8d920235da1f0ea758dc0828760b57b18e6ae5cf9deabefb38776bcb062234f
Instruction Fuzzy Hash: 7E112B70E0A61D8FDB68DF90C864BADB7B2FB94341F110369D00EA72A1DB746944CB40

Function 00007FFD9B7D05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b49f00fe0fe556be4e2041fd7ae45a1c9fef86a534180b0365c215b02bcfd6
Instruction ID: da06b734a693aed83bcabe1eabd9a3e05bae32ae8920418a2896bebaf5069c30
Opcode Fuzzy Hash: b8b49f00fe0fe556be4e2041fd7ae45a1c9fef86a534180b0365c215b02bcfd6
Instruction Fuzzy Hash: C4019230A0560E8FDB69EF64C4656B977A1FF98344F61067ED40EC25F4CE31A654C740

Function 00007FFD9B7DABFA Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9996dc2f8b39dcd32f3e779a4463e22b643fdc2eca0b325963f40cde544373de
Instruction ID: d9366b0c32cf7f43b8d1f960bf766882b6e64d1fe1f44887fd517841eb3f22ce
Opcode Fuzzy Hash: 9996dc2f8b39dcd32f3e779a4463e22b643fdc2eca0b325963f40cde544373de
Instruction Fuzzy Hash: E701C461E0EA4E4FEB61A7A884681A97BD4FF99364F420776D51CC20F1EE24A5488240

Function 00007FFD9B7DB98C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70dba9fff00bfa5a092ff3add51731d9d032f2d46e8c62a41099ab054de835e4
Instruction ID: c6dfb170a4b42bb87c4db7481ad6bd6bdf55da4cf5be2a196ba0d2cef886b1af
Opcode Fuzzy Hash: 70dba9fff00bfa5a092ff3add51731d9d032f2d46e8c62a41099ab054de835e4
Instruction Fuzzy Hash: 57018C30E0964E8EEB94EF68C4A82BD7AE0FF58305F41067AD41AC62A1DE31A6448740

Function 00007FFD9B7E0AB0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b7938b3e4ba2981d9935e95b1f79fd934dc1a95c3ab1648601fc7c21364236
Instruction ID: 6c42730473f03f9df92e40627f36c2723524bc56bdeeca78847684fdc2139ea4
Opcode Fuzzy Hash: 95b7938b3e4ba2981d9935e95b1f79fd934dc1a95c3ab1648601fc7c21364236
Instruction Fuzzy Hash: 3A012C30A19A0E8FEBA4EFA8C4696BE77E0FF18305F51057AD41ED21B1DE71A690C740

Function 00007FFD9B7D280D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92d94d04e365950c6553aaf3e8deb40ec1e4640e1a8edea11d071621127aa04
Instruction ID: b39e8d39e402986e5b62e96b73f4cc4d975bdc2dba50694799658e60c51c6def
Opcode Fuzzy Hash: a92d94d04e365950c6553aaf3e8deb40ec1e4640e1a8edea11d071621127aa04
Instruction Fuzzy Hash: E0018430F1A64E8FD751EBA4C4585B977F0EF99301F4246B6D418C70B6DA38E659C710

Function 00007FFD9B7DE346 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0783fc9f3e96adaa4f54cfc247f1bfb90cce35d183bbb664bad25aa74adb53dc
Instruction ID: 9d6c0edf78b5942776e8e44e2b6567f00239e21fdb6e7bb5e244cc2b2e978ea7
Opcode Fuzzy Hash: 0783fc9f3e96adaa4f54cfc247f1bfb90cce35d183bbb664bad25aa74adb53dc
Instruction Fuzzy Hash: 1411E930E0976E8BEF79DF44C8547ADB6B2EF94301F0543AAD00DA22A0CB346A848F41

Function 00007FFD9B7E0A91 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb4bbe5beef64583baec743009d7c6682f16043d42f89e88322629833aa2ae9
Instruction ID: 305f651651cb4f176fd829168a309255262dd0ab0953e3234d03bf80225d9520
Opcode Fuzzy Hash: adb4bbe5beef64583baec743009d7c6682f16043d42f89e88322629833aa2ae9
Instruction Fuzzy Hash: 33F06231E1A74E8FDBA49FA4882A2FE7BB0FF15305F42067BE819D21B1DB7496548740

Function 00007FFD9B7DA789 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f1949aa539eece3aa54bdbdaf470adf70e02bda78795eb06dee8282d50967f
Instruction ID: 0ea6a612d497016cedf9d9fda9ad1375d5780e83d26e36a44cfa7010b9f8c64a
Opcode Fuzzy Hash: 93f1949aa539eece3aa54bdbdaf470adf70e02bda78795eb06dee8282d50967f
Instruction Fuzzy Hash: 8301D430A5E34E4FD712EB7488685A97BF4EF45310F460AF6D008CB0B6D934A648C311

Function 00007FFD9B7D2EA9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06fb32a7a07c697797d86be941978de871cf72a5f5826cdb35c64f6f5b072311
Instruction ID: 9975e90b26328cbc6c6d654f66fe139009f9277cea5fc96459756dd4651db3d8
Opcode Fuzzy Hash: 06fb32a7a07c697797d86be941978de871cf72a5f5826cdb35c64f6f5b072311
Instruction Fuzzy Hash: C0018431A0A74E8FE751E7B4C85D5A97BE0EF45300F460AB7D018DB0B6EA38A648C711

Function 00007FFD9B7DF1C9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b69d46824f516d740a1994dfa8396d3e5df7cf5e7143e380416e2e3f944723
Instruction ID: 4f2fd33b9cf0126bf7647aa0191db4938cc030a3958b1c581d7432a6b526acb0
Opcode Fuzzy Hash: 40b69d46824f516d740a1994dfa8396d3e5df7cf5e7143e380416e2e3f944723
Instruction Fuzzy Hash: 9811BE70E1965D8BDBA8DF2488657E8B6B1FF58304F4142F9915DE32A1DE342EC18F44

Function 00007FFD9B7D0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8954c9241c1e45c4340fdc93e9350069b8b77f275f82500965691e46de3c040
Instruction ID: bdfd96ad7de74750f962e86a0566ea4bd128de876d6a9ee612ca983b8f319f9f
Opcode Fuzzy Hash: b8954c9241c1e45c4340fdc93e9350069b8b77f275f82500965691e46de3c040
Instruction Fuzzy Hash: 4601D130A1560E8BEBA8EBA4C4686B973E0FF48305F500A7ED41EC21F0DE35B645CA00

Function 00007FFD9B7D0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668e4b173e94d043739cdabff8f16a002c24369cfd84ba413b57be0a243bbedd
Instruction ID: 8fc4caddc966d7c320cae4477ea784e0d5194dcce837976955988c1785f54915
Opcode Fuzzy Hash: 668e4b173e94d043739cdabff8f16a002c24369cfd84ba413b57be0a243bbedd
Instruction Fuzzy Hash: 4401D130A1960E8BEB68EBA4C4686BD77A0FF58315F100A7ED41EC21F5DE35B695CA00

Function 00007FFD9B7D1C6D Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aece6cb90d4f6e041052d8d5d8c667f263b7cf5657fbcf0da9b71c35bafb7fa
Instruction ID: dfe9041a5faccd8d34fd7ddb45d46cd04ecaf7913c8afc7060d5eb6b89c26002
Opcode Fuzzy Hash: 8aece6cb90d4f6e041052d8d5d8c667f263b7cf5657fbcf0da9b71c35bafb7fa
Instruction Fuzzy Hash: FCF0F430A0A74E8FDB55DF2084656BA37A0FF95304F91027AE80DC75E1CB35AA64C740

Function 00007FFD9B7D05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8119ff4f15a11fd00ddf8bd7da0857200fb189c50710372c515c10d5721dadb
Instruction ID: fcb9fe86a04757e29d1bb7bd9f96406e69273e47ff8fcc2efc5a62ca8b5b00e9
Opcode Fuzzy Hash: a8119ff4f15a11fd00ddf8bd7da0857200fb189c50710372c515c10d5721dadb
Instruction Fuzzy Hash: 0CF0F630E0A64E8FEB65EF6494656FA37A0EF85308F91067AE80DC25F1CE35A654C740

Function 00007FFD9B7D2729 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cabe1dd4e939340124f6f78d382327c1450f4bc99c6804fcfe011bb9da13bd5
Instruction ID: b6cdfa39b0cf7229c054d6c70bc8f565ab002e5219791b10584da8755547d3e2
Opcode Fuzzy Hash: 0cabe1dd4e939340124f6f78d382327c1450f4bc99c6804fcfe011bb9da13bd5
Instruction Fuzzy Hash: B1F0F63090E38D8FD76A9F60C8642B93BB0FF46201F410ABED419C61E2DB38A558CB00

Function 00007FFD9B7D279D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1964f9d34931efb9fe158e8bad4a955b5c34fc8c66386214d8975c1b555d2682
Instruction ID: a887dcef81628a67fd8a0c68b8b9fd2b87b3ff0785d5e18611bb74c2967031e2
Opcode Fuzzy Hash: 1964f9d34931efb9fe158e8bad4a955b5c34fc8c66386214d8975c1b555d2682
Instruction Fuzzy Hash: 40F0F630A0E78E8FE7699FA484251A93BA0BF45320F4506BED509C51F2DB399558C700

Function 00007FFD9B7D4B8B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1910088011.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7d0000_NGtfpkeoDVuJA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a62d0e45861a6616a1b15f344f0830dda966e8bb525cf26cad9e9d8ed721a2
Instruction ID: 40aec588929bac0607304cebfaf4f3bb4c06bba21e6bf962bde60a5c69440966
Opcode Fuzzy Hash: 29a62d0e45861a6616a1b15f344f0830dda966e8bb525cf26cad9e9d8ed721a2
Instruction Fuzzy Hash: 76C0E970A0A61D8AD7B4DA54C8606E872B5AB98380F5143F8D10ED71E1DD246BC55B54

Analysis Process: RuntimeBroker.exePID: 7596, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B803545 Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

V_H, xrefs: 00007FFD9B8035CD

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: V_H
API String ID: 0-105569101
Opcode ID: 4d9204a1ae1681557a6eed95d39559992ef66d94e652cca2af8c90f377551d17
Instruction ID: a6dc89c2cb70c235db19ef0d8846690187133f71ef6ef4531524be4e359c1f66
Opcode Fuzzy Hash: 4d9204a1ae1681557a6eed95d39559992ef66d94e652cca2af8c90f377551d17
Instruction Fuzzy Hash: A9A1DE71A1994E8FEB98DF68C8657ED7BE1FF99344F4002BAD009D32E6DB7468028740

Function 00007FFD9B813EE8 Relevance: 1.2, Instructions: 1169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ba4f5929fe5a41cfc56e39f2bba76078b6d54224534f9a40d4bad4b1cff332b
Instruction ID: b1ddbcf21a68d87cc398fc851fda8549c1a7f4591b979932da24ca26f855cd7b
Opcode Fuzzy Hash: 4ba4f5929fe5a41cfc56e39f2bba76078b6d54224534f9a40d4bad4b1cff332b
Instruction Fuzzy Hash: 5A92A531E0F68E8FE7559F7488296F97BE0FF1A300F0515BFD858C61A2DA286644CB51

Function 00007FFD9B814058 Relevance: 1.0, Instructions: 1025COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91c5e1c7012cb373557c6e21df0de5dca18b776e821c069a909837a9e4f9ca9
Instruction ID: d26cb818df298fa14d65b06011e1cb7bb449a7025745d9dcc7a3407365b91341
Opcode Fuzzy Hash: f91c5e1c7012cb373557c6e21df0de5dca18b776e821c069a909837a9e4f9ca9
Instruction Fuzzy Hash: 9D829430E1E68E8FEB559F6488296F97BE0FF1A300F4515BFD818C61E2DA386644CB41

Function 00007FFD9B8142AC Relevance: .8, Instructions: 847COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a1bd49424aa9ac59dbb307c4ab9b0e4757a467080300ee336db75694074e88f
Instruction ID: dc1cfa490c78d2f8eefeb1e69695d36d3462f076e31a7aceecb2a0f952f81fc4
Opcode Fuzzy Hash: 9a1bd49424aa9ac59dbb307c4ab9b0e4757a467080300ee336db75694074e88f
Instruction Fuzzy Hash: 2E529430E1E68E8FEB55DF6488296F97BE0FF1A300F0515BED818C61A2DA786644CB51

Function 00007FFD9B8133C0 Relevance: .8, Instructions: 847COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0c3fa1bda5e064b378891547042a5df45b365e490335fe0eac3df41d08780a
Instruction ID: 1fa2326338a998d0dab08e096c1608dd91a235521b2d8ae45867b3d8eb5c3e51
Opcode Fuzzy Hash: 7a0c3fa1bda5e064b378891547042a5df45b365e490335fe0eac3df41d08780a
Instruction Fuzzy Hash: DF52A330E1E68E8FEB55DF6488296F97BE0FF1A300F0515BFD818C61A2DA786644CB51

Function 00007FFD9B813398 Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da45206d013569e0c2ad5810cc6883fc8d17f4034db129bd2c788dbde2579891
Instruction ID: b78780392658927d8a9c4f2fa287bdc08bc50bb23a98ea92606b862b812eec31
Opcode Fuzzy Hash: da45206d013569e0c2ad5810cc6883fc8d17f4034db129bd2c788dbde2579891
Instruction Fuzzy Hash: 5452C470E0E68E8FEB55EF64C8695B97BE0FF1A304F0605BED419C71A2DA34A644CB41

Function 00007FFD9B8143D8 Relevance: .8, Instructions: 754COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589fbc936708363ecdd560c885dd7c2152e82ac13dbf368279ca68cc8f1513b4
Instruction ID: 20017aa7d229051ad24b7dbe996a3be7a3e2fb82956c08cc2c352f60a3bbdae0
Opcode Fuzzy Hash: 589fbc936708363ecdd560c885dd7c2152e82ac13dbf368279ca68cc8f1513b4
Instruction Fuzzy Hash: 5242A530E1E68E8FEB55DF6488296F97BE0FF1A300F0515BED818C61E2DA386644CB51

Function 00007FFD9B815A31 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af820c99b97e8b781f175ae72ec3cc0a4587399dd5719a4e2c9faf82d098bb0b
Instruction ID: b4256284ac672e13a7209b09664f721b56149dbdbe7a067c3520c05741092f53
Opcode Fuzzy Hash: af820c99b97e8b781f175ae72ec3cc0a4587399dd5719a4e2c9faf82d098bb0b
Instruction Fuzzy Hash: 6CE1AE30E0A64E8FEBA5EF64C8696FA7BB1FF19300F0145BAD419C61A6DF346644CB41

Function 00007FFD9B8168B0 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77290a61de3d813de3c53d60bcda0d9d4ac62e1b5cd0e6a80dddb4af300b5533
Instruction ID: 5eb3bcc1c8aa300feb077296c5eecdf8abb5fd904b65984396a547829e412f79
Opcode Fuzzy Hash: 77290a61de3d813de3c53d60bcda0d9d4ac62e1b5cd0e6a80dddb4af300b5533
Instruction Fuzzy Hash: 1AB1FEB190E68E8FDB56DF6488696A93FB0FF1A300F0640FBD489C71A3DA386645C751

Function 00007FFD9B813388 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8dbaa471fabb972cd5a560bffbd8eaee4b4187407873b6aa912c9f57c183db
Instruction ID: ea3f0230345f2476e31993abfd77daa58f841a8ac152d8325a0423cd4bd79676
Opcode Fuzzy Hash: 7a8dbaa471fabb972cd5a560bffbd8eaee4b4187407873b6aa912c9f57c183db
Instruction Fuzzy Hash: 06A1C130E0A68E8FEB55EF6484696B97BE0FF1A304F0505BED419C61A6DE386644CB41

Function 00007FFD9B80D6B9 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

MK_H, xrefs: 00007FFD9B80D76E

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B80A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b80a000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: MK_H
API String ID: 0-1909568996
Opcode ID: 6bb3983e40b95a3558ca4d5043d99303f5b2b96e4c206773cc66c9bc9c0ded98
Instruction ID: 253562b8d3256a0045f1bfff03d9acfc0c0fe0937d9e312900157c74497b89a6
Opcode Fuzzy Hash: 6bb3983e40b95a3558ca4d5043d99303f5b2b96e4c206773cc66c9bc9c0ded98
Instruction Fuzzy Hash: DFE14C71E19A5D8FEBA8DFA8C4A47F8B7A1FF58340F0541BAD45D932A6CA346940CB40

Function 00007FFD9B80C5FB Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

~K_^, xrefs: 00007FFD9B80C601

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B80A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b80a000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: ~K_^
API String ID: 0-1738233850
Opcode ID: 0b14807d506a93deeeeea845c9492c848649638dd837a992d9d2d37a814ec147
Instruction ID: 016cba7c38d011b4360abbe3aac18fce3bba058d3346511d95a362e49e2cd5bf
Opcode Fuzzy Hash: 0b14807d506a93deeeeea845c9492c848649638dd837a992d9d2d37a814ec147
Instruction Fuzzy Hash: 75414627F0E25A4AE765BBECB8284FC7B60EF85379B16027BD06DC50D3CE1865444A60

Function 00007FFD9B81789C Relevance: .9, Instructions: 909COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a44695aceb3ebfeb2a5c69dc58b70f4fe9cb6813c7a1a86834223a39034e79
Instruction ID: b4163e891ade42ad1201e1016035099327e1ecec961441f7d116d861bc9b02be
Opcode Fuzzy Hash: 11a44695aceb3ebfeb2a5c69dc58b70f4fe9cb6813c7a1a86834223a39034e79
Instruction Fuzzy Hash: AA519274A4B68E8FDB59EF64C8695BD7BA0FF19304F0114BEC419C61E2DA396644C701

Function 00007FFD9B814648 Relevance: .6, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8aa3243fd82f3aaa3c4f5532821b314fcd9fd986d11b5e2f0bc133218b9763a
Instruction ID: efcbd18c827f3ea5d35c8d1911a71ef0ff4fba937fd73114ac1b4da8028bfe7b
Opcode Fuzzy Hash: a8aa3243fd82f3aaa3c4f5532821b314fcd9fd986d11b5e2f0bc133218b9763a
Instruction Fuzzy Hash: 0B12A530E1E68E8FEB559F7488296F97BE0FF1A300F0515BED818C61E2DA3865448B52

Function 00007FFD9B812F38 Relevance: .5, Instructions: 516COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a184808eeebf0c209f835bfb952885ae903f2db73c65547305db4f9baa134602
Instruction ID: 82198ee7a84a30db8cf720caf934900c22db1b78a57070ddb1044acfe666bd8d
Opcode Fuzzy Hash: a184808eeebf0c209f835bfb952885ae903f2db73c65547305db4f9baa134602
Instruction Fuzzy Hash: 864129A2E0F6CA4FE766ABB84C655A97FB0FF16214B0900F7D498CB0E7ED14A5448351

Function 00007FFD9B814748 Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3e07f3540b75cbdf9db6de117dfc26abfd638351cd85a0d543f4e7df233d26
Instruction ID: 4cb581654acd63b24e4e957d40ccf00d137106cc037578a6581ecd9a434605ef
Opcode Fuzzy Hash: 0e3e07f3540b75cbdf9db6de117dfc26abfd638351cd85a0d543f4e7df233d26
Instruction Fuzzy Hash: 0D02B430E1E68E8FEB55DF6488296F97BF0FF1A300F0515BED819C61E2DA3865448B51

Function 00007FFD9B812FA8 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87cd79be7e2b7e35346ee84a785995979553212f38e6746ba50fb4787a395ca7
Instruction ID: 4a0a827a70f4b85764efaa1748b875571b43d607c6e1001882123868a95cfa57
Opcode Fuzzy Hash: 87cd79be7e2b7e35346ee84a785995979553212f38e6746ba50fb4787a395ca7
Instruction Fuzzy Hash: 10119661A0F7CA9FE71397B45C255697F70AF46204F0A04FBD498CB0E3E9146A54C352

Function 00007FFD9B813789 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237b9e490331ce19113c0fab0817f8ec1825923462647bf68c7dae3539a9f9b7
Instruction ID: a7dafbefcc643ecf79af75e7453305d2c5631121580d001ca9f88edcb6e04c6d
Opcode Fuzzy Hash: 237b9e490331ce19113c0fab0817f8ec1825923462647bf68c7dae3539a9f9b7
Instruction Fuzzy Hash: EBE1DB70E1A62D9EDBA4EB98C8557EDB7F1FF58300F5151BAD00DE3291DE346A848B10

Function 00007FFD9B8148F8 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258c896e23c7231c6d8f5ac367c6e31242bb2d7a5d842a67706e1a6cdb4dece3
Instruction ID: b80d567c91e6f5ea06b47362ad8b4d618832134f7ffc013f8cd9a28f0e16d38e
Opcode Fuzzy Hash: 258c896e23c7231c6d8f5ac367c6e31242bb2d7a5d842a67706e1a6cdb4dece3
Instruction Fuzzy Hash: DAD1A230E1E68E8FEB55DF6488296F97BF0FF0A300F0515BED819C61E2DA7865448B42

Function 00007FFD9B8170D1 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0804e44ba16043ae2c682de8728503eff3f565d4c11e0ea251e2d4e18c7753
Instruction ID: 275ddb2587f9e28c45a0c27fb9a8329009532ff9b75bdcbc7c331e8eb6892bb8
Opcode Fuzzy Hash: ed0804e44ba16043ae2c682de8728503eff3f565d4c11e0ea251e2d4e18c7753
Instruction Fuzzy Hash: 06D17F74E0A64E8FEB65EFA4C4646FD7BF0EF19300F4114BAE419D71A1DA38A644CB01

Function 00007FFD9B814AB0 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216960bf8732fd1076f409f345a4597fb643d2a753f767a64f1c72b725536cc1
Instruction ID: d300969fe98d1fa4753072ee1e79fc377832db632f5eeae427850a7f2d85d456
Opcode Fuzzy Hash: 216960bf8732fd1076f409f345a4597fb643d2a753f767a64f1c72b725536cc1
Instruction Fuzzy Hash: 10B18E30A0A64E8FEB95EFA488696BE7BF0FF19300F0545BED419C71A6DE346644CB41

Function 00007FFD9B801698 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d0385bf4e81f57dd364e462f83f03cf7a68ceb5eae54ccb71337cfac904d72
Instruction ID: 5586dd3f01e968ecdc0b27a9d83bb8746042aa6bced94370fb7aa39a08ef36cc
Opcode Fuzzy Hash: d7d0385bf4e81f57dd364e462f83f03cf7a68ceb5eae54ccb71337cfac904d72
Instruction Fuzzy Hash: B681D031B0DA4D4FDB58EF5C88615A977E2EF99760B15027EE49DC32A2DE30AD028781

Function 00007FFD9B812000 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d7ded4b8c6057fa0a5bffb36837dfeffc7992a416bc0aea228249a18051bf3
Instruction ID: 05aa601c1c7f27aaa0e711d37c244ff2d6c5d17ad6cf82a57314e73f82e69532
Opcode Fuzzy Hash: 77d7ded4b8c6057fa0a5bffb36837dfeffc7992a416bc0aea228249a18051bf3
Instruction Fuzzy Hash: A9917B30E0A64E8FEB54DFA4C4696FD7BE0FF1C308F11157AD419D21A5DA38A644CB40

Function 00007FFD9B814E08 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b6bb0b60c95f99a78a0ac8be3db5ed9f32a452dbbdc006a339378c9b0650fd
Instruction ID: 8d7997ee6fbf8416a47ef657e2a1f9175ef0237a7147bb1e163693a7d260ba3a
Opcode Fuzzy Hash: e1b6bb0b60c95f99a78a0ac8be3db5ed9f32a452dbbdc006a339378c9b0650fd
Instruction Fuzzy Hash: 0F816D30E1AA5D8FEBA4EFA8D8696ED77B1FF59300F41107AD40DD32A2DE3469448B40

Function 00007FFD9B814AA8 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd849e71e2bc8ba3bfec2e04a4e6da2efe223d03a3b0d26935699fb168c5adf
Instruction ID: 4d0d300699407a0b85f9728166994140ce35a4f8831ceff4f6a89ce85196222b
Opcode Fuzzy Hash: cfd849e71e2bc8ba3bfec2e04a4e6da2efe223d03a3b0d26935699fb168c5adf
Instruction Fuzzy Hash: 2E81B530E1A68E8FEB55DF6488296FD7BF0FF19300F4505BED819C61E2DA7865448B41

Function 00007FFD9B80C55D Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B80A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b80a000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12480e5d42aa8050a2bc08890c0f4850f9441bb64776f022c8592792072f064
Instruction ID: dbf28e62a2db2b3c79a811ae209ac6a41935134fb4bdcb187d28a7d1d7f4b402
Opcode Fuzzy Hash: e12480e5d42aa8050a2bc08890c0f4850f9441bb64776f022c8592792072f064
Instruction Fuzzy Hash: 7151692BB0D56A4AE328BBACF8290FC3760EFC437AB15527BD1A8C50D3DE1875454A90

Function 00007FFD9B811C17 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683c0838ce921f7057ae743d2f95abe2e31f94496e94addd3cf0d6dacb0e3600
Instruction ID: 8986417349a5464b8200d932261118c6ac95fad2dd3d979762253ccabd40e592
Opcode Fuzzy Hash: 683c0838ce921f7057ae743d2f95abe2e31f94496e94addd3cf0d6dacb0e3600
Instruction Fuzzy Hash: F071DB70E1991D8FEB94EFA8C8A4BA8B7B1FF58305F5041B9D00DD7295DE34A981CB40

Function 00007FFD9B80BE89 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B80A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b80a000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1973ebc396562411c2f36849ed759e5fc311f48bb128c3e2d5da4cac06e5a3f
Instruction ID: 771d6068fda6270b813a5e28f8ee9ce8a81453fcd5cbf42a3f6d1feb4f3fc9ee
Opcode Fuzzy Hash: a1973ebc396562411c2f36849ed759e5fc311f48bb128c3e2d5da4cac06e5a3f
Instruction Fuzzy Hash: 05611A70E19A1D8FEB64EBA4C4656EDB7B5FF59340F41007AD04DE72A2DE386A40CB40

Function 00007FFD9B815C80 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a6ca974d427cd5fdaf8308cea6490c575d002bc6ff26f98a741658d559a221
Instruction ID: cf18aa7d0a691a3594c8311be1079586f9efbc64310d31d6513ba3c980b61d01
Opcode Fuzzy Hash: 89a6ca974d427cd5fdaf8308cea6490c575d002bc6ff26f98a741658d559a221
Instruction Fuzzy Hash: 31711070E1A65D8FEB64EF64C8697ED76B1FF19300F0151BAD44DD22A2DB386A84CB01

Function 00007FFD9B814E88 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5535f944af204017209c3586b667b3e5155cfb606d40af66d93058d131608dc5
Instruction ID: 92f9fd5d66a4a506c899b43a183bd3129bae652b5ac8805ce255fb1b08b59af4
Opcode Fuzzy Hash: 5535f944af204017209c3586b667b3e5155cfb606d40af66d93058d131608dc5
Instruction Fuzzy Hash: 0D616D70E1A95D8FEBA4EFA8D8A5AECB7B1FF59300F40007AD40DD3291DE3469458B40

Function 00007FFD9B801CED Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9615f58ac5d4f0263eb5e4b05557650d5400c9f0093ccf1b9752c83a985a6477
Instruction ID: 60cdbf80267f57e9ba7fe27d2fbd5b14c4b760d62861263b1699fffae7e88814
Opcode Fuzzy Hash: 9615f58ac5d4f0263eb5e4b05557650d5400c9f0093ccf1b9752c83a985a6477
Instruction Fuzzy Hash: B351CF31B08A494FDB5CEF5888645BA77E2FF99351B15467EE49EC3291CE34E8028781

Function 00007FFD9B8122E0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c29aaa88aaeaf0cbd20ee85f877d2782854662bd29162675c51e445b4218252
Instruction ID: c18f937c2024eebdb03c7f6309fdffe801609910eb1fc168de8dd248196fdcf4
Opcode Fuzzy Hash: 4c29aaa88aaeaf0cbd20ee85f877d2782854662bd29162675c51e445b4218252
Instruction Fuzzy Hash: 65618E30E1A64E8FDB55EFA4C869AEDBBB1FF58304F0101BAD009D71A6CE786941CB51

Function 00007FFD9B814B49 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459178cc790cf0eef310ff65432ea3d5f9ebd704462361ab38e9b8011c6f875c
Instruction ID: bd4ce7d69c1c3dac109af72d4cc1edd47ffc0836794aa78099d4ac29d7282aad
Opcode Fuzzy Hash: 459178cc790cf0eef310ff65432ea3d5f9ebd704462361ab38e9b8011c6f875c
Instruction Fuzzy Hash: 2951C330E1A68E8FEB55DF6488296F977B0FF0A300F4504BED819C61E2DE3865448B41

Function 00007FFD9B803191 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450fcb71d36c58d541fdb2ab2ec70fa6db6eeb688ee28c68ce7f9ec0344488b3
Instruction ID: 2131699cc6b8b07ecb560856951e18901a9dc2289d327d6e99351457713e84a4
Opcode Fuzzy Hash: 450fcb71d36c58d541fdb2ab2ec70fa6db6eeb688ee28c68ce7f9ec0344488b3
Instruction Fuzzy Hash: 3C513C71E0951E8FEB64DF94C4A46EDB7F1EF5C341F510079D049E72A6DA386A44CB10

Function 00007FFD9B814F00 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd10799d767ef93db98cdb9101190ad610dfe92d7f7c6cb82a8df4f707f4ad1
Instruction ID: 54cab6982218ea093d5477a58c0a73233446319b1fb690c9698877e2efbb03db
Opcode Fuzzy Hash: 3bd10799d767ef93db98cdb9101190ad610dfe92d7f7c6cb82a8df4f707f4ad1
Instruction Fuzzy Hash: C351FB71E1991D8FEFA4EBA8D8A5BEDB7B1FF68300F41016AD00DE3295DE3469458B40

Function 00007FFD9B80ADFD Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B80A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b80a000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f1a5e2c9caa9d5e05727619b6c6f816a7f1d134732950be028b8f434221851
Instruction ID: 943c14477f1a1775b41a56a00a6936da96a531e56e9fa2b24b435a1fa07f1dc9
Opcode Fuzzy Hash: 70f1a5e2c9caa9d5e05727619b6c6f816a7f1d134732950be028b8f434221851
Instruction Fuzzy Hash: 8F515E71E0A61E8EEB64DFA4C4957ED77F1EF58340F0141BAD05CE71A2DA38AA858B40

Function 00007FFD9B816BAD Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca8651f80287bdfa98755aea0be74feb785681c9ac844636d088b0a399e4f6f
Instruction ID: 7bdc0c6159fb97cb04c92ad239bc89c8a556f3dbc007cae0163f659cca416293
Opcode Fuzzy Hash: 8ca8651f80287bdfa98755aea0be74feb785681c9ac844636d088b0a399e4f6f
Instruction Fuzzy Hash: 8451EFB0E0A64E8FEB64DFA4C4646FD7BE0FF18300F0541BAD459D72A6DE38AA448751

Function 00007FFD9B8124D1 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8d90d4cbb37081d268c0f349cc0c1e89e9f2c8772c4ba2b26758815bf65791
Instruction ID: 16323c6450513aebaed3de7629efb7aa8092656aa18473cfd18e62acc4642ec5
Opcode Fuzzy Hash: cc8d90d4cbb37081d268c0f349cc0c1e89e9f2c8772c4ba2b26758815bf65791
Instruction Fuzzy Hash: D441A230A0A64E8FDBA2EBA4C8686F97BF0FF5D314F0205BAD409C70A5DA34A644C711

Function 00007FFD9B814C69 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8244584ed31f9bed6b23bb773f7a4b005aa572e1d0333fa0470b71859584b0f9
Instruction ID: 1bcddcfb84f1c9f9132a21785a6f18560872ee3430fbdac162334200859884f0
Opcode Fuzzy Hash: 8244584ed31f9bed6b23bb773f7a4b005aa572e1d0333fa0470b71859584b0f9
Instruction Fuzzy Hash: 9E319030E1A64E8FEB54EB6488296FE77B0FF09300F45157ED419C61E2EE7865448B41

Function 00007FFD9B80DAF1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B80A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b80a000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f46c61bc5c7133b6ddd8ec76bf076442ebdb85be1485928123dca8efad9766
Instruction ID: 4797c696e543a5ecfa304f23e8d6956063e1031bd25afe54bb028c3e250c7ae5
Opcode Fuzzy Hash: 38f46c61bc5c7133b6ddd8ec76bf076442ebdb85be1485928123dca8efad9766
Instruction Fuzzy Hash: 1C318B30A0D65E8FDFA5DF68C8607ED7BB1EF49340F0101AAD84ED72A6CA74A945CB40

Function 00007FFD9B812E49 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c7375c4c32e909a74bc4c142fea5ed422d190fb890ffb06cfa839fa91d22fd
Instruction ID: 016683160299808c35d07e2a5a80c3abfc4607e81da3d6b8c856747f79b9e13e
Opcode Fuzzy Hash: 35c7375c4c32e909a74bc4c142fea5ed422d190fb890ffb06cfa839fa91d22fd
Instruction Fuzzy Hash: 5631A66190F6CA4FE762DBF44C295A97FB0EF5A304B0940FBD494C70A7DA28A948C751

Function 00007FFD9B811ED0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b811000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17930c4856b877c01ff64a4c4056ee1b2d3517b3421bfb466233f2f54ca8306e
Instruction ID: dc11bf615d2141811a802db649926eca7ca121e96861696faeee4eb9b4f44af7
Opcode Fuzzy Hash: 17930c4856b877c01ff64a4c4056ee1b2d3517b3421bfb466233f2f54ca8306e
Instruction Fuzzy Hash: 4E219D3094E2CA4FDB569B7088655F57FB0AF0B314B0A04FAE449CA4E3DA286946C721

Function 00007FFD9B802189 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010e552978e972976c2af8d23ffbf6040ac02adb0a7aa72a772b2f5bc7c9c07e
Instruction ID: 8d83017594b952bca366bd357928f1bf1ed3a12f30ab38586affcddc48bb5627
Opcode Fuzzy Hash: 010e552978e972976c2af8d23ffbf6040ac02adb0a7aa72a772b2f5bc7c9c07e
Instruction Fuzzy Hash: F611DC30A1960E8FE765EBB488695F877E0EF4A340F0104B6D45DC70E6EE78BA858601

Function 00007FFD9B80084D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b4a0f77b72d9ef27d379a5dbad5316451656fac09335c092abf13ae8e41a12
Instruction ID: 3127c6b9b9f32f7a8b0c8c72e92fa17f4dab8db34f26e3efd4a7ca4e1043a0a2
Opcode Fuzzy Hash: e7b4a0f77b72d9ef27d379a5dbad5316451656fac09335c092abf13ae8e41a12
Instruction Fuzzy Hash: 1711E330B1D54E8FE711ABB8C8A89E937E0FF49348F0644B6D459CB0ABDD34A545C291

Function 00007FFD9B800A01 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b25b61d5f19271aaeeb564d4d4e62664d7946032b26b8b2b4222bd1eb982881
Instruction ID: ad15d5d9a6e6377af07f6ae586710a03c5f2d602d69b90b53d76331590f8d4a8
Opcode Fuzzy Hash: 0b25b61d5f19271aaeeb564d4d4e62664d7946032b26b8b2b4222bd1eb982881
Instruction Fuzzy Hash: 7511BF31E2950E8FE790EFA888595FD77E1FF58740F8105B6D45CC61A6EE38A5408700

Function 00007FFD9B800EFD Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd4c1df80a9051f7349d290f05e0052aea78fcc0367245cfb6d9a5791f33131
Instruction ID: bcca9d7389b317c31950f478092ef0137e14628edd975955cdb4cd9a6aeba132
Opcode Fuzzy Hash: ccd4c1df80a9051f7349d290f05e0052aea78fcc0367245cfb6d9a5791f33131
Instruction Fuzzy Hash: 44215131F1990E8BEB64EB94C865AEEB7B1EF58340F114175C049D72E9DE34AA458B80

Function 00007FFD9B80C6C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B80A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b80a000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0539bddca83ae0815e3943a7b611eebda1fb44c13a02009f1798f3400799205b
Instruction ID: b7475a3a62e3389dad153e07a19785a6f2d7eca6669887de8d3ffb3d8163d964
Opcode Fuzzy Hash: 0539bddca83ae0815e3943a7b611eebda1fb44c13a02009f1798f3400799205b
Instruction Fuzzy Hash: 39116D30A0A64E8FEB55EF68C8695F97BB0FF19340F1105BBD459C61A2DF386A44CB50

Function 00007FFD9B801140 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266ac07467b0afe22cdec6fa8a2c73b99d73846d6a2651fda1ea889ae00c4194
Instruction ID: 4e85748f6c94527a2becb7bfb482207fb7b18085bd70ffc92ebbd825860b537f
Opcode Fuzzy Hash: 266ac07467b0afe22cdec6fa8a2c73b99d73846d6a2651fda1ea889ae00c4194
Instruction Fuzzy Hash: 0A110870E1950E8EEB69EBA8C4686FA77E0FF5E354F00047EE45AD21E1DE356250C740

Function 00007FFD9B802E2A Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da98d0f79f138e59c89c70dca63e32a4f317995454316142900ba541ada612a
Instruction ID: c51796c1f228d3e392c02b397af4a04fbae42646a307f24bf6d90327b947212c
Opcode Fuzzy Hash: 1da98d0f79f138e59c89c70dca63e32a4f317995454316142900ba541ada612a
Instruction Fuzzy Hash: 2C014C30E9A64E9FE751AFA484685E97BF0EF1A304F4244BBD448C70A6EA38A544C711

Function 00007FFD9B8034C5 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1c11824d3e471a0d55ff7e3fc73a1a2f83397e79b4eed6cef815313d832e55
Instruction ID: 5e08c71e774341ef7b6ca7e2ffc4d9df696801152a3b6b93f8509e8b18eea2f4
Opcode Fuzzy Hash: ef1c11824d3e471a0d55ff7e3fc73a1a2f83397e79b4eed6cef815313d832e55
Instruction Fuzzy Hash: 0D110970A1964E8FDB95EFA4C8696FA7BA0FF1D304F4105BAD41AD61A2DA35A6408B00

Function 00007FFD9B80BE09 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B80A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b80a000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f4891d14f87fa4f6fb13a5a1d8d6877bd07f2e8133999d9a375b95de3bddf5a
Instruction ID: 96714ad5b8640c973279202008805ea3be5baaf97dc38cb3ba9eac9567d38c8d
Opcode Fuzzy Hash: 2f4891d14f87fa4f6fb13a5a1d8d6877bd07f2e8133999d9a375b95de3bddf5a
Instruction Fuzzy Hash: 17117031A0A64E8FEB95EB6488692F97BB0FF29300F1504BAD459D71A2DB34A650C740

Function 00007FFD9B80AF1E Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B80A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b80a000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5ecc0589dd1c156c6be39940ddacc4f600bdeadb935c647499dcc38acab0c3
Instruction ID: f8fcb966a3289981ab8002dced770a46d3017af07672c577861c9cb75bab4170
Opcode Fuzzy Hash: bc5ecc0589dd1c156c6be39940ddacc4f600bdeadb935c647499dcc38acab0c3
Instruction Fuzzy Hash: AA111F71E0A62D8EEFA4DFA4C455AEDB7F1AF5C340F1141B6D44CE3291DB389A858B40

Function 00007FFD9B80DC15 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B80A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b80a000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55143c1c33fe9c48330be829ed6d778c10ea08e69c86392ca63733fd9dd058cd
Instruction ID: 326710d3c0ae86010fe97c78868faea70cf09b256a398dbb856d06253a3b61d8
Opcode Fuzzy Hash: 55143c1c33fe9c48330be829ed6d778c10ea08e69c86392ca63733fd9dd058cd
Instruction Fuzzy Hash: 21112B70E0A61D8BDB68DF90C864AFDB3B1FF58340F110269D44AA7391CB746A40CB40

Function 00007FFD9B8005D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27cd587daf3d028f4759adae1a371c295a3ad048aa6567314c46dc76a45d91e7
Instruction ID: aca42ae584d2340e78d1cbc61df1bb9f16ea9862e9f30ffcd7f63d7cd7405fdd
Opcode Fuzzy Hash: 27cd587daf3d028f4759adae1a371c295a3ad048aa6567314c46dc76a45d91e7
Instruction Fuzzy Hash: 4C018030A0650E8FEB99EF64C4656F977A1EF59354F61007AE41EC21A4CE35A650C740

Function 00007FFD9B80ABFA Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B80A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b80a000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1cce4cad98c2588fbf2f14c9f36ee996f8f3e792ac0ea958a4b7680ab9fe65
Instruction ID: fba329f402c083623b7b71402b57b25e672530d518976ff80771f0ebabae3d9f
Opcode Fuzzy Hash: 2d1cce4cad98c2588fbf2f14c9f36ee996f8f3e792ac0ea958a4b7680ab9fe65
Instruction Fuzzy Hash: 1C019671E0E94E5FE761E76884A95E97BD0FF5D344F130576D499C30B1EE34A5448240

Function 00007FFD9B80B98C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B80A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b80a000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65eac18cb8312e661bae7370d12b4e201432a4b8fa305d19c96880763dc69e1a
Instruction ID: dea907c62f9d1a7f5f4c458363640aaca73c76a272c227e226281d32416253df
Opcode Fuzzy Hash: 65eac18cb8312e661bae7370d12b4e201432a4b8fa305d19c96880763dc69e1a
Instruction Fuzzy Hash: A0015E30E1954E8EEB94EF68C4A86FD77E0FF1C305F51047AD41AD21A2EE35A650C740

Function 00007FFD9B80280D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c6e560f3eba7ff19c0ae7ec1bfe69b109b3ed154b7cc023823ecd87a151b58
Instruction ID: 8ee9457365e0c153912baa8eb5fce67962f2ebc5b0b42fb7d33c50192d94796a
Opcode Fuzzy Hash: 96c6e560f3eba7ff19c0ae7ec1bfe69b109b3ed154b7cc023823ecd87a151b58
Instruction Fuzzy Hash: 55018F31E1E60E8FE761AFA488585F977F0EF59300F4244B6D418C61B6EE38E6448710

Function 00007FFD9B80A789 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B80A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b80a000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0905502c63c9c62a3f94338ba8e714d2d4e0bc05532a4db3515e91cc0a7905
Instruction ID: 73d0077dd29c3579d103fd3bc82f0eb72d0ed2b9bc3077ba3ac9aea6fd5db8a4
Opcode Fuzzy Hash: 8f0905502c63c9c62a3f94338ba8e714d2d4e0bc05532a4db3515e91cc0a7905
Instruction Fuzzy Hash: F1017C30A5E64E9FE761EB6488685E97BF0EF09340F4649B6D488CB0B6DA38A5448711

Function 00007FFD9B802EA9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005689a0bc16ec086b02cbcfcd17ecad2fef3be39314c5c67bc2e4706fc6dfff
Instruction ID: c5bde0fb3583ea2ace470381746e4bad67ca727db9f2b407e6664c5abeb21099
Opcode Fuzzy Hash: 005689a0bc16ec086b02cbcfcd17ecad2fef3be39314c5c67bc2e4706fc6dfff
Instruction Fuzzy Hash: EF018831A4964E4FD751EBB4885D5E97BE0EF19344F0605B7D058CB0B6DA38A544C711

Function 00007FFD9B80F1C9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B80F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B80F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b80f000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24459c42ef095e9db00b04b6952ca3e30b189cc598d82a12187dd7f23d0db8ef
Instruction ID: 176c9106f255398504ec990dc45d5fd6afc97503970c00f81eacfff548a23664
Opcode Fuzzy Hash: 24459c42ef095e9db00b04b6952ca3e30b189cc598d82a12187dd7f23d0db8ef
Instruction Fuzzy Hash: 1111FAB0E1951D8BDBA8DF2888657E8B6B1EF58304F4141FA915DE3292CE342EC18F44

Function 00007FFD9B8033DC Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffeafb4352e8be0e358ff054969114431f601f3a66fd88769edda2b0bdea9e2
Instruction ID: d3416ec86eff55c58a371e2e1afda0ff1483512ab9ce894149e268fc0c615ea8
Opcode Fuzzy Hash: 9ffeafb4352e8be0e358ff054969114431f601f3a66fd88769edda2b0bdea9e2
Instruction Fuzzy Hash: DE014F31E0991E8EEB61EB68C89C5F9BBE0FF2C340F010876D419E70A5EA34A6448740

Function 00007FFD9B800608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53acc9f0ec6372e05bfdadc2cfaf0bfa3e5d651b90acd0ffbcc490e90a9623ac
Instruction ID: dc451b57c778326a5be27554dd09c31bbb7f8c00b03473a6b243b8065009e934
Opcode Fuzzy Hash: 53acc9f0ec6372e05bfdadc2cfaf0bfa3e5d651b90acd0ffbcc490e90a9623ac
Instruction Fuzzy Hash: 00016D30A1550ECAEB69EFA4C4686F973A0FF1C305F51087ED41EC61E5DE75A650CA00

Function 00007FFD9B800610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407e6e44575cdf35f16c27d26aec07c83261c4ed732af3926d988c8ddf76fbbf
Instruction ID: 4a0c2134c409c9016a0fd6ae5bd6adcb7c6d6b93da79ae7b2c3b9de5cdfd874f
Opcode Fuzzy Hash: 407e6e44575cdf35f16c27d26aec07c83261c4ed732af3926d988c8ddf76fbbf
Instruction Fuzzy Hash: A6016D30A1950ECBEB69EFA4C4686FA76A0FF1D305F51087ED81EC61E5DE75A690CA00

Function 00007FFD9B801C6D Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2cb6d8f86e3b8defa0d31b08064d1e74dd7553aeb332614610f5d8c4e04ab3
Instruction ID: 7857656b970a157e2cb04c05502b652ca86213d97d77eea208844e01683b5246
Opcode Fuzzy Hash: 6c2cb6d8f86e3b8defa0d31b08064d1e74dd7553aeb332614610f5d8c4e04ab3
Instruction Fuzzy Hash: 9F018130A0A64E8FEB95AF54C8656FA77A4EF5A314F91007AE80CC61A1CB35E950C740

Function 00007FFD9B8005D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed02e5289efce8accfcff03491f1dbb9bf85ff26656ab96bf489abd99a3ea2c
Instruction ID: b02b09da98631b9104270db5c5e7f8539611ef075dbe171abf56ebf25a8010da
Opcode Fuzzy Hash: 3ed02e5289efce8accfcff03491f1dbb9bf85ff26656ab96bf489abd99a3ea2c
Instruction Fuzzy Hash: 3AF0C230E0A54E8FEBA5EF6494656FA37A4EF4A318F51007AF84DC21E1CE35E650C740

Function 00007FFD9B80240C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e753fe402ed265a0732180e15034657216e26f1319b54b203ce91eb937cb9178
Instruction ID: e741405b2916893e1b9c89202384be546b15521e54e357a3fe4fb9947c35eb41
Opcode Fuzzy Hash: e753fe402ed265a0732180e15034657216e26f1319b54b203ce91eb937cb9178
Instruction Fuzzy Hash: 0B01C030A1991D8EEB74DF80C8657EDB2A1FF59344F5241B9C08ED21A1DEB82A888B00

Function 00007FFD9B8023DE Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef52b49906195a7d7d11b063c63d888ed273ae6d6eaf4d1802e9e753937d9349
Instruction ID: fafc255a8044dbe817d5657ccc10cae0baf29bb3eaa32a1ea600ed3dc57d6c92
Opcode Fuzzy Hash: ef52b49906195a7d7d11b063c63d888ed273ae6d6eaf4d1802e9e753937d9349
Instruction Fuzzy Hash: F0F0CD30A5991D9EEB64EF80C8657FD73A1FF59341F5245B9C48ED21A1DE742A888B00

Function 00007FFD9B802729 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79587bea75982eca035d71187d412736ef94a96cda315c8cb973caf0196f3324
Instruction ID: c5e3c7ab90b506b78e52d13f8c4d64655e82c9484f0e0e0f95f45102ea61df35
Opcode Fuzzy Hash: 79587bea75982eca035d71187d412736ef94a96cda315c8cb973caf0196f3324
Instruction Fuzzy Hash: A6F0963094E38E8FD76A9F6488782F93BB0FF06204F4504BED459C61E2DB799554C701

Function 00007FFD9B80279D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0e6694ee0a19303222cec5c5a5447a7de958b4230ea4e5e7414e7e10e7205e
Instruction ID: 5063daca6c51c40e8c92879073c6025c50358349b4721e1ed99a1dc99b95c8f3
Opcode Fuzzy Hash: 0f0e6694ee0a19303222cec5c5a5447a7de958b4230ea4e5e7414e7e10e7205e
Instruction Fuzzy Hash: A2F0F030A0E78ECFEB699FA488251E93BA0BF49310F4104BAD849C60E2DB79A554CB00

Function 00007FFD9B80FCCB Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B80F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B80F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b80f000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b8fd2be9deb6a7a98a815e191bc76a339df64e276144464be20823289dac27
Instruction ID: 7a52775f59f790f05f96e9cba116ddcf40ec45b0c88517065b15d80515467463
Opcode Fuzzy Hash: f2b8fd2be9deb6a7a98a815e191bc76a339df64e276144464be20823289dac27
Instruction Fuzzy Hash: 28F0B271E4A52D8EEBA0DF58D864BEDB7B0FF58351F4140EAD04DE2291CB349A908F40

Function 00007FFD9B80FC48 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B80F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B80F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b80f000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa91ee89ef2ef130b2e401cfa6cb330d08b3668cc17d18171191f8e9bafbbabe
Instruction ID: a42e92cc93f68f4f1aee33dbfe0468c0d5e1901a841af95efeba4bfe703d5320
Opcode Fuzzy Hash: aa91ee89ef2ef130b2e401cfa6cb330d08b3668cc17d18171191f8e9bafbbabe
Instruction Fuzzy Hash: 53F0AC70E0862E8FDB69DF49C8507E9B6B5EF98301F0141B6905DA2295CA345B809F41

Function 00007FFD9B804B8B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1911896273.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9b800000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a62d0e45861a6616a1b15f344f0830dda966e8bb525cf26cad9e9d8ed721a2
Instruction ID: 6c58f700beed9b8f8166b7c2625dca0e4f785a308159963a6af8f4f521526993
Opcode Fuzzy Hash: 29a62d0e45861a6616a1b15f344f0830dda966e8bb525cf26cad9e9d8ed721a2
Instruction Fuzzy Hash: 61C0E970A4A52D8AD7B4DB9884607F862B5AF5C280F5140B8D14ED7191CD246BC15B54

Analysis Process: RuntimeBroker.exePID: 7652, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B7E3545 Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

X_H, xrefs: 00007FFD9B7E35CD

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: X_H
API String ID: 0-215283271
Opcode ID: 902d2deb7f7f986717da917fefbe17b6cdc38a19082422e5888357ee89d5e523
Instruction ID: ac63b4e5af6b620685c696393ee790013772c876ef0f59f584710133fafe2504
Opcode Fuzzy Hash: 902d2deb7f7f986717da917fefbe17b6cdc38a19082422e5888357ee89d5e523
Instruction Fuzzy Hash: 7BA1C271A1994E8FEB99DF68C8657ADBBE1EF95304F4102BAD00DD72EADB7424018740

Function 00007FFD9B7ED6B9 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

MM_H, xrefs: 00007FFD9B7ED76E

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7ea000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: MM_H
API String ID: 0-1969015126
Opcode ID: 32f9f3b368a1f7a286d0b2deff21026af533bc89e8c201783fdcc4698810e9ec
Instruction ID: 946b048566db93fcbfdae00a3fd271975ce0049ae98f26f4e49c1b9ee47dadf0
Opcode Fuzzy Hash: 32f9f3b368a1f7a286d0b2deff21026af533bc89e8c201783fdcc4698810e9ec
Instruction Fuzzy Hash: 74E13E71E19A5D8FDB68DF98C8A47BCB7A1FF58300F4501BAD01DE72A6CA346940CB41

Function 00007FFD9B7EC5FB Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

~M_^, xrefs: 00007FFD9B7EC601

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7ea000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: ~M_^
API String ID: 0-1662397256
Opcode ID: 7e85c348f5650722bff92a4ff28ec5bb3032c8ab7b566e1d72e55929fa0321ac
Instruction ID: 1439b65dad38af65197798614b0aa738d08769f5b078b8db48882a3cf9593883
Opcode Fuzzy Hash: 7e85c348f5650722bff92a4ff28ec5bb3032c8ab7b566e1d72e55929fa0321ac
Instruction Fuzzy Hash: AA41162BB0D35E4AE725BABCB9254FD7B60EF8133AB1A02B7D10DC50F3CE1865454260

Function 00007FFD9B7F2F38 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a868eeb9297e12775736c72a58fa3eebb68e6696a3beed29fa5a3b867b5919b3
Instruction ID: ee9a761470d59dead1898cae0983e026b48e58f7662e89e291185ffd85a97401
Opcode Fuzzy Hash: a868eeb9297e12775736c72a58fa3eebb68e6696a3beed29fa5a3b867b5919b3
Instruction Fuzzy Hash: B641F352E0F7CA4EE712E7B888691A97FB0AF06214B4A46F7D098CB0F7EC1465048396

Function 00007FFD9B7F2FA8 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1165001fa5aa82f49429c052c0f69a9869e509faf2cf3fd7e396e1b3fe9fc513
Instruction ID: f1e9e0396cbfd2064d20e449829d051c7318c04e84b9587372eeebc65bda8c4c
Opcode Fuzzy Hash: 1165001fa5aa82f49429c052c0f69a9869e509faf2cf3fd7e396e1b3fe9fc513
Instruction Fuzzy Hash: 35115461A0E7CA8FE75397B44C255A97FB0AF52204B4A05F7D498CB0F3E9186A14D362

Function 00007FFD9B7F3805 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dfa96b4a863f6f2751ceda6b805119ac9c004b343a5e8144be0c701552e1327
Instruction ID: 39038c89eb7737f7bbdd6b12183e19ec11f363838645cded85dd6932fc6ea1a4
Opcode Fuzzy Hash: 6dfa96b4a863f6f2751ceda6b805119ac9c004b343a5e8144be0c701552e1327
Instruction Fuzzy Hash: 62D1B970E1962D8EDBA4EB98C8A57ECBBF1FF58300F5141A9D00DE72A1DF345A848B54

Function 00007FFD9B7E1698 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2420f0523f38ab89cc718ca76cc2591474922638cc25121cacfb5b043fc2bfa5
Instruction ID: e79df68125193f4f8245083b36b8969c05c367275d4e44a04070f09410f2c09d
Opcode Fuzzy Hash: 2420f0523f38ab89cc718ca76cc2591474922638cc25121cacfb5b043fc2bfa5
Instruction Fuzzy Hash: 9F81C031B0DB494FDB58DE5C88665A977E2EF98304B15027AE45DC32B2DE34AD028781

Function 00007FFD9B7EC55D Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7ea000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c084af052dee6f7ae4370c9fd4bbad6fa1cb4ce31be35476ac26d719669e07d
Instruction ID: 37fcf13f561c5615c94bd6c033410e0ceaf214af0e7680d9ead6148dcdb126e3
Opcode Fuzzy Hash: 3c084af052dee6f7ae4370c9fd4bbad6fa1cb4ce31be35476ac26d719669e07d
Instruction Fuzzy Hash: E551282FB0D66A8AE325BBBCB8254FD7760EF80336B1946B7D109C50F3CE18754646A0

Function 00007FFD9B7F1C17 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20fd21976f54e9520a534d2655b716d41c8ce4623a3b0025f0f96db55c49d00
Instruction ID: fd3233e7ef3c8a484e3912be4228d5a99beb4fb5c5f3a0eda4d86d045796c902
Opcode Fuzzy Hash: b20fd21976f54e9520a534d2655b716d41c8ce4623a3b0025f0f96db55c49d00
Instruction Fuzzy Hash: 29710E70E09A1D8FDB94EF68C4A4BA8B7B1FF58305F5141B9D00DE72A5CE34A941CB40

Function 00007FFD9B7EBE89 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7ea000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e316d574bff14430731975de31865ad55f8528e9f1fcc8cea76cb634a055b9dc
Instruction ID: 12325667f84a403bbca3eafa8b777d6268ee7f7ce2408506670d46f56c4cc7cf
Opcode Fuzzy Hash: e316d574bff14430731975de31865ad55f8528e9f1fcc8cea76cb634a055b9dc
Instruction Fuzzy Hash: 1861FC74E1961D8FDB64EBA8C8A56EDBBB1FF59300F51027AD00DD72B2DE3869408B40

Function 00007FFD9B7E1CED Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a1d2b52982fb1fef5901df64a8779d29bf83c2c131d5b5712895c563b06c8e
Instruction ID: 293ce3a4bfb979f757d5d8bf1e230b16c3c8ac17dfb72b289afabd356ee81b97
Opcode Fuzzy Hash: 57a1d2b52982fb1fef5901df64a8779d29bf83c2c131d5b5712895c563b06c8e
Instruction Fuzzy Hash: 4051DD31B09B494FDB58DE5888655BA73E2FF98301B15427EE45EC72A2CE34ED028781

Function 00007FFD9B7F4EED Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c595c3674173d4264b2ef25d0993072e1d900a1e8bcc68a130a352205c1c8e
Instruction ID: 32cd5005319827c80f2090081cde0d7198834a3f145e090c0c1d6a7269733e04
Opcode Fuzzy Hash: c7c595c3674173d4264b2ef25d0993072e1d900a1e8bcc68a130a352205c1c8e
Instruction Fuzzy Hash: 72511071E19A1D8FDFA4EBA8D4A5BACBBF1FF58301F41016AD00DD72A5DE3469418B80

Function 00007FFD9B7E3191 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92a6bc635a333cddda7d8080530cc8aaed2b86a5814b58505c009fb9828e753
Instruction ID: 7aade2d246e0fae8f95b06994b0c5eb9618747c6c2f9ba00b1e436b4f036665a
Opcode Fuzzy Hash: d92a6bc635a333cddda7d8080530cc8aaed2b86a5814b58505c009fb9828e753
Instruction Fuzzy Hash: 0D511C71E0961D8FEB65DB94C464AEDBBF1EF58300F52027AD009E72B5DA386A44CB50

Function 00007FFD9B7F4F00 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be0bda77be04bc92d9408017074c3bfa29fbd0bc767f38a36e8f98db0ab4599
Instruction ID: f35da3a7906c2c13ac0776f02ee7972097036f0d779ab74091b3f6c87dbe6e3a
Opcode Fuzzy Hash: 6be0bda77be04bc92d9408017074c3bfa29fbd0bc767f38a36e8f98db0ab4599
Instruction Fuzzy Hash: 7051F071E19A1D8FDFA4EBA8D855BADBBF1FF58301F41016AD00DE32A5DE3469418B80

Function 00007FFD9B7F72C5 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b67abed173af2f488bccea082520e64648dc6da54a544dc4e4a8edac12f69c3
Instruction ID: 7111999c6c8b3a2ba41bf5d45834fbbca11871c0d8e15239054675db4a6ea1d5
Opcode Fuzzy Hash: 4b67abed173af2f488bccea082520e64648dc6da54a544dc4e4a8edac12f69c3
Instruction Fuzzy Hash: 5B514F70F0A35E9FEB65DFA4C4A46FD7BF0AF04310F12457AE409A62B1DA386A44CB45

Function 00007FFD9B7EADFD Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7ea000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091a7153e4af92504ad50f83d6e1808090238ccf1e4165cecbfdc16255591e59
Instruction ID: 9d4ff466477e2a74b2d5b35729b44eb89b5759e8af92d37007d5532d439dd6dd
Opcode Fuzzy Hash: 091a7153e4af92504ad50f83d6e1808090238ccf1e4165cecbfdc16255591e59
Instruction Fuzzy Hash: 9F515171E0A61E8EEB64DFA4C4957ED77F1EF58300F0142B6D01DE72B1DA386A858B50

Function 00007FFD9B7F5D85 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ada5453ff4e4b36390411b96b18e616979f02661d49d4c9e88addb2aaf35aba
Instruction ID: 270bed0ab035c322bc7593306508a11ac5e68b02fb9ed325b21976ef4d4abbc9
Opcode Fuzzy Hash: 9ada5453ff4e4b36390411b96b18e616979f02661d49d4c9e88addb2aaf35aba
Instruction Fuzzy Hash: 8F51EC70E0961D8FEB68EB54C8657A9BAB1FF54301F1142BAD00EE32A1DF346A84CF45

Function 00007FFD9B7F237D Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 887e5d4630eebcc6d263ddeac74124115c43a4beec550d76ee7e13e3523bfb8c
Instruction ID: 13f4ba45a3fa1251f97fca20729670bc1a8beef805b86aacb93a02b87fbbbb75
Opcode Fuzzy Hash: 887e5d4630eebcc6d263ddeac74124115c43a4beec550d76ee7e13e3523bfb8c
Instruction Fuzzy Hash: E5415D30E1965D8FDB54EBE8C865AEDB7B1FF48300F410279E019E32A6CE3469418B81

Function 00007FFD9B7F6C39 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8d22d4933bd0a082a7e8f5ef9eb84d830082ce4ab14030bed493fac5b142db
Instruction ID: 20a8cdef527ed094264b780f0b9c53667947e3b1935a27d372fb51b116b8ff53
Opcode Fuzzy Hash: da8d22d4933bd0a082a7e8f5ef9eb84d830082ce4ab14030bed493fac5b142db
Instruction Fuzzy Hash: 0541C870B0A64E8AEB649BA4C8646ED7AE0EF14310F11027AD459C62F2CE38AA44C795

Function 00007FFD9B7F6B15 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871c9db3967682a693b4254070342a727baf3ed6ee9c74a23f42dbe4f469fa27
Instruction ID: d9c13072ef3bc4b4f83b3d84f993da0785c047b71781da88b46c2c3ae2ad1efb
Opcode Fuzzy Hash: 871c9db3967682a693b4254070342a727baf3ed6ee9c74a23f42dbe4f469fa27
Instruction Fuzzy Hash: 6721D131B0E64E8BEB69EFA488762B93BA0FF14300F0141BED41DC61B2DE35A550C781

Function 00007FFD9B7F7151 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13926747246aa0345102f21a8fd4ee1200b3ce64e8deaa9458d6c2eb9803ec4e
Instruction ID: ba6d2ac5b6b22c60871cd72609d976feb4847c9a649e813693c16af7f66b14a7
Opcode Fuzzy Hash: 13926747246aa0345102f21a8fd4ee1200b3ce64e8deaa9458d6c2eb9803ec4e
Instruction Fuzzy Hash: 56214F30F0A60E9FEBA4EFA888696BD7BF0FF58300F41057AD419C61A1DB34A6548780

Function 00007FFD9B7F1ED0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424a34724cee0793671b9b2e17018ab67b762f519b4c0b5de3d64eba8227559e
Instruction ID: d0dcfd890fe7d56d3c202bdd18578e9925eaae4d40d91b1055f298e68cde5eaf
Opcode Fuzzy Hash: 424a34724cee0793671b9b2e17018ab67b762f519b4c0b5de3d64eba8227559e
Instruction Fuzzy Hash: BF219F30A4E3CA4FD7569B7088655E57FF0AF07314F0A05FAD449CA4A3DA286946C751

Function 00007FFD9B7E2189 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc52f85abee502c0a022bba46a1f7a8ebb87110454fca198ead224f3a24e535
Instruction ID: 969f9730ad3efee7b9333867a447bf3efdd4edf0523774be1e9f1f948a5880ca
Opcode Fuzzy Hash: 1fc52f85abee502c0a022bba46a1f7a8ebb87110454fca198ead224f3a24e535
Instruction Fuzzy Hash: 6711DF30B1960E4FE715ABB488699A877E0EF45300F0145B6E41DC70B6EE38AA858601

Function 00007FFD9B7F7259 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144c47d1d25bd7ca9e6eb0bd543a9ec926ab1695930ab930c4232a14332f5a0a
Instruction ID: 16cbd833c4aacc9418bf10cef5114fba173ecf6581b63b8cb4a4234eda986b6b
Opcode Fuzzy Hash: 144c47d1d25bd7ca9e6eb0bd543a9ec926ab1695930ab930c4232a14332f5a0a
Instruction Fuzzy Hash: 0C218330F0A64E9FEB61EB6488695FD7BF0FF19304F410A76E418C60B5EE34A6548741

Function 00007FFD9B7F797D Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445e6d00623871f5a9068f507ffdf3dd564bf6ac570704033a30171307a0ac3a
Instruction ID: 61cb4a6038460cba416277904be3f37145363c67217de942d46b1771a20ca85f
Opcode Fuzzy Hash: 445e6d00623871f5a9068f507ffdf3dd564bf6ac570704033a30171307a0ac3a
Instruction Fuzzy Hash: 8721B031A4E78E9FEB69DF6488656BE7FA0EF05304F0205BED419C60F2DE346654C681

Function 00007FFD9B7E084D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d076ab6a8bddd30c588a0c05312e5cc69d2a948b747f9f18e48aab0842a9a9
Instruction ID: 025b66b69dc90df47ea2906d4dc01b441e90bc7fc32f9741df74bd2bf1cf6263
Opcode Fuzzy Hash: 23d076ab6a8bddd30c588a0c05312e5cc69d2a948b747f9f18e48aab0842a9a9
Instruction Fuzzy Hash: A8113630B0920E8FEB11EBB8C4A99E937E0EF45304F0645B6D419DB0BBDD34A544C291

Function 00007FFD9B7F69D1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69241cbee6a1f39724a3f8ddc5e9d8898fdfad2a6440481a8faeae587ea07f2e
Instruction ID: ba52cfd21f3ab1e4848d3ab844ef1a2aa239ee85b700274cc6a6d3bb49801783
Opcode Fuzzy Hash: 69241cbee6a1f39724a3f8ddc5e9d8898fdfad2a6440481a8faeae587ea07f2e
Instruction Fuzzy Hash: 3E11B170E0964E8FEB98EF6484692BD3BA1FF58300F0141BAD41DC61B5DE35A540C780

Function 00007FFD9B7E0A01 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2acf11fa8d8cd52715501ebd176e7256f7b4c7e278642ba3f994c6fda87dd3e
Instruction ID: ccaf08c6f7d5b45d20b5c651a84140fb8ff95c5a5cb909941d44bf38db7def58
Opcode Fuzzy Hash: e2acf11fa8d8cd52715501ebd176e7256f7b4c7e278642ba3f994c6fda87dd3e
Instruction Fuzzy Hash: 40119130E1960E8FEB90EFA8C85A5BD77E1FF58700F4146B6D41CC61B6EE34A5448740

Function 00007FFD9B7E0EFD Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11866858181d256b7f4783e98e80ee9a2c80bb8a6f172d9a50dab346f05aab76
Instruction ID: c8765f6b73e02b69046cd0aa1f0c23bb1eaf7ae84c27e28696dab9499535ecc1
Opcode Fuzzy Hash: 11866858181d256b7f4783e98e80ee9a2c80bb8a6f172d9a50dab346f05aab76
Instruction Fuzzy Hash: B5212431F09A0E8BEB64DB94C865FEEB7B1EF54300F114275D009DB2B9DE34A9458B80

Function 00007FFD9B7F2E49 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e040a96ef224cc53c2d93eebf84246bc72ccc6d510b703da6ef09b202c1b1e
Instruction ID: 251ab89eae59735944102b681a79e055024b8f18fc96853bf91622c0a308f802
Opcode Fuzzy Hash: f0e040a96ef224cc53c2d93eebf84246bc72ccc6d510b703da6ef09b202c1b1e
Instruction Fuzzy Hash: 9B21D531A0E68A8FE752EBB4886C6E97FF1FF5A300F1505F6E448C7172DA286644C751

Function 00007FFD9B7F20E1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94182054105ca92d64308dccc6870d2807112c4f0313fc384b13f68e77c2e3b9
Instruction ID: c478bea09b290c29d7d6fd0aa78f3cf0788ef0bf20607f2e370efbf9d5d7bb66
Opcode Fuzzy Hash: 94182054105ca92d64308dccc6870d2807112c4f0313fc384b13f68e77c2e3b9
Instruction Fuzzy Hash: 3111BE30A0924D8FDB59DF68C4A55F93FE0FF59304F5202AEF84A832A1DA34A540CB84

Function 00007FFD9B7F6A75 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27e311ed50a98cc65b72684550dc3f0c9904cb0465759dbb140270211fa9ff7
Instruction ID: 013ff00d881c4579a215f0647eed92bbb053f7fbf5444ffe385eda572705e664
Opcode Fuzzy Hash: b27e311ed50a98cc65b72684550dc3f0c9904cb0465759dbb140270211fa9ff7
Instruction Fuzzy Hash: 8C11B130E0964E8FDB58EFA884696BD3BA0FF68300F0542BAD41DC61B6DE34A540C781

Function 00007FFD9B7F43C5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21db55df2f9101068357edfa52c3d17ef63d6378c34d983888f15cfae96ab1f
Instruction ID: b5d9d5cf3e93720672cfe91986895eb1802eeae84bf3023e7b996c009abfc445
Opcode Fuzzy Hash: d21db55df2f9101068357edfa52c3d17ef63d6378c34d983888f15cfae96ab1f
Instruction Fuzzy Hash: 0411A270E0D64E8FEB59EF6884692B97BE0FF58301F0201BED419D61B1DA346550C780

Function 00007FFD9B7F4329 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5341bbbb2b7fc823e6816eaf2b68aa5614f68f51d7ff705af262c953ff46bd6d
Instruction ID: fc580afce288e3764ae5094fe41cbf9483b9f597b0c1ed5971836e7c26ed6a51
Opcode Fuzzy Hash: 5341bbbb2b7fc823e6816eaf2b68aa5614f68f51d7ff705af262c953ff46bd6d
Instruction Fuzzy Hash: 37219D30A0D78E8FEB59EFA484652B97BA1FF59301F0602BED419D61A6DA34A540C781

Function 00007FFD9B7F48E5 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb720a565a679409863b7ef4f7313d5362a3b5a2c20f3a8305bca27d120dc54
Instruction ID: 329db558a0138cf4df528fdc3c2c2552688b26d1a64d3162e89c9d78d1557e71
Opcode Fuzzy Hash: 0cb720a565a679409863b7ef4f7313d5362a3b5a2c20f3a8305bca27d120dc54
Instruction Fuzzy Hash: 6311D071B0EB8A8BEB69DBA488B52B87AD0EF55304F0601BED01D865F2DE256510C641

Function 00007FFD9B7EC6C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7ea000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c4d0d9a2f784049087e8ca746d017fae9497f7327800bfc13745860fbc7c57
Instruction ID: 62c8a6f287aae0e5bfce910ea1179d5901dee1663a88113c1839a3bd2de1c70a
Opcode Fuzzy Hash: c4c4d0d9a2f784049087e8ca746d017fae9497f7327800bfc13745860fbc7c57
Instruction Fuzzy Hash: 05116D34A0A74E8FEB59EB7488695B93BB0FF15304F0205BBD419D61B2DE386A44C710

Function 00007FFD9B7F4C59 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf45ae9e55bbbb295ede5463a8c176d8466b68d8e3bff9bfd5a83a63995e7f4
Instruction ID: ec6e41dd1bdabac23c0bf1617c46a70b2a79f0ee1899c6af046a72ce5b562dea
Opcode Fuzzy Hash: adf45ae9e55bbbb295ede5463a8c176d8466b68d8e3bff9bfd5a83a63995e7f4
Instruction Fuzzy Hash: F911DD30E0A68E8FEB65EBA488696B97BB0FF19304F0105BED419CA1F2DE346540C741

Function 00007FFD9B7F24D1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11dca6dd68e5fecfffa00727ffc66e861230a9550a530da44098773b1d451ce8
Instruction ID: 360c32a84bf310932ca15cdf40b4e4106c8eabbbdfc93fdec5f6437d122ffc1a
Opcode Fuzzy Hash: 11dca6dd68e5fecfffa00727ffc66e861230a9550a530da44098773b1d451ce8
Instruction Fuzzy Hash: B111C470E0D65E8FE752ABB488685F97FE4EF1A300F0505B2E418C70B6EA34A644C741

Function 00007FFD9B7F6BAD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e621cf0eca817504e741c2beeb95de4bb5d69504da230bb840c913e4b2ccc71b
Instruction ID: 60efbb94df65f8b21b643469143a26453e694b80367193de72ee4f06d648d86d
Opcode Fuzzy Hash: e621cf0eca817504e741c2beeb95de4bb5d69504da230bb840c913e4b2ccc71b
Instruction Fuzzy Hash: AD112070B0A64E8FEB68EFA4C4656B93BE0EF28300F1102BAD41DC61F2CE34A540C781

Function 00007FFD9B7F70D1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd4f1584378570c3312eebbd928d3a1d934b00d6f1f0fff2ce50b92861ac66bd
Instruction ID: 85c902f9b8df714dd43abd9c9e0bf2c172106198488518d42e81584815a508d4
Opcode Fuzzy Hash: bd4f1584378570c3312eebbd928d3a1d934b00d6f1f0fff2ce50b92861ac66bd
Instruction Fuzzy Hash: 4C118E31A0A64E9FEB61EFA4C8586A97BF4FF19300F0509B6D419C70B1DA38A644C790

Function 00007FFD9B7E1140 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf7c77ba3bb7031308d9f201166358a122af64fdbda0e08385f9f0d2b7c1430
Instruction ID: 3662f187c08f0301d37186b3c001a57f64c1fc2552c126a858981d742ed6893a
Opcode Fuzzy Hash: fbf7c77ba3bb7031308d9f201166358a122af64fdbda0e08385f9f0d2b7c1430
Instruction Fuzzy Hash: CA11E570E0960E8AEB68EBA8C4697BE77E0FF59304F00057EE41AD65F1DE356650C740

Function 00007FFD9B7F4BCD Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c63e041fd6f0280a36c198b080321e56c4871193f355b3675c5bb7bcb38380
Instruction ID: 53dea1c79a67ec8ab9cf462f3d5a54c5f76e80ceefd18db18d87547af0291c3d
Opcode Fuzzy Hash: 92c63e041fd6f0280a36c198b080321e56c4871193f355b3675c5bb7bcb38380
Instruction Fuzzy Hash: 3111CE31A0968E8FEB58EBA488696B97BE0FF18304F0105BED41EC61E2DE346540C740

Function 00007FFD9B7F5CF9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b190659d05249c2b400efc6b20dab803bbc9e0afc681adbc5fbe2624b3b44d
Instruction ID: b576c882993442bc51c96a95fa22d80f1b56160befd8451cc1dafd0ee22d9e00
Opcode Fuzzy Hash: c2b190659d05249c2b400efc6b20dab803bbc9e0afc681adbc5fbe2624b3b44d
Instruction Fuzzy Hash: 7D119131E0E68E8FE751AB7488AD5A97FF0EF19300F0606B2D40CCA0B6DA34A544C751

Function 00007FFD9B7F4A0D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1d27f65bf572a954087f9b796d38a98b15a8a21291c59e9e2aa149e2704290
Instruction ID: f190844f2621dd13785291efed2afe44b77ce3ba9255f534feeffe00de6f20cb
Opcode Fuzzy Hash: ff1d27f65bf572a954087f9b796d38a98b15a8a21291c59e9e2aa149e2704290
Instruction Fuzzy Hash: 0D11DD70E0E68E8FEBA8EB6488692BD7AA0FF18300F0105BED019C61B2DE346540CB45

Function 00007FFD9B7E2E2A Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac077ef2e8b03eb16c2dda5bfe15233a44aa4efbba73b89106cd5c3cca71567
Instruction ID: 41cbc15229d988a1d08097fcf74f7df235266c54f4b20e5874b80576920892b1
Opcode Fuzzy Hash: 5ac077ef2e8b03eb16c2dda5bfe15233a44aa4efbba73b89106cd5c3cca71567
Instruction Fuzzy Hash: 52019230E5E79E9FD751EBA484589A97BF0EF06300F0145BBD408C70B2DA38A544C701

Function 00007FFD9B7E34C5 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6aa613daba8b0963965d3b78f7ed6649a19b3d60d4544aa6c9732c5c0c87a0
Instruction ID: 0ea4e29a4c0d0e1dce4da760db3ad5755ae372c0ff49500bf658117d26439517
Opcode Fuzzy Hash: fc6aa613daba8b0963965d3b78f7ed6649a19b3d60d4544aa6c9732c5c0c87a0
Instruction Fuzzy Hash: 9F113C70A1964E8FDB55EF64C8696BA77B0FF18304F4205BED419C61B1DA35A540CB10

Function 00007FFD9B7EBE09 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7ea000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404e2d308da1ac9b3dcf5305aa201686634a765f29ed4ec48a54c896fdfd568b
Instruction ID: 3045e498a18f452ee4a3736bb909e16804f4a877b83ac672d3cc2e6374b2b53f
Opcode Fuzzy Hash: 404e2d308da1ac9b3dcf5305aa201686634a765f29ed4ec48a54c896fdfd568b
Instruction Fuzzy Hash: 8D117030A0A74E8FEB55EB6488A96B97FF0FF19300F0505BAD419C61B2DB35A650C740

Function 00007FFD9B7EAF1E Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7ea000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1453604abc50ea8ff3782cd3fac86bdfa3f2b1568faa17eb60b66d6bd8b61991
Instruction ID: 8110c7fd6c0a74223f50f19c1903416467959f3c217f77dfabfe939018c79a2c
Opcode Fuzzy Hash: 1453604abc50ea8ff3782cd3fac86bdfa3f2b1568faa17eb60b66d6bd8b61991
Instruction Fuzzy Hash: 77111571E0A62D8EDFA0DBA4C455AED77F1AF58300F1142B6D40DE32B1DB38AA858B40

Function 00007FFD9B7E05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebb6c21e234a0a3bdbd8299dd427ecf642d165cd474ac3ed06ed359e77b97e9
Instruction ID: 75a94b7efd98b69b9b066d1c2c60441150caf154f7b2776d669f7cb7dcee7c51
Opcode Fuzzy Hash: 9ebb6c21e234a0a3bdbd8299dd427ecf642d165cd474ac3ed06ed359e77b97e9
Instruction Fuzzy Hash: 99018030A0560E8FDB59EF64C4666B977A1EF58304F61057AD41EC25F4CA31A650C740

Function 00007FFD9B7EDC15 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7ea000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3c03ee38776e8312f4cb0178fefd55c8cbcdb8fd12732f8e34e8946b420d20
Instruction ID: 13d9d3009776089c77d7c52d8d3194376b75f73957abe80091c6691e59e37726
Opcode Fuzzy Hash: cb3c03ee38776e8312f4cb0178fefd55c8cbcdb8fd12732f8e34e8946b420d20
Instruction Fuzzy Hash: A9111C70E1A61D8FDB68DF94C8A4ABDB3B2FF58340F11427AD40AA72B1DB746940CB44

Function 00007FFD9B7F3789 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b334cfcc304f31290eef243238d9d2a221fd787d4ca72b54b6d42dda8ab2f198
Instruction ID: e8d28c55fdcc9e77be1030d0e8517c38352a178b47d924d593bdeb7158ae200e
Opcode Fuzzy Hash: b334cfcc304f31290eef243238d9d2a221fd787d4ca72b54b6d42dda8ab2f198
Instruction Fuzzy Hash: D3019671F1964E9EEB51FBB488A85B97AF0FF18310F020676E41CC71B5EE34A6808761

Function 00007FFD9B7EABFA Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7ea000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27740b078acc9a473131c06b082be79a2acf15b819fab3991e4f1091160339c4
Instruction ID: 4484cdc67889e673804d6d5d3af29921cddab47dc562219dfeb4b5b25fad3478
Opcode Fuzzy Hash: 27740b078acc9a473131c06b082be79a2acf15b819fab3991e4f1091160339c4
Instruction Fuzzy Hash: 9701B971E0EB4E4FE761E76884A81B97BD0FF59314F1206B6D45AC30F2EE34A5448240

Function 00007FFD9B7EB98C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7ea000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b496b33f10078b24d891343983edb5555544f99b89664ba9383c845374512e0b
Instruction ID: c263cec0ad0fdb37fac6f57deea5c8a213233ac8cb3397d0507a6377a420d682
Opcode Fuzzy Hash: b496b33f10078b24d891343983edb5555544f99b89664ba9383c845374512e0b
Instruction Fuzzy Hash: DB014030A1964E8EEB54EF68C4A82BD7BE0FF18305F51057AD41AD22B1DE3566508740

Function 00007FFD9B7E280D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9824186c9d70eb8f167e58466353529c5cfbf21c6330658250eaab760f00126d
Instruction ID: e481ae0e336800f2b9303de39e94c6d04b775eac9d1173a9721bc28f653af0b1
Opcode Fuzzy Hash: 9824186c9d70eb8f167e58466353529c5cfbf21c6330658250eaab760f00126d
Instruction Fuzzy Hash: B9018F30E5A60E8FE761EBA488595B977F0EF59300F4245B6D418C60B6EE38E654C710

Function 00007FFD9B7F7909 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7f1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0fdea374931b6cfe2bd9e0adb20b4918f8591a1d423700aa42ceb561c3aa47
Instruction ID: 5e40c717ff1fd04e97fb0aa8329df8fe05652b5ed0461a2c83fd8d55f5ec93a6
Opcode Fuzzy Hash: 6d0fdea374931b6cfe2bd9e0adb20b4918f8591a1d423700aa42ceb561c3aa47
Instruction Fuzzy Hash: 70016D31A4E68E9FDB59DB6488656BD7FA0EF15304F0205BED009C60E2DA25A654C741

Function 00007FFD9B7E2EA9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f6fcea65e3a9392a890c785f0d8f8cf22957da4a6b1eb3017db2430638ba89
Instruction ID: c3f639ea0485c816fc75c7695c9fb249511a910a272efa67aa92abc2db058b7c
Opcode Fuzzy Hash: 18f6fcea65e3a9392a890c785f0d8f8cf22957da4a6b1eb3017db2430638ba89
Instruction Fuzzy Hash: BA018431A0A74E9FE751E7B4885D5A97BE0EF05304F460AB3D018CB0B6EB38A654C711

Function 00007FFD9B7EA789 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7ea000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8b6f58777cbf62a111a66123871fbc914ab7c190a57ebad19aaf5980ed6678
Instruction ID: c37e4298879f7e11eccf94436b0c592ef3fd3f6774df4f6814efe933988e4199
Opcode Fuzzy Hash: 5e8b6f58777cbf62a111a66123871fbc914ab7c190a57ebad19aaf5980ed6678
Instruction Fuzzy Hash: 4B017C30A5E74E8FE752EB6888685A97BF0EF19300F4649B6D409CB0B6EA38A5448711

Function 00007FFD9B7E33DC Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a98c84106bceea0117548fd5c39f342b08180e43798a410bb540ac8d61ef67
Instruction ID: 84b419b225b9ea2a6a09a7aefb02d41830ed0d710f6432af186c0b7d396212e6
Opcode Fuzzy Hash: 25a98c84106bceea0117548fd5c39f342b08180e43798a410bb540ac8d61ef67
Instruction Fuzzy Hash: E4014431E1991E8EEB52EB68C4585B9BBE0FF19304F020576D419D70B5DA34E5448750

Function 00007FFD9B7EF1C9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7EF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7ef000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd231af7372be9a9c096781b0605d19ae88aecec76c95c8e5f223781a63cf2f
Instruction ID: 0f8389fe71f3c57751201f23b7562f05d397e448e88f5c544174a22b4f50e42b
Opcode Fuzzy Hash: 9fd231af7372be9a9c096781b0605d19ae88aecec76c95c8e5f223781a63cf2f
Instruction Fuzzy Hash: AE11BE70E1965D8BDBA8DF2488657E8B6B1EF58304F4141F9915DE32A1DF342EC18F44

Function 00007FFD9B7E0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2469da2b1b5b331aca3516ff07bdcf0069a1b71c8f46cab5cf328a6dbf443f02
Instruction ID: f31e1c7207844b9d830d083f79ad5afc88e9fc18d39795919b65d12913244a19
Opcode Fuzzy Hash: 2469da2b1b5b331aca3516ff07bdcf0069a1b71c8f46cab5cf328a6dbf443f02
Instruction Fuzzy Hash: 95018130A1560E8BEB69EBA4C4686B973E0FF18305F5109BED41ED61F5DE35B690CA00

Function 00007FFD9B7E0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50602c6836d913753d5f0e015b917dda75ed3fdfeec32aac098747b6c796c3d0
Instruction ID: fbf07ceec4f330f2b46aca7980fac30786f209bad93175c5fdcf7f17ae895dbe
Opcode Fuzzy Hash: 50602c6836d913753d5f0e015b917dda75ed3fdfeec32aac098747b6c796c3d0
Instruction Fuzzy Hash: 17018130A1960E8BEB68EBA4C4686BD77A0FF19305F51097ED41ED61F5DE35B690CA00

Function 00007FFD9B7E1C6D Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca43ae2bc8fce26392e4503d2010c4342df58ec46a90bf9b36a6409a0686620
Instruction ID: f1a32bcb6caf1a653441f840fffb17786255f923c5487ee1eedfda296e87d001
Opcode Fuzzy Hash: 6ca43ae2bc8fce26392e4503d2010c4342df58ec46a90bf9b36a6409a0686620
Instruction Fuzzy Hash: 86018130A0A64E8FDB559F5484666BA37A0FF55304F51057AE80DC65F1CB35A950C740

Function 00007FFD9B7E05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64156607bf7c18ab93df52d05987002ddc3717e33942b7614c437cfd0f5e5652
Instruction ID: 1f91c7b488d209ebef7cc993ba3dcf1b4c0887a4c5bbb2886d72d846ef9a4963
Opcode Fuzzy Hash: 64156607bf7c18ab93df52d05987002ddc3717e33942b7614c437cfd0f5e5652
Instruction Fuzzy Hash: C2F0C230E0A64E8FEB65EF6494666FA37A0EF45308F51057AE80EC25F1CE35A690C740

Function 00007FFD9B7E2729 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8adaf80777166e91bc59d1d22c71e2190fa742f148b4dd1049314cd21b74a9
Instruction ID: 0b2516705c18dee6b01dd89ee505a2a40ef71aa701d7e9377aff3c071adec39a
Opcode Fuzzy Hash: 8c8adaf80777166e91bc59d1d22c71e2190fa742f148b4dd1049314cd21b74a9
Instruction Fuzzy Hash: 13F0963191E38E8FD76A9F6488652B93BB0FF06204F4505BAD419C61F2DB78A554CB41

Function 00007FFD9B7E279D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874ac0021208f742ed06b03225ae6e969f84421b1763e5a7c83014f911a85599
Instruction ID: 389e4183e63f0a5e99ea6db9ca7025e633bf78f457688b438f52f598e5a0ed24
Opcode Fuzzy Hash: 874ac0021208f742ed06b03225ae6e969f84421b1763e5a7c83014f911a85599
Instruction Fuzzy Hash: 38F02B3091E78E8FE7699FA484251BD3BA0FF06310F4105BED509C50F2DB399554C700

Function 00007FFD9B7EFCCB Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7EF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7ef000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a5a71ea54bb4006919fdbdc31a384dae9b85e67216692e749e055e125d70b2
Instruction ID: d694b8c259115e6115da2382a5e51b0631a547a98d7d14e1b5770e4311ce3ae3
Opcode Fuzzy Hash: 01a5a71ea54bb4006919fdbdc31a384dae9b85e67216692e749e055e125d70b2
Instruction Fuzzy Hash: C4F0B770E4A62D8EEBA0DF58D854BEDB7B0FF18310F0105E9D00DD22A1CB345A908F40

Function 00007FFD9B7EFC48 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7EF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7ef000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa91ee89ef2ef130b2e401cfa6cb330d08b3668cc17d18171191f8e9bafbbabe
Instruction ID: bf77bb29d4743f302f75a41dba5088eabd4ac11d78829419a50478674670e6ff
Opcode Fuzzy Hash: aa91ee89ef2ef130b2e401cfa6cb330d08b3668cc17d18171191f8e9bafbbabe
Instruction Fuzzy Hash: DCF0AC70E0862E8BDBA9DF49C8507ADB7B5EF94300F0141B6901D922A5CA345B809F41

Function 00007FFD9B7E4B8B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1908022232.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a62d0e45861a6616a1b15f344f0830dda966e8bb525cf26cad9e9d8ed721a2
Instruction ID: a717ae1a23a0a560ef16894fa7a97f3d479d0fe9e6229c6c9a1565600b65f01c
Opcode Fuzzy Hash: 29a62d0e45861a6616a1b15f344f0830dda966e8bb525cf26cad9e9d8ed721a2
Instruction Fuzzy Hash: 9EC0C970A0A61D8AD7B0DA4888606E872B5AF08300F1141F8D10ED31F1CD242BC14B54

Analysis Process: WinStore.App.exePID: 7692, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B7E3545 Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

X_H, xrefs: 00007FFD9B7E35CD

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID: X_H
API String ID: 0-215283271
Opcode ID: 09984decbc1d9e699c1c875a12b4f26efd07cdfd9265d4ca847a104d289e1c88
Instruction ID: 984695c68fcdf90f8f469b227034d1d3dbfa3b5c86dbe5b9dea3d1fb816b5adc
Opcode Fuzzy Hash: 09984decbc1d9e699c1c875a12b4f26efd07cdfd9265d4ca847a104d289e1c88
Instruction Fuzzy Hash: DDA1C171A19A4E8FEB59DF68C865BAD7BE1EF99304F4102BAD009D72E6DF7428018740

Function 00007FFD9B7EE622 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

}, xrefs: 00007FFD9B7EE659
D, xrefs: 00007FFD9B7EE694

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID: D$}
API String ID: 0-1468928041
Opcode ID: df837ae35575288543cc23feb6e94fa75cc9abedae94cae018d7da156a11d6c4
Instruction ID: fefec2d4e80b7d5238ae1319dc057950002a508514532e5244dc2207b85eb62e
Opcode Fuzzy Hash: df837ae35575288543cc23feb6e94fa75cc9abedae94cae018d7da156a11d6c4
Instruction Fuzzy Hash: E521B470A0962D8FEBA4DF54C854BEDB7B1FF54301F1086EAD00D962A5CB345A848F80

Function 00007FFD9B7EC97D Relevance: 1.9, Strings: 1, Instructions: 633COMMON

Download Yara Rule

Strings

JS_H, xrefs: 00007FFD9B7F588E

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID: JS_H
API String ID: 0-4264787861
Opcode ID: e75c2ae7aa95ebcd6d868fbad3140a70297398fa35f7757edb806fceb90b97d3
Instruction ID: 1d7be9032514985e950842b2920a48781c8afa0dd9c9936fea4b2f7150d0bc95
Opcode Fuzzy Hash: e75c2ae7aa95ebcd6d868fbad3140a70297398fa35f7757edb806fceb90b97d3
Instruction Fuzzy Hash: 76023A32B0DE4E4FDBA8EB6CE464AF977D1EF98311B1502BBD40DC71A6DD24A9458380

Function 00007FFD9B7ED6B9 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

MM_H, xrefs: 00007FFD9B7ED76E

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID: MM_H
API String ID: 0-1969015126
Opcode ID: a43be1ddb23272c7678d36a1bfae511e880a39989919539001f460d183fda4bf
Instruction ID: 946b048566db93fcbfdae00a3fd271975ce0049ae98f26f4e49c1b9ee47dadf0
Opcode Fuzzy Hash: a43be1ddb23272c7678d36a1bfae511e880a39989919539001f460d183fda4bf
Instruction Fuzzy Hash: 74E13E71E19A5D8FDB68DF98C8A47BCB7A1FF58300F4501BAD01DE72A6CA346940CB41

Function 00007FFD9B7EC5FB Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

~M_^, xrefs: 00007FFD9B7EC601

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID: ~M_^
API String ID: 0-1662397256
Opcode ID: b84a43818bbfff5787789730dbb63a962711e113f594be2cd8deb29db89f5c40
Instruction ID: 1439b65dad38af65197798614b0aa738d08769f5b078b8db48882a3cf9593883
Opcode Fuzzy Hash: b84a43818bbfff5787789730dbb63a962711e113f594be2cd8deb29db89f5c40
Instruction Fuzzy Hash: AA41162BB0D35E4AE725BABCB9254FD7B60EF8133AB1A02B7D10DC50F3CE1865454260

Function 00007FFD9B7F0BA7 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

,, xrefs: 00007FFD9B7F0E65

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 8ba33569b1b75c684aa71b3f1d509ce7f236605c0ffd2ae1bbf59d153646bcdd
Instruction ID: 77e40b00ff93165a6a9522185809a3339588c960de5208728f405f02324602b1
Opcode Fuzzy Hash: 8ba33569b1b75c684aa71b3f1d509ce7f236605c0ffd2ae1bbf59d153646bcdd
Instruction Fuzzy Hash: FD011E35F0821D8BDB28DF94C8A56EDB771FB55311F01027AC1199B6A0CB745A44CF84

Function 00007FFD9B7E1698 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60894890dfa916056407633e90df44757924f7dcc99d9dfa61920bb618d36bf0
Instruction ID: e79df68125193f4f8245083b36b8969c05c367275d4e44a04070f09410f2c09d
Opcode Fuzzy Hash: 60894890dfa916056407633e90df44757924f7dcc99d9dfa61920bb618d36bf0
Instruction Fuzzy Hash: 9F81C031B0DB494FDB58DE5C88665A977E2EF98304B15027AE45DC32B2DE34AD028781

Function 00007FFD9B7EC55D Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 336255bc077875add2a07e20e3d814dc6f96a2a20bf59b27eb3607687d33ee18
Instruction ID: 37fcf13f561c5615c94bd6c033410e0ceaf214af0e7680d9ead6148dcdb126e3
Opcode Fuzzy Hash: 336255bc077875add2a07e20e3d814dc6f96a2a20bf59b27eb3607687d33ee18
Instruction Fuzzy Hash: E551282FB0D66A8AE325BBBCB8254FD7760EF80336B1946B7D109C50F3CE18754646A0

Function 00007FFD9B7EBE89 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ba86e60ba7451f72cdb08b71ace55cce9e3b352370302aa788c9a65ee04fed
Instruction ID: 12325667f84a403bbca3eafa8b777d6268ee7f7ce2408506670d46f56c4cc7cf
Opcode Fuzzy Hash: 36ba86e60ba7451f72cdb08b71ace55cce9e3b352370302aa788c9a65ee04fed
Instruction Fuzzy Hash: 1861FC74E1961D8FDB64EBA8C8A56EDBBB1FF59300F51027AD00DD72B2DE3869408B40

Function 00007FFD9B7E1CED Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0efa5047c36f30b9ff323ef25519aefaf30fb7c4b05c9e92ba011449ecfcc78c
Instruction ID: 293ce3a4bfb979f757d5d8bf1e230b16c3c8ac17dfb72b289afabd356ee81b97
Opcode Fuzzy Hash: 0efa5047c36f30b9ff323ef25519aefaf30fb7c4b05c9e92ba011449ecfcc78c
Instruction Fuzzy Hash: 4051DD31B09B494FDB58DE5888655BA73E2FF98301B15427EE45EC72A2CE34ED028781

Function 00007FFD9B7F4F00 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6adc9ba764ebec5babe4c437b92bc5e53d128785980400a5a5b83326ac6640
Instruction ID: c333105e2fce9d207c8e320ab5359f0cd9dd591bc353d6b43212656d9cbf8aeb
Opcode Fuzzy Hash: 9c6adc9ba764ebec5babe4c437b92bc5e53d128785980400a5a5b83326ac6640
Instruction Fuzzy Hash: 60510171E19A1D8FDFA4EBA8D455BADBBF1FF68301F41016AD00DE32A5DE3469418B80

Function 00007FFD9B7E3191 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce94e140fc0eef377245889a604c540058d30cbdec24d137da344f5c3764325
Instruction ID: fb01d6202916a1114d830aafecd2e102df4fbbd3aa136c7200e996c532432d06
Opcode Fuzzy Hash: fce94e140fc0eef377245889a604c540058d30cbdec24d137da344f5c3764325
Instruction Fuzzy Hash: 7F513C70E0961D8FEB65DB98C464AEDB7F1EF58301F52017AD009E72B1DE38AA44CB50

Function 00007FFD9B7EADFD Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bea94b53ee66f450b2dd0afe31636db105797cf92e98343091749dc43dbd9ec
Instruction ID: eaf87e487c4c236aa457d5cd95bde8398682b299b59f9d870eed6cc68e8c9ddc
Opcode Fuzzy Hash: 5bea94b53ee66f450b2dd0afe31636db105797cf92e98343091749dc43dbd9ec
Instruction Fuzzy Hash: 1C515271E0A61E8EEB64DFA4C4957ED77F1EF58300F0142B6D01DE72B1DA386A858B50

Function 00007FFD9B7ECA1D Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37b7fb8c742be7f348b1616d32d76ad5d6f37b12cea4239677f31b3191cc4ff
Instruction ID: aa636b80d278db331e01dd7af91fb8fccc30229fad3884d3678dbe45412dc3df
Opcode Fuzzy Hash: b37b7fb8c742be7f348b1616d32d76ad5d6f37b12cea4239677f31b3191cc4ff
Instruction Fuzzy Hash: 2221F437B09A1A8AD311BFBCE4196FD77E0EF85326B2547B7E058C51A2DE34A1858780

Function 00007FFD9B7E2189 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1772e0d2ed039ec8823727f2ed8f54a969b1ffee03221c1de7c1b2099d1e617
Instruction ID: 8f3758754231561cb40d79f8ab1284fe8cc8ce5d0e1614d3c468366802d8e533
Opcode Fuzzy Hash: f1772e0d2ed039ec8823727f2ed8f54a969b1ffee03221c1de7c1b2099d1e617
Instruction Fuzzy Hash: 4D11B130F1960E4FE715EBB488699B977E0EF46304F0145F6E41DC70B6EE38AA858751

Function 00007FFD9B7E084D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d076ab6a8bddd30c588a0c05312e5cc69d2a948b747f9f18e48aab0842a9a9
Instruction ID: 025b66b69dc90df47ea2906d4dc01b441e90bc7fc32f9741df74bd2bf1cf6263
Opcode Fuzzy Hash: 23d076ab6a8bddd30c588a0c05312e5cc69d2a948b747f9f18e48aab0842a9a9
Instruction Fuzzy Hash: A8113630B0920E8FEB11EBB8C4A99E937E0EF45304F0645B6D419DB0BBDD34A544C291

Function 00007FFD9B7E0A01 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d942331695201b3b58f5ca47f916d35e27a642f149493fc059cda65b7761fdf
Instruction ID: 446714126017faff6be8945175a5a4ba86b260d53f4ad205161583de6162d19d
Opcode Fuzzy Hash: 4d942331695201b3b58f5ca47f916d35e27a642f149493fc059cda65b7761fdf
Instruction Fuzzy Hash: 02119130E1960E8FEB50EFA8C85A5BD77E1FF58700F4146B6D41CC61B6EE34A5448740

Function 00007FFD9B7E0EFD Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39b47918ed282c3409c9f897ea7e8457cb3f0227d5b399b78ecc9bcde9d4ca5
Instruction ID: d71401d65548828516e999d338ca221de6236f1a5c3952254475f7c89d2afc52
Opcode Fuzzy Hash: b39b47918ed282c3409c9f897ea7e8457cb3f0227d5b399b78ecc9bcde9d4ca5
Instruction Fuzzy Hash: 54212431F09A0E8BEB64DB94C865FEEB7B1EF54300F114275D009DB2B9DE34A9458B80

Function 00007FFD9B7EC6C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219d68b2587e58b46c8690904454daf1b1cfa51e63441bb61d13207d2cf7d656
Instruction ID: 62c8a6f287aae0e5bfce910ea1179d5901dee1663a88113c1839a3bd2de1c70a
Opcode Fuzzy Hash: 219d68b2587e58b46c8690904454daf1b1cfa51e63441bb61d13207d2cf7d656
Instruction Fuzzy Hash: 05116D34A0A74E8FEB59EB7488695B93BB0FF15304F0205BBD419D61B2DE386A44C710

Function 00007FFD9B7E1140 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf7c77ba3bb7031308d9f201166358a122af64fdbda0e08385f9f0d2b7c1430
Instruction ID: 3662f187c08f0301d37186b3c001a57f64c1fc2552c126a858981d742ed6893a
Opcode Fuzzy Hash: fbf7c77ba3bb7031308d9f201166358a122af64fdbda0e08385f9f0d2b7c1430
Instruction Fuzzy Hash: CA11E570E0960E8AEB68EBA8C4697BE77E0FF59304F00057EE41AD65F1DE356650C740

Function 00007FFD9B7E34C5 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6aa613daba8b0963965d3b78f7ed6649a19b3d60d4544aa6c9732c5c0c87a0
Instruction ID: 0ea4e29a4c0d0e1dce4da760db3ad5755ae372c0ff49500bf658117d26439517
Opcode Fuzzy Hash: fc6aa613daba8b0963965d3b78f7ed6649a19b3d60d4544aa6c9732c5c0c87a0
Instruction Fuzzy Hash: 9F113C70A1964E8FDB55EF64C8696BA77B0FF18304F4205BED419C61B1DA35A540CB10

Function 00007FFD9B7EBE09 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f92610a1c55c65f407a16fc879ca4acf34061a423266c23684389c0d94bcf11
Instruction ID: 3045e498a18f452ee4a3736bb909e16804f4a877b83ac672d3cc2e6374b2b53f
Opcode Fuzzy Hash: 7f92610a1c55c65f407a16fc879ca4acf34061a423266c23684389c0d94bcf11
Instruction Fuzzy Hash: 8D117030A0A74E8FEB55EB6488A96B97FF0FF19300F0505BAD419C61B2DB35A650C740

Function 00007FFD9B7EAF1E Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa3bad194dd9e973fcde4d4c888999833b5d71348f61c8d4f3ebec203892e9f
Instruction ID: 0d28fc9b1f7fe58508c2ae2e03cb4e2fb33b86ae32945f39e20605044680ee23
Opcode Fuzzy Hash: 4fa3bad194dd9e973fcde4d4c888999833b5d71348f61c8d4f3ebec203892e9f
Instruction Fuzzy Hash: 06111570E0A62D8EDF60DBA4C455AED77F1AF58300F1142B6D40DE32B1DF38AA858B40

Function 00007FFD9B7E2E31 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60fd50d2d1be3c0a3a46886e8a05c8d5640c109ca26c02374e7d74768c0d9030
Instruction ID: b9822aa60a2cf1f9bd42d47f2acf137c549acd1a0512c36a7f707f2b046d5dd7
Opcode Fuzzy Hash: 60fd50d2d1be3c0a3a46886e8a05c8d5640c109ca26c02374e7d74768c0d9030
Instruction Fuzzy Hash: A0018F30E1A75E8FE761EBA484599AA77E0EF19300F4245B6D40CCB0B6EE38E540C700

Function 00007FFD9B7EDC15 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1ce25571a69331f37c5cb6611c6c3e581821b868b1a263e9a9aab4436e4194
Instruction ID: 13d9d3009776089c77d7c52d8d3194376b75f73957abe80091c6691e59e37726
Opcode Fuzzy Hash: cc1ce25571a69331f37c5cb6611c6c3e581821b868b1a263e9a9aab4436e4194
Instruction Fuzzy Hash: A9111C70E1A61D8FDB68DF94C8A4ABDB3B2FF58340F11427AD40AA72B1DB746940CB44

Function 00007FFD9B7E05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebb6c21e234a0a3bdbd8299dd427ecf642d165cd474ac3ed06ed359e77b97e9
Instruction ID: 75a94b7efd98b69b9b066d1c2c60441150caf154f7b2776d669f7cb7dcee7c51
Opcode Fuzzy Hash: 9ebb6c21e234a0a3bdbd8299dd427ecf642d165cd474ac3ed06ed359e77b97e9
Instruction Fuzzy Hash: 99018030A0560E8FDB59EF64C4666B977A1EF58304F61057AD41EC25F4CA31A650C740

Function 00007FFD9B7EABFA Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9337064cd70c246f9f44e4ea475da0f52ce319b611d2c4a6915b8f8563fdf0b8
Instruction ID: 4484cdc67889e673804d6d5d3af29921cddab47dc562219dfeb4b5b25fad3478
Opcode Fuzzy Hash: 9337064cd70c246f9f44e4ea475da0f52ce319b611d2c4a6915b8f8563fdf0b8
Instruction Fuzzy Hash: 9701B971E0EB4E4FE761E76884A81B97BD0FF59314F1206B6D45AC30F2EE34A5448240

Function 00007FFD9B7EB98C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8b1fd76eb4a31bb32cd4929c174680b1ca3fc0d3fd1dd837ce63e91837abc2
Instruction ID: c263cec0ad0fdb37fac6f57deea5c8a213233ac8cb3397d0507a6377a420d682
Opcode Fuzzy Hash: 0b8b1fd76eb4a31bb32cd4929c174680b1ca3fc0d3fd1dd837ce63e91837abc2
Instruction Fuzzy Hash: DB014030A1964E8EEB54EF68C4A82BD7BE0FF18305F51057AD41AD22B1DE3566508740

Function 00007FFD9B7F0AB0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d555ce3934be822e78ec59475be171347e84d35af17581b01b78ecf666f5f2ca
Instruction ID: f9f4b5e834876cf0039a07885bc47f1d42bb1584cc891d23d4e220ed0a139680
Opcode Fuzzy Hash: d555ce3934be822e78ec59475be171347e84d35af17581b01b78ecf666f5f2ca
Instruction Fuzzy Hash: 23011E30A1960E8EDB94EFA4C4696BE7BE0FF18305F51057AD42ED21A1DA75A650C740

Function 00007FFD9B7E280D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9824186c9d70eb8f167e58466353529c5cfbf21c6330658250eaab760f00126d
Instruction ID: e481ae0e336800f2b9303de39e94c6d04b775eac9d1173a9721bc28f653af0b1
Opcode Fuzzy Hash: 9824186c9d70eb8f167e58466353529c5cfbf21c6330658250eaab760f00126d
Instruction Fuzzy Hash: B9018F30E5A60E8FE761EBA488595B977F0EF59300F4245B6D418C60B6EE38E654C710

Function 00007FFD9B7EE346 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0783fc9f3e96adaa4f54cfc247f1bfb90cce35d183bbb664bad25aa74adb53dc
Instruction ID: f2f7b930114ad3b2c621d5061a7b594510c976d0b07d04decd2bfb26c3163a27
Opcode Fuzzy Hash: 0783fc9f3e96adaa4f54cfc247f1bfb90cce35d183bbb664bad25aa74adb53dc
Instruction Fuzzy Hash: 5E11D070E0976E8BEBB8DF44C8547EDB7B2EF55311F1142BAD00A922B4CB345A848F41

Function 00007FFD9B7F0A91 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3843b607bb93cc9f58b3bc240d991ccb25488d85f0f751a5b4ababb8cc8de5b
Instruction ID: 14206c2b6805ec67e2cbddcd72325affbf62f527446f0a8f200e038f72815fa5
Opcode Fuzzy Hash: b3843b607bb93cc9f58b3bc240d991ccb25488d85f0f751a5b4ababb8cc8de5b
Instruction Fuzzy Hash: 92F0C230E0A74E8FDB949FA488292FE3BB0FF15301F42067BE819D21B1DB3496548740

Function 00007FFD9B7EA789 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56fad8ec5f0d72c0213428c2a0e6fbe9c14077766a1364db8625f2a7bc095a2
Instruction ID: c37e4298879f7e11eccf94436b0c592ef3fd3f6774df4f6814efe933988e4199
Opcode Fuzzy Hash: b56fad8ec5f0d72c0213428c2a0e6fbe9c14077766a1364db8625f2a7bc095a2
Instruction Fuzzy Hash: 4B017C30A5E74E8FE752EB6888685A97BF0EF19300F4649B6D409CB0B6EA38A5448711

Function 00007FFD9B7E2EA9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f6fcea65e3a9392a890c785f0d8f8cf22957da4a6b1eb3017db2430638ba89
Instruction ID: c3f639ea0485c816fc75c7695c9fb249511a910a272efa67aa92abc2db058b7c
Opcode Fuzzy Hash: 18f6fcea65e3a9392a890c785f0d8f8cf22957da4a6b1eb3017db2430638ba89
Instruction Fuzzy Hash: BA018431A0A74E9FE751E7B4885D5A97BE0EF05304F460AB3D018CB0B6EB38A654C711

Function 00007FFD9B7E33DC Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a98c84106bceea0117548fd5c39f342b08180e43798a410bb540ac8d61ef67
Instruction ID: 84b419b225b9ea2a6a09a7aefb02d41830ed0d710f6432af186c0b7d396212e6
Opcode Fuzzy Hash: 25a98c84106bceea0117548fd5c39f342b08180e43798a410bb540ac8d61ef67
Instruction Fuzzy Hash: E4014431E1991E8EEB52EB68C4585B9BBE0FF19304F020576D419D70B5DA34E5448750

Function 00007FFD9B7EF1C9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30974bc1cbc93b62949f0c1c0edabcf0bba6d01077bafe0205eb7f1de353bbd2
Instruction ID: 0f8389fe71f3c57751201f23b7562f05d397e448e88f5c544174a22b4f50e42b
Opcode Fuzzy Hash: 30974bc1cbc93b62949f0c1c0edabcf0bba6d01077bafe0205eb7f1de353bbd2
Instruction Fuzzy Hash: AE11BE70E1965D8BDBA8DF2488657E8B6B1EF58304F4141F9915DE32A1DF342EC18F44

Function 00007FFD9B7E0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2469da2b1b5b331aca3516ff07bdcf0069a1b71c8f46cab5cf328a6dbf443f02
Instruction ID: f31e1c7207844b9d830d083f79ad5afc88e9fc18d39795919b65d12913244a19
Opcode Fuzzy Hash: 2469da2b1b5b331aca3516ff07bdcf0069a1b71c8f46cab5cf328a6dbf443f02
Instruction Fuzzy Hash: 95018130A1560E8BEB69EBA4C4686B973E0FF18305F5109BED41ED61F5DE35B690CA00

Function 00007FFD9B7E0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50602c6836d913753d5f0e015b917dda75ed3fdfeec32aac098747b6c796c3d0
Instruction ID: fbf07ceec4f330f2b46aca7980fac30786f209bad93175c5fdcf7f17ae895dbe
Opcode Fuzzy Hash: 50602c6836d913753d5f0e015b917dda75ed3fdfeec32aac098747b6c796c3d0
Instruction Fuzzy Hash: 17018130A1960E8BEB68EBA4C4686BD77A0FF19305F51097ED41ED61F5DE35B690CA00

Function 00007FFD9B7E1C6D Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca43ae2bc8fce26392e4503d2010c4342df58ec46a90bf9b36a6409a0686620
Instruction ID: f1a32bcb6caf1a653441f840fffb17786255f923c5487ee1eedfda296e87d001
Opcode Fuzzy Hash: 6ca43ae2bc8fce26392e4503d2010c4342df58ec46a90bf9b36a6409a0686620
Instruction Fuzzy Hash: 86018130A0A64E8FDB559F5484666BA37A0FF55304F51057AE80DC65F1CB35A950C740

Function 00007FFD9B7E05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64156607bf7c18ab93df52d05987002ddc3717e33942b7614c437cfd0f5e5652
Instruction ID: 1f91c7b488d209ebef7cc993ba3dcf1b4c0887a4c5bbb2886d72d846ef9a4963
Opcode Fuzzy Hash: 64156607bf7c18ab93df52d05987002ddc3717e33942b7614c437cfd0f5e5652
Instruction Fuzzy Hash: C2F0C230E0A64E8FEB65EF6494666FA37A0EF45308F51057AE80EC25F1CE35A690C740

Function 00007FFD9B7E240C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e753fe402ed265a0732180e15034657216e26f1319b54b203ce91eb937cb9178
Instruction ID: e4b771a4add17d1d00e1f37439792e42959b4bdae21016c118425390f03861c1
Opcode Fuzzy Hash: e753fe402ed265a0732180e15034657216e26f1319b54b203ce91eb937cb9178
Instruction Fuzzy Hash: 7201CC30A0961D8EEB74EB80C8657EDB3A1FF56301F5142B9C04ED21B1DF782A888F00

Function 00007FFD9B7E23DE Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef52b49906195a7d7d11b063c63d888ed273ae6d6eaf4d1802e9e753937d9349
Instruction ID: e5164c7f1db9cc9dcaa34ee9d25554a0cf7cdfc0fdc8de8d5c1b3e433b02ce32
Opcode Fuzzy Hash: ef52b49906195a7d7d11b063c63d888ed273ae6d6eaf4d1802e9e753937d9349
Instruction Fuzzy Hash: 46F0CD31A4961D9EEB64EB80C8657ED73A1FF56301F5146B9C44ED21B1DE742A848F00

Function 00007FFD9B7E2729 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8adaf80777166e91bc59d1d22c71e2190fa742f148b4dd1049314cd21b74a9
Instruction ID: 0b2516705c18dee6b01dd89ee505a2a40ef71aa701d7e9377aff3c071adec39a
Opcode Fuzzy Hash: 8c8adaf80777166e91bc59d1d22c71e2190fa742f148b4dd1049314cd21b74a9
Instruction Fuzzy Hash: 13F0963191E38E8FD76A9F6488652B93BB0FF06204F4505BAD419C61F2DB78A554CB41

Function 00007FFD9B7E279D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874ac0021208f742ed06b03225ae6e969f84421b1763e5a7c83014f911a85599
Instruction ID: 389e4183e63f0a5e99ea6db9ca7025e633bf78f457688b438f52f598e5a0ed24
Opcode Fuzzy Hash: 874ac0021208f742ed06b03225ae6e969f84421b1763e5a7c83014f911a85599
Instruction Fuzzy Hash: 38F02B3091E78E8FE7699FA484251BD3BA0FF06310F4105BED509C50F2DB399554C700

Function 00007FFD9B7E4B8B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1904497769.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7e0000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a62d0e45861a6616a1b15f344f0830dda966e8bb525cf26cad9e9d8ed721a2
Instruction ID: a717ae1a23a0a560ef16894fa7a97f3d479d0fe9e6229c6c9a1565600b65f01c
Opcode Fuzzy Hash: 29a62d0e45861a6616a1b15f344f0830dda966e8bb525cf26cad9e9d8ed721a2
Instruction Fuzzy Hash: 9EC0C970A0A61D8AD7B0DA4888606E872B5AF08300F1141F8D10ED31F1CD242BC14B54

Analysis Process: WinStore.App.exePID: 7744, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B803545 Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

V_H, xrefs: 00007FFD9B8035CD

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID: V_H
API String ID: 0-105569101
Opcode ID: f244896bb4d4ba8671a7b70e1691bd28a3d76c9ac9bf98c94043cfb677f5de24
Instruction ID: 3e47a1d4e405bc05f1fe983b678ac8f78fb6983bc142bca1e49427e34547cf4b
Opcode Fuzzy Hash: f244896bb4d4ba8671a7b70e1691bd28a3d76c9ac9bf98c94043cfb677f5de24
Instruction Fuzzy Hash: F9A1CF71A1994E8FEB98DF68C865BED7BE1FF99344F4101BAD049D32EADB7428018740

Function 00007FFD9B80E622 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

D, xrefs: 00007FFD9B80E694
}, xrefs: 00007FFD9B80E659

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID: D$}
API String ID: 0-1468928041
Opcode ID: df837ae35575288543cc23feb6e94fa75cc9abedae94cae018d7da156a11d6c4
Instruction ID: b890761ee5a3a401d38e360e370daf72dca65c288c451db8565d82a0b49dfbb5
Opcode Fuzzy Hash: df837ae35575288543cc23feb6e94fa75cc9abedae94cae018d7da156a11d6c4
Instruction Fuzzy Hash: AE21B571E0962D8FDBA4DF54C865BEAB7B1FF58342F1085EAD44DA2291CB345E848F80

Function 00007FFD9B80C97D Relevance: 1.9, Strings: 1, Instructions: 636COMMON

Download Yara Rule

Strings

JQ_H, xrefs: 00007FFD9B81588E

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID: JQ_H
API String ID: 0-4256672763
Opcode ID: aae5b7280c20e593f9f07e0b42ea4992c43607c82998e397dd463c64b88f6ac0
Instruction ID: 65aed3aa990458012d46a4719a3f3af0dfa4c8b8de008b50f02f63620a08463e
Opcode Fuzzy Hash: aae5b7280c20e593f9f07e0b42ea4992c43607c82998e397dd463c64b88f6ac0
Instruction Fuzzy Hash: D7023932B1E94E4FEBA8EB6CE4649F977D1EF98310B1506BBD40DC7196DE24E9418380

Function 00007FFD9B80D6B9 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

MK_H, xrefs: 00007FFD9B80D76E

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID: MK_H
API String ID: 0-1909568996
Opcode ID: 7e61ce17b7c42ac215b07992acfd724184f5d8ec41df721ed50a201fee32ce4a
Instruction ID: 253562b8d3256a0045f1bfff03d9acfc0c0fe0937d9e312900157c74497b89a6
Opcode Fuzzy Hash: 7e61ce17b7c42ac215b07992acfd724184f5d8ec41df721ed50a201fee32ce4a
Instruction Fuzzy Hash: DFE14C71E19A5D8FEBA8DFA8C4A47F8B7A1FF58340F0541BAD45D932A6CA346940CB40

Function 00007FFD9B80C5FB Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

~K_^, xrefs: 00007FFD9B80C601

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID: ~K_^
API String ID: 0-1738233850
Opcode ID: ad631983505aff488711fc07ee9a4bfb2993d19d8c239e52873ee8cb09f7110e
Instruction ID: 016cba7c38d011b4360abbe3aac18fce3bba058d3346511d95a362e49e2cd5bf
Opcode Fuzzy Hash: ad631983505aff488711fc07ee9a4bfb2993d19d8c239e52873ee8cb09f7110e
Instruction Fuzzy Hash: 75414627F0E25A4AE765BBECB8284FC7B60EF85379B16027BD06DC50D3CE1865444A60

Function 00007FFD9B810BA7 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

,, xrefs: 00007FFD9B810E65

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: c09e77616c3f7f5ace6bf383a3d0f8f91f176cf92a62d019adc3f84189d68326
Instruction ID: 5996f5a82c19bbabbdcb9bc8b3cb5471806f3403e08415d4474d31ee232b8a45
Opcode Fuzzy Hash: c09e77616c3f7f5ace6bf383a3d0f8f91f176cf92a62d019adc3f84189d68326
Instruction Fuzzy Hash: 01012131E0922DCBDB28EF94C8A56FDB371FB55311F01157AC1199B294CB745A44CF40

Function 00007FFD9B801698 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d0385bf4e81f57dd364e462f83f03cf7a68ceb5eae54ccb71337cfac904d72
Instruction ID: 5586dd3f01e968ecdc0b27a9d83bb8746042aa6bced94370fb7aa39a08ef36cc
Opcode Fuzzy Hash: d7d0385bf4e81f57dd364e462f83f03cf7a68ceb5eae54ccb71337cfac904d72
Instruction Fuzzy Hash: B681D031B0DA4D4FDB58EF5C88615A977E2EF99760B15027EE49DC32A2DE30AD028781

Function 00007FFD9B80C55D Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5b29ae49b9f9b8685a85a3045b77b5eb37153de93eb95dad85e98cee39df76
Instruction ID: dbf28e62a2db2b3c79a811ae209ac6a41935134fb4bdcb187d28a7d1d7f4b402
Opcode Fuzzy Hash: 4b5b29ae49b9f9b8685a85a3045b77b5eb37153de93eb95dad85e98cee39df76
Instruction Fuzzy Hash: 7151692BB0D56A4AE328BBACF8290FC3760EFC437AB15527BD1A8C50D3DE1875454A90

Function 00007FFD9B80BE89 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a1a2f968921fb95517262f118658dc860f8e947e1180ba50dccbdae12b44f8
Instruction ID: 771d6068fda6270b813a5e28f8ee9ce8a81453fcd5cbf42a3f6d1feb4f3fc9ee
Opcode Fuzzy Hash: f2a1a2f968921fb95517262f118658dc860f8e947e1180ba50dccbdae12b44f8
Instruction Fuzzy Hash: 05611A70E19A1D8FEB64EBA4C4656EDB7B5FF59340F41007AD04DE72A2DE386A40CB40

Function 00007FFD9B801CED Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9615f58ac5d4f0263eb5e4b05557650d5400c9f0093ccf1b9752c83a985a6477
Instruction ID: 60cdbf80267f57e9ba7fe27d2fbd5b14c4b760d62861263b1699fffae7e88814
Opcode Fuzzy Hash: 9615f58ac5d4f0263eb5e4b05557650d5400c9f0093ccf1b9752c83a985a6477
Instruction Fuzzy Hash: B351CF31B08A494FDB5CEF5888645BA77E2FF99351B15467EE49EC3291CE34E8028781

Function 00007FFD9B803191 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a377dd70d23b22802d3e842389bf144cc3c5de3b4978487b799c86fa292298
Instruction ID: 48f44fd50c933b1dcf02cd39f9d4451be14f941f447e929e053429ffb925c967
Opcode Fuzzy Hash: 62a377dd70d23b22802d3e842389bf144cc3c5de3b4978487b799c86fa292298
Instruction Fuzzy Hash: D5513A70E0951E8FEB64DF98D4A4AEDBBF1EF1C341F51007AD049E72A6DA386A44CB10

Function 00007FFD9B80ADFD Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abfb0403b29fa802012f3670041bebe848abdcb707be3a8d0afed6f085c755c
Instruction ID: 989aa5b7164d7a51f00709d2e29fc521763cfdd08119b1587aa94881d37936f2
Opcode Fuzzy Hash: 8abfb0403b29fa802012f3670041bebe848abdcb707be3a8d0afed6f085c755c
Instruction Fuzzy Hash: DC515071E0A61E8EEB64DFA4C4957ED77F1EF58340F0141BAD05CE71A2DA38AA858B40

Function 00007FFD9B80DAF1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a613c7191ed9219acd91d9ef1df603e2e089e9d56ab4d9e538551e4ee9f0caf9
Instruction ID: 4797c696e543a5ecfa304f23e8d6956063e1031bd25afe54bb028c3e250c7ae5
Opcode Fuzzy Hash: a613c7191ed9219acd91d9ef1df603e2e089e9d56ab4d9e538551e4ee9f0caf9
Instruction Fuzzy Hash: 1C318B30A0D65E8FDFA5DF68C8607ED7BB1EF49340F0101AAD84ED72A6CA74A945CB40

Function 00007FFD9B80CA1D Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b4a6ba1c3bbf8bf5de610135431226060f2eb5f883385fb0227e1aa741f110e
Instruction ID: 352bdda04d9c5666136026357eaee359bf99f3349a784e0095f7391d5198df98
Opcode Fuzzy Hash: 8b4a6ba1c3bbf8bf5de610135431226060f2eb5f883385fb0227e1aa741f110e
Instruction Fuzzy Hash: D221F437B0991A8AE315FFBCE4192ED77E0FF8832AB154677D458C5093DE34A1848780

Function 00007FFD9B802189 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101f7c453d6ab76c8de7ba30a94df0c569e7f8812bf56f012fb20df37013107f
Instruction ID: c0295cb6a28d43be26abb521cd4cb3e09a7cf0247fef360b6486ae40530b8e7b
Opcode Fuzzy Hash: 101f7c453d6ab76c8de7ba30a94df0c569e7f8812bf56f012fb20df37013107f
Instruction Fuzzy Hash: B311DC30A1960E8FE765EBB888695E877E0EF0A340F0104B6D45DC70A6EE78BA818601

Function 00007FFD9B80084D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b4a0f77b72d9ef27d379a5dbad5316451656fac09335c092abf13ae8e41a12
Instruction ID: 3127c6b9b9f32f7a8b0c8c72e92fa17f4dab8db34f26e3efd4a7ca4e1043a0a2
Opcode Fuzzy Hash: e7b4a0f77b72d9ef27d379a5dbad5316451656fac09335c092abf13ae8e41a12
Instruction Fuzzy Hash: 1711E330B1D54E8FE711ABB8C8A89E937E0FF49348F0644B6D459CB0ABDD34A545C291

Function 00007FFD9B800A01 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe5b7bb35c1078fedc2e64ee56e9623dcc12334d1ab0539d4546067a9079826
Instruction ID: a2b0b79d63ce122a7b4b3cb2a918793d3aac971171e2dfee80c62d32012a093f
Opcode Fuzzy Hash: 0fe5b7bb35c1078fedc2e64ee56e9623dcc12334d1ab0539d4546067a9079826
Instruction Fuzzy Hash: 7511BF71E2990E8FE790EFA888595FD77E1FF58740F8205B6D45CC61A6EE38A6408700

Function 00007FFD9B800EFD Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683df5d1d2f28c3027b716a3d076941dd8650dd46bd677bfa3c5241a005f34ee
Instruction ID: 0ab5d9b96fd5be2c7d3206f7679cd70504dd27545487d53283f93b8c5278ae14
Opcode Fuzzy Hash: 683df5d1d2f28c3027b716a3d076941dd8650dd46bd677bfa3c5241a005f34ee
Instruction Fuzzy Hash: D3215131F1990E8BEB64EB94C865AEEB7B1EF58340F114175C049D72A9CE34AA418B80

Function 00007FFD9B80C6C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671ef0dd99f814c4a22e326544f4f1aa49343bd46c65e7dc47ae97aaaaefb0c2
Instruction ID: b7475a3a62e3389dad153e07a19785a6f2d7eca6669887de8d3ffb3d8163d964
Opcode Fuzzy Hash: 671ef0dd99f814c4a22e326544f4f1aa49343bd46c65e7dc47ae97aaaaefb0c2
Instruction Fuzzy Hash: 39116D30A0A64E8FEB55EF68C8695F97BB0FF19340F1105BBD459C61A2DF386A44CB50

Function 00007FFD9B801140 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266ac07467b0afe22cdec6fa8a2c73b99d73846d6a2651fda1ea889ae00c4194
Instruction ID: 4e85748f6c94527a2becb7bfb482207fb7b18085bd70ffc92ebbd825860b537f
Opcode Fuzzy Hash: 266ac07467b0afe22cdec6fa8a2c73b99d73846d6a2651fda1ea889ae00c4194
Instruction Fuzzy Hash: 0A110870E1950E8EEB69EBA8C4686FA77E0FF5E354F00047EE45AD21E1DE356250C740

Function 00007FFD9B802E2A Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da98d0f79f138e59c89c70dca63e32a4f317995454316142900ba541ada612a
Instruction ID: c51796c1f228d3e392c02b397af4a04fbae42646a307f24bf6d90327b947212c
Opcode Fuzzy Hash: 1da98d0f79f138e59c89c70dca63e32a4f317995454316142900ba541ada612a
Instruction Fuzzy Hash: 2C014C30E9A64E9FE751AFA484685E97BF0EF1A304F4244BBD448C70A6EA38A544C711

Function 00007FFD9B8034C5 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1c11824d3e471a0d55ff7e3fc73a1a2f83397e79b4eed6cef815313d832e55
Instruction ID: 5e08c71e774341ef7b6ca7e2ffc4d9df696801152a3b6b93f8509e8b18eea2f4
Opcode Fuzzy Hash: ef1c11824d3e471a0d55ff7e3fc73a1a2f83397e79b4eed6cef815313d832e55
Instruction Fuzzy Hash: 0D110970A1964E8FDB95EFA4C8696FA7BA0FF1D304F4105BAD41AD61A2DA35A6408B00

Function 00007FFD9B80BE09 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4ea07ad4675aa25a04a0db385508175e269953762f7b47316f7bc35c5e6ffb
Instruction ID: 96714ad5b8640c973279202008805ea3be5baaf97dc38cb3ba9eac9567d38c8d
Opcode Fuzzy Hash: 2a4ea07ad4675aa25a04a0db385508175e269953762f7b47316f7bc35c5e6ffb
Instruction Fuzzy Hash: 17117031A0A64E8FEB95EB6488692F97BB0FF29300F1504BAD459D71A2DB34A650C740

Function 00007FFD9B80C1E9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16726d3f40424604ef403554eba054a8bfc27a50f025b01355d09b5f60686a3
Instruction ID: 7f6f4d72be522a74f6fa9a1675eb2e3ccd4223f41f817b49290ddee08deb1249
Opcode Fuzzy Hash: d16726d3f40424604ef403554eba054a8bfc27a50f025b01355d09b5f60686a3
Instruction Fuzzy Hash: 8E11E530A0A64E8FDB59DF68C4691F93BA1FF19300F5100BED419C64A2CA39A640CB40

Function 00007FFD9B80AF1E Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 061eae41ec6caee2100b323dc85369871130b9edb10052085a41dfe66f77fcb1
Instruction ID: 2bfa90d80c31f0a3d22bf57131a418510c1ebd18efca73a8cc36cd35b7b0992d
Opcode Fuzzy Hash: 061eae41ec6caee2100b323dc85369871130b9edb10052085a41dfe66f77fcb1
Instruction Fuzzy Hash: B7111F70E0A62D8EEFA4DFA4C455AEDB7F1AF5C340F1145B6D44CE3251DB389A858B40

Function 00007FFD9B80DC15 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec4f281e0039b08f029aec1f254eebd65a1e09e82491799f12eb0b9ca727798
Instruction ID: 326710d3c0ae86010fe97c78868faea70cf09b256a398dbb856d06253a3b61d8
Opcode Fuzzy Hash: 1ec4f281e0039b08f029aec1f254eebd65a1e09e82491799f12eb0b9ca727798
Instruction Fuzzy Hash: 21112B70E0A61D8BDB68DF90C864AFDB3B1FF58340F110269D44AA7391CB746A40CB40

Function 00007FFD9B8005D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27cd587daf3d028f4759adae1a371c295a3ad048aa6567314c46dc76a45d91e7
Instruction ID: aca42ae584d2340e78d1cbc61df1bb9f16ea9862e9f30ffcd7f63d7cd7405fdd
Opcode Fuzzy Hash: 27cd587daf3d028f4759adae1a371c295a3ad048aa6567314c46dc76a45d91e7
Instruction Fuzzy Hash: 4C018030A0650E8FEB99EF64C4656F977A1EF59354F61007AE41EC21A4CE35A650C740

Function 00007FFD9B80ABFA Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c28a89d26d42f77d178f3eebf76e0b67d7c3c9f919929145e51c70b6d41716
Instruction ID: fba329f402c083623b7b71402b57b25e672530d518976ff80771f0ebabae3d9f
Opcode Fuzzy Hash: 74c28a89d26d42f77d178f3eebf76e0b67d7c3c9f919929145e51c70b6d41716
Instruction Fuzzy Hash: 1C019671E0E94E5FE761E76884A95E97BD0FF5D344F130576D499C30B1EE34A5448240

Function 00007FFD9B80B98C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c96bedcc7a0a64cf57683c7398c6b9a5d2956ac7f640b4157351c371a61dbd6
Instruction ID: dea907c62f9d1a7f5f4c458363640aaca73c76a272c227e226281d32416253df
Opcode Fuzzy Hash: 7c96bedcc7a0a64cf57683c7398c6b9a5d2956ac7f640b4157351c371a61dbd6
Instruction Fuzzy Hash: A0015E30E1954E8EEB94EF68C4A86FD77E0FF1C305F51047AD41AD21A2EE35A650C740

Function 00007FFD9B810AB0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 876ddc273dd3be3b6459087ecbf9f48e83bbfb18e1df889752ee61f7e4f37582
Instruction ID: c6552ab1269d2df71739364c534b27deaa49f47e6e2bee60e862dfa05d1c3dba
Opcode Fuzzy Hash: 876ddc273dd3be3b6459087ecbf9f48e83bbfb18e1df889752ee61f7e4f37582
Instruction Fuzzy Hash: 37012130A5A50E8FDB94EFA4C8696BE77E1FF1C305F51047AD41ED21A1DE71A650C740

Function 00007FFD9B80280D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c6e560f3eba7ff19c0ae7ec1bfe69b109b3ed154b7cc023823ecd87a151b58
Instruction ID: 8ee9457365e0c153912baa8eb5fce67962f2ebc5b0b42fb7d33c50192d94796a
Opcode Fuzzy Hash: 96c6e560f3eba7ff19c0ae7ec1bfe69b109b3ed154b7cc023823ecd87a151b58
Instruction Fuzzy Hash: 55018F31E1E60E8FE761AFA488585F977F0EF59300F4244B6D418C61B6EE38E6448710

Function 00007FFD9B80E346 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0783fc9f3e96adaa4f54cfc247f1bfb90cce35d183bbb664bad25aa74adb53dc
Instruction ID: 43762adb4c820de661018c570d91fdee87099d62c5f44cd4292fe1776883f05c
Opcode Fuzzy Hash: 0783fc9f3e96adaa4f54cfc247f1bfb90cce35d183bbb664bad25aa74adb53dc
Instruction Fuzzy Hash: D111FB70E0966E8FEB78DF44C8647EEB7B1EF58301F0141FAD049A22A0CB345A848F41

Function 00007FFD9B810A91 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2984ee16b60ca2e97caaff47fe785351c3a6959b10526a1366601ded3356f13b
Instruction ID: 7d66502ba61473742e6bca5d2034e4784f75424bd14051c4fb4b87c9aadb5bb5
Opcode Fuzzy Hash: 2984ee16b60ca2e97caaff47fe785351c3a6959b10526a1366601ded3356f13b
Instruction Fuzzy Hash: 24F0C230E1B64E8FDB94AFA48C292FE3BB0FF19300F42057BE818D21A1DB3496548700

Function 00007FFD9B80A789 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c84a031afa425272af81927ad5d1d63e11e6e17b152fe1cd8a399cd33f339a
Instruction ID: 73d0077dd29c3579d103fd3bc82f0eb72d0ed2b9bc3077ba3ac9aea6fd5db8a4
Opcode Fuzzy Hash: c6c84a031afa425272af81927ad5d1d63e11e6e17b152fe1cd8a399cd33f339a
Instruction Fuzzy Hash: F1017C30A5E64E9FE761EB6488685E97BF0EF09340F4649B6D488CB0B6DA38A5448711

Function 00007FFD9B802EA9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005689a0bc16ec086b02cbcfcd17ecad2fef3be39314c5c67bc2e4706fc6dfff
Instruction ID: c5bde0fb3583ea2ace470381746e4bad67ca727db9f2b407e6664c5abeb21099
Opcode Fuzzy Hash: 005689a0bc16ec086b02cbcfcd17ecad2fef3be39314c5c67bc2e4706fc6dfff
Instruction Fuzzy Hash: EF018831A4964E4FD751EBB4885D5E97BE0EF19344F0605B7D058CB0B6DA38A544C711

Function 00007FFD9B8033DC Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffeafb4352e8be0e358ff054969114431f601f3a66fd88769edda2b0bdea9e2
Instruction ID: d3416ec86eff55c58a371e2e1afda0ff1483512ab9ce894149e268fc0c615ea8
Opcode Fuzzy Hash: 9ffeafb4352e8be0e358ff054969114431f601f3a66fd88769edda2b0bdea9e2
Instruction Fuzzy Hash: DE014F31E0991E8EEB61EB68C89C5F9BBE0FF2C340F010876D419E70A5EA34A6448740

Function 00007FFD9B80F1C9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54967fb1e0a35117338f0de1e32e68cc99ee014694eaab494e2ecd2268d146d7
Instruction ID: 176c9106f255398504ec990dc45d5fd6afc97503970c00f81eacfff548a23664
Opcode Fuzzy Hash: 54967fb1e0a35117338f0de1e32e68cc99ee014694eaab494e2ecd2268d146d7
Instruction Fuzzy Hash: 1111FAB0E1951D8BDBA8DF2888657E8B6B1EF58304F4141FA915DE3292CE342EC18F44

Function 00007FFD9B800608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53acc9f0ec6372e05bfdadc2cfaf0bfa3e5d651b90acd0ffbcc490e90a9623ac
Instruction ID: dc451b57c778326a5be27554dd09c31bbb7f8c00b03473a6b243b8065009e934
Opcode Fuzzy Hash: 53acc9f0ec6372e05bfdadc2cfaf0bfa3e5d651b90acd0ffbcc490e90a9623ac
Instruction Fuzzy Hash: 00016D30A1550ECAEB69EFA4C4686F973A0FF1C305F51087ED41EC61E5DE75A650CA00

Function 00007FFD9B800610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407e6e44575cdf35f16c27d26aec07c83261c4ed732af3926d988c8ddf76fbbf
Instruction ID: 4a0c2134c409c9016a0fd6ae5bd6adcb7c6d6b93da79ae7b2c3b9de5cdfd874f
Opcode Fuzzy Hash: 407e6e44575cdf35f16c27d26aec07c83261c4ed732af3926d988c8ddf76fbbf
Instruction Fuzzy Hash: A6016D30A1950ECBEB69EFA4C4686FA76A0FF1D305F51087ED81EC61E5DE75A690CA00

Function 00007FFD9B801C6D Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2cb6d8f86e3b8defa0d31b08064d1e74dd7553aeb332614610f5d8c4e04ab3
Instruction ID: 7857656b970a157e2cb04c05502b652ca86213d97d77eea208844e01683b5246
Opcode Fuzzy Hash: 6c2cb6d8f86e3b8defa0d31b08064d1e74dd7553aeb332614610f5d8c4e04ab3
Instruction Fuzzy Hash: 9F018130A0A64E8FEB95AF54C8656FA77A4EF5A314F91007AE80CC61A1CB35E950C740

Function 00007FFD9B8005D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed02e5289efce8accfcff03491f1dbb9bf85ff26656ab96bf489abd99a3ea2c
Instruction ID: b02b09da98631b9104270db5c5e7f8539611ef075dbe171abf56ebf25a8010da
Opcode Fuzzy Hash: 3ed02e5289efce8accfcff03491f1dbb9bf85ff26656ab96bf489abd99a3ea2c
Instruction Fuzzy Hash: 3AF0C230E0A54E8FEBA5EF6494656FA37A4EF4A318F51007AF84DC21E1CE35E650C740

Function 00007FFD9B80240C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e753fe402ed265a0732180e15034657216e26f1319b54b203ce91eb937cb9178
Instruction ID: e741405b2916893e1b9c89202384be546b15521e54e357a3fe4fb9947c35eb41
Opcode Fuzzy Hash: e753fe402ed265a0732180e15034657216e26f1319b54b203ce91eb937cb9178
Instruction Fuzzy Hash: 0B01C030A1991D8EEB74DF80C8657EDB2A1FF59344F5241B9C08ED21A1DEB82A888B00

Function 00007FFD9B8023DE Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef52b49906195a7d7d11b063c63d888ed273ae6d6eaf4d1802e9e753937d9349
Instruction ID: fafc255a8044dbe817d5657ccc10cae0baf29bb3eaa32a1ea600ed3dc57d6c92
Opcode Fuzzy Hash: ef52b49906195a7d7d11b063c63d888ed273ae6d6eaf4d1802e9e753937d9349
Instruction Fuzzy Hash: F0F0CD30A5991D9EEB64EF80C8657FD73A1FF59341F5245B9C48ED21A1DE742A888B00

Function 00007FFD9B802729 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79587bea75982eca035d71187d412736ef94a96cda315c8cb973caf0196f3324
Instruction ID: c5e3c7ab90b506b78e52d13f8c4d64655e82c9484f0e0e0f95f45102ea61df35
Opcode Fuzzy Hash: 79587bea75982eca035d71187d412736ef94a96cda315c8cb973caf0196f3324
Instruction Fuzzy Hash: A6F0963094E38E8FD76A9F6488782F93BB0FF06204F4504BED459C61E2DB799554C701

Function 00007FFD9B80279D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0e6694ee0a19303222cec5c5a5447a7de958b4230ea4e5e7414e7e10e7205e
Instruction ID: 5063daca6c51c40e8c92879073c6025c50358349b4721e1ed99a1dc99b95c8f3
Opcode Fuzzy Hash: 0f0e6694ee0a19303222cec5c5a5447a7de958b4230ea4e5e7414e7e10e7205e
Instruction Fuzzy Hash: A2F0F030A0E78ECFEB699FA488251E93BA0BF49310F4104BAD849C60E2DB79A554CB00

Function 00007FFD9B804B8B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1909413997.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b800000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a62d0e45861a6616a1b15f344f0830dda966e8bb525cf26cad9e9d8ed721a2
Instruction ID: 6c58f700beed9b8f8166b7c2625dca0e4f785a308159963a6af8f4f521526993
Opcode Fuzzy Hash: 29a62d0e45861a6616a1b15f344f0830dda966e8bb525cf26cad9e9d8ed721a2
Instruction Fuzzy Hash: 61C0E970A4A52D8AD7B4DB9884607F862B5AF5C280F5140B8D14ED7191CD246BC15B54

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gqIYXW7GfB.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Windows Media Player\en-US\71ebdaf38118f9

C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe

C:\Program Files (x86)\Windows Media Player\en-US\NGtfpkeoDVuJA.exe:Zone.Identifier

C:\Program Files\Common Files\microsoft shared\ink\ja-JP\71ebdaf38118f9

C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe

C:\Program Files\Common Files\microsoft shared\ink\ja-JP\NGtfpkeoDVuJA.exe:Zone.Identifier

C:\Program Files\Microsoft Office 15\ClientX64\71ebdaf38118f9

C:\Program Files\Microsoft Office 15\ClientX64\NGtfpkeoDVuJA.exe

C:\Program Files\Microsoft Office 15\ClientX64\NGtfpkeoDVuJA.exe:Zone.Identifier

C:\Program Files\Windows Defender Advanced Threat Protection\Classification\56085415360792

C:\Program Files\Windows Defender Advanced Threat Protection\Classification\wininit.exe

C:\Program Files\Windows Defender Advanced Threat Protection\Classification\wininit.exe:Zone.Identifier

C:\Program Files\Windows Mail\71ebdaf38118f9

C:\Program Files\Windows Mail\NGtfpkeoDVuJA.exe

C:\Program Files\Windows Mail\NGtfpkeoDVuJA.exe:Zone.Identifier

C:\Program Files\Windows Media Player\71ebdaf38118f9

Windows Analysis Report
gqIYXW7GfB.exe