Play interactive tour

Edit tour

Windows Analysis Report rzMvWQOGAE.bin

Overview

General Information

Sample Name:	rzMvWQOGAE.bin (renamed file extension from bin to exe)
Analysis ID:	513164
MD5:	d3c5b425a0e346af5bd572bbc238ccba
SHA1:	347b3921b0660986bc0ce4d1a41aa77f04377a37
SHA256:	325ecd90ce19dd8d184ffe7dfb01b0dd02a77e9eabcb587f3738bcfbd3f832a1
Tags:	exeExmatter
Infos:
Most interesting Screenshot:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Suspicious powershell command line found

Deletes itself after installation

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

rzMvWQOGAE.exe (PID: 6232 cmdline: 'C:\Users\user\Desktop\rzMvWQOGAE.exe' MD5: D3C5B425A0E346AF5BD572BBC238CCBA)

conhost.exe (PID: 1236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6832 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process | Where-Object {$_.Path -like $path} | Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path; MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6648 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process | Where-Object {$_.Path -like $path} | Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path; MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6696 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process | Where-Object {$_.Path -like $path} | Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path; MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 3084 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process | Where-Object {$_.Path -like $path} | Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path; MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5956 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process | Where-Object {$_.Path -like $path} | Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path; MD5: DBA3E6449E97D4E3DF64527EF7012A10)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 6832	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x280d1:$sa2: -encodedCommand 0x280fd:$sa2: -encodedCommand 0x287dc:$sa2: -EncodedCommand 0x292fd:$sa2: -EncodedCommand 0x29398:$sa2: -encodedCommand 0x15031:$sb3: -WindowStyle Hidden 0x1514d:$sb3: -WindowStyle Hidden 0x1571a:$sb3: -WindowStyle Hidden 0x4fab2:$sb3: -WindowStyle Hidden 0x71fef:$sb3: -WindowStyle Hidden 0x72798:$sb3: -WindowStyle Hidden 0x75ebf:$sb3: -WindowStyle Hidden 0x285c4:$sc2: -NoProfile 0x28605:$sd2: -NonInteractive
Process Memory Space: powershell.exe PID: 6648	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xbb053:$sa2: -encodedCommand 0xbb07f:$sa2: -encodedCommand 0xbb75e:$sa2: -EncodedCommand 0xbc27f:$sa2: -EncodedCommand 0xbc31a:$sa2: -encodedCommand 0x1d99:$sb3: -WindowStyle Hidden 0x1eb5:$sb3: -WindowStyle Hidden 0x25aa:$sb3: -WindowStyle Hidden 0x292d:$sb3: -WindowStyle Hidden 0x2f78:$sb3: -WindowStyle Hidden 0x46483:$sb3: -WindowStyle Hidden 0x19db59:$sb3: -WindowStyle Hidden 0xbb546:$sc2: -NoProfile 0xbb587:$sd2: -NonInteractive

Sigma Overview

System Summary:

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process | Where-Object {$_.Path -like $path} | Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process | Where-Object {$_.Path -like $path} | Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\rzMvWQOGAE.exe' , ParentImage: C:\Users\user\Desktop\rzMvWQOGAE.exe, ParentProcessId: 6232, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process | Where-Object {$_.Path -like $path} | Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;, ProcessId: 6832

Sigma detected: T1086 PowerShell Execution

Show sources

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132803009861692837.6832.DefaultAppDomain.powershell

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: rzMvWQOGAE.exe	Metadefender: Detection: 17%			Perma Link
Source: rzMvWQOGAE.exe	ReversingLabs: Detection: 67%

Antivirus / Scanner detection for submitted sample

Show sources

Source: rzMvWQOGAE.exe

Avira: detected

Source: rzMvWQOGAE.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: rzMvWQOGAE.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: sender2.pdb source: rzMvWQOGAE.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.84.147

Source: powershell.exe, 00000005.00000002.474339700.000000000080B000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000005.00000002.480245783.0000000005713000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.493251636.00000000057F4000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.489405908.00000000048D2000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.475858688.00000000046B1000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.489111947.0000000004791000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.489405908.00000000048D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.493251636.00000000057F4000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.493251636.00000000057F4000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.493251636.00000000057F4000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.489405908.00000000048D2000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.480245783.0000000005713000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.493251636.00000000057F4000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: rzMvWQOGAE.exe, 00000000.00000002.408159242.0000000003186000.00000004.00000001.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc4253#section-4.2
Source: rzMvWQOGAE.exe, 00000000.00000002.408159242.0000000003186000.00000004.00000001.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc4253#section-4.2I

Source: rzMvWQOGAE.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Process Memory Space: powershell.exe PID: 6832, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 6648, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28

Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_017411F0	0_2_017411F0
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_01749685	0_2_01749685
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0174D9D8	0_2_0174D9D8
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_01745BF8	0_2_01745BF8
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_01742BE0	0_2_01742BE0
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_01741C90	0_2_01741C90
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_01744F40	0_2_01744F40
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_01744020	0_2_01744020
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0174401B	0_2_0174401B
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_01744328	0_2_01744328
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_017453D8	0_2_017453D8
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_017453CA	0_2_017453CA
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_01741267	0_2_01741267
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0174124D	0_2_0174124D
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_01746550	0_2_01746550
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_01740525	0_2_01740525
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_01742450	0_2_01742450
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_017434E8	0_2_017434E8
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_017434DA	0_2_017434DA
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_017404CA	0_2_017404CA
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_017446E8	0_2_017446E8
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_017446D8	0_2_017446D8
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_01741870	0_2_01741870
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0174E88A	0_2_0174E88A
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0174DB48	0_2_0174DB48
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_01744B30	0_2_01744B30
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_01741C80	0_2_01741C80
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0AE862A9	0_2_0AE862A9
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0AE89290	0_2_0AE89290
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0AE85035	0_2_0AE85035
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0AE829A0	0_2_0AE829A0
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0AE82908	0_2_0AE82908
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0AE8BC70	0_2_0AE8BC70
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0AE8AA58	0_2_0AE8AA58
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0AE8AA53	0_2_0AE8AA53
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0AE86310	0_2_0AE86310
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0AE84070	0_2_0AE84070
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0AE8B810	0_2_0AE8B810
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0AE80157	0_2_0AE80157
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0AE8A680	0_2_0AE8A680
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0770AAE8	5_2_0770AAE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07709C70	5_2_07709C70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0770AAD9	5_2_0770AAD9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07709C70	5_2_07709C70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07707810	5_2_07707810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07707800	5_2_07707800
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CB0040	5_2_07CB0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CB37E8	5_2_07CB37E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CB37F8	5_2_07CB37F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CBE79A	5_2_07CBE79A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CC57B0	5_2_07CC57B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CC5758	5_2_07CC5758
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CC0007	5_2_07CC0007
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07D1EC68	5_2_07D1EC68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CC0040	5_2_07CC0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07700040	5_2_07700040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07700007	5_2_07700007
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07716240	8_2_07716240
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07716230	8_2_07716230
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0771BB40	8_2_0771BB40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0771BB18	8_2_0771BB18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07744EE8	8_2_07744EE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07745E88	8_2_07745E88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07748130	8_2_07748130
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07748128	8_2_07748128
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07746F68	8_2_07746F68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07757E00	8_2_07757E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07757E00	8_2_07757E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07750040	8_2_07750040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07750007	8_2_07750007

Source: rzMvWQOGAE.exe, 00000000.00000002.405654487.0000000000F08000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamesender2.exe0 vs rzMvWQOGAE.exe
Source: rzMvWQOGAE.exe	Binary or memory string: OriginalFilenamesender2.exe0 vs rzMvWQOGAE.exe

Source: rzMvWQOGAE.exe	Metadefender: Detection: 17%
Source: rzMvWQOGAE.exe	ReversingLabs: Detection: 67%

Source: rzMvWQOGAE.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\rzMvWQOGAE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rzMvWQOGAE.exe 'C:\Users\user\Desktop\rzMvWQOGAE.exe'
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior

Source: C:\Users\user\Desktop\rzMvWQOGAE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20211101\PowerShell_transcript.960781.1yjAoh6+.20211101212951.txt

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1tmrxd4d.uxh.ps1

Jump to behavior

Source: classification engine

Classification label: mal64.winEXE@16/28@0/2

Source: C:\Users\user\Desktop\rzMvWQOGAE.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: rzMvWQOGAE.bin

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1236:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5296:120:WilError_01

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: rzMvWQOGAE.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: rzMvWQOGAE.exe

Static file information: File size 1857024 > 1048576

Source: rzMvWQOGAE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: rzMvWQOGAE.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1c4c00

Source: rzMvWQOGAE.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: rzMvWQOGAE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: sender2.pdb source: rzMvWQOGAE.exe

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior

Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_00D468F5 push ds; iretd	0_2_00D46958
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_00D46922 push ds; iretd	0_2_00D46958
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_00D4BAE4 push esi; iretd	0_2_00D4BAEA
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_00D46EAE push 00000000h; ret	0_2_00D46EB0
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_00D49FB7 push edx; iretd	0_2_00D49FCA
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_017429BA push C769013Fh; ret	0_2_017429C6
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0AE88BCA pushad ; retf	0_2_0AE88BCB
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0AE88BBA pushad ; retf	0_2_0AE88BBB
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0AE886F5 pushad ; retf	0_2_0AE886F6
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Code function: 0_2_0AE886B0 pushad ; retf	0_2_0AE886B5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CB0640 push es; ret	5_2_07CB0650
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CBC528 pushfd ; retf	5_2_07CBC529
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CBC4D3 push eax; retf	5_2_07CBC4D9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CB24A3 push es; ret	5_2_07CB24B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CBB21B pushfd ; retf	5_2_07CBB21D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CBC120 push esp; iretd	5_2_07CBC12D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CBAFEB push esp; ret	5_2_07CBB001
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CB1FE0 push es; ret	5_2_07CB1FF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CCF432 push es; ret	5_2_07CCF440
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07CCE880 push B4076F1Eh; iretd	5_2_07CCE9FD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07D12558 pushfd ; iretd	5_2_07D12565
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07719620 push es; ret	8_2_07719630
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07715223 pushfd ; retf	8_2_07715229
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07713E18 push esp; ret	8_2_07713E19
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07715B71 push es; ret	8_2_07715B80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0774218C push eax; mov dword ptr [esp], edx	8_2_0774308C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07743078 push eax; mov dword ptr [esp], edx	8_2_0774308C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_077470D5 pushfd ; ret	8_2_077470ED
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07746F68 pushfd ; ret	8_2_077470ED
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07756930 push es; ret	8_2_07756940

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File deleted: c:\users\user\desktop\rzmvwqogae.exe

Jump to behavior

Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6524	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5344	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6404	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5784	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6216	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5620	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5932	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Window / User API: threadDelayed 1111	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Window / User API: threadDelayed 880	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3485	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1507	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3165	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3983	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6112	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2194	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4350	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4668	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: powershell.exe, 00000005.00000002.478108558.0000000004D80000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: powershell.exe, 00000005.00000002.476134424.00000000047F2000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.489405908.00000000048D2000.00000004.00000001.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\rzMvWQOGAE.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior

Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior
Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;	Jump to behavior

Source: C:\Users\user\Desktop\rzMvWQOGAE.exe	Queries volume information: C:\Users\user\Desktop\rzMvWQOGAE.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rzMvWQOGAE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_07715F58 CreateNamedPipeW,

8_2_07715F58

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter1	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	Security Software Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	PowerShell1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	File Deletion1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
rzMvWQOGAE.exe	17%	Metadefender		Browse
rzMvWQOGAE.exe	68%	ReversingLabs	ByteCode-MSIL.Ransomware.BlackMatter
rzMvWQOGAE.exe	100%	Avira	TR/Kryptik.uoskd

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.480245783.0000000005713000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.493251636.00000000057F4000.00000004.00000001.sdmp	false		high
https://tools.ietf.org/html/rfc4253#section-4.2	rzMvWQOGAE.exe, 00000000.00000002.408159242.0000000003186000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.489405908.00000000048D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.475858688.00000000046B1000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.489111947.0000000004791000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.489405908.00000000048D2000.00000004.00000001.sdmp	false		high
https://tools.ietf.org/html/rfc4253#section-4.2I	rzMvWQOGAE.exe, 00000000.00000002.408159242.0000000003186000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.489405908.00000000048D2000.00000004.00000001.sdmp	false		high
https://contoso.com/	powershell.exe, 00000008.00000002.493251636.00000000057F4000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.480245783.0000000005713000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.493251636.00000000057F4000.00000004.00000001.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000008.00000002.493251636.00000000057F4000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000008.00000002.493251636.00000000057F4000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
165.22.84.147	unknown	United States		14061	DIGITALOCEAN-ASNUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	513164
Start date:	01.11.2021
Start time:	21:28:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	rzMvWQOGAE.bin (renamed file extension from bin to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.winEXE@16/28@0/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 12.5% (good quality ratio 7.3%) Quality average: 32.7% Quality standard deviation: 34.8%
HCA Information:	Successful, ratio: 98% Number of executed functions: 232 Number of non-executed functions: 25
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 184.30.21.144, 20.82.209.183, 173.222.108.210, 173.222.108.226, 20.199.120.182, 80.67.82.211, 80.67.82.235, 20.199.120.85, 23.213.164.66, 20.54.110.249, 40.112.88.60, 40.91.112.76 Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/513164/sample/rzMvWQOGAE.exe

Simulations

Behavior and APIs

Time	Type	Description
21:30:00	API Interceptor	133x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DIGITALOCEAN-ASNUS	JSUAd0NPag.exe	Get hash	malicious	Browse	157.230.28.192
	gqTrv5VEem.exe	Get hash	malicious	Browse	159.89.128.13
	SecuriteInfo.com.Suspicious.Win32.Save.a.4727.dll	Get hash	malicious	Browse	104.248.155.133
	SecuriteInfo.com.Suspicious.Win32.Save.a.31095.dll	Get hash	malicious	Browse	104.248.155.133
	SecuriteInfo.com.Suspicious.Win32.Save.a.28634.dll	Get hash	malicious	Browse	104.248.155.133
	SecuriteInfo.com.Suspicious.Win32.Save.a.12010.dll	Get hash	malicious	Browse	104.248.155.133
	SecuriteInfo.com.Malware.Heuristic.1001.8375.dll	Get hash	malicious	Browse	104.248.155.133
	SecuriteInfo.com.Suspicious.Win32.Save.a.4798.dll	Get hash	malicious	Browse	104.248.155.133
	SecuriteInfo.com.Suspicious.Win32.Save.a.4727.dll	Get hash	malicious	Browse	104.248.155.133
	SecuriteInfo.com.Suspicious.Win32.Save.a.31095.dll	Get hash	malicious	Browse	104.248.155.133
	SecuriteInfo.com.Suspicious.Win32.Save.a.28634.dll	Get hash	malicious	Browse	104.248.155.133
	SecuriteInfo.com.Suspicious.Win32.Save.a.12010.dll	Get hash	malicious	Browse	104.248.155.133
	SecuriteInfo.com.Malware.Heuristic.1001.8375.dll	Get hash	malicious	Browse	104.248.155.133
	SecuriteInfo.com.Suspicious.Win32.Save.a.4798.dll	Get hash	malicious	Browse	104.248.155.133
	SecuriteInfo.com.Suspicious.Win32.Save.a.6275.dll	Get hash	malicious	Browse	104.248.155.133
	SecuriteInfo.com.Suspicious.Win32.Save.a.4037.dll	Get hash	malicious	Browse	104.248.155.133
	SecuriteInfo.com.Suspicious.Win32.Save.a.29964.dll	Get hash	malicious	Browse	104.248.155.133
	SecuriteInfo.com.Suspicious.Win32.Save.a.6275.dll	Get hash	malicious	Browse	104.248.155.133
	SecuriteInfo.com.Suspicious.Win32.Save.a.4037.dll	Get hash	malicious	Browse	104.248.155.133
	SecuriteInfo.com.Suspicious.Win32.Save.a.29964.dll	Get hash	malicious	Browse	104.248.155.133

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8003
Entropy (8bit):	4.839308921501875
Encrypted:	false
SSDEEP:	192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
MD5:	937C6E940577634844311E349BD4614D
SHA1:	379440E933201CD3E6E6BF9B0E61B7663693195F
SHA-256:	30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
SHA-512:	6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	18620
Entropy (8bit):	5.597775927141057
Encrypted:	false
SSDEEP:	384:FtpPXWzEKe7bX88ESBKnR0jul/779bLfcQ/Ic5cTY8n:h724KR0Cl5RjNu
MD5:	5E1D030CA67A33157CDB599E11A2E684
SHA1:	90F9CCD20E9157D720D19ED6656FD3752E26F0E9
SHA-256:	0FB7212A524DD3D4C6A05EC6FBD7E4D06FE7C0C6ECC76BC3DA9778473101E728
SHA-512:	579392ED74384C796E624E39106E259EF46AE583EFC7C61E144D14DDB3571670DE7D09647BF1B3084AD524F94BEC491B8D37C14C8E5D76A709DB38AF1276DB38
Malicious:	false
Preview:	@...e.....................d...~.{.....<.4............@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)U.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.<................):gK..G...$.1.q........System.ConfigurationH................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.P...............-K..s.F..*.]`.,(.....(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1gegaynp.l4w.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1tmrxd4d.uxh.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3yos1554.31w.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5pws0tqn.3me.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cocmpo00.ljs.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eqnwawwy.wpo.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FRQ4T5NV3HSHD639O02M.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6208
Entropy (8bit):	3.7617465135135184
Encrypted:	false
SSDEEP:	96:y50ceEwuCN9yP9SkvhkvCCtJVrZeHgyaZeHgy2:mNeE4WgJVr5ya5y2
MD5:	C92005C06D1EFF9C3C69A0E999612EE7
SHA1:	5A5FE37AE96D4CAF3EEF2E9C9D87E09248658ECB
SHA-256:	FB3AD03EC3D022C3792A59A0BE3EE06625869A2BCCA3F0BDCB9188D19C835203
SHA-512:	130F84EED060DF004BE1B0A6FBA52F0D5B1E6A64898E6FA6CE06245790857EC2E8D5917BE216C1E1E517409C3C1F2E36CCA27D3BCB3AB6D7C162D5E2CA518BA7
Malicious:	false
Preview:	...................................FL..................F.".. ...'+k.!-...V...a..\.................................:..DG..Yr?.D..U..k0.&...&........d.!-..rw.&>....SkH........t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N..bS.#.....Y.....................t..A.p.p.D.a.t.a...B.V.1......N....Roaming.@.......N..bS.#.....Y....................D...R.o.a.m.i.n.g.....\.1.....>Q.z..MICROS~1..D.......N..bS.#.....Y...................._..M.i.c.r.o.s.o.f.t.....V.1.....>Qc{..Windows.@.......N..bS.#.....Y.....................I..W.i.n.d.o.w.s.......1......N....STARTM~1..n.......N..bS.#.....Y..............D.....G`..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P%v..Programs..j.......N..bS.#.....Y..............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......N..bS.#.....Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......N...Px......Y..........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QFDFMM8ZPLCBKUCHCMRQ.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6208
Entropy (8bit):	3.7635933226544913
Encrypted:	false
SSDEEP:	96:y5keEwuCN9yP9SkvhkvCCtJVrZeHgyaZeHgy2:mkeE4WgJVr5ya5y2
MD5:	DF4E9B69DD764D99F7CF85B05CDD4ADE
SHA1:	CEE1061B8982D724AA1A7116DA9406518161F310
SHA-256:	C7C2D9E0F3520A76C5A260425F945E5AB03FA758C55C1C45B8FB44E1977B8CE2
SHA-512:	929AE2395502280404B032C34891C72EDC1345DF8665D23538C1C7C60BC5227F4B44F92FC492BF3CEEDEED7858B90F703E43871D184EA55E6EA64CC73D37A073
Malicious:	false
Preview:	...................................FL..................F.".. ...'+k.!-...V...a..\.................................:..DG..Yr?.D..U..k0.&...&........d.!-..rw.&>......J........t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N..bS.#.....Y.....................t..A.p.p.D.a.t.a...B.V.1......N....Roaming.@.......N..bS.#.....Y....................D...R.o.a.m.i.n.g.....\.1.....>Q.z..MICROS~1..D.......N..bS.#.....Y...................._..M.i.c.r.o.s.o.f.t.....V.1.....>Qc{..Windows.@.......N..bS.#.....Y.....................I..W.i.n.d.o.w.s.......1......N....STARTM~1..n.......N..bS.#.....Y..............D.....G`..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P%v..Programs..j.......N..bS.#.....Y..............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......N..bS.#.....Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......N...Px......Y..........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VCEOL5MDX8L2VA4M3TY3.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6208
Entropy (8bit):	3.76302741289499
Encrypted:	false
SSDEEP:	96:y5KeEwuCN9KP9SkvhkvCCtJVrZeHgyaZeHgy2:mKeE4OgJVr5ya5y2
MD5:	93C45B56B18A853486BCB9CC1E5ADD75
SHA1:	A63DB5831B55973ED1E1C436E9BD47C04F4F6818
SHA-256:	5F3A0DF7DD09B7FC57EEE16D07F623241920B748E1B5EAA528D30524613C8D4E
SHA-512:	2BF9B939F4F6C1CBCE02428FAE50C3AB8F08FE18F3A1079DD10B2BEE84CF098463B346D3A9A2020B3CE857E84683C0B121498342C60134A4A806CBD54C2D93DB
Malicious:	false
Preview:	...................................FL..................F.".. ...'+k.!-...V...a..\.................................:..DG..Yr?.D..U..k0.&...&........d.!-..rw.&>....H.F........t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N..bS.#.....Y.....................t..A.p.p.D.a.t.a...B.V.1......N....Roaming.@.......N..bS.#.....Y....................D...R.o.a.m.i.n.g.....\.1.....>Q.z..MICROS~1..D.......N..bS.#.....Y...................._..M.i.c.r.o.s.o.f.t.....V.1.....>Qc{..Windows.@.......N..bS.#.....Y.....................I..W.i.n.d.o.w.s.......1......N....STARTM~1..n.......N..bS.#.....Y..............D.....G`..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P%v..Programs..j.......N..bS.#.....Y..............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......N..>Q.y.....Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......N...Px......Y..........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YNPMUSIXEREMQWMKT0C4.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6208
Entropy (8bit):	3.7620548230400495
Encrypted:	false
SSDEEP:	96:y5d7eEwuCN9yP9SkvhkvCCtJVrZeHgyaZeHgy2:md7eE4WgJVr5ya5y2
MD5:	859EC29AC9F2456FFF9677DFB5386FF7
SHA1:	46EBC364EBFD516C28F015889E881367DBA23109
SHA-256:	F9B5C0512D493650E9B3A0334A937813D145D72CCD615BC32EFB044CC4463FAC
SHA-512:	5422C31AE22B2224CE3215D1EF070DC475302E8C5534EC3F4D00A87EFBB66C965C5AD9FEE34D5C3A0E8472E2CEADD050A751E2A9E66769B5C757C681BCC674AC
Malicious:	false
Preview:	...................................FL..................F.".. ...'+k.!-...V...a..\.................................:..DG..Yr?.D..U..k0.&...&........d.!-..rw.&>....1.L........t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N..bS.#.....Y.....................t..A.p.p.D.a.t.a...B.V.1......N....Roaming.@.......N..bS.#.....Y....................D...R.o.a.m.i.n.g.....\.1.....>Q.z..MICROS~1..D.......N..bS.#.....Y...................._..M.i.c.r.o.s.o.f.t.....V.1.....>Qc{..Windows.@.......N..bS.#.....Y.....................I..W.i.n.d.o.w.s.......1......N....STARTM~1..n.......N..bS.#.....Y..............D.....G`..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P%v..Programs..j.......N..bS.#.....Y..............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......N..bS.#.....Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......N...Px......Y..........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy) Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6208
Entropy (8bit):	3.7620548230400495
Encrypted:	false
SSDEEP:	96:y5d7eEwuCN9yP9SkvhkvCCtJVrZeHgyaZeHgy2:md7eE4WgJVr5ya5y2
MD5:	859EC29AC9F2456FFF9677DFB5386FF7
SHA1:	46EBC364EBFD516C28F015889E881367DBA23109
SHA-256:	F9B5C0512D493650E9B3A0334A937813D145D72CCD615BC32EFB044CC4463FAC
SHA-512:	5422C31AE22B2224CE3215D1EF070DC475302E8C5534EC3F4D00A87EFBB66C965C5AD9FEE34D5C3A0E8472E2CEADD050A751E2A9E66769B5C757C681BCC674AC
Malicious:	false
Preview:	...................................FL..................F.".. ...'+k.!-...V...a..\.................................:..DG..Yr?.D..U..k0.&...&........d.!-..rw.&>....1.L........t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N..bS.#.....Y.....................t..A.p.p.D.a.t.a...B.V.1......N....Roaming.@.......N..bS.#.....Y....................D...R.o.a.m.i.n.g.....\.1.....>Q.z..MICROS~1..D.......N..bS.#.....Y...................._..M.i.c.r.o.s.o.f.t.....V.1.....>Qc{..Windows.@.......N..bS.#.....Y.....................I..W.i.n.d.o.w.s.......1......N....STARTM~1..n.......N..bS.#.....Y..............D.....G`..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P%v..Programs..j.......N..bS.#.....Y..............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......N..bS.#.....Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......N...Px......Y..........

C:\Users\user\Desktop\rzMvWQOGAE.exe Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	12:bGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGt:n
MD5:	27D42E77774A19AA669EA688B0DBCF99
SHA1:	AE7DFD50822C31989B20FCC6A40BFA05CB46FBE6
SHA-256:	E93A2E475DA7CA7A3C01F7185E15B74262F83A79682F32DBB7046BF395DF2CD7
SHA-512:	0FE5C8DB92DA55EECDB68E21D3A20BDE8043CD2D65F3C699C168F85C433C03B1D727EF73AEED849DA37F06628323D6DBD7171CFFA795FCC2FF72CDD047B995CB
Malicious:	true
Preview:	0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0

C:\Users\user\Documents\20211101\PowerShell_transcript.960781.1yjAoh6+.20211101212951.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1376
Entropy (8bit):	5.350148850304876
Encrypted:	false
SSDEEP:	24:BxSAC7vBVL7Qcx2DOXUWRTgaW8lS5cuLWdHjeTKKjX4CIym1ZJXIagaW8lS5cuFc:BZqvTLkcoOx8aP7uidqDYB1ZgaP7uZZ2
MD5:	E947343C63628A8A64D0BB50637F3429
SHA1:	B81C50927FC7E10F642F237B2182784B6F4E2730
SHA-256:	0D112FDDEB322BA11196FDB42FBE0F472DD3270EB4D183CFFC0985E76DB0FA28
SHA-512:	B5CBD555DFDA411BD678BE4FFAD23227FEB1216A5F6BC302BA1094E8DAFE150DBC2AB9D39616AC6AB1E3B9DE8314FEE40C050D9FA304D920B9A947D4C4D969AE
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20211101213013..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 960781 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;..Process ID: 6832..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20211101213014..********************..PS>$path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Proce

C:\Users\user\Documents\20211101\PowerShell_transcript.960781.5ETV8bU+.20211101213002.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1376
Entropy (8bit):	5.3515816368710345
Encrypted:	false
SSDEEP:	24:BxSATy7vBVL7Qcx2DOXUWRTgaW8lS5cuLW1HjeTKKjX4CIym1ZJXzagaW8lS5cuU:BZ+vTLkcoOx8aP7ui1qDYB1ZFaP7u9Zk
MD5:	82CF6A757334E79E94AA212F326DF5C2
SHA1:	3085CEDECF530F83E43CFED3D40C7263ABFE67F2
SHA-256:	D6B06A3080915970FD5948E6E6F8CEE5FBD05B6FD555F54CE50A3FCF9395BFC0
SHA-512:	F2ACE49581D91B67693D043EBCA8C044DE8975C51E63996E051E4A0A5747AE4884587EB254A055AA1D9924B8297467753290D096F1AD78C0643C41DB2DA8B58F
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20211101213004..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 960781 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;..Process ID: 3084..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20211101213004..********************..PS>$path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Proce

C:\Users\user\Documents\20211101\PowerShell_transcript.960781.MxEjtLZ+.20211101212958.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	7194
Entropy (8bit):	5.404402535175835
Encrypted:	false
SSDEEP:	192:PRsllkXJRJlkX0lk1dlk1dlkZXRi6A+96AzYtn6Z6AzYtn6Z6cYtn6P:P0eJve0mdmdwXBApAct6gAct6gXt6P
MD5:	1783F59AB25B342B36E02C5B78003B85
SHA1:	BDEB4978F3D546FDC257A878346206E2FE7F02F7
SHA-256:	948B7983F64483FD72318533CAB77EDEDDC8F53ABCD0365C61415EB0B67CE414
SHA-512:	D69536A18C0D88FBB6AC4D6828B1C9D82AF4117AB0776A6CD38D0DE77CF302471959B9A8341EBA080ED6400360F0D876D463B5D9602F9AD856411EE52A6B5C72
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20211101213000..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 960781 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;..Process ID: 6696..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20211101213000..********************..PS>$path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Proce

C:\Users\user\Documents\20211101\PowerShell_transcript.960781.TkSD6WsL.20211101212959.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1376
Entropy (8bit):	5.354754558996781
Encrypted:	false
SSDEEP:	24:BxSAQ7vBVL7Qcx2DOXUWRTgaW8lS5cuLWMHjeTKKjX4CIym1ZJXIqagaW8lS5cuC:BZUvTLkcoOx8aP7uiMqDYB1ZuYaP7uZc
MD5:	876F4A66BBFC361FC396ABD6CB6B5322
SHA1:	AA87E7CEF4A0625AD8EF6DE8FDFB6E8988EA79F5
SHA-256:	5092FCDA0B1EB7EBC3450A4441DD2BEDCC2624D3AF8778EADE5D1299A01F8EBE
SHA-512:	67BC2B1000D5671A8A29E1743D2639EE93AA405241BB895669C0092ED6C9D980737724D7E88F33A57B0200AD51284E2F90EA1413E59869A7F8E6C742F90D8FCA
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20211101213019..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 960781 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;..Process ID: 6648..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20211101213019..********************..PS>$path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Proce

\Device\ConDrv Download File
Process:	C:\Users\user\Desktop\rzMvWQOGAE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1230
Entropy (8bit):	5.125494385697167
Encrypted:	false
SSDEEP:	24:LgaW8lS5cuHgaW8lS5cuHgaW8lS5cuHgaW8lS5cuHgaW8lS5cuD:UaP7uAaP7uAaP7uAaP7uAaP7uD
MD5:	C87D5C270A46C3C6EDA9EAE6FF82358F
SHA1:	54E51FCEDB47A9FDA1F6BF6E0E283A1E520CBA62
SHA-256:	015A7A2266A4ACD84D6877F15153F3EBB8CBDFA721DEBD9DA9D19C18B40BB2F3
SHA-512:	B64659B73D1286BC465F337E1C58E08EC7D9B92A9608AB0CE606BAD9132540882AB0A3AA93BB6442D2005335EADC2FBCE3681700E75E88EFE07026ABF89C1A7D
Malicious:	false
Preview:	Connecting to host.....$path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;..Connecting to host.....$path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;..Connecting to host.....$path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;..Connecting to host.....$path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;..Connecting to ho

Static File Info

General
File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.985282854254978
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	rzMvWQOGAE.exe
File size:	1857024
MD5:	d3c5b425a0e346af5bd572bbc238ccba
SHA1:	347b3921b0660986bc0ce4d1a41aa77f04377a37
SHA256:	325ecd90ce19dd8d184ffe7dfb01b0dd02a77e9eabcb587f3738bcfbd3f832a1
SHA512:	b1734c9eec4de9abbc31f298fa87b22805f1abc09fe2912969ae8644d900ebbe78d269fe0f4851f3bda62f27ce2c63b3ee454ae405e248bb06182183d2abdac7
SSDEEP:	24576:hM1fTF/NfFqf6r7LVhpPZxT1xtbzBHf8LAeqfk:hM1h+uhXpk
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6a.................L..........>j... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x5c6a3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6136E6F1 [Tue Sep 7 04:13:37 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1c69f0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c8000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1ca000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1c69b0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1c4a44	0x1c4c00	False	0.428841972667	data	5.98622952842	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x1c8000	0x596	0x600	False	0.41015625	data	4.03543885017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1ca000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x1c80a0	0x30c	data
RT_MANIFEST	0x1c83ac	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2021
Assembly Version	1.0.0.0
InternalName	sender2.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	sender2
ProductVersion	1.0.0.0
FileDescription	sender2
OriginalFilename	sender2.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2021 21:29:39.943727970 CET	49756	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:39.995034933 CET	22	49756	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:39.995198965 CET	49756	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:39.998095989 CET	49756	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:40.015163898 CET	49756	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:40.053159952 CET	22	49756	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:40.057837009 CET	22	49756	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:40.093076944 CET	49756	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:40.135803938 CET	22	49756	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:40.186837912 CET	49756	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:40.268105030 CET	49756	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:40.310893059 CET	22	49756	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:40.415189981 CET	49756	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:40.457933903 CET	22	49756	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:40.466888905 CET	22	49756	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:40.515003920 CET	49756	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:42.047002077 CET	49756	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:42.089689016 CET	22	49756	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:42.182823896 CET	49756	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:42.225402117 CET	22	49756	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:42.225425005 CET	22	49756	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:42.276473999 CET	49756	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:42.319837093 CET	22	49756	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:42.325670004 CET	22	49756	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:42.375096083 CET	49756	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:42.379676104 CET	49756	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:42.464000940 CET	22	49756	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:45.299113989 CET	22	49756	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:45.310061932 CET	49756	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:45.353990078 CET	22	49756	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:45.354228020 CET	49756	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:47.865595102 CET	49757	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:47.908869982 CET	22	49757	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:47.909014940 CET	49757	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:47.909966946 CET	49757	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:47.910207987 CET	49757	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:47.952824116 CET	22	49757	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:47.963916063 CET	22	49757	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:48.015625000 CET	49757	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:48.058621883 CET	22	49757	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:48.059591055 CET	49757	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:48.061244965 CET	49757	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:48.102359056 CET	22	49757	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:48.103840113 CET	22	49757	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:48.113482952 CET	22	49757	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:48.116751909 CET	49757	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:48.117671013 CET	49757	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:48.159482002 CET	22	49757	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:48.160288095 CET	22	49757	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:48.160311937 CET	22	49757	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:48.161353111 CET	49757	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:48.209872007 CET	22	49757	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:48.211157084 CET	49757	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:48.296058893 CET	22	49757	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:51.130707979 CET	22	49757	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:51.132018089 CET	49757	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:51.176006079 CET	22	49757	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:51.176091909 CET	49757	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:51.838248968 CET	49758	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:51.881103039 CET	22	49758	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:51.881216049 CET	49758	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:51.881653070 CET	49758	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:51.881863117 CET	49758	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:51.924333096 CET	22	49758	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:51.935101986 CET	22	49758	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:51.984755993 CET	49758	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:52.027473927 CET	22	49758	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:52.028686047 CET	49758	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:52.031075954 CET	49758	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:52.071460962 CET	22	49758	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:52.073682070 CET	22	49758	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:52.080348969 CET	22	49758	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:52.085417986 CET	49758	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:52.086658001 CET	49758	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:52.128173113 CET	22	49758	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:52.129173040 CET	22	49758	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:52.129201889 CET	22	49758	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:52.130695105 CET	49758	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:52.179250002 CET	22	49758	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:52.180212021 CET	49758	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:52.264048100 CET	22	49758	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:55.100132942 CET	22	49758	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:55.141302109 CET	49758	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:55.879251957 CET	49758	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:55.923325062 CET	22	49758	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:55.923425913 CET	49758	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:56.397851944 CET	49759	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:56.440350056 CET	22	49759	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:56.440476894 CET	49759	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:56.441811085 CET	49759	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:56.442080021 CET	49759	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:56.485502005 CET	22	49759	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:56.495553970 CET	22	49759	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:56.641355038 CET	49759	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:56.683829069 CET	22	49759	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:56.684743881 CET	49759	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:56.687571049 CET	49759	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:56.727153063 CET	22	49759	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:56.729902983 CET	22	49759	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:56.736495972 CET	22	49759	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:56.742173910 CET	49759	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:56.743704081 CET	49759	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:56.784636974 CET	22	49759	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:56.785967112 CET	22	49759	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:56.785990000 CET	22	49759	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:56.788405895 CET	49759	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:56.836668968 CET	22	49759	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:56.838052034 CET	49759	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:56.924016953 CET	22	49759	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:59.757256031 CET	22	49759	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:59.758616924 CET	49759	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:29:59.802778959 CET	22	49759	165.22.84.147	192.168.2.6
Nov 1, 2021 21:29:59.805816889 CET	49759	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:30:00.392874956 CET	49760	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:30:00.435838938 CET	22	49760	165.22.84.147	192.168.2.6
Nov 1, 2021 21:30:00.435941935 CET	49760	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:30:00.436629057 CET	49760	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:30:00.436974049 CET	49760	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:30:00.479223967 CET	22	49760	165.22.84.147	192.168.2.6
Nov 1, 2021 21:30:00.489541054 CET	22	49760	165.22.84.147	192.168.2.6
Nov 1, 2021 21:30:00.563615084 CET	49760	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:30:00.606229067 CET	22	49760	165.22.84.147	192.168.2.6
Nov 1, 2021 21:30:00.617671013 CET	49760	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:30:00.619060993 CET	49760	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:30:00.660200119 CET	22	49760	165.22.84.147	192.168.2.6
Nov 1, 2021 21:30:00.661346912 CET	22	49760	165.22.84.147	192.168.2.6
Nov 1, 2021 21:30:00.668450117 CET	22	49760	165.22.84.147	192.168.2.6
Nov 1, 2021 21:30:00.672394037 CET	49760	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:30:00.673578978 CET	49760	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:30:00.714989901 CET	22	49760	165.22.84.147	192.168.2.6
Nov 1, 2021 21:30:00.715948105 CET	22	49760	165.22.84.147	192.168.2.6
Nov 1, 2021 21:30:00.715976000 CET	22	49760	165.22.84.147	192.168.2.6
Nov 1, 2021 21:30:00.716747999 CET	49760	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:30:00.759255886 CET	22	49760	165.22.84.147	192.168.2.6
Nov 1, 2021 21:30:00.765038967 CET	22	49760	165.22.84.147	192.168.2.6
Nov 1, 2021 21:30:00.768502951 CET	49760	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:30:00.852034092 CET	22	49760	165.22.84.147	192.168.2.6
Nov 1, 2021 21:30:03.689905882 CET	22	49760	165.22.84.147	192.168.2.6
Nov 1, 2021 21:30:03.691387892 CET	49760	22	192.168.2.6	165.22.84.147
Nov 1, 2021 21:30:03.735723019 CET	22	49760	165.22.84.147	192.168.2.6
Nov 1, 2021 21:30:03.739231110 CET	49760	22	192.168.2.6	165.22.84.147

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: rzMvWQOGAE.exe PID: 6232 Parent PID: 5416

General

Start time:	21:29:37
Start date:	01/11/2021
Path:	C:\Users\user\Desktop\rzMvWQOGAE.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\rzMvWQOGAE.exe'
Imagebase:	0xd40000
File size:	1857024 bytes
MD5 hash:	D3C5B425A0E346AF5BD572BBC238CCBA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 1236 Parent PID: 6232

General

Start time:	21:29:38
Start date:	01/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 6832 Parent PID: 6232

General

Start time:	21:29:46
Start date:	01/11/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6860 Parent PID: 6832

General

Start time:	21:29:48
Start date:	01/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 6648 Parent PID: 6232

General

Start time:	21:29:51
Start date:	01/11/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6500 Parent PID: 6648

General

Start time:	21:29:51
Start date:	01/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 6696 Parent PID: 6232

General

Start time:	21:29:55
Start date:	01/11/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6508 Parent PID: 6696

General

Start time:	21:29:56
Start date:	01/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 3084 Parent PID: 6232

General

Start time:	21:29:59
Start date:	01/11/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5296 Parent PID: 3084

General

Start time:	21:30:00
Start date:	01/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 5956 Parent PID: 6232

General

Start time:	21:30:03
Start date:	01/11/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden -C $path = 'C:\Users\user\Desktop\rzMvWQOGAE.exe';Get-Process \| Where-Object {$_.Path -like $path} \| Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;
Imagebase:
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rzMvWQOGAE.exe PID: 6232 Parent PID: 5416 rzMvWQOGAE.exeCOMMON

Executed Functions

Function 01749685, Relevance: 26.2, Strings: 19, Instructions: 2477COMMON

Download Yara Rule

Strings

{Z?m^, xrefs: 0174A161, 0174A166
kV, xrefs: 0174AC8C
4?, xrefs: 0174C57F
Y?m^, xrefs: 0174AD00, 0174AD05
KZ?m^, xrefs: 0174A543, 0174A548
sY?m^, xrefs: 0174B476, 0174B47B
[Z?m^, xrefs: 0174A3FD, 0174A402
kZ?m^, xrefs: 0174A2A7, 0174A2AC
cY?m^, xrefs: 0174B573, 0174B578
;Z?m^, xrefs: 0174A689, 0174A68E
d7, xrefs: 0174C27E
X?m^, xrefs: 0174BE0E, 0174BE13
P;, xrefs: 0174C3CF
D', xrefs: 0174B925
+Z?m^, xrefs: 0174A7CF, 0174A7D4
SY?m^, xrefs: 0174B667, 0174B66C
$2, xrefs: 0174C0C1
3Y?m^, xrefs: 0174B83F, 0174B844, 0174B8D1, 0174B8D6
CY?m^, xrefs: 0174B74B, 0174B750

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: $2$4?$D'$P;$d7$+Z?m^$3Y?m^$;Z?m^$CY?m^$KZ?m^$SY?m^$[Z?m^$cY?m^$kZ?m^$sY?m^${Z?m^$X?m^$Y?m^$kV
API String ID: 0-4091294026
Opcode ID: 21413620bd2fc175df85806de96e2a49c1f62031e2597cc6a6afffcd6c0ce84f
Instruction ID: 67dbc203fd875a7cd93cb21cd542447cbb2288699b16c49e0399450db7231624
Opcode Fuzzy Hash: 21413620bd2fc175df85806de96e2a49c1f62031e2597cc6a6afffcd6c0ce84f
Instruction Fuzzy Hash: 13538EB4E012298FCBA5DF28C894B9DBBB5FB89204F1041EAD50DA7350DB356E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01744F40, Relevance: 5.1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

Strings

xl, xrefs: 01745038
xl, xrefs: 01744F4A
+wl, xrefs: 01744FD0
kN, xrefs: 01745030

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: +wl$xl$xl$kN
API String ID: 0-4102350168
Opcode ID: 200aafe01dfcf795f187330be0498c57c2c567c3572a098a54424ad2c22528d6
Instruction ID: 35acd0bc95a0818ed8fbbd33cec21b59a0387e0d25f34f7acef71d0f80c6a9c5
Opcode Fuzzy Hash: 200aafe01dfcf795f187330be0498c57c2c567c3572a098a54424ad2c22528d6
Instruction Fuzzy Hash: 75312730319301CB8B681ABD585933BE5965BD110CB1988BFA52FCF7A5DB71CE0962A3

Uniqueness

Uniqueness Score: -1.00%

Function 01745BF8, Relevance: 3.3, Strings: 2, Instructions: 798COMMON

Download Yara Rule

Strings

)eb, xrefs: 01746457
q', xrefs: 017460BB

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: q'$)eb
API String ID: 0-3318336680
Opcode ID: ce39066332ba75d120cae5e28694445a51068ed0585657fbd7250cd7f31d29e2
Instruction ID: 365b21e65911a623e0401c4fd65d207b9d00fd239019f2a1b79f1a7a318a2c9c
Opcode Fuzzy Hash: ce39066332ba75d120cae5e28694445a51068ed0585657fbd7250cd7f31d29e2
Instruction Fuzzy Hash: 55724B70A102688FCB65CF68C85469DF7F2BF8A304F6085EAD509AB754DB709E85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0AE862A9, Relevance: 3.1, Strings: 2, Instructions: 613COMMON

Download Yara Rule

Strings

*%p, xrefs: 0AE86960
GFz, xrefs: 0AE866D3

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: *%p$GFz
API String ID: 0-286496180
Opcode ID: 40e210e0fa988637a3ffee1ff759281d50cbef3d14d5a80a50bca9bb754a964a
Instruction ID: 794cbe2d21adb825f0bf86d9a1b6934337b6a6282e32004310cccecd94351302
Opcode Fuzzy Hash: 40e210e0fa988637a3ffee1ff759281d50cbef3d14d5a80a50bca9bb754a964a
Instruction Fuzzy Hash: 263226706042919FCB11EF68C4505AEBFF2BF85214B148A6AD49EDF796CB31EC05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0AE86310, Relevance: 3.0, Strings: 2, Instructions: 543COMMON

Download Yara Rule

Strings

*%p, xrefs: 0AE86960
GFz, xrefs: 0AE866D3

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: *%p$GFz
API String ID: 0-286496180
Opcode ID: f0f0764762e7b068afb57c5890f92f8a51e1a811a32fbe58a999784166a62593
Instruction ID: c825b3b65d6c9bca591a03bf4e60669716eb8462787d34c2652d233f41d67f86
Opcode Fuzzy Hash: f0f0764762e7b068afb57c5890f92f8a51e1a811a32fbe58a999784166a62593
Instruction Fuzzy Hash: B41248706042559FCB20EF78C4945AEBBF2BF85214B148A6AD45EDB791CB30ED01CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01742BE0, Relevance: 2.8, Strings: 2, Instructions: 285COMMON

Download Yara Rule

Strings

H", xrefs: 01742F9C
=$, xrefs: 01742FA3

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: H"$=$
API String ID: 0-949830636
Opcode ID: 74b46972a4b12f228a33c4adcc883600e37c309e04e533a6b696aa1e4fbfe501
Instruction ID: e26a8cb7d5f99889c31faeba6137e0d267e6ad8b0a9bcbb2d260f460b1739566
Opcode Fuzzy Hash: 74b46972a4b12f228a33c4adcc883600e37c309e04e533a6b696aa1e4fbfe501
Instruction Fuzzy Hash: 3AB10771718211CFD715CF68E489429FBA1FB85300B5686A6F906DF267C331EEA1CB89

Uniqueness

Uniqueness Score: -1.00%

Function 017411F0, Relevance: 2.8, Strings: 2, Instructions: 283COMMON

Download Yara Rule

Strings

]vyI, xrefs: 01741950
?m^, xrefs: 017417CF

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: ]vyI$?m^
API String ID: 0-1042041263
Opcode ID: 9d04918d6350982d32508e0c9a056fb2ad8de4115fe16c42c19621cb28cbca37
Instruction ID: 175e8841e0a334e9428ba5693cd8e6d586d01a5dd073274d63a3fa2eaeef6ee3
Opcode Fuzzy Hash: 9d04918d6350982d32508e0c9a056fb2ad8de4115fe16c42c19621cb28cbca37
Instruction Fuzzy Hash: 07A15770E00214CFD704DFA8C8846AEFFBABF85310B5585AAD505AB362CB31ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0AE80157, Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

NKJ, xrefs: 0AE80DEB

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: NKJ
API String ID: 0-724169061
Opcode ID: 4acb337f75b2e80afb2bedf73b21b2ed619d09fd6a6557ba170764dda6deb2f9
Instruction ID: dd6456eb51a63cd796506ae3918173dd7a3176e51f70c5a83cbbf141bc2eb122
Opcode Fuzzy Hash: 4acb337f75b2e80afb2bedf73b21b2ed619d09fd6a6557ba170764dda6deb2f9
Instruction Fuzzy Hash: 2DE16CB4E106698FCB21EFA8D8845ADFBF2FF89314F249529D419AB245D730E846CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0AE82908, Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

h#&+, xrefs: 0AE82AD0

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: h#&+
API String ID: 0-2327806509
Opcode ID: 43097346052b1551d9424efedb3e2758612e39c029f3a50667cfab637767e9db
Instruction ID: 4bc42a57442954e637efe3fbe2e6e0d918f50813496839c4858bf5d942469d81
Opcode Fuzzy Hash: 43097346052b1551d9424efedb3e2758612e39c029f3a50667cfab637767e9db
Instruction Fuzzy Hash: EAD156317002549FCB26EB7898146FE7BB2EFC6214F1485AAD65EDF291DF318C068B91

Uniqueness

Uniqueness Score: -1.00%

Function 0AE829A0, Relevance: 1.6, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

h#&+, xrefs: 0AE82AD0

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: h#&+
API String ID: 0-2327806509
Opcode ID: bf010dd3e15e953b14755b2e2915564eef000eacb92b4698cdfcc3c04525b51d
Instruction ID: 0e202b939d31eb3f44405d4d68759d74c2d2981bb70c1ef4cdd1243ee70e6ce6
Opcode Fuzzy Hash: bf010dd3e15e953b14755b2e2915564eef000eacb92b4698cdfcc3c04525b51d
Instruction Fuzzy Hash: 26B133317002249FCB25AB7898146EF7BA7EFC9214F108969E65EDB381DF31DC068B91

Uniqueness

Uniqueness Score: -1.00%

Function 0AE8BC70, Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

T/, xrefs: 0AE8BDCC

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: T/
API String ID: 0-3782959645
Opcode ID: 7cb1e0f69fdc19946f0a4677c7eacd84b2c335f4b874b3e9684baf5a0f13f8e0
Instruction ID: 6206cb51a356fcb1217ca6798c36e5f60fda374ce719bd3ad05cc6d600aaf2a2
Opcode Fuzzy Hash: 7cb1e0f69fdc19946f0a4677c7eacd84b2c335f4b874b3e9684baf5a0f13f8e0
Instruction Fuzzy Hash: A791CFB1F14219EFC714EB69C5456AEBBB5BF88604F11A066D50EFB3A0CB31ED408B91

Uniqueness

Uniqueness Score: -1.00%

Function 01742450, Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9b8ed3ed11126ef74baa40be1ec1d7c0b3b4d834cbff6197bf858bb2405486
Instruction ID: cffeb36b9e5a08cce1bfcaca738bf8da111c2a47e10cc82746cdf3fd34f8483d
Opcode Fuzzy Hash: de9b8ed3ed11126ef74baa40be1ec1d7c0b3b4d834cbff6197bf858bb2405486
Instruction Fuzzy Hash: D2D12472A082118BD725CF28E88A479FFB1FF45300B5945CAF9019F563D331DAA2CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0AE89290, Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e94372ab2405c62f01cff14d150e6ad451d96a0862802dda283838aa74a0f11
Instruction ID: e9ab75930f85e1b97195d6b3fad40d9d708575923d093aed26fe118d4b5ad0fd
Opcode Fuzzy Hash: 6e94372ab2405c62f01cff14d150e6ad451d96a0862802dda283838aa74a0f11
Instruction Fuzzy Hash: F9B11770F042048FCB15EBB9D4545BEBBF6AFC9214B248569E41EEB399DF308C018B92

Uniqueness

Uniqueness Score: -1.00%

Function 0174D9D8, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a9a695a8a001a789d82656dfd67e1e99ebde1f1f7f1a5e9f04e987a390b403
Instruction ID: ca42575e08791dcfa9f95b7e3f0eb4c79f2173075427592bacd911f7854efa36
Opcode Fuzzy Hash: 16a9a695a8a001a789d82656dfd67e1e99ebde1f1f7f1a5e9f04e987a390b403
Instruction Fuzzy Hash: FAA10131B04215CFCB28DFA8C4546AEFBB6FFA8214F2544AAD446AB355DB30DD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0AE85035, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5110475c7243c42833d8803cb0e44e765a4c72199df6fe23bfa001a3a7b51f41
Instruction ID: 2810fb9cb953e03bed6ed47fac2df2183b9d060eeba555d9be1a3a72cbbd60d8
Opcode Fuzzy Hash: 5110475c7243c42833d8803cb0e44e765a4c72199df6fe23bfa001a3a7b51f41
Instruction Fuzzy Hash: 9C61B470310701DFC774EF64C6556AAB7B6BF88208B10992E904FCB6A0DF75ED098B61

Uniqueness

Uniqueness Score: -1.00%

Function 0174DB48, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a60960b9fcdbb2c8e285754b6f5afd31b2dc596b64947316e06672102a20bf38
Instruction ID: 6941bcecca6c308a3ff319c5e70364a0e351269cb6b67df100d73564e9a36959
Opcode Fuzzy Hash: a60960b9fcdbb2c8e285754b6f5afd31b2dc596b64947316e06672102a20bf38
Instruction Fuzzy Hash: 6E519D35B10205CFCB58DFA8D458AADFBF6EBA8310F1544AAD446EB354CB30DC418B91

Uniqueness

Uniqueness Score: -1.00%

Function 01741870, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b286839530c9832323ecdb7f81e2e3bd1d0e97d2433bff916ebf0abad8f7dbb3
Instruction ID: 6a13c48c6fbc0f43875202739b2fc4b16fa0689556b3d4165f3c43518323d915
Opcode Fuzzy Hash: b286839530c9832323ecdb7f81e2e3bd1d0e97d2433bff916ebf0abad8f7dbb3
Instruction Fuzzy Hash: 5C41F271F001158FDB04DFA9C89467FFABABF88210F11816AE516FB3A0C7709E418B96

Uniqueness

Uniqueness Score: -1.00%

Function 01741C80, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7a4aa9161e032f53791c1530d5547162819c5d15b8bbea4dfdd99ada32e215
Instruction ID: 7cc7fb3681308db447de62a586a0dc9a66fd61f871a071e5133f038e3edf5c5e
Opcode Fuzzy Hash: 5d7a4aa9161e032f53791c1530d5547162819c5d15b8bbea4dfdd99ada32e215
Instruction Fuzzy Hash: 1241F475B042158FCB08DF9988905BEFBF6ABC9200F6580ABD815EB291C334DD818B54

Uniqueness

Uniqueness Score: -1.00%

Function 01741C90, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99096f2c8b3b31cfd063ebf3b310c3c48203e4ca482890d67b8182e5b6d988ce
Instruction ID: 814ef5c90dcdc4db6348fd664c33fac63654c241b270c9e18ecc81cac058a49a
Opcode Fuzzy Hash: 99096f2c8b3b31cfd063ebf3b310c3c48203e4ca482890d67b8182e5b6d988ce
Instruction Fuzzy Hash: FF31E471B002158FCB08DF9AC9915AEFAF6ABC8200F64806AE915EB381C734DD818B54

Uniqueness

Uniqueness Score: -1.00%

Function 01744F30, Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

xl, xrefs: 01745038
xl, xrefs: 01744F4A
kN, xrefs: 01745030

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: xl$xl$kN
API String ID: 0-2402485412
Opcode ID: ca0c9d60797456e44c28a999e3ee7ddd179c18a2e3947a6a10140591c023060b
Instruction ID: d6a191867a13d38d5b5cec2a1ada10b1fcfd42e0ef8a17353f3952ca8da0d578
Opcode Fuzzy Hash: ca0c9d60797456e44c28a999e3ee7ddd179c18a2e3947a6a10140591c023060b
Instruction Fuzzy Hash: 1D314830318341CBCB650AB8445937BF6966F9210CB1989BF942FCB2A1DB71CE096763

Uniqueness

Uniqueness Score: -1.00%

Function 01745BE8, Relevance: 3.0, Strings: 2, Instructions: 501COMMON

Download Yara Rule

Strings

)eb, xrefs: 01746457
q', xrefs: 017460BB

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: q'$)eb
API String ID: 0-3318336680
Opcode ID: c67394118deaf7a1fd7720381c798a49fa30a9a719852f06837edb349860bfbf
Instruction ID: f4a307a58886eb9a2e32e9ad878c9dccbcd6bcc3fcd822c63985ff3f13b3465d
Opcode Fuzzy Hash: c67394118deaf7a1fd7720381c798a49fa30a9a719852f06837edb349860bfbf
Instruction Fuzzy Hash: C132E374A112288BCB64DF69C8547DDF7B2BF8A308F6080DAD509AB754DB709E85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 017450F8, Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

w{\t, xrefs: 017452EC
A9E, xrefs: 01745229

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: w{\t$A9E
API String ID: 0-3595487219
Opcode ID: e5139ba3209adb510380494c1acff04ea199a362ef57382981449a00e8c9dbee
Instruction ID: b4136162b536dea039b803f0a0a8b60ce6b2dd334573903616eb6b2ff1a69237
Opcode Fuzzy Hash: e5139ba3209adb510380494c1acff04ea199a362ef57382981449a00e8c9dbee
Instruction Fuzzy Hash: DD51F830A182098BDB14EBB8D9641BEB775EF91208F5045AED102AF394FF309E0DC766

Uniqueness

Uniqueness Score: -1.00%

Function 0AE8AFF8, Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

#(, xrefs: 0AE8B105
6F, xrefs: 0AE8AFE1

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: #($6F
API String ID: 0-2969450899
Opcode ID: bd6ce7ce8e0dde0d3c725496245a646a6a1fb61fbc0249f41e6b0188aa200d9c
Instruction ID: 58cf0360280ad3af783dbeea4989f84505e7b78aeecc88d7a67fcaa733dacdb3
Opcode Fuzzy Hash: bd6ce7ce8e0dde0d3c725496245a646a6a1fb61fbc0249f41e6b0188aa200d9c
Instruction Fuzzy Hash: 6851F1B1B00109CFCB44EF68C5946AEBBF2AB88214F259866C50EEF351CB35DD06CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0174E427, Relevance: 2.6, Strings: 2, Instructions: 119COMMON

Download Yara Rule

Strings

kBs_, xrefs: 0174E4D6
ha, xrefs: 0174E4B7

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: ha$kBs_
API String ID: 0-297961271
Opcode ID: 5b2c9fa2d8c274cf919a845ca6a72adea7e764bdf8354858f480d3a72ff19257
Instruction ID: 3072a201f30f3858adec39755c1a46130ba359e697c9a89f538821fcc4bd8db9
Opcode Fuzzy Hash: 5b2c9fa2d8c274cf919a845ca6a72adea7e764bdf8354858f480d3a72ff19257
Instruction Fuzzy Hash: 2341DF76E052118FCB12DFB9D4996EEFFB2FF89220B24446BD445A7251EB389C058B90

Uniqueness

Uniqueness Score: -1.00%

Function 0174E470, Relevance: 2.6, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

kBs_, xrefs: 0174E4D6
ha, xrefs: 0174E4B7

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: ha$kBs_
API String ID: 0-297961271
Opcode ID: 9792cfea7d7294813a6b0e2ffafc1a50dd154fb63042e924eb4751958b60d73e
Instruction ID: 83caaf24d51d863f50a2ee61a7fe6df328967781035504d2a7f7c3c8f78fdfa5
Opcode Fuzzy Hash: 9792cfea7d7294813a6b0e2ffafc1a50dd154fb63042e924eb4751958b60d73e
Instruction Fuzzy Hash: 2521B175E002158B8B15DFA9D5845AEFBB6FB8C260B14842AE519A3340DF34AD00CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 01740D2B, Relevance: 2.5, Strings: 2, Instructions: 25COMMON

Download Yara Rule

Strings

xl, xrefs: 01740D53
kN, xrefs: 01740D3B, 01740D40

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: xl$kN
API String ID: 0-3935522260
Opcode ID: 43adcb562835b11fc7caa58a6c449d82cc3d9bf2504c5314744ae5dc78325719
Instruction ID: 0380d98f0b4879975ab388e8c43df4f2c18024eeed78a1c82b107cfff7803b70
Opcode Fuzzy Hash: 43adcb562835b11fc7caa58a6c449d82cc3d9bf2504c5314744ae5dc78325719
Instruction Fuzzy Hash: A0F01774A4022ACBDB34DB24C891BFDB272AF85204F1184F9841A6BF54DB71AD85EF61

Uniqueness

Uniqueness Score: -1.00%

Function 0AE89748, Relevance: 2.5, Strings: 2, Instructions: 19COMMON

Download Yara Rule

Strings

@[, xrefs: 0AE89752
@[, xrefs: 0AE8975C

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: @[$@[
API String ID: 0-2516757869
Opcode ID: 3822cb50fc42b711fac428824314d5c4546b8c4582f4e9f20e056b0ca2f5dd64
Instruction ID: b1bedf1c9f83cedab4534b0e44c49204c4cab7a429e959f776d270bf50f10967
Opcode Fuzzy Hash: 3822cb50fc42b711fac428824314d5c4546b8c4582f4e9f20e056b0ca2f5dd64
Instruction Fuzzy Hash: 1ED02EB2B002298F8A246E8CC4208F973ED9B8A62430060A6E00D8B322DA229C00CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0AE82C11, Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

0U, xrefs: 0AE82C14

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: 0U
API String ID: 0-1984268414
Opcode ID: b86c27472de3408e0763a87d98a8332bafbc7472795440fcd1e220a8a152c34e
Instruction ID: a6599c39ea96aaa0847987e5a51a37dd395eff3a8ca399ab522e8e1295bd9b01
Opcode Fuzzy Hash: b86c27472de3408e0763a87d98a8332bafbc7472795440fcd1e220a8a152c34e
Instruction Fuzzy Hash: A4712731B002599FCB26DB68DC54AEEBBB2EF89310F0086E6D55DDB291DB309D15CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0AE881F8, Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

`R , xrefs: 0AE8835A

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: `R
API String ID: 0-803502007
Opcode ID: 446e9e9371970ce0a7e8c54c3a3c2a05166d9933ae71e19f8cf5801b6eceb50b
Instruction ID: 048ac60d9dd4ccfe26027f709001b911c311a1548ecb1e2e9d29f3ca19e0c161
Opcode Fuzzy Hash: 446e9e9371970ce0a7e8c54c3a3c2a05166d9933ae71e19f8cf5801b6eceb50b
Instruction Fuzzy Hash: 9C6111B1A006159FCB24DFACC4508AEBFB2FF99250B50D96AE85DDB361C730DD018B91

Uniqueness

Uniqueness Score: -1.00%

Function 017450E9, Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

w{\t, xrefs: 017452EC

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: w{\t
API String ID: 0-3463342069
Opcode ID: 3e4534bc8d22282649bbe97d23e88a427f208fc91bde9d5c68ceab9259fb2caf
Instruction ID: 68118e99440935ca0700583bc3849582d43448106603fed1ab33a4003d7bf9c9
Opcode Fuzzy Hash: 3e4534bc8d22282649bbe97d23e88a427f208fc91bde9d5c68ceab9259fb2caf
Instruction Fuzzy Hash: 63510B30A182498BDB14EBB8D9641FEBB75EF51208F5085AED102AF294FF309E0DC756

Uniqueness

Uniqueness Score: -1.00%

Function 0AE868B1, Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

*%p, xrefs: 0AE86960

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: *%p
API String ID: 0-2057801211
Opcode ID: 2e86836e5600a693c63978c46b773c363e6798249972e5f37d6e29101969da1d
Instruction ID: cd89371dfa58ebc5b9243f8b58ccbbba404c4eb69587d7ca323aaf1aa871db27
Opcode Fuzzy Hash: 2e86836e5600a693c63978c46b773c363e6798249972e5f37d6e29101969da1d
Instruction Fuzzy Hash: C14135703147609FCB22AF6894542AF7BE3AFC5208725892ED44FDB785CB35DC0687A2

Uniqueness

Uniqueness Score: -1.00%

Function 0AE868C0, Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

*%p, xrefs: 0AE86960

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: *%p
API String ID: 0-2057801211
Opcode ID: 12729a6d8a94bc65c5290a8eca4fb616bd2ec2c8959ac3114f53fb76c2b47e46
Instruction ID: 339dd08d7325909a0d06443b3e9de5417bb6fb8dd645fcc5f62966cd285cbe07
Opcode Fuzzy Hash: 12729a6d8a94bc65c5290a8eca4fb616bd2ec2c8959ac3114f53fb76c2b47e46
Instruction Fuzzy Hash: C14126703107209FCB25AF6894546AF7BE7AFC5208B25892AD40FDB785CF75DC0687A2

Uniqueness

Uniqueness Score: -1.00%

Function 0AE81D32, Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

>^, xrefs: 0AE81D51

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: >^
API String ID: 0-4180764540
Opcode ID: e88d7791e0734b4f5392aeb54ed7a79e749accf40c8f16f2dcdc5347e9bba8e5
Instruction ID: 2c5629374d78892c412119402c25e292906a61389113528ddbc01d70e80b7f6c
Opcode Fuzzy Hash: e88d7791e0734b4f5392aeb54ed7a79e749accf40c8f16f2dcdc5347e9bba8e5
Instruction Fuzzy Hash: 3A214B312082808FC7159B38E89499ABFB4DF87214B1589BBD48DCF262C2349C07C792

Uniqueness

Uniqueness Score: -1.00%

Function 0174EEDA, Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

hf, xrefs: 0174EEE8

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: hf
API String ID: 0-2998370257
Opcode ID: 7e30fe8b9b53b93e901909e7d9162663bbd4eb16057a4422cafb4397643d02a1
Instruction ID: a270d242f302e5609be131d35af02ecb38b5b99f1ea7459bb884bb648cca50a9
Opcode Fuzzy Hash: 7e30fe8b9b53b93e901909e7d9162663bbd4eb16057a4422cafb4397643d02a1
Instruction Fuzzy Hash: 4CF0BE367012118FC724AF75D04807EBBA6FB886557644C5EE403CB740DF39EC028BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0AE81338, Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

D&, xrefs: 0AE81367

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: D&
API String ID: 0-2586501845
Opcode ID: 6dec0bf257a62a7c380486e6881fc83bf5770b94de1f6c7f0bb8917821bb0152
Instruction ID: 4accaf42b412cc76d7ce070a83298c5d3d189d74fc77ad0022712ec3f612615f
Opcode Fuzzy Hash: 6dec0bf257a62a7c380486e6881fc83bf5770b94de1f6c7f0bb8917821bb0152
Instruction Fuzzy Hash: 6FE0D8367111192F860466EF6C6DABFBBDEEBD91A4310052AE70AD3344DE314C0183E5

Uniqueness

Uniqueness Score: -1.00%

Function 0174EF46, Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

Hrl, xrefs: 0174EF46

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: Hrl
API String ID: 0-2225770440
Opcode ID: ad25baec2a8db8e8822e8f9a0db95c6b520e780f70cf99106ccb9bc58d8a1702
Instruction ID: af668d6c78e73a59a21566cafc83fa2d2e90d082a0e9435d7d97c641244d0ad6
Opcode Fuzzy Hash: ad25baec2a8db8e8822e8f9a0db95c6b520e780f70cf99106ccb9bc58d8a1702
Instruction Fuzzy Hash: BEE092317106008FC7189F65801816EB6E3B7C5604B30893CE003DB394DF389D0A8B55

Uniqueness

Uniqueness Score: -1.00%

Function 0174E5B2, Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

@[, xrefs: 0174E5C7

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: @[
API String ID: 0-16352445
Opcode ID: f440aabc6c6135b7b26a49a8934b2b4454797ad325f2015adb7369a5f3a847f7
Instruction ID: 77c56fc0030d812b11d1effc4fc20bbed9018c6d25ebce4d4c9de42ab7a4a642
Opcode Fuzzy Hash: f440aabc6c6135b7b26a49a8934b2b4454797ad325f2015adb7369a5f3a847f7
Instruction Fuzzy Hash: 4EE086723192801FC312566DAC9881AEFD6DFC9614B5804AFF541D7355C566CC048365

Uniqueness

Uniqueness Score: -1.00%

Function 0174F041, Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

M`5!, xrefs: 0174F045

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: M`5!
API String ID: 0-4004857396
Opcode ID: eac086682368648248c2ea84845aff36588ac037b23dfbe41c757926cbd17a4f
Instruction ID: 472e535f8819d7b1619707cc28932dba3b08f85594f6ca7f651e73f5676a217d
Opcode Fuzzy Hash: eac086682368648248c2ea84845aff36588ac037b23dfbe41c757926cbd17a4f
Instruction Fuzzy Hash: C2E012363055009B82256A68914857AF7B3F7CC715365485DE5438BB48CF39DD068B92

Uniqueness

Uniqueness Score: -1.00%

Function 0174ED00, Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

Xe, xrefs: 0174ED14

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: Xe
API String ID: 0-4050453164
Opcode ID: 40dfc9687229cffbb243cee49e614538daaa8b02465232bcfddcc8e341de27b3
Instruction ID: 6fc4d8e095a32ebf0826fc67fc23e6cc137de358f3d77d06daa9e8fb09e41bbd
Opcode Fuzzy Hash: 40dfc9687229cffbb243cee49e614538daaa8b02465232bcfddcc8e341de27b3
Instruction Fuzzy Hash: 6AD02E233102F25BCA086E7855A802FAAD2BB801203500D7E85078B586CE689B008301

Uniqueness

Uniqueness Score: -1.00%

Function 0AE89788, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71c9ee3c2ae4e83402eb39b0506ff32b6ea1e5972459aa186411aff1441cddf
Instruction ID: be4d9fb13353a77ed8d022e8a6d058e6d9e782b2396f7509cf0de2d1af4d6177
Opcode Fuzzy Hash: d71c9ee3c2ae4e83402eb39b0506ff32b6ea1e5972459aa186411aff1441cddf
Instruction Fuzzy Hash: 7A51C371E042258FCB55EF78C5146BEBBF2AF88214F259959C01EEB381CB399D01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0AE815C0, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7bb01ecec2353914c48d35b908e52a5c479f00ffb5ec38f2665f3de7c9443fa
Instruction ID: fb660df74cb1b0a23dd9b3ea5442d5a8cb506f7d4e1dd7e16472b7e477f8f609
Opcode Fuzzy Hash: c7bb01ecec2353914c48d35b908e52a5c479f00ffb5ec38f2665f3de7c9443fa
Instruction Fuzzy Hash: ED4114713143408FC310AB78D85096E7BB6EFC62147294A6AD51FCB361DB31DC02C761

Uniqueness

Uniqueness Score: -1.00%

Function 017421E0, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc32fffecda69b2248cba3945f5d07d46e412d5123f762e65a50837999cd5a2b
Instruction ID: 08b0250cca150f95e237c692cabe2ae5c7e6dc72181da921e4ee4af0325362b5
Opcode Fuzzy Hash: dc32fffecda69b2248cba3945f5d07d46e412d5123f762e65a50837999cd5a2b
Instruction Fuzzy Hash: BC414931B082558FCB01CF68D8406AEFFB5FB8A324F1585ABE9519B643C7319C26CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0174DF08, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6325f079e8df5603db9dfe4a168e81df5a7ff8caaabe1424757907d715045d99
Instruction ID: c1584f5b3a45a46ae4e764bb1323e2727b00b76f4bc552611d4f5a03ec908980
Opcode Fuzzy Hash: 6325f079e8df5603db9dfe4a168e81df5a7ff8caaabe1424757907d715045d99
Instruction Fuzzy Hash: 734125317042A18FCB22CFB8C41426EBFB1AB8620470508DFD042DB696DB39DD0787A6

Uniqueness

Uniqueness Score: -1.00%

Function 0AE85378, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbc817909e84c73e865568f2856c945093f8c2c129b81535c9f8dcc112fc416
Instruction ID: 6182d62a0e7253725202dc14de0fe4c14c47ff02b513fb505308e7cae888273b
Opcode Fuzzy Hash: 5bbc817909e84c73e865568f2856c945093f8c2c129b81535c9f8dcc112fc416
Instruction Fuzzy Hash: 0B31AFB4B102059FCB51DF78C84496EBBF6FF88600B14806AE90ED7355DB71DD018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 01742000, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ee77cdff644befcda5348ee03b50c57694e3e8f381a095dba46efbf5a6d7d9
Instruction ID: e1d8607136249f66a25c97204e2a28ddaac866788f79a130ba44d8f2e1488164
Opcode Fuzzy Hash: 70ee77cdff644befcda5348ee03b50c57694e3e8f381a095dba46efbf5a6d7d9
Instruction Fuzzy Hash: BC312631B05101CFC704DF98D6819B9F7A2BB94300BA0CA63E216DB651C770FD66CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0AE85388, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ceb4422625ec186c37d3e79df105451e3632d0b88f88a4711144307feca2de
Instruction ID: e3fa657a1168b8a40e827a87a9e5f5a8fda9d2af0255a62a84f37c0b42a149af
Opcode Fuzzy Hash: 19ceb4422625ec186c37d3e79df105451e3632d0b88f88a4711144307feca2de
Instruction Fuzzy Hash: 18317FB4B102099FCB54DF68C84496EB7F6FB88700B148429E90ED7355DB71ED018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0AE80F6D, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec87ca1d80830ccd26aa11eeb5b6ca8ad3ee7d8ba14c88bc1e761fd0a29cb1a9
Instruction ID: 914aaaeee9be588bad3beec23cc180b92458d7d2f1e4587572d97f49d8a601d3
Opcode Fuzzy Hash: ec87ca1d80830ccd26aa11eeb5b6ca8ad3ee7d8ba14c88bc1e761fd0a29cb1a9
Instruction Fuzzy Hash: D831BA74700201CFCB54EF68D99499ABBF2FF8830172185AAE50ACB361D731ED06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0AE85E18, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81773bf526910352aa72523e1d83bc5e1889dfe847b851a8a9ed2e348e58491
Instruction ID: e9d57c75a4452278a7f61caf32cb3b972eb9100dd9a8357839906abf8d5c7def
Opcode Fuzzy Hash: a81773bf526910352aa72523e1d83bc5e1889dfe847b851a8a9ed2e348e58491
Instruction Fuzzy Hash: 2421D1713242505FC305EB3C889096ABBEBEFCA61474984AAE54DDB356DE21EC0287A0

Uniqueness

Uniqueness Score: -1.00%

Function 01747B28, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4abf3449d0c2edd54fc2bcb7b49e38b099a086239120b373fc52eeb20c122713
Instruction ID: 49a7fb49b6f4573afde637d25799825f5e17f30f327427d98495fc49d757eb14
Opcode Fuzzy Hash: 4abf3449d0c2edd54fc2bcb7b49e38b099a086239120b373fc52eeb20c122713
Instruction Fuzzy Hash: 0D2108703142548FC7099A78945466E7FABAFD620472988ABD905CF7A6CB31CC16C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01747A3E, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80433f0c31c42e55cabc5d49478bf09d0161adcdb049e7c86a729476e8cc2687
Instruction ID: 881e21f87ccf84253aad4abe7bbb2244de8db8de97817cfe6a616ad3a9dccef5
Opcode Fuzzy Hash: 80433f0c31c42e55cabc5d49478bf09d0161adcdb049e7c86a729476e8cc2687
Instruction Fuzzy Hash: 252138747053859FC701E7B88C646AE7FB6EFCA204B15409AD205DF39ACA319C09C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 01747B38, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f94bebac7abcb9634eef91e5b858530b9a733d57f291b6fb7f14d2059f48ec1
Instruction ID: d871a586f61c944a67913ac1195520f0ce3350b035c4152af6ef0500a89c20fa
Opcode Fuzzy Hash: 9f94bebac7abcb9634eef91e5b858530b9a733d57f291b6fb7f14d2059f48ec1
Instruction Fuzzy Hash: BB215E703142548BCB0C5E78945466E7EABAFD5204B28C87ADA05DF7AADF31CC16C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 0AE81BDA, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42b53198b9e32b0978c17804140d261df865bef16358d3c89b0090f67f932fa
Instruction ID: baf2dae3b0e61a818ce99925b0351a59f3e0fd8f02afe6aa5335aa98d266627a
Opcode Fuzzy Hash: b42b53198b9e32b0978c17804140d261df865bef16358d3c89b0090f67f932fa
Instruction Fuzzy Hash: D721FF71610641CFC718EF28C484A9ABBF2EF88314F244AA9D40ADB360DB71ED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0AE89188, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd9673595149d368278e5624c8abb1d06ef9945c4d5de092c5935214b732c7c
Instruction ID: 05d13dc03dedfb87a327520949f0be3eefa775eb0569c93a543a1f4ef9d85fdb
Opcode Fuzzy Hash: 2dd9673595149d368278e5624c8abb1d06ef9945c4d5de092c5935214b732c7c
Instruction Fuzzy Hash: 8B1156317083D04FD722A379642827E7FE69FD3228B1944AFC14ADB3A7C6358C068752

Uniqueness

Uniqueness Score: -1.00%

Function 01747A60, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739747f38f7bcf04930843947bd150ac87903a51456b505c13ead6580e7a8fc1
Instruction ID: 691ec8edb4849bb1a785d3973e0cf08bbccdde7457dc5be3ede77b71afb8a71c
Opcode Fuzzy Hash: 739747f38f7bcf04930843947bd150ac87903a51456b505c13ead6580e7a8fc1
Instruction Fuzzy Hash: 5C11AB757001159FC710A7B49858AAFBAEAEBD9258F10401DD709E7348DE719C0587E1

Uniqueness

Uniqueness Score: -1.00%

Function 0AE8C5D8, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234875d123998d063a3240dfb87800804d8c411f148000e50155e9e7e4fcaf49
Instruction ID: 8d8558a356992fd99fe37ad0ab26919ffba63ecc1ed177c9cfc63cf27c10edfb
Opcode Fuzzy Hash: 234875d123998d063a3240dfb87800804d8c411f148000e50155e9e7e4fcaf49
Instruction Fuzzy Hash: 8911E3713101105FCA54FBA8945467E768BAFC9118721496AE20EDB748DF369C0393A2

Uniqueness

Uniqueness Score: -1.00%

Function 0AE89198, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40824701195698dda07350b09e44a36df47b62ed615d50aee8ed99eb13b298ce
Instruction ID: a1d35edd74c9778e8fa76062d03163f792dd9c084620f178351c65aed2cc49ab
Opcode Fuzzy Hash: 40824701195698dda07350b09e44a36df47b62ed615d50aee8ed99eb13b298ce
Instruction Fuzzy Hash: 59117A3170C3904FD712A37A646822E7FE99BD3228B1944AFC14ACB397CA36CC068751

Uniqueness

Uniqueness Score: -1.00%

Function 017478B9, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a924c4fc91fd56cd963665e8a25f65387e67d30921a682a6869737e42f8f005
Instruction ID: 3b98e065b8e2104c998a66db9d011e4019d21154ee46b20ace89d083299f66a9
Opcode Fuzzy Hash: 7a924c4fc91fd56cd963665e8a25f65387e67d30921a682a6869737e42f8f005
Instruction Fuzzy Hash: D8117F346107568FCB24DB74D8549AEBBFAFF85208710492EC54AE7294EF30AD09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0AE8B998, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7f207ec6c1ed32282140d704a8a4bafb4373e10405be3f714b4a0edcbb3c77
Instruction ID: 618c0c0c89226184dfec2b4c3e371a193c1d692de75e1e500d4394328b22f653
Opcode Fuzzy Hash: 1e7f207ec6c1ed32282140d704a8a4bafb4373e10405be3f714b4a0edcbb3c77
Instruction Fuzzy Hash: F91136B1704B224FC754EBA9A89457F7BA6EFC1214310882EE11ECB791DF34DD068B85

Uniqueness

Uniqueness Score: -1.00%

Function 0AE88118, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82679e88b0828129140ba84747cbc89f54de2e6156bd0ac6ffe9628e1ba9687e
Instruction ID: 378b65bd82669096943bdcded992108610ed71dec190a6a1094b53474882ed82
Opcode Fuzzy Hash: 82679e88b0828129140ba84747cbc89f54de2e6156bd0ac6ffe9628e1ba9687e
Instruction Fuzzy Hash: 5811067231095A6BC705CA58CDC15AEBB56EBC2785BE8D63AD40DC730ACA34DD41C3E8

Uniqueness

Uniqueness Score: -1.00%

Function 0AE81491, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85c5af6ecfb9aa96b5d999d31d6bd96d82ad93426e912e1a5de42abc311f4a6
Instruction ID: 1b212933c39f655eaa064a16dfb014e096627d0846aac062b6cb7ee5a186ecd7
Opcode Fuzzy Hash: c85c5af6ecfb9aa96b5d999d31d6bd96d82ad93426e912e1a5de42abc311f4a6
Instruction Fuzzy Hash: 31113632714251DFC704EF68E88889A7BE5FB596657114A7BE10ECB350DB74DC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0AE81B08, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594c83c0df2fb7ea603f8daaf4908e9bf28f37f2bc91e455acdad6f78e744ac8
Instruction ID: a65e2bfcf11fee865cb08cef56f9bef68eba68ce6af29414e8ef87d75a90faaa
Opcode Fuzzy Hash: 594c83c0df2fb7ea603f8daaf4908e9bf28f37f2bc91e455acdad6f78e744ac8
Instruction Fuzzy Hash: DE110A72B00125DFCF14DA9AE8414ABF7BAFBC4261B109526D50DD7250D671DD06C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0AE8B9A8, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88bb721e4025e5e3e7c5f3a28d52bfc4430e84b7718343af1ee11a30c2521a84
Instruction ID: ac6b70dd7a723e5231515d860f9e0785e0e0bf7fbb38b52c852fd7bd00915460
Opcode Fuzzy Hash: 88bb721e4025e5e3e7c5f3a28d52bfc4430e84b7718343af1ee11a30c2521a84
Instruction Fuzzy Hash: 88114870700B214FC754EBA9A85456F7796EFC0614310882EE61ECB390DF70DD058794

Uniqueness

Uniqueness Score: -1.00%

Function 0AE8C090, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efcb21000db9c866748adbcf6d39222ce0e2a411ac16aa62c97076e1f73f8c25
Instruction ID: 20cce0dc2356ecb2cd09ec7f58fa60ff827cb5644b90813b5760bd562093a5e1
Opcode Fuzzy Hash: efcb21000db9c866748adbcf6d39222ce0e2a411ac16aa62c97076e1f73f8c25
Instruction Fuzzy Hash: 3C114C7270C2059FD705AD79A86816FBA96D7D3380F24503BDA0ED7391CABA8C044771

Uniqueness

Uniqueness Score: -1.00%

Function 0AE85D50, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6920968b091c604611870a8e1f61072b2753671cc5466d1f48b92714059365ab
Instruction ID: 5c26e3218b4e1339ee130c478ba83fb4562c16c58a0a1da8d6921d9a20646444
Opcode Fuzzy Hash: 6920968b091c604611870a8e1f61072b2753671cc5466d1f48b92714059365ab
Instruction Fuzzy Hash: 9A015EB53106009FC755EA69C890D2FB3EAFFCC6143584469E90EC7356EF61EC028BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0174057E, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e522d51738df4939a2b0e2fb98fc195a23eb87c68972b5840b276db0c8fd6e28
Instruction ID: 3a13ec49c3e88b705dc44ce908bf59fed984a2df92b76797b6138a8eb1c8fdd8
Opcode Fuzzy Hash: e522d51738df4939a2b0e2fb98fc195a23eb87c68972b5840b276db0c8fd6e28
Instruction Fuzzy Hash: 90218374E00228CFCB25CF65C985ADDBBB1BB58304F2182E9D64AA7355D7709E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01740439, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb614e6f80f7f500ce7c6c407dba96fa36618c53b56ef1386e74ea5d96d59792
Instruction ID: fed14e71370647c810d9e3d28d7ba6860ea6869031a767eb90a2a9d3e68bf3a0
Opcode Fuzzy Hash: bb614e6f80f7f500ce7c6c407dba96fa36618c53b56ef1386e74ea5d96d59792
Instruction Fuzzy Hash: 1311C471D183548FDB49CB78D8845E9FBB6BB8A304F4485E6DA45EA146D3344401CF61

Uniqueness

Uniqueness Score: -1.00%

Function 017478C8, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e24e95f85da5aba0fea7da5f117cae0a491e193d58f51b6cfdb8df962580187
Instruction ID: 7b6fa9f51d68219667dd124dcc28df446499a4b0338f998829b4063f9d127c9f
Opcode Fuzzy Hash: 0e24e95f85da5aba0fea7da5f117cae0a491e193d58f51b6cfdb8df962580187
Instruction Fuzzy Hash: 731151347107168FCB24EBA4D854AAFB7FAFFC4218B10492DC55A97684EF706D0987A1

Uniqueness

Uniqueness Score: -1.00%

Function 01748DA7, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3538bdb52318cd846a005d6ee50ea8aad426b4607acb2598944b41c95d808327
Instruction ID: 65fc55f9cb0701401fbf2903b26e36b856ed9e00256043661d3718dacdef3620
Opcode Fuzzy Hash: 3538bdb52318cd846a005d6ee50ea8aad426b4607acb2598944b41c95d808327
Instruction Fuzzy Hash: CE01C43240A3D8AFC703EB7888A15CA7FF4AE1310876508DBC192CB153DA215D09975A

Uniqueness

Uniqueness Score: -1.00%

Function 0AE80040, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c3309d4a9f3172732066d07c8c6a7cf374b038362d8ebe5171b3ba4815a74e
Instruction ID: b2e9be608e22c8bdce862f031587ac17d700dd7caaaf1d9911da7048bffb9eb9
Opcode Fuzzy Hash: b7c3309d4a9f3172732066d07c8c6a7cf374b038362d8ebe5171b3ba4815a74e
Instruction Fuzzy Hash: 1401BD323083548FC32496754970667BBAFDBCA624F148D2AD05FCB282D231DC458352

Uniqueness

Uniqueness Score: -1.00%

Function 0AE8C0A0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ff50388fa14d71087fcf5b3a81543f8e7370f681872e735c8fc0c2b4a211ec
Instruction ID: 6136428544ed4c6ea8e5205b9d42612a1c73c945fc3b69fd0b9c80a00f3af067
Opcode Fuzzy Hash: b5ff50388fa14d71087fcf5b3a81543f8e7370f681872e735c8fc0c2b4a211ec
Instruction Fuzzy Hash: BA0149727082199BD7046D6A68681AFBA9797C6240F64903BDA0EDB391DABACC0447B1

Uniqueness

Uniqueness Score: -1.00%

Function 01743019, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b12aaeb4519e51c72c982a3d3127c94d51fee3842bcfee92c5a2e842df310c8
Instruction ID: 18601b5dd2696c606c2061e06ae7313a5e23f68c880c9c942e17344728b10782
Opcode Fuzzy Hash: 9b12aaeb4519e51c72c982a3d3127c94d51fee3842bcfee92c5a2e842df310c8
Instruction Fuzzy Hash: CC01F5317142619FD3488B2A984056AFBABBBD5650318C6BBD40DCB235CB34DD128B91

Uniqueness

Uniqueness Score: -1.00%

Function 01741EE0, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce6b3f079b784ffbf957e6642f9193aef2561f4cb131596dc1f3a11c730e59f4
Instruction ID: 135fa9b49c045f59945b1ed77ca049c82c9acc203d9bb4c6b64a2b51f2fc16ba
Opcode Fuzzy Hash: ce6b3f079b784ffbf957e6642f9193aef2561f4cb131596dc1f3a11c730e59f4
Instruction Fuzzy Hash: 3A012D3160A7918FC3189E699840055FF76BBDA1317968677D105C7552C730EC96C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0AE80EC8, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0811de2728cc1957903bb654a4b8e1481c18dc2e97133af53e87d52e13e395ad
Instruction ID: 5fa2289aa1e169cb95d512026f25c88c06a02fa0ddadcc6ccc17ce628afdb6cc
Opcode Fuzzy Hash: 0811de2728cc1957903bb654a4b8e1481c18dc2e97133af53e87d52e13e395ad
Instruction Fuzzy Hash: E20176323115209FCB01AB79A81853E3BD6EFC6628B1845AEE51BCB3D5CF31CC0A8391

Uniqueness

Uniqueness Score: -1.00%

Function 01741E30, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6839107756cf100cfd1066926ba55100907f8dcb1c91082109a33f895aba413
Instruction ID: a3bb7b15ed340d23256b0b65080c72a839f29fd2c1ba1e2055d6794263644235
Opcode Fuzzy Hash: c6839107756cf100cfd1066926ba55100907f8dcb1c91082109a33f895aba413
Instruction Fuzzy Hash: 8301F73A2442208BC3755A169A80923F6EBFBCD392BD4887BE143CBA50D770F8C18B41

Uniqueness

Uniqueness Score: -1.00%

Function 01748230, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e251af3fd566722a628e28ba49035f314f357d9b02c3aa6d0ae53d71e1f738d3
Instruction ID: fcbe9fe5f6af9b798f9daf93b31c0994b6bf5153a7c4cb4ee913247f04e1e444
Opcode Fuzzy Hash: e251af3fd566722a628e28ba49035f314f357d9b02c3aa6d0ae53d71e1f738d3
Instruction Fuzzy Hash: E2014C717146259FC745CEADBC8095ABBAAEFCA360710855BE409CB715C7728C1187D1

Uniqueness

Uniqueness Score: -1.00%

Function 0AE823A8, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d4346d6070894ec85e8ab78eeeaca594eba9869b5e7576e46a2e2265745bba
Instruction ID: be56e2a1198da05f04f03e780821262c7bc7c3c5f836461ec41561f11118a381
Opcode Fuzzy Hash: e8d4346d6070894ec85e8ab78eeeaca594eba9869b5e7576e46a2e2265745bba
Instruction Fuzzy Hash: 6D01D4B9B001159FCB04EF69D8448AEF7BAFF88360711446AE609D7361CB30ED01C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01743028, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df520d7736bf4dd3a50dbae9604f4a278a95c35efa6b91d10a7e55aee7114a38
Instruction ID: 513885f64a65f55f66af5e414525cb80323c36c8b7c835bb2501afa879ef2b32
Opcode Fuzzy Hash: df520d7736bf4dd3a50dbae9604f4a278a95c35efa6b91d10a7e55aee7114a38
Instruction Fuzzy Hash: E40144313146719B930C8A2BA80062BFA8FBBC46A0318C637980DC7235DF30DE1286D5

Uniqueness

Uniqueness Score: -1.00%

Function 0174EBBD, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbdd9f346d8364f7e87da398bb6a5af1fce6c0d91933c0d8ad5ad8927b650000
Instruction ID: ab4153955647ba8ffc109952fd28cd6ddedb9bee826ab4bfc99a3c9e9dea85cc
Opcode Fuzzy Hash: fbdd9f346d8364f7e87da398bb6a5af1fce6c0d91933c0d8ad5ad8927b650000
Instruction Fuzzy Hash: 1A01D2712183958FD7218E399965A6EFFB37B81210B18885BC282D76A5CB74D901CB00

Uniqueness

Uniqueness Score: -1.00%

Function 01741EF0, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9973420fcb753b3b2951be85c422cfa4fe8ab49cdcae708fb43d7c34d008f79
Instruction ID: a4c60059c6bd416192de4503a78878bd267f681a1a0b41c790438de1f7ea75ff
Opcode Fuzzy Hash: a9973420fcb753b3b2951be85c422cfa4fe8ab49cdcae708fb43d7c34d008f79
Instruction Fuzzy Hash: E4F028317066618783089E6A9840456FE9AB7D8221395863BD109C7611CB30ED92C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 0AE800F0, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554babd18ff89fd9bb490addfa395d0552c60eb339e33a203210223dcfbc94c3
Instruction ID: dae0bd3ca17b8d973add7644cb1eeda7fc886b23a7889f81e6ae7109a2d0570e
Opcode Fuzzy Hash: 554babd18ff89fd9bb490addfa395d0552c60eb339e33a203210223dcfbc94c3
Instruction Fuzzy Hash: 87F08132E002198BDB10DBB59841AEFBBF9EFC9214F2085299519B7240E730A94987E1

Uniqueness

Uniqueness Score: -1.00%

Function 0AE89CE8, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28688214d20bb9ccdd78bc3f030cb954779d5f1a173feafdfb43c6f7f524967f
Instruction ID: 8c800f370fa6afd9de621724d300c1cae04d22d7da692a582a933161c84ae229
Opcode Fuzzy Hash: 28688214d20bb9ccdd78bc3f030cb954779d5f1a173feafdfb43c6f7f524967f
Instruction Fuzzy Hash: 8FF0C2207147554BC729AA7AD4502AF7A8F5FC4204B64CE2AC04E87699DBB0DC4683D4

Uniqueness

Uniqueness Score: -1.00%

Function 0AE8C000, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e213ce35ad210cde8ab4f59d8391c6308f3dcedaa040d179c83d57ef324bbd95
Instruction ID: e11365ff8579b0e9fd4bbe597cc84e970bb4205cb146e066e66c47ec94ffc30e
Opcode Fuzzy Hash: e213ce35ad210cde8ab4f59d8391c6308f3dcedaa040d179c83d57ef324bbd95
Instruction Fuzzy Hash: A3F08B363200009FC314A61DE97866AB2AAE7CA751B35D417E40FDF704CB75DC4287A0

Uniqueness

Uniqueness Score: -1.00%

Function 0AE80E38, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680021f51cf39dc629a10d08db1e43538dc986ffc649fe49b835fb6ef94dec6b
Instruction ID: ba9ecc02a1d077c970a342f3b40a6e6f7e8b92985bce8c0a8926ee251632c141
Opcode Fuzzy Hash: 680021f51cf39dc629a10d08db1e43538dc986ffc649fe49b835fb6ef94dec6b
Instruction Fuzzy Hash: 9FF059323012508FC7585E3FB85951BBB9FEBD9220714887ED50ECB308CA35CC058790

Uniqueness

Uniqueness Score: -1.00%

Function 01748240, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21bfe3b17cf15967597bd9fdbf1b32e1893210162eedd2e2a9c327ebed4a3108
Instruction ID: a1fb4b0f4327cbce4cc7df68eeeb0428312b0277880e55d3441fc64f7601a3e0
Opcode Fuzzy Hash: 21bfe3b17cf15967597bd9fdbf1b32e1893210162eedd2e2a9c327ebed4a3108
Instruction Fuzzy Hash: 31F02775314525ABC7489EAAAC84A5BF69FEBC9660B108127E90DC7708CBB0CC1243E1

Uniqueness

Uniqueness Score: -1.00%

Function 0AE896D8, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f7eaba0c35e2bbac68a761336b6bac6510a192a3a3d8e46e434874e7dbe8c4
Instruction ID: aab973c42b6b75d9cbed5d8bda59a602c9dfefd2199ce252a9f4bb48dfc1f4da
Opcode Fuzzy Hash: 42f7eaba0c35e2bbac68a761336b6bac6510a192a3a3d8e46e434874e7dbe8c4
Instruction Fuzzy Hash: AEF027313103414FC724A7B8985569BABEBABCA364B184D7AC249CB752CB319C0583A1

Uniqueness

Uniqueness Score: -1.00%

Function 01740C09, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0c9349ffc596b2494589ae0a7902f26d180705f15ba69fab33b121ab203781
Instruction ID: 5560c1d0cd0ebc160da375cfd2c32e2cb43a431bdd3dd5398b5efde2dbc1dccd
Opcode Fuzzy Hash: 1a0c9349ffc596b2494589ae0a7902f26d180705f15ba69fab33b121ab203781
Instruction Fuzzy Hash: 11012974D0125ECFCB25DFA4C850BEEBBB6BF44204F1044AEC50AAB658DB308941AF91

Uniqueness

Uniqueness Score: -1.00%

Function 017430C8, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c37f786e100f52fe50d29a3bf3e9ccb9da49b7f2224933180aad108742f619
Instruction ID: 09b2604377c629e77d806b59411106c1b7d658f70169777e9b0bff266011ee81
Opcode Fuzzy Hash: f6c37f786e100f52fe50d29a3bf3e9ccb9da49b7f2224933180aad108742f619
Instruction Fuzzy Hash: E9F0A7367007605FC325D76998009E67BF9AFCB321715C16FE409D7651CA21AC028790

Uniqueness

Uniqueness Score: -1.00%

Function 0AE8A0E0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9cf04b72fb518c61efe46130fe46305c975dede8cf08330b9c33b3b4fb63de4
Instruction ID: 6dd7323a7e8f8a13b4cd8438dff5c0625b370f7bc43f6cc893e021ca49893d39
Opcode Fuzzy Hash: c9cf04b72fb518c61efe46130fe46305c975dede8cf08330b9c33b3b4fb63de4
Instruction Fuzzy Hash: 66F0A0323143901BC315E6A9E852ABE3BAB9BC12647598C3ED1468B6A1DF646C0983E5

Uniqueness

Uniqueness Score: -1.00%

Function 0AE856B9, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d74c623ccce1791db960e4125ed451fe91a400a48a85ec6b58df1df7c76774e3
Instruction ID: ba2bab4499cafdfc46f565222b5585ec55dbe9d51dc9012eb6b81f7c01f2d186
Opcode Fuzzy Hash: d74c623ccce1791db960e4125ed451fe91a400a48a85ec6b58df1df7c76774e3
Instruction Fuzzy Hash: 7BF08C7A3085846FC302CB18D810869BFA6DFCA22472CC0DAD8488B316DA339C43D790

Uniqueness

Uniqueness Score: -1.00%

Function 01740448, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e57d245a128188da32aad7d0b85f257f90fe4a253b3fa9bda870b24c5650ac8
Instruction ID: 5287e0e41c3a3d21a0aefe65e994671fcab954dba094e7b514b96d55dc7ee1d5
Opcode Fuzzy Hash: 9e57d245a128188da32aad7d0b85f257f90fe4a253b3fa9bda870b24c5650ac8
Instruction Fuzzy Hash: 16F08C74E1010CDFEB18DA69E844ADEFBBAF7C9325F408176EA14A3244D73465148F91

Uniqueness

Uniqueness Score: -1.00%

Function 0AE896E8, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31edd4db0ffdecdd8d655cde25b6982452f2ea7eb694a6dca49cc0933513af3
Instruction ID: 56c7cc366bb0dd275321c1e14691a636fbbea7e451e49e2070c7416cd362626c
Opcode Fuzzy Hash: a31edd4db0ffdecdd8d655cde25b6982452f2ea7eb694a6dca49cc0933513af3
Instruction Fuzzy Hash: 05E09A313102140B8324AABA989599BA6DBABC82A8714493AD209CBB06DF70EC0443F1

Uniqueness

Uniqueness Score: -1.00%

Function 0AE81CF0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc6c0bf4159fde6c0e69a894c4bc9cb7e107aef3091248560747c5553cf6ea0
Instruction ID: bafee4cf06146ae38320951308e6abedd193926b36efc733ae426b4bf623f78e
Opcode Fuzzy Hash: 0bc6c0bf4159fde6c0e69a894c4bc9cb7e107aef3091248560747c5553cf6ea0
Instruction Fuzzy Hash: B8E04F36300620AF8305AB5AE488C1ABBE9FB8D6603010169E50DC7351DE21AC01C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 017430D8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97d256d9818685cb5603c48dd2ef6afe4219ea1f4b7ea2e3c9c1cf2ecdc41bb
Instruction ID: 883ab4bdaea8eeaf5e5f2a314832a7709c0f08a5d22eda21ad1bfcae42833359
Opcode Fuzzy Hash: e97d256d9818685cb5603c48dd2ef6afe4219ea1f4b7ea2e3c9c1cf2ecdc41bb
Instruction Fuzzy Hash: 20E0863670062467D314966A9804A67B7DE9FCA720B15C03DA41997744DD60AC4186D4

Uniqueness

Uniqueness Score: -1.00%

Function 0AE856C8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3fca0ab4c6566af1d617931259f88f57de8cbb8c853f899777dfd5cd1bc0e6
Instruction ID: 935520d69a603f569abd911d8c89bbdd0413c855dc8fef81a5e382f47072b557
Opcode Fuzzy Hash: 3d3fca0ab4c6566af1d617931259f88f57de8cbb8c853f899777dfd5cd1bc0e6
Instruction Fuzzy Hash: D2E04F767001086BC704DA49D844C6AFBABEBC922572CC06AE80D8B315DB33EC03D790

Uniqueness

Uniqueness Score: -1.00%

Function 0174F0ED, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474c4105181e860408c71785774c2114888640b90f634579b725d07db6a135bd
Instruction ID: c8e4ac6e14fb0e1bfbb60f470e8030bc7c5db8315ed27039ceb20f491c9f987b
Opcode Fuzzy Hash: 474c4105181e860408c71785774c2114888640b90f634579b725d07db6a135bd
Instruction Fuzzy Hash: 52F0D070A0071ACFD724DF24C540AA9BB75FB85204F1099A9D54AA7614EB319A45CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0174F084, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62c4ca85802011b6f26996b5fcce4f467ade4a5056025cae5a05b98f1779a69
Instruction ID: 1be7c8b321dd8673b64cc997cd771bd8d91839ce817ec750c0512682fc9ff7d3
Opcode Fuzzy Hash: e62c4ca85802011b6f26996b5fcce4f467ade4a5056025cae5a05b98f1779a69
Instruction Fuzzy Hash: 9CF0BD70A0071ACFD734DF24D954B99BBB5FF49300F0089A9D54AA7B15EB31AA84DF50

Uniqueness

Uniqueness Score: -1.00%

Function 017404A0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db502c2a9841d5ea8ab63e9516cea3797204ed5c15f6d34a6f2e512d0488831d
Instruction ID: 5eac1ae19ffbd9ee539cadeafefc434aedf8e6bf60903a98056798630a3fadd9
Opcode Fuzzy Hash: db502c2a9841d5ea8ab63e9516cea3797204ed5c15f6d34a6f2e512d0488831d
Instruction Fuzzy Hash: 45E0E534A2015A8FCB88DFBAE8849DDB7B3BB89204F64C97AE515A7254D7309A418F14

Uniqueness

Uniqueness Score: -1.00%

Function 0AE8A0B0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d341d410277e23d1067977fe96f9d564e9539b995b324746ec5a4d05c283db
Instruction ID: a7a84f194b0c0e884ade77d97025e3590ea57422983a6fc450e601d4700f940b
Opcode Fuzzy Hash: d8d341d410277e23d1067977fe96f9d564e9539b995b324746ec5a4d05c283db
Instruction Fuzzy Hash: DAD05E246992C14FCB4A8B7890211DA3FA6CF8B18871985D7C088CFA53C5278C4BCB66

Uniqueness

Uniqueness Score: -1.00%

Function 0AE84FF0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5de504cc9e2b72da1cfa7d7debff5bb88c9e33d6d65a92dec7bafe2628df34
Instruction ID: 9fd45642a2c7c77d369f47bb01b26e32be6de1a26ce49d4692cb0df3cba05680
Opcode Fuzzy Hash: cc5de504cc9e2b72da1cfa7d7debff5bb88c9e33d6d65a92dec7bafe2628df34
Instruction Fuzzy Hash: FCC0020A12E7C30DCB074B341821190AF25AD53649B9E32C3C1E8AE2A3D10A5956F769

Uniqueness

Uniqueness Score: -1.00%

Function 017415FD, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f307b6eda8335b34ac0180dabedaf4611b5626eeb2b0578083c4d9a30b49121
Instruction ID: e0f70583cf70a17bffd483e7348fe2b8527bcb89c6859f6eeb4ad541825bd43f
Opcode Fuzzy Hash: 2f307b6eda8335b34ac0180dabedaf4611b5626eeb2b0578083c4d9a30b49121
Instruction Fuzzy Hash: E3D0C2749013658BD7849FA4C84124ABF61AF85204700D5A6C0319F691C721D8898B82

Uniqueness

Uniqueness Score: -1.00%

Function 01748DE8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4c6f48e74b1c36099bebf85dd2f36a26f2a1400efe54c3b8a515f25cde6798
Instruction ID: 8e1d53cc73f8e7f537d6aa2d5d2e1db3f9d4cdef65434483ceda1d698db527e4
Opcode Fuzzy Hash: 9c4c6f48e74b1c36099bebf85dd2f36a26f2a1400efe54c3b8a515f25cde6798
Instruction Fuzzy Hash: 47D05B7190120CEFCB40DFE9D90555DB7F9EB45104B3049ADD409E3240DA312F00D750

Uniqueness

Uniqueness Score: -1.00%

Function 0AE8BC50, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbd9e3e3d5a29ce716f7b411dbec1a8f2afaad28857ae621e1852f66c2608ad7
Instruction ID: 19eafa4a8aeccdcbb04e0aa28a45f65af872e60274ab2e90e962e16858afa089
Opcode Fuzzy Hash: fbd9e3e3d5a29ce716f7b411dbec1a8f2afaad28857ae621e1852f66c2608ad7
Instruction Fuzzy Hash: 95C012313101244BC604975CD44499977DDAB49728B0100B6E509CB771DAA2AC4047D5

Uniqueness

Uniqueness Score: -1.00%

Function 0AE881D0, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857f097e06c5821472f4efafad9737ff39918c7fc8c469f30d7b8777cd14af81
Instruction ID: fd4579511438e9d929d295226c5bba63e27785fc7d4c18df947d94e8eedeef0e
Opcode Fuzzy Hash: 857f097e06c5821472f4efafad9737ff39918c7fc8c469f30d7b8777cd14af81
Instruction Fuzzy Hash: 4CD05E712482809FCB038BB0D852EA47F716F4A240F0981D5E5488F1B3C1229805CB00

Uniqueness

Uniqueness Score: -1.00%

Function 017427BD, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313c59abaaae9e3e383a2dc5151374ddc431c4eba485258d52b14536f46cc4ba
Instruction ID: 4b72b2a93e6260b9b08caf6dea067b227731a7df0072a75c98a7ebc4a31a04cc
Opcode Fuzzy Hash: 313c59abaaae9e3e383a2dc5151374ddc431c4eba485258d52b14536f46cc4ba
Instruction Fuzzy Hash: ECE0E2B090561ACFCBA0CB78D94455AB3B1FF44329B20466DD02AA2A98D731AA02CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0AE88EE0, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebf37c1b780bbe2f2e3f613b96c5ecb1399eca664a4d7da236a0d45409461d3
Instruction ID: 453ec54d877ca53fc1c7f845790c4b51b48c322621d7dc4cdee5cd4f8ee587d2
Opcode Fuzzy Hash: 9ebf37c1b780bbe2f2e3f613b96c5ecb1399eca664a4d7da236a0d45409461d3
Instruction Fuzzy Hash: 18C012715043188BC7246BB9E004455BBEEDA46351B00447ED44A87721DA71AC008B84

Uniqueness

Uniqueness Score: -1.00%

Function 0174E557, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a133dcbe177b76918ea2394e8a59fc27774929a10b7007dd3e58ca06384cfc
Instruction ID: ac0dc14d1e322faef89b22655a12f052967350533181bf49bcd6d080ae40bcc6
Opcode Fuzzy Hash: f1a133dcbe177b76918ea2394e8a59fc27774929a10b7007dd3e58ca06384cfc
Instruction Fuzzy Hash: DFC01236B100088BCB00AAC8E8901DDBBB4FB88269F100976E105A3100DA315D158B90

Uniqueness

Uniqueness Score: -1.00%

Function 0174253F, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e719def9c6ccff29eedbc5f01c67710aeedff144eefa1bc1d21f18aec0471b
Instruction ID: 1a3572eddd97576179b7306b787ff62bf8d16f5643f79ca80953970e36248ed9
Opcode Fuzzy Hash: 10e719def9c6ccff29eedbc5f01c67710aeedff144eefa1bc1d21f18aec0471b
Instruction Fuzzy Hash: F5D05232A0420A8FCB04DBA4CA408AEBB7BBF88300B108A49D02362528CB31A910CB40

Uniqueness

Uniqueness Score: -1.00%

Function 017415E0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1d4441dc53bd06743fbacf6aec8fa5708ae9e813c5d911503d82943260ebb3
Instruction ID: fb337376fb3b09770d68cb26f51cdc538100115371f614d318c2f461ac359ca5
Opcode Fuzzy Hash: fe1d4441dc53bd06743fbacf6aec8fa5708ae9e813c5d911503d82943260ebb3
Instruction Fuzzy Hash: 79C02266102662CB93405EE884C0121EA51AB8A204719C3A481229BA40CA20E4868282

Uniqueness

Uniqueness Score: -1.00%

Function 0AE8A0C0, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5fdd64fe14da59b22bcc8de44141ad6e97cab764944bbcb79c7ebd8bb2030f
Instruction ID: 89f31358973740f0b93ca1679d3cce3bbd1d2b4b6e0ee0be5c5830d953f38e3d
Opcode Fuzzy Hash: ee5fdd64fe14da59b22bcc8de44141ad6e97cab764944bbcb79c7ebd8bb2030f
Instruction Fuzzy Hash: 75C09B643D12140F0D48659970215EB37CEC7CC54C3605455D4598BF45DD25FC068BFB

Uniqueness

Uniqueness Score: -1.00%

Function 017429D4, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18fb708fe767151936eaeb824f091924dcca8d22ef53e94ce9c8e1f46e4a419
Instruction ID: 146551883e347a68a098366900b9ce8337cb6d6779a86239ddc07dc62290b8ad
Opcode Fuzzy Hash: e18fb708fe767151936eaeb824f091924dcca8d22ef53e94ce9c8e1f46e4a419
Instruction Fuzzy Hash: 99D01235111300CFD3388F30D659019B7B7FF6430634048ADE40755564CB36F405CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0AE881E0, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28a56bc412169cc9f915765fdb9f0cc528771b7b8635fd3d5011fb8353787ff
Instruction ID: d8abab0d7c33f1d249917f08ea30253b7e1f4f8d029a52b5def4ce694fe0039d
Opcode Fuzzy Hash: f28a56bc412169cc9f915765fdb9f0cc528771b7b8635fd3d5011fb8353787ff
Instruction Fuzzy Hash: 24C04875280208AFC6009B59D945F00BBA8EB09A24F128290F6088B272C662EC51CA84

Uniqueness

Uniqueness Score: -1.00%

Function 0AE80911, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41df17ceb0e47d8158efb4fefc658d082c32175805b8c0653c38064d46ea196a
Instruction ID: c7d67a8e3bf908fe11083e1eb4c06eec17a320f6c1048562d26136a16c6b1aee
Opcode Fuzzy Hash: 41df17ceb0e47d8158efb4fefc658d082c32175805b8c0653c38064d46ea196a
Instruction Fuzzy Hash: 7FC09B76D12114DFC7199F60E91549DB774BF44500F119437A91FF1160DB305E058E11

Uniqueness

Uniqueness Score: -1.00%

Function 0174DEF0, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cea2215edd1789571566463f0a7210356b5760da27b1ca06e2123215ce36fbd
Instruction ID: 2d21f1fc1f0686ac1961f5729548f0d0cbefad63f4091762ad22b8478a6016a5
Opcode Fuzzy Hash: 6cea2215edd1789571566463f0a7210356b5760da27b1ca06e2123215ce36fbd
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 017446E8, Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

:]Go, xrefs: 01744889

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: :]Go
API String ID: 0-3095650097
Opcode ID: 6312a0fef57150b47e8b21bf5ba62df986df5de34caa24e6e0ca7d48465f47ff
Instruction ID: 13d8961681000011c020827cd5380f2ee3d5f64f054a82ad14558943b5497999
Opcode Fuzzy Hash: 6312a0fef57150b47e8b21bf5ba62df986df5de34caa24e6e0ca7d48465f47ff
Instruction Fuzzy Hash: 19C12234B006558BDB26CB2CC4806AAFBF2FF85305B18CA6AD157DB656D730EE04DB94

Uniqueness

Uniqueness Score: -1.00%

Function 01744B30, Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

Mv , xrefs: 01744BBF

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: Mv
API String ID: 0-2694310043
Opcode ID: 13cd7b852aea39a0e951980fd0b1a4cf21fa80ea2ee0bd73d3b31dc3f485ffaa
Instruction ID: 1739c577a3021bd8f76693313896b753e774fa7d60da3a0d756ea112a4815b9f
Opcode Fuzzy Hash: 13cd7b852aea39a0e951980fd0b1a4cf21fa80ea2ee0bd73d3b31dc3f485ffaa
Instruction Fuzzy Hash: 70B1B370A04615CBCB25CF28C490AAAFBF2FFC8304B18CA6AD5569B655D330FD44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01744328, Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

mpositor-hosting-l1-2-0, xrefs: 017444F1

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: mpositor-hosting-l1-2-0
API String ID: 0-1912722331
Opcode ID: 60619a5b0a2652d3c0bea89472249d563f1d6c643d3951168ae3e4f9e54b57dd
Instruction ID: a731cc941f01e718448b7632a434dfdb57b458700512cb9019afceb72bff886a
Opcode Fuzzy Hash: 60619a5b0a2652d3c0bea89472249d563f1d6c643d3951168ae3e4f9e54b57dd
Instruction Fuzzy Hash: 95A1F330A00615CFDB15CB68C880AAEF7F2BBC5300B19CEAAD057AB659D770ED44DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0AE8AA58, Relevance: 1.5, Strings: 1, Instructions: 227COMMON

Download Yara Rule

Strings

ed_G, xrefs: 0AE8AB39

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: ed_G
API String ID: 0-3086560889
Opcode ID: 13aacd865f299fc2f7907f207cfaa358225804418f3f1ddd564f10ca5cf803dc
Instruction ID: 4bd9a494e1771f35c693d0c493bd98243a1871bd5ded6d2474d70c54ef0975e1
Opcode Fuzzy Hash: 13aacd865f299fc2f7907f207cfaa358225804418f3f1ddd564f10ca5cf803dc
Instruction Fuzzy Hash: A891A370A10245EFCB18DF98D58089DF7B2BF88344B2695B7E429AB761DB30EC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0AE8AA53, Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

ed_G, xrefs: 0AE8AB39

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: ed_G
API String ID: 0-3086560889
Opcode ID: 8ab68c6e9eeab9ea9dc4b15be946d10341e5a9e6afad67fc39ab9cc29527e83f
Instruction ID: 16ef1b6d4d9680a4e23a8e0c9f1417acc7d86dabcfa4d462bb0f25001fb518bd
Opcode Fuzzy Hash: 8ab68c6e9eeab9ea9dc4b15be946d10341e5a9e6afad67fc39ab9cc29527e83f
Instruction Fuzzy Hash: E391B2B0A10245EFCB18DF58D58089DF7B2BF88344B1695B7E429AB761DB30ED45CB41

Uniqueness

Uniqueness Score: -1.00%

Function 017434E8, Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

=>z#, xrefs: 01743546

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: =>z#
API String ID: 0-2051528692
Opcode ID: a5fd84a24c8a3199e83b97980aa902be999579233401bbbe2b7d02675ba22aef
Instruction ID: 07baddfa3a0776dbaacb608b5901cb8dcf07554706e1df59fae174021b740209
Opcode Fuzzy Hash: a5fd84a24c8a3199e83b97980aa902be999579233401bbbe2b7d02675ba22aef
Instruction Fuzzy Hash: F541F472718226CFD714CA79C985A6AFBF2FB84350B24C86AD11EDBA50E334E941CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0AE8A680, Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

6ti , xrefs: 0AE8A7EC

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: 6ti
API String ID: 0-682445003
Opcode ID: 2374f46a0ccde004f4ed083ef0ef01498ff9ed090af7361442dbb49382941761
Instruction ID: d74bb4933f0d8cad21e2f14b0ea99cb83bcfc9062d32ed1f0d8dfc12416afa83
Opcode Fuzzy Hash: 2374f46a0ccde004f4ed083ef0ef01498ff9ed090af7361442dbb49382941761
Instruction Fuzzy Hash: 2C412AB1A05105DFC725EFA9D5486BDB7B6EB856C0F12A43BE00EEB350CB318C41AB41

Uniqueness

Uniqueness Score: -1.00%

Function 0174E88A, Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

ha, xrefs: 0174E807

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: ha
API String ID: 0-9937857
Opcode ID: 9156301627b3a84cf3cd69e33da1416c4befe620fc261bf3f276d9b429bfcb04
Instruction ID: 11712aacd0079d0ffea1feaa58dbba7f477ee57ee35f4d0dbb566f52fcf32103
Opcode Fuzzy Hash: 9156301627b3a84cf3cd69e33da1416c4befe620fc261bf3f276d9b429bfcb04
Instruction Fuzzy Hash: 95315536B48201CBEF558BA9988007FF7BEBBC4130B1254A7D515D7396DF388D018792

Uniqueness

Uniqueness Score: -1.00%

Function 017453D8, Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1c494923b99dd761211d43e59995c7d55ee47a12d51dc6defe296646b8a30d
Instruction ID: 0cf085729440493533f503dfb9daccab5d0d5d9f01160d001d1f2fd02f25830d
Opcode Fuzzy Hash: 3a1c494923b99dd761211d43e59995c7d55ee47a12d51dc6defe296646b8a30d
Instruction Fuzzy Hash: D1C11535614651CFD716CB6CC8808BAFBF6AF85300B28CA7AD456DB65AD730ED04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017446D8, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3acb3846f3b4abf3f1268a3ad4b35dbd085711fd055ec3d6963155ac106d9394
Instruction ID: 039c1ad1de24c9b3f700058ba3aee99067d44c6ba9570bca8591b82829074f06
Opcode Fuzzy Hash: 3acb3846f3b4abf3f1268a3ad4b35dbd085711fd055ec3d6963155ac106d9394
Instruction Fuzzy Hash: 1AB1DF34B002658FDB15CB68C580AAAFBF2EF85305B18CA6AD457DB755C730EE04DB94

Uniqueness

Uniqueness Score: -1.00%

Function 017453CA, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caaa1e44fd31c22304eaa1b89ead6f289c9e7a03a232d27bc8ca9c78a4bfa9c9
Instruction ID: cdb5a449fc0524d10a20aaa2d94687e29972ff03534c2012092cb095b6f9afb8
Opcode Fuzzy Hash: caaa1e44fd31c22304eaa1b89ead6f289c9e7a03a232d27bc8ca9c78a4bfa9c9
Instruction Fuzzy Hash: E4B1E235B10655CFC716CB6CC4808AEFBF3AF84301B28CA6AD4569B666D730ED44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01746550, Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e142f73187f00b37f86da667fbda45c609559ce0c4f6ccfc043fc3131a70c8
Instruction ID: 0938c3241d3283d5c77a76ce95c825906477b943c7b9d83b9cca3a53f12fa006
Opcode Fuzzy Hash: 84e142f73187f00b37f86da667fbda45c609559ce0c4f6ccfc043fc3131a70c8
Instruction Fuzzy Hash: E3A10870B002558FE715CF68C5805AEF7F6AFCA304B14CA6AE4269B259D730FD08CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017404CA, Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c49a42b8b90e7297743ffe98df1210f41304d34d823d104edb64d66479b9b2c
Instruction ID: b4cac514dae84beef717a4f95b66c608551715fd09b93b11e55c3a6fee13e193
Opcode Fuzzy Hash: 3c49a42b8b90e7297743ffe98df1210f41304d34d823d104edb64d66479b9b2c
Instruction Fuzzy Hash: 71810470E04240CFE725EB68D444AAAFFF1AF46304F98C5AAD6549B263D331E886CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01740525, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e66e25a379c1cce6d774b721eb56aff31f428fa02fa50c6402ca600a6a3ed0a
Instruction ID: bfbb633170ab23ccc7551df21672851a71d8b59cf6bc32b59d623a2a561c114f
Opcode Fuzzy Hash: 0e66e25a379c1cce6d774b721eb56aff31f428fa02fa50c6402ca600a6a3ed0a
Instruction Fuzzy Hash: 4861D370A042448BD755DF68D484AAAFFF1BB46300F99C5AAD651AB262D331E886CB11

Uniqueness

Uniqueness Score: -1.00%

Function 017434DA, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eddc060ab7d878bd1e23e964fa6ab1cec1242800fe73952783d06aeaa73028e1
Instruction ID: 9d4daa959900798b075ab0215af331fdb60ea295078f4c8aa9793b329c702d33
Opcode Fuzzy Hash: eddc060ab7d878bd1e23e964fa6ab1cec1242800fe73952783d06aeaa73028e1
Instruction Fuzzy Hash: BD41D671618222CFD754CB79C985A6AFBF2FB85350B24886AD01EDBA60E334E941CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0AE84070, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c80bde309040c0f1af3c300d985bf941baa2bc51dece10b3aa2bb8b458ff191
Instruction ID: c73d75f801135edaf2ff7de4fae8e08376fc3222463af16888e43f6b88991685
Opcode Fuzzy Hash: 1c80bde309040c0f1af3c300d985bf941baa2bc51dece10b3aa2bb8b458ff191
Instruction Fuzzy Hash: FE41F2605093D12FDB13AB7A58A41DB7FE65E872B03691BEBC0F4DB4E3C9059899C301

Uniqueness

Uniqueness Score: -1.00%

Function 01744020, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2177f998268c90ecac76d153dc158ce50ba2d4b44a085a56e1f4c1d04a4dd5fe
Instruction ID: 385b45f3b8fa61557951f4b8625950d808a40f417805bed8ba8e45e66950a7a5
Opcode Fuzzy Hash: 2177f998268c90ecac76d153dc158ce50ba2d4b44a085a56e1f4c1d04a4dd5fe
Instruction Fuzzy Hash: A041A031F5021A8F8B40CE68CD856AEF6F5BB99200F1584A2D917EB361D334DD119B91

Uniqueness

Uniqueness Score: -1.00%

Function 0174401B, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712812490bf56aecb0466a2fa4412e036347b250a3fa541465e0430d7420538c
Instruction ID: 12a800083c4549fc05fe2c6cb200328c67d0df7e6fe96ceb4f49a08a7084d77d
Opcode Fuzzy Hash: 712812490bf56aecb0466a2fa4412e036347b250a3fa541465e0430d7420538c
Instruction Fuzzy Hash: 0E41AE31F5021A8F8B40CF68CD81AAEFBF5BB99200F1584A6D817EB361D374DD119B91

Uniqueness

Uniqueness Score: -1.00%

Function 0AE8B810, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f73edfe2f0481e4916ca10e18b1bfcc1ec3b371b97ffbfabecda40d33f0cfc7
Instruction ID: 0abd3f40a7411bf755c01776b1fa54e9c57a0a9265046c7c027b7c332063c296
Opcode Fuzzy Hash: 0f73edfe2f0481e4916ca10e18b1bfcc1ec3b371b97ffbfabecda40d33f0cfc7
Instruction Fuzzy Hash: E03137B1E24216EBCB14DFA5C5816AEB7A6BB88310F25E43AC40EEB350D770DD04CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01741267, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d39b2d8f8c2cc3252027d3bfc2dea8c747066f12ad8fb1885c3a0f9152a923d3
Instruction ID: dc462b1f210542fa52b111aedf54e3d053f382513b25ac0daf18cef015222d38
Opcode Fuzzy Hash: d39b2d8f8c2cc3252027d3bfc2dea8c747066f12ad8fb1885c3a0f9152a923d3
Instruction Fuzzy Hash: DF21F1B4A00304CFC709CF94D181A5AFBE2BB85300B90C6BAD464DF366C730EC898B52

Uniqueness

Uniqueness Score: -1.00%

Function 0174124D, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54914ab7cca416f90439055d2ed1e28ec18e818816469ae7fc82a0603c5fb4f0
Instruction ID: aaa33e2924b2f31e8d583b2e8ceff9b8256a2223951dd7768a5a413929ccd39b
Opcode Fuzzy Hash: 54914ab7cca416f90439055d2ed1e28ec18e818816469ae7fc82a0603c5fb4f0
Instruction Fuzzy Hash: 82219F74E01204CFD749DF98E181A6AFBF2BB85300B90C6BAD565DB365C730ED858B12

Uniqueness

Uniqueness Score: -1.00%

Function 0AE86AD9, Relevance: 7.7, Strings: 6, Instructions: 200COMMON

Download Yara Rule

Strings

TS, xrefs: 0AE86B48
PT, xrefs: 0AE86C65
8W, xrefs: 0AE86C2A
,<, xrefs: 0AE86BEF
lb, xrefs: 0AE86CF1
tZ, xrefs: 0AE86D2C

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: ,<$8W$PT$TS$lb$tZ
API String ID: 0-3827978649
Opcode ID: 880375d62b0d63b2f35cb100f55a233e6688627d456861f7eb962e7da9a1b487
Instruction ID: 2e4589d145f3fdbe4dc2dc3f9bb4a250664dcd25e63bae76921f1bdaadcd1233
Opcode Fuzzy Hash: 880375d62b0d63b2f35cb100f55a233e6688627d456861f7eb962e7da9a1b487
Instruction Fuzzy Hash: B1912834A002198FCB05EFE4D4955DEBBB6FF88308F20986AD116AB3A4DB349E45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0AE86AE8, Relevance: 7.7, Strings: 6, Instructions: 194COMMON

Download Yara Rule

Strings

TS, xrefs: 0AE86B48
PT, xrefs: 0AE86C65
8W, xrefs: 0AE86C2A
,<, xrefs: 0AE86BEF
lb, xrefs: 0AE86CF1
tZ, xrefs: 0AE86D2C

Memory Dump Source

Source File: 00000000.00000002.411678451.000000000AE80000.00000040.00000001.sdmp, Offset: 0AE80000, based on PE: false

Similarity

API ID:
String ID: ,<$8W$PT$TS$lb$tZ
API String ID: 0-3827978649
Opcode ID: e2e2fbf3b3e515545d5ef16e39848d965acfaf8c833fce5dca47bf12ce88723a
Instruction ID: 6e60ed28b3159c7bc2612cf87b03cbb2f4b427a20c1f32eae6e9c566692c7c2a
Opcode Fuzzy Hash: e2e2fbf3b3e515545d5ef16e39848d965acfaf8c833fce5dca47bf12ce88723a
Instruction Fuzzy Hash: F9812A34A002199FCB05EFE4D4955DEBBB6FF88308F20982AD516AB364DB349E45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0174E600, Relevance: 7.7, Strings: 6, Instructions: 189COMMON

Download Yara Rule

Strings

|?, xrefs: 0174E765
d-l, xrefs: 0174E644
d-l, xrefs: 0174E627
ha, xrefs: 0174E813
d-l, xrefs: 0174E6E4
ha, xrefs: 0174E807

Memory Dump Source

Source File: 00000000.00000002.407374674.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID:
String ID: d-l$d-l$d-l$ha$ha$|?
API String ID: 0-2595073435
Opcode ID: 253374167f874c36557dfeffc246edc7eb7ce34054af11305f105dc19ab9a2d1
Instruction ID: 4c02012a3311f56d745248f700a95ea619c008a5917827fba567ea00fe1dc2d2
Opcode Fuzzy Hash: 253374167f874c36557dfeffc246edc7eb7ce34054af11305f105dc19ab9a2d1
Instruction Fuzzy Hash: A951F3307103118FC714EBB8C4556AFBBABBFD02287258C6AC1069B755DF749D0A87E2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 6832 Parent PID: 6232 powershell.exeCOMMON

Executed Functions

Function 0770AAD9, Relevance: 33.2, Strings: 25, Instructions: 1931COMMON

Download Yara Rule

Strings

D!l, xrefs: 0770C11C
\l, xrefs: 0770BB6E
D!l, xrefs: 0770C84C
D!l, xrefs: 0770B639
D!l, xrefs: 0770C183
D!l, xrefs: 0770AD75
D!l, xrefs: 0770B587
\l, xrefs: 0770C7C2
\l, xrefs: 0770C9EE
D!l, xrefs: 0770C1B1
D!l, xrefs: 0770C039
D!l, xrefs: 0770C092
D!l, xrefs: 0770C064
D!l, xrefs: 0770AF52
D!l, xrefs: 0770B7A9
D!l, xrefs: 0770B365
D!l, xrefs: 0770CC7E
D!l, xrefs: 0770C0C0
D!l, xrefs: 0770C0EE
D!l, xrefs: 0770BBF8
\l, xrefs: 0770CB3B
D!l, xrefs: 0770B06A
D!l, xrefs: 0770C155
D!l, xrefs: 0770B143
D!l, xrefs: 0770B9D6

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID: D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$\l$\l$\l$\l
API String ID: 0-1815554298
Opcode ID: 21e54e121a11aa2708b051010b3429a0f0cd77ba66a51529c56f79903812fa8b
Instruction ID: 0d37d8f89ac9cb847015a4b614e8ffa83d0c615b6bb7f7202152b150af1f1b27
Opcode Fuzzy Hash: 21e54e121a11aa2708b051010b3429a0f0cd77ba66a51529c56f79903812fa8b
Instruction Fuzzy Hash: 7A033E7191015CCFCB25DFA4C895BDE7BBAAF85308F2045E9910A6B368CF309E859F91

Uniqueness

Uniqueness Score: -1.00%

Function 0770AAE8, Relevance: 33.2, Strings: 25, Instructions: 1919COMMON

Download Yara Rule

Strings

D!l, xrefs: 0770C11C
\l, xrefs: 0770BB6E
D!l, xrefs: 0770C84C
D!l, xrefs: 0770B639
D!l, xrefs: 0770C183
D!l, xrefs: 0770AD75
D!l, xrefs: 0770B587
\l, xrefs: 0770C7C2
\l, xrefs: 0770C9EE
D!l, xrefs: 0770C1B1
D!l, xrefs: 0770C039
D!l, xrefs: 0770C092
D!l, xrefs: 0770C064
D!l, xrefs: 0770AF52
D!l, xrefs: 0770B7A9
D!l, xrefs: 0770B365
D!l, xrefs: 0770CC7E
D!l, xrefs: 0770C0C0
D!l, xrefs: 0770C0EE
D!l, xrefs: 0770BBF8
\l, xrefs: 0770CB3B
D!l, xrefs: 0770B06A
D!l, xrefs: 0770C155
D!l, xrefs: 0770B143
D!l, xrefs: 0770B9D6

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID: D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$D!l$\l$\l$\l$\l
API String ID: 0-1815554298
Opcode ID: aca780502220129f4f9d255a7e2766ac29520d49ee912348bcca58d7b0c79184
Instruction ID: c84fe53996ac84f6c7fe4e85d4d26559a10bfd4ee2472ca2f34fce655420fd0c
Opcode Fuzzy Hash: aca780502220129f4f9d255a7e2766ac29520d49ee912348bcca58d7b0c79184
Instruction Fuzzy Hash: 9F033E7191015CCFCB25DFA4C895BDE7BBAAF85308F2045E9910A6B368CF309E859F91

Uniqueness

Uniqueness Score: -1.00%

Function 07CC57B0, Relevance: 3.1, Strings: 1, Instructions: 1871COMMON

Download Yara Rule

Strings

l2Cl, xrefs: 07CC5A0C

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID: l2Cl
API String ID: 0-3893073900
Opcode ID: b18b481e550bf50f94407f6505436e2cb73b5644397fc37a7e2a0052bec0266c
Instruction ID: aa5f1833bfdb5725dbe64586f91db778bb53d888b764bdfa465f8ba81f02fa74
Opcode Fuzzy Hash: b18b481e550bf50f94407f6505436e2cb73b5644397fc37a7e2a0052bec0266c
Instruction Fuzzy Hash: C4134A74A20218CFDB54DBA4D890BDE7BB6EF84309F1084A9D60AAB794CF316E45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07709C70, Relevance: .7, Instructions: 723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cef271063cc09d297edcd2e9deb184b8cd1dcd26df41933fc72eb5c1ce1fab1
Instruction ID: 36753109f623b8de8355e6777cafbdbaf56cb36d30644877802925488ebbaac4
Opcode Fuzzy Hash: 0cef271063cc09d297edcd2e9deb184b8cd1dcd26df41933fc72eb5c1ce1fab1
Instruction Fuzzy Hash: 46526DB0600219DFDB24DF64C850B9D73F2AF85349F1188A9D90AAB7A1DB31ED45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07CB0040, Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a729cc1b34fd68c6f1518bb982e34c615127e2c0818748b06319b52d476895f
Instruction ID: 05161deef3deba0e7547cbb5c9061450150650553669e43b0b0c1090c800bf9f
Opcode Fuzzy Hash: 5a729cc1b34fd68c6f1518bb982e34c615127e2c0818748b06319b52d476895f
Instruction Fuzzy Hash: 13E17070A10219DFCB24DFA4C884ADEBBF6FF88305F148969E905AB354DB34AD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07CCCE28, Relevance: 7.8, Strings: 6, Instructions: 331COMMON

Download Yara Rule

Strings

{ f^, xrefs: 07CCCF1B
K f^, xrefs: 07CCD023
; f^, xrefs: 07CCD07B
k f^, xrefs: 07CCCF73
[ f^, xrefs: 07CCCFCB
+ f^, xrefs: 07CCD0D3

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID: + f^$; f^$K f^$[ f^$k f^${ f^
API String ID: 0-1600987521
Opcode ID: 260d2e99bd666ed4407b005511493871fedae4d9a847b27c5a47fb383e221527
Instruction ID: a7345628c83534b0a7b64c09596ea69c69392755ba90e3d019b0d2b1ebefce45
Opcode Fuzzy Hash: 260d2e99bd666ed4407b005511493871fedae4d9a847b27c5a47fb383e221527
Instruction Fuzzy Hash: 9CD1D2B0710304AFD744DB64D8917DEB7A2EB84208F109A6DD50A9B795DF71BD09CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 07CC9710, Relevance: 1.8, Strings: 1, Instructions: 505COMMON

Download Yara Rule

Strings

d, xrefs: 07CC9963

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: e03123374d88cdd3b01de612c0d2aa743f729c239c5be9c070fae27fbffff85f
Instruction ID: 14f12683b5d53ac9f065656670af2650e5470ea5c327cfa7fa44e6d9f000bc5c
Opcode Fuzzy Hash: e03123374d88cdd3b01de612c0d2aa743f729c239c5be9c070fae27fbffff85f
Instruction Fuzzy Hash: 1C1279B0B006068FDB14DF59C4849AAB7F6FF88314B25CA69D45A9B761DB30FD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07CCA8F0, Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

+Kf^, xrefs: 07CCAB7D

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID: +Kf^
API String ID: 0-3390027306
Opcode ID: 0d390c1cdece4ed9059ce2c349d7a95a1db1fe6db4b07484dddc55f94734aabf
Instruction ID: 7196d110c236682a7cca4d3a3e9dcc9296f3560907ed714353201df8157f3a0d
Opcode Fuzzy Hash: 0d390c1cdece4ed9059ce2c349d7a95a1db1fe6db4b07484dddc55f94734aabf
Instruction Fuzzy Hash: C9C15BB0A00249CFDB15CFA8C488BADBBB2BF85305F158469D8069F795DB35ED85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07CC65B8, Relevance: 1.1, Instructions: 1094COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe3b1c77819dbb94b6bee790dd2414653621b9862e9baf342001a16cc8cef8f
Instruction ID: 1d289ddf28d8caecd0e927a868083c800b6681fe53f53f18928b0e29427d1f5e
Opcode Fuzzy Hash: ebe3b1c77819dbb94b6bee790dd2414653621b9862e9baf342001a16cc8cef8f
Instruction Fuzzy Hash: 99B24C74620218CBD714EBA0D891BDE7BB7EF88309F1085A9DA0A6B794CF316E45DF50

Uniqueness

Uniqueness Score: -1.00%

Function 07CCD590, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc5ffe847e3ec911afa112e5f291d29fa0c4e9600801c816c5a0c329979656a
Instruction ID: 4885109822d85f05d951ad1108ea5894dbef43dc91beb65beae088fa3606e600
Opcode Fuzzy Hash: 5dc5ffe847e3ec911afa112e5f291d29fa0c4e9600801c816c5a0c329979656a
Instruction Fuzzy Hash: 8DA1E274B103449FCB05DFB4D854AAEBFB6EF89304F1484AAE9069B795CB359D02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07CCF580, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e16eb29d785508aec52f1421ac791e949b1dcf861f1aa3b13239769e3c3b27e9
Instruction ID: 752ec4ec9afe50ae88d68cfd50686411d3ca77efdb61fae8d46f8ea0f9fb19a3
Opcode Fuzzy Hash: e16eb29d785508aec52f1421ac791e949b1dcf861f1aa3b13239769e3c3b27e9
Instruction Fuzzy Hash: FDA19F75F003058FDB04DFB9C5546EEBBB2AF89314F14816AE912AB390DB709D46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07CCB710, Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b49763523504b25bf15c294f506fb299f171899066ffc682751c4e797f4ce0
Instruction ID: 795a3d414ca8a09f2149bf5625f8bcc8cbc56d59da399d0f84c754b73d8301fe
Opcode Fuzzy Hash: 88b49763523504b25bf15c294f506fb299f171899066ffc682751c4e797f4ce0
Instruction Fuzzy Hash: 17A15BB4B00205CFD718DFA8D499AADB7B6EF89315F10846DE8069B7A0CB35ED46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07CB2640, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c8b5bc4362444424db420a5e5f33f84ec3802ac9b1b5b6007725ba10080369
Instruction ID: 5f276f770e01600221706fe484e7a6c2e35421b0285ba390cf0aa44a2a5ce65a
Opcode Fuzzy Hash: 74c8b5bc4362444424db420a5e5f33f84ec3802ac9b1b5b6007725ba10080369
Instruction Fuzzy Hash: DC91C1B1B103018FDB259BB8C4546EEBBB2FF89315F04846AE806EB390DB75D945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07708CF6, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3625a3ac69dacf8f85073f7f79ac5a824b78647ba49a14ab4b5706c3a230a11
Instruction ID: 0525362790bce295af429bd67a0fd1e882ac1bb47e6c5e691fc002f878e6d096
Opcode Fuzzy Hash: c3625a3ac69dacf8f85073f7f79ac5a824b78647ba49a14ab4b5706c3a230a11
Instruction Fuzzy Hash: 45916971B00215CFEB24DB64D844BAEB7F6FF88215F1485A9D90AA7391DB30AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07705729, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42dc818b9b72fd25c894ad5ced80d298b385214a86da4ec27fe551ed9480652
Instruction ID: 0cecab5fc3b44fa5c65d5aef042d660a81905d91ee5dae9eea96bba670c9fdaa
Opcode Fuzzy Hash: a42dc818b9b72fd25c894ad5ced80d298b385214a86da4ec27fe551ed9480652
Instruction Fuzzy Hash: C571C531B101589BDF15DBA4D854BEEBBFBEB88304F108429E506A7798CF359D019BE1

Uniqueness

Uniqueness Score: -1.00%

Function 07CCBE58, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f45f8146c8b27dd6de664d44445ca4e5f5ee5a476cc76fe9ebe55ebf5582810
Instruction ID: 610db59b6154288b4d5bfec72142327cd00861aef5205a13515cbb139b4c8c3a
Opcode Fuzzy Hash: 8f45f8146c8b27dd6de664d44445ca4e5f5ee5a476cc76fe9ebe55ebf5582810
Instruction Fuzzy Hash: C1918B70A102499FDB14DFA4C584A9EBBF2FF89304F148468E906AF795CB74AE45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07CCAFE0, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640e934ef2866a607e9bdf54ca48179d37213a3bc263a2cc7521087e2767b190
Instruction ID: c733e0aa84140297dffb0202a23ed1affbeba6b01736e023dd6f449045766d3f
Opcode Fuzzy Hash: 640e934ef2866a607e9bdf54ca48179d37213a3bc263a2cc7521087e2767b190
Instruction Fuzzy Hash: 0271AFB0A002499FDB18DFA4D495BDEBBF6EF89314F244829D406AB790DB70AD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07706C18, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dca3c7b8d3a932ff5dc9ab8d2a9eef46e155efe5c3569792fc81177259f4012
Instruction ID: 585944fbbef27ab7501a806ba2b9a8eb6761e3fd21b536207142a6b83e1e2dbf
Opcode Fuzzy Hash: 8dca3c7b8d3a932ff5dc9ab8d2a9eef46e155efe5c3569792fc81177259f4012
Instruction Fuzzy Hash: 3E8138B0E10219CFDB14DFA8C554BAEBBF2BF88304F248469D404AB390DB75AD55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07CB2D28, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8bacff7a21c03a7098786e94011b6fb477b0c7f4eef74637dd0f5759e210b
Instruction ID: f7273f53b614d2b038ac6211f5f0af8ee6f8ae82de293ab4e52a582b3567f1db
Opcode Fuzzy Hash: c1e8bacff7a21c03a7098786e94011b6fb477b0c7f4eef74637dd0f5759e210b
Instruction Fuzzy Hash: C17148B4A102259FCB28DFA9D8809DDBBF2FF89314F148969E405AB360DB31ED05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07705788, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222f03777c0ae979af5366f5f3761dc9cee96d56573c7c62d5f68c38853de704
Instruction ID: 3b8fecf9bb2b7dcb470dc000fb095eef3842da45f0a5549e487aa045c8ee94c0
Opcode Fuzzy Hash: 222f03777c0ae979af5366f5f3761dc9cee96d56573c7c62d5f68c38853de704
Instruction Fuzzy Hash: E3518535B101589BDF05DBE4D850BEEBBFBEB88304F208429E505A7798CF359D019B95

Uniqueness

Uniqueness Score: -1.00%

Function 07705798, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc7183a2c1a2b0435d99b1a8cc875227f06fb77eb6caceae335da32ab1c690eb
Instruction ID: ea7769ce38e76b72c6f5a941d2a1b3b0c21913d5279461c4dda8c15669acaa1f
Opcode Fuzzy Hash: dc7183a2c1a2b0435d99b1a8cc875227f06fb77eb6caceae335da32ab1c690eb
Instruction Fuzzy Hash: 9C519634B101589BDF15DBE4C850BEEBAFBEB88304F108425E605A7798CF359D019BD5

Uniqueness

Uniqueness Score: -1.00%

Function 07CCE5F8, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623659a33f25ea62736af58b087b318c8e3503291e3c5a3761ffe82f5dee03ab
Instruction ID: 38bb0c5e9cdbefa4453dd0cdce710f9a7d16e997e29bc29beecc24100fe0c1d6
Opcode Fuzzy Hash: 623659a33f25ea62736af58b087b318c8e3503291e3c5a3761ffe82f5dee03ab
Instruction Fuzzy Hash: 3351B270210701DFD3109F79D8457997BA6EB85325F10CA2DD62A8BBC1CF75E806CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07CCE608, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ec7a51c011007c92a240c8767db79d287aed47f80fcbca9e0b34d08ba2a874
Instruction ID: c9bfd93f29abf39167505bf8830d6de64a5e3b062ab98afbf6cfe8475343450c
Opcode Fuzzy Hash: 59ec7a51c011007c92a240c8767db79d287aed47f80fcbca9e0b34d08ba2a874
Instruction Fuzzy Hash: 8F518E70210701DFD3249F79D84576A7BA6EB85325F20CA2CD62A8BBD4DB75E8028B90

Uniqueness

Uniqueness Score: -1.00%

Function 07CCA589, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13baca06eb92e0156b49be2c3c3029b9357468a5fea38a0c322e92aa01fb28f8
Instruction ID: 51fe277bcfb7eb5c1e1d11d766aa1181bdaa0b0072fe48836a0adb2810b33ba6
Opcode Fuzzy Hash: 13baca06eb92e0156b49be2c3c3029b9357468a5fea38a0c322e92aa01fb28f8
Instruction Fuzzy Hash: 165128B4A11209CFDB24DFA9D59DBADBBB2FF48705F14842CE402AB690DB74AD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07CCDEB8, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ebf8ae972877c913dbe6a97e0bf2be31de2c8ab254ee6bd0a0bc06e11b12b1e
Instruction ID: cbf10220829c93824fa64aff3035b704f74a7e2433fa5106787c4becea7b9c44
Opcode Fuzzy Hash: 6ebf8ae972877c913dbe6a97e0bf2be31de2c8ab254ee6bd0a0bc06e11b12b1e
Instruction Fuzzy Hash: 084123B1711301AFEB049F6598546AF7BEAEF84209F04846DE907CB381DB75ED068BA0

Uniqueness

Uniqueness Score: -1.00%

Function 07CB0CE4, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56035cc976d132f3580851d088d85b659a472f490a5bccadbbb001b9fdc91f3c
Instruction ID: c463c4471a303000329a8ece66d4536419961f79e27b8fdf071c79d69a0cc488
Opcode Fuzzy Hash: 56035cc976d132f3580851d088d85b659a472f490a5bccadbbb001b9fdc91f3c
Instruction Fuzzy Hash: 3E516D70610345AFDB25CFA5C890BEEBBB2BF8C310F118429E9469B794DB71AD41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07CB2630, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766df2e796e9534bdb29cdbe550cf950e88249a46b54ecc6f56ac3088450a6f5
Instruction ID: c6b55f005d1c9759afd404fba7769d54d996dfca37bd8876a971fad1dadab48d
Opcode Fuzzy Hash: 766df2e796e9534bdb29cdbe550cf950e88249a46b54ecc6f56ac3088450a6f5
Instruction Fuzzy Hash: 15518AB4A002058FCB24DFA9D484AEDBBF2FF88314F14842AE815BB350EB31A945CB54

Uniqueness

Uniqueness Score: -1.00%

Function 07CB0EC8, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7b9aa5ce76d16fddbbea2c6a0b6b81a8bf84522f62fb69aba0d983da7343dc
Instruction ID: 6fc59862095d48b2e9623286deb8862b6065880c24392ab061c557cd10fd8009
Opcode Fuzzy Hash: 3b7b9aa5ce76d16fddbbea2c6a0b6b81a8bf84522f62fb69aba0d983da7343dc
Instruction Fuzzy Hash: 6441B5B1B0025A9FDB24CFA5D480AEFB7F5EF88310F148466E915E7240D731EA51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07CB0CE0, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e753d3477e0175195c502435d16e3eb49dd5523aacd2551683d771c3c9e7cb
Instruction ID: 9372979cad46c74a934fb9a7972052d114d0aaa4be3b591cbaeffa174412af7a
Opcode Fuzzy Hash: a0e753d3477e0175195c502435d16e3eb49dd5523aacd2551683d771c3c9e7cb
Instruction Fuzzy Hash: 9741A0707103459FDB25CFA5C890BEFBBB2AF88310F118429E9469B794DB71AD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07CCAD18, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0331dda52b3ab851d93a98ca583e4c444745f86026472b3528dab16206620657
Instruction ID: 3e3d0311620cdc1ca869e65f988d085eefef6ba20ac042bb2a48fa5fa57b0a32
Opcode Fuzzy Hash: 0331dda52b3ab851d93a98ca583e4c444745f86026472b3528dab16206620657
Instruction Fuzzy Hash: D941AC707107468FC740EBA4C495A9EBBB6FF84309B208E69C50A8F665EB70BD05CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 07CCEBC9, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0a6f65167b7c4e8a13999881bed6db118c4ad679d1e6053584bc170904eef9
Instruction ID: 7b94a95d48df094405c9cbbaefbac1a53a2b2c031fee948a4ae4743f0b735ff3
Opcode Fuzzy Hash: 4e0a6f65167b7c4e8a13999881bed6db118c4ad679d1e6053584bc170904eef9
Instruction Fuzzy Hash: 1741A4B0E007599BDB15CFA5C8807DEBBF2AF85304F14482ED805AB794DB74AD49CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07CCEBD8, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427ca8fc689a483947fb46f3a4ba6f96d42300377a6843cd73a101c320882cf0
Instruction ID: ec8874a162e08e4035d199bb908af1ec6d23f1f728ec8835224fe630544207f6
Opcode Fuzzy Hash: 427ca8fc689a483947fb46f3a4ba6f96d42300377a6843cd73a101c320882cf0
Instruction Fuzzy Hash: 2B41A6B0E0075A9BDB15DFA5C4847DEBBF2AF85304F24482ED805AB394DB74AD49CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07CB104A, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3184bbde5b2c33c8f02c47d4d9531c0657802a928bdd2ddc43ff4392282bc56
Instruction ID: a3128dec0bdddab885399d1f85601bbe73bc84fa1e40cca7bee5737eed54db2f
Opcode Fuzzy Hash: a3184bbde5b2c33c8f02c47d4d9531c0657802a928bdd2ddc43ff4392282bc56
Instruction Fuzzy Hash: 77414FB0A1021ADBDB24DF65D9986EEBBF6BFC9614F188429E401E7350DB748A01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07CCBC00, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1852957ff228c9f720804b5c42942041beda25c74b7529e13abfb1b89e03b22c
Instruction ID: 462a56f46756320e61a36f46cc5c1ae810923c0f262ee831d86a774d68f8324d
Opcode Fuzzy Hash: 1852957ff228c9f720804b5c42942041beda25c74b7529e13abfb1b89e03b22c
Instruction Fuzzy Hash: 8B31EAB1A04258AFDB05CFA5D845AEF7FFADF89210F14802BE905E7250DE345D04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07706B08, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e8dbeef2e765ca419fb1d72005434ba061195ee869b526c2647151a914d03d
Instruction ID: 5e085b85785b1ae1cc30cbbf2ba59981de6f90817728e5a3a1125986c1ba7ef7
Opcode Fuzzy Hash: 80e8dbeef2e765ca419fb1d72005434ba061195ee869b526c2647151a914d03d
Instruction Fuzzy Hash: F631AEB57001059FD700DFA9D891AAE77F6EFC9240B248539E909D7364EF30E9058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 07CCF625, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffe2a2591952aed0ad432262df2a480f3ba822f56b736feec977147803c8d25
Instruction ID: 6d84857239d11c5d0dee29b2b12aea4387745934a0d5e379a3855e3b06caefb5
Opcode Fuzzy Hash: fffe2a2591952aed0ad432262df2a480f3ba822f56b736feec977147803c8d25
Instruction Fuzzy Hash: 54315E75B002048FDB14DBB5C559AEDBBB3BF8C708F208429E512AB3A0DB719C45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 07CB2E10, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce71963f420c12d6f5f7179012b242faeb7b0f1c2798f6bfdce91517b0af81f
Instruction ID: ec0f66f74e058bae6df74333dacf4d30800f04f89a5792eee261051546ca3727
Opcode Fuzzy Hash: 5ce71963f420c12d6f5f7179012b242faeb7b0f1c2798f6bfdce91517b0af81f
Instruction Fuzzy Hash: 57311275A10218DFCB24DBA8D984EECBBF2FF89215F148599E406AB361CB31EC05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07CB2E17, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8427235cde8214346d4d11ed7d78efa4aa61a2af79aad718ca61c697028cae0
Instruction ID: ec0f66f74e058bae6df74333dacf4d30800f04f89a5792eee261051546ca3727
Opcode Fuzzy Hash: a8427235cde8214346d4d11ed7d78efa4aa61a2af79aad718ca61c697028cae0
Instruction Fuzzy Hash: 57311275A10218DFCB24DBA8D984EECBBF2FF89215F148599E406AB361CB31EC05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07CB2E1E, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b96029c0b8faee8042cf135dd59a8a1e46f5ccba7cd9560bd36f08586bb76f
Instruction ID: bc7f32e99e47593cbd9ba2a1ae2dbae024ef49dc71edd9a5c98c3134e624e1f8
Opcode Fuzzy Hash: d6b96029c0b8faee8042cf135dd59a8a1e46f5ccba7cd9560bd36f08586bb76f
Instruction Fuzzy Hash: 8B311275A102189FCB24DBA8D884EDCBBF2FF89214F148599E406AB361CB31EC05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07CB2CE1, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519f9e5f13c203650f07666b83d7bded4ad5c229c40e099f3b8a3edc47327573
Instruction ID: 21d3d338cd0854cb6a7e74f4277394ee3274c77aa7d4ee49747f05400db7a312
Opcode Fuzzy Hash: 519f9e5f13c203650f07666b83d7bded4ad5c229c40e099f3b8a3edc47327573
Instruction Fuzzy Hash: F931ADB09052598FCB01DFB4D8915DDBFB1FF4A204F2585AAE448EB252E730A909CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07CCDEB1, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0328530901d241339b87354680fc448bff54c765e94e5393fc4e74aa7805c22c
Instruction ID: ef8978aae6d560c4cf7ed23b143142287f2c50e131956edbae9fa865979c1318
Opcode Fuzzy Hash: 0328530901d241339b87354680fc448bff54c765e94e5393fc4e74aa7805c22c
Instruction Fuzzy Hash: FA21D3B1310216ABDB04CF55D9806EF7BEAFF84214F04452EF9068B255C775DE19CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07CCD2D8, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c399510540f696280625811ba1bf99453dd180b3504bbe98360733f2d52ac217
Instruction ID: a50f2ea48616cea7bea9885fbe0cd1056c193455c820b049cf44502f2779c5b5
Opcode Fuzzy Hash: c399510540f696280625811ba1bf99453dd180b3504bbe98360733f2d52ac217
Instruction Fuzzy Hash: 89215E75E002099FDB00DFA9E9419EEBBF6FB8C211F14852AE906A7340DB315A558BA1

Uniqueness

Uniqueness Score: -1.00%

Function 07CCB1C0, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5716cf90ec55decb5e830b6a929832d9a06a4375499c674b38dfb6fe15a93e39
Instruction ID: 71b5e72f04fb61c4d9f8ad412ee5bcc3223c1312538cd17d121b070496b2300e
Opcode Fuzzy Hash: 5716cf90ec55decb5e830b6a929832d9a06a4375499c674b38dfb6fe15a93e39
Instruction Fuzzy Hash: 9A31ACB0B002459BD718CFA8D499BAEBBB6EF88311F14402DD406EB390CF749D45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 07CCC1E1, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97df4a9c2eef055d762a8fc45885d70b6c578fbd9d7e49755834c0a4afe9fb5
Instruction ID: 10aefa183181e1d150e63fe66fa3da2bda2e04e36d81f60cda3c1021226d52c9
Opcode Fuzzy Hash: b97df4a9c2eef055d762a8fc45885d70b6c578fbd9d7e49755834c0a4afe9fb5
Instruction Fuzzy Hash: 6B319E70A003459FCB12DFA4C8809DEBFF2FF8A314B10495AD455AB661DB31AD09CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 07CCD3E8, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf529af2a219e4ad795145be9bfa63113f3e306012fde2d1b3f89c9148cb713
Instruction ID: e2eebadd177d770818ca51c5d4a84d8546d04bc7f2234c51abac22bafa21462d
Opcode Fuzzy Hash: dbf529af2a219e4ad795145be9bfa63113f3e306012fde2d1b3f89c9148cb713
Instruction Fuzzy Hash: A4218170710A168BE714EFA4D4907AEB3A7EBC0625F10893DC20A4B685DF75B9498B91

Uniqueness

Uniqueness Score: -1.00%

Function 07CCE0D1, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6de5b0185d7b3c0f0f7c821865de5ac2aabb4f85f878855753efa97b6408436
Instruction ID: 200129257ce3779400432dc192b8bb6579c6f929f5ef763d3e4d4b825f9cae6c
Opcode Fuzzy Hash: b6de5b0185d7b3c0f0f7c821865de5ac2aabb4f85f878855753efa97b6408436
Instruction Fuzzy Hash: F011E136604244DFCB11DF65EA68AEE7FB1EF4A351F00409AE805A7253CA354F14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07CCF6B8, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d2344c1386ecb1919c019dbfd2bb93dab72ca57c181ec2a68832258ca622b9c
Instruction ID: 4df52ca6439d9d8522f788b1a03412621c43186fb493fb456ef065c6741d09ec
Opcode Fuzzy Hash: 8d2344c1386ecb1919c019dbfd2bb93dab72ca57c181ec2a68832258ca622b9c
Instruction Fuzzy Hash: 73215E75B012048FDB08DB79C455AEDB7B3AF8C705F248069E912AB3A0CBB59C45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 07CCD3D7, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecbc025ca358997297b01afd6ac9b0cb5d0926bd0032299d327e806b79c7e6a
Instruction ID: 638298c9106c4951826e590c7d8ed2ec06b40c8b434faf50f13fcc15f78f4d86
Opcode Fuzzy Hash: 1ecbc025ca358997297b01afd6ac9b0cb5d0926bd0032299d327e806b79c7e6a
Instruction Fuzzy Hash: 2111DF70710A1A8FE314EF74D4907AEB3A7EBC0215F10893DC20A8B681DF74B84A8B90

Uniqueness

Uniqueness Score: -1.00%

Function 07CB2560, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f12e31c3f2b4bd244c9ce9ad2bb6559064fc94243579d94f9ed83eafa0526c
Instruction ID: 8a1983cfa8cacb24887101050673db2f85ff42f4ecc6b2ab6d3cd2f95bc45c79
Opcode Fuzzy Hash: 57f12e31c3f2b4bd244c9ce9ad2bb6559064fc94243579d94f9ed83eafa0526c
Instruction Fuzzy Hash: A01123F1704B529FDB318F29C4D03E67BE4BF41262F0484AAE849CB651C724D90887A1

Uniqueness

Uniqueness Score: -1.00%

Function 07CCC208, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c3429a0390ba3b760bde1c098b27ed08834c061b32da4a43593d2294dd0b95
Instruction ID: cd6eaabbf57607f346dd4c21c0010449470ee348fd84189e9dfad4a32ebf40f6
Opcode Fuzzy Hash: f6c3429a0390ba3b760bde1c098b27ed08834c061b32da4a43593d2294dd0b95
Instruction Fuzzy Hash: B0210970A007199FCB10DFA8D8819AEBBF6FF89304B104A29E555AB650D771AD09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07CCD4E7, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a603372776b3e13b5cbf092864d1496d1fc6933b589aa917ef1a561572ed8ca
Instruction ID: fb3629ba635164e4dfbaf594932ab558931bf003774531f5dceb0b73db881fb3
Opcode Fuzzy Hash: 2a603372776b3e13b5cbf092864d1496d1fc6933b589aa917ef1a561572ed8ca
Instruction Fuzzy Hash: 2711BB756007049FC710CF68D884EAAFBF6FF88310B108A98E95A8B751D6B0FC04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07706AF8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9394c6bd624c13d1ded6780911722cc1046a451005b3be12568c52ba33565bec
Instruction ID: 942033904601bcca26f447268624fb6f6a4e777f05ad8a10e8219b730267e286
Opcode Fuzzy Hash: 9394c6bd624c13d1ded6780911722cc1046a451005b3be12568c52ba33565bec
Instruction Fuzzy Hash: 2C11E3B5600211DFC701DF69D8419AABBF6FF89310B148179E508C7361EF309905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07CCBAF8, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22ba5f49d3ddd54af6ca8cb8a6d43aa8f17d4b1dbc6e75fed6a10583395f539
Instruction ID: 06c9c0beda319579da021ff7d3d447903423a2dfb63f1ea985aa39f2d018b6ec
Opcode Fuzzy Hash: f22ba5f49d3ddd54af6ca8cb8a6d43aa8f17d4b1dbc6e75fed6a10583395f539
Instruction Fuzzy Hash: 8A116DB0B002058BDB24DFA4D9697AD77B6EF88315F2080BDD802BB395DE759D04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 07CCAF60, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f738a451eafe4441f17756cc9423c20d5754c2fd381b3789234e3a3f472c2a2
Instruction ID: f4acf0533ec792076980c39c59081864e8e9857bc118bc92bf6392a284bdb3b0
Opcode Fuzzy Hash: 0f738a451eafe4441f17756cc9423c20d5754c2fd381b3789234e3a3f472c2a2
Instruction Fuzzy Hash: 6B11D3712147518FD321DFA4D09479E7BB6AFC1215F548E2ED09A4B660CB70FA09C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 07CCEB18, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7990c87d0b09415756caed7abd98e473fe7ee6a6b62d09c3e97ea8ee7a303c
Instruction ID: 5e36876ecd6a90b08a180d791bb19aa94b6aecf4b8ed2354dc31a09de85f1d0f
Opcode Fuzzy Hash: 1e7990c87d0b09415756caed7abd98e473fe7ee6a6b62d09c3e97ea8ee7a303c
Instruction Fuzzy Hash: F611087431A3904FCB09A7B0A4694DE7F6E9F811453154CAAD907CB393EB24DC0587A6

Uniqueness

Uniqueness Score: -1.00%

Function 07CB2570, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68a726b634d58c68f5db76e786c885ec9c881f482a15384f2051a0ac67f3c98
Instruction ID: 3c7c18ef758d17141780a699ebb790b0ad0e0096832862a3bb3ae142bb091077
Opcode Fuzzy Hash: d68a726b634d58c68f5db76e786c885ec9c881f482a15384f2051a0ac67f3c98
Instruction Fuzzy Hash: 0801D4B2714E228BEF309A79D9E07E673D8FB403A5F044476F80DCB290D669ED489391

Uniqueness

Uniqueness Score: -1.00%

Function 07CCD4F8, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f97eef150aa0c2dc02c598cb3b0799464804814129d258e80b405654f6e818
Instruction ID: 553d348912f53d3541803fa2d49c6d9865d84fb07e6a0d7755d10739cc3ca4aa
Opcode Fuzzy Hash: e3f97eef150aa0c2dc02c598cb3b0799464804814129d258e80b405654f6e818
Instruction Fuzzy Hash: D31188752007049FC710CF68D880EAAFBF6FF88710B108A98E95A9B351D6B0FC04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07CCD2E8, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b936759196310487b26c58b439535daa72ac23dfd06dbe334b750afa97c59a
Instruction ID: 84eda763110b9dbb3b40916da54e6d3475368647df4431253bc7f478f329fef2
Opcode Fuzzy Hash: 27b936759196310487b26c58b439535daa72ac23dfd06dbe334b750afa97c59a
Instruction Fuzzy Hash: 02112B75E002089F8B44DFAAD8409EEBBF6FB8C211B14852AE916E7350DB3199058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 07CC9D10, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f724fa4a9c2f3ac57c4d8f4ab43a38884e3b65b1be6f413f994f406b3e374953
Instruction ID: fe8f13f7121eeebf99f5d3a6f89af1b785e87f8b92ccee584be630ec8c6e9612
Opcode Fuzzy Hash: f724fa4a9c2f3ac57c4d8f4ab43a38884e3b65b1be6f413f994f406b3e374953
Instruction Fuzzy Hash: 9F012270B012006BD310CBA8DC05BEFBB7AEB84700F244079E618AB2C6CBB05915CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 07CCBC80, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d10cdae64ff90d2d839cb6422933ec492f115a5d392ff1fceb1d5f19da951ca
Instruction ID: 9e47064e76236ab151cf9455fddffdf686a611fdabc175499789f3d707566b4e
Opcode Fuzzy Hash: 1d10cdae64ff90d2d839cb6422933ec492f115a5d392ff1fceb1d5f19da951ca
Instruction Fuzzy Hash: 191154B4D00259ABCF05CFE5D995ADDBFF6AF88310F14842AE815B7254DB715E00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07CCA850, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d246f109c7091d5f233f91a22c8cdd7a61c5dc02d20a0751139ed3f0b44f4f2
Instruction ID: 01eeb81e3b7c740206730ce13a12473aba18b15f42f24050c67c37cf7667c221
Opcode Fuzzy Hash: 4d246f109c7091d5f233f91a22c8cdd7a61c5dc02d20a0751139ed3f0b44f4f2
Instruction Fuzzy Hash: F2012270F00215ABE7148B98CC04BAFBB76AF84711F64807AE614AB2C1CB705905C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0770A62C, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f367688622d28d67328e66e002a6e8f602e8d8d1a98c21aaa57ba4397d527ba4
Instruction ID: 9dc0cbab57543e67ce93dcf212430bd4081bddfccebd75a4d2c1557e9ba576d7
Opcode Fuzzy Hash: f367688622d28d67328e66e002a6e8f602e8d8d1a98c21aaa57ba4397d527ba4
Instruction Fuzzy Hash: A10149303052544FE345DB68DC20BAA77B2EFC2209F1581EBC905DB382DE319D0A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 07705719, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a545f4900e116b6b4548861ce239e648e25547a4473501ffca86cc74fdb7e4
Instruction ID: 87b7b2f84fe35aa648cad02d91aeed39f4598f38753e87f23f2c29e82a637085
Opcode Fuzzy Hash: 73a545f4900e116b6b4548861ce239e648e25547a4473501ffca86cc74fdb7e4
Instruction Fuzzy Hash: 03F028366042548BC7159278E8184DA7BA7EB8B170F1804BED442D7641DA75990ACBD1

Uniqueness

Uniqueness Score: -1.00%

Function 07CCE100, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfcd75a5fe53018745ca61a8caad8021706bc06a4a6f801e41fd92c4b592326
Instruction ID: 28af30a679850417c6dc670821203662e51e7e2d30d34b1bc3901bb5324a98e4
Opcode Fuzzy Hash: 0cfcd75a5fe53018745ca61a8caad8021706bc06a4a6f801e41fd92c4b592326
Instruction Fuzzy Hash: C1118071A00209DBDB24DF55D95DAEE7FFAEF49351F108068EC05A3282CB755E10DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07CC9D20, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f0247118601a4cb8b5e8d1210bbab52f0208ddafb1c334a1be379e39ecaa02
Instruction ID: 194583f6510b443a6834533f7c0ced1c7610e7d2334ddf2d5515673d65a119ad
Opcode Fuzzy Hash: 48f0247118601a4cb8b5e8d1210bbab52f0208ddafb1c334a1be379e39ecaa02
Instruction Fuzzy Hash: 2E01F770B003546BE7109B98DC05BBFBB7AEB85701F244079E614AB2C5CB705915C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 07CCA860, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ffce2106dd60229c8d0e151edc596cf2a0e7895afb3c473bdd48345453df38
Instruction ID: 8e4734971cbaaa721fbed70919c70756587d9ee24d304aff9e429559d75c2e3c
Opcode Fuzzy Hash: e4ffce2106dd60229c8d0e151edc596cf2a0e7895afb3c473bdd48345453df38
Instruction Fuzzy Hash: AE01F770F01315ABE7148B98DC05BBF7B75AF85711F24807AE604AB2C1CB745905C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0423D01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.475507929.000000000423D000.00000040.00000001.sdmp, Offset: 0423D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cfc4fef71d652359353691a6d141945434190f4a71330f5a7938c6a10a4db0f
Instruction ID: 462c8153de3de04071f98d094f2edec8630cf4c7bb3a9fd5b519aa1a8f0cbbb4
Opcode Fuzzy Hash: 5cfc4fef71d652359353691a6d141945434190f4a71330f5a7938c6a10a4db0f
Instruction Fuzzy Hash: F801F7B16343909AE7104F21EC807A7BFECEF41B69F18841AEC041B242D3B9B845CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0423D006, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.475507929.000000000423D000.00000040.00000001.sdmp, Offset: 0423D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2991395a27aadbd48eb5333eb0c105b29c1d3d17a5c1c840da0c9e1259e1b081
Instruction ID: 74349aab01c5140fe7f48a9d819b8d852e9227d8cf68c26f1222288493880581
Opcode Fuzzy Hash: 2991395a27aadbd48eb5333eb0c105b29c1d3d17a5c1c840da0c9e1259e1b081
Instruction Fuzzy Hash: 3201406141D3C09FD7128B25DC94B52BFB4EF43624F0980DBD8848F293C2699848CB72

Uniqueness

Uniqueness Score: -1.00%

Function 07CC9C90, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f6613a7394d6af29cdb2fce33a5a1dfc3f3394cf47213827a1be5d6eaa6882
Instruction ID: 2c86c89c954f7269e4d664978f7d1a6788ea42210a17f5561fc8f9e363ab57b7
Opcode Fuzzy Hash: c3f6613a7394d6af29cdb2fce33a5a1dfc3f3394cf47213827a1be5d6eaa6882
Instruction Fuzzy Hash: 8BF0F6503186A00F8746A37824652AF1EA74BD714A719446AD84ADF7DAEF158D0B83E2

Uniqueness

Uniqueness Score: -1.00%

Function 07706190, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4c65a5af2684dc20e69f0e178f3413175499ac64069546ade67a13842a4e6f
Instruction ID: e47dcf38cb0a64592914ca32663ca9240022e5e7283f0cdb888a2f82c31aa9f0
Opcode Fuzzy Hash: dc4c65a5af2684dc20e69f0e178f3413175499ac64069546ade67a13842a4e6f
Instruction Fuzzy Hash: E101463310029ABFCF129FD4DC00CDE3F7AFF8A224B05451AFA4446121C632D964EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07CCAEE8, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93995ae2661c3d4ff996941fcd08783d42b49d02b9d3e38475fb86d71ec20b2d
Instruction ID: 0941cb64a3824e8e4b5619ea424160440fbd0001bb7fe037dcd7fcc740581e2b
Opcode Fuzzy Hash: 93995ae2661c3d4ff996941fcd08783d42b49d02b9d3e38475fb86d71ec20b2d
Instruction Fuzzy Hash: 18017C71300708CFC725CE69E088B9A77EAEF85315F04496EE18A87650C770F945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07CC9DA0, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0abe443206308b36437f7c1257d6082c65fbb257a8be34490774a92d4c82368
Instruction ID: a8f03f85b0c6eb336289ceb0ac2c63fca8709b6ad24ff46e2d39c862bd8f3af2
Opcode Fuzzy Hash: c0abe443206308b36437f7c1257d6082c65fbb257a8be34490774a92d4c82368
Instruction Fuzzy Hash: B1F02BF2A082905FD301C7A49C157E97B71DB52301F5540AAE181CF5D5C775D515C721

Uniqueness

Uniqueness Score: -1.00%

Function 077061A0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bbf659ff18e275da7c6126c066b37b8119e3b398efd9d548019dc4c51e36cdd
Instruction ID: 6de6ea1791f070365a60ae19c4c167b921ece52ce3fec0449a0bb3b830151f4f
Opcode Fuzzy Hash: 3bbf659ff18e275da7c6126c066b37b8119e3b398efd9d548019dc4c51e36cdd
Instruction Fuzzy Hash: 0EF0E232100299BBCF529F85DD00CDE3F7AFF8C754B055919FA4846120C732D860EB90

Uniqueness

Uniqueness Score: -1.00%

Function 07CB13B7, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53251575ac87fa3eef9cfc4e87ff697ab0095ee657d0bf0d18a3d161aaa3f576
Instruction ID: bba7268771b6d2f9a8abb941654a5e5d6ee161a03d38e6affd0bec236f150901
Opcode Fuzzy Hash: 53251575ac87fa3eef9cfc4e87ff697ab0095ee657d0bf0d18a3d161aaa3f576
Instruction Fuzzy Hash: 31F055713003510FC32657349C1ABEA3F689F03621F0800A6E504CFBE2DE18D80383D0

Uniqueness

Uniqueness Score: -1.00%

Function 07CCC198, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e052d8010ba5a3fcab0e88b734288cf2e5f2b451f528de6c47c45331754ec1cd
Instruction ID: ef48811fcd6e203314b173ef6b4456c7de409296787f72200115417e9b71419a
Opcode Fuzzy Hash: e052d8010ba5a3fcab0e88b734288cf2e5f2b451f528de6c47c45331754ec1cd
Instruction Fuzzy Hash: 2AE06D76505255AF92018A91ED40CA7FF7DFB8A2603094282F9089B213C621ED81C7F2

Uniqueness

Uniqueness Score: -1.00%

Function 07705739, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c371ccb930e549ef251c6e9833d49ef9b0f3bf778eaa527c7b63e53959505c27
Instruction ID: 0caf5ff6d409a52dcebf3e7c59e666bc5e205b48968df79c96204f45dab72d0c
Opcode Fuzzy Hash: c371ccb930e549ef251c6e9833d49ef9b0f3bf778eaa527c7b63e53959505c27
Instruction Fuzzy Hash: 2AE02236B102188BCB289668D8084EE33FBEBC9261F04007AD902E3B40DF75CC068FD1

Uniqueness

Uniqueness Score: -1.00%

Function 07706207, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86f0cfbff1792654e2d7feb815220807297cf897a400ac060ba1ebf1faaf140
Instruction ID: 9ef04f4f411607efb58c3d2f373b27eed7e7cdd3d23933be0cdc5a286ba9b6ad
Opcode Fuzzy Hash: a86f0cfbff1792654e2d7feb815220807297cf897a400ac060ba1ebf1faaf140
Instruction Fuzzy Hash: A7F0BC32010299BF8F429F94DD00CDE3FAAFF08264B409906FA445A120C772E9A0AB90

Uniqueness

Uniqueness Score: -1.00%

Function 07CB13C8, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3779fb973d1895cfd4da10a786303ba53d1dc0749e548e368a86d515e1d01d93
Instruction ID: 5a0454779019659a99d5ea6d48bed057d3ce87ce51469a286a54c737d38fb809
Opcode Fuzzy Hash: 3779fb973d1895cfd4da10a786303ba53d1dc0749e548e368a86d515e1d01d93
Instruction Fuzzy Hash: 4DE020B13401140FD72457B59C1ABA9775CDB40666F040475F50DCF7D0E929DC0247C0

Uniqueness

Uniqueness Score: -1.00%

Function 07CC52D0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987f69336dbac4e046dee18d761d88385e524571383d22839b3bb570fdf03f00
Instruction ID: 35660dd75d91074be2b2841900e00551570540c55eff900e34ea1e0ecc2a2606
Opcode Fuzzy Hash: 987f69336dbac4e046dee18d761d88385e524571383d22839b3bb570fdf03f00
Instruction Fuzzy Hash: 50E0E53120015997CB00DF55E8C09DE376AFFC1359B808912E40A6F200DF71A90ACBD0

Uniqueness

Uniqueness Score: -1.00%

Function 07CCF0F8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355f20c401de3ecefa1f46043ae4777c79b83824a72f16c4841c93d32f5b2f04
Instruction ID: 4e3747e57f04cc99bdaf69bdbd31528350555d7bb504fe0d6a95a7dc78c0ba52
Opcode Fuzzy Hash: 355f20c401de3ecefa1f46043ae4777c79b83824a72f16c4841c93d32f5b2f04
Instruction Fuzzy Hash: 70E0D8351052105FD302A764F9149E57BB9FF4923070243D2E524C73A3CA244F0447A1

Uniqueness

Uniqueness Score: -1.00%

Function 07706208, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d44596565f0691214a0650a7f9b3af8d0613f9a36c4ac979cdc91bae67f0f4
Instruction ID: 9ef0e5fca2ce66162eae4049da8ca7d06c9222255957c05a8e7c7597097c99da
Opcode Fuzzy Hash: 51d44596565f0691214a0650a7f9b3af8d0613f9a36c4ac979cdc91bae67f0f4
Instruction Fuzzy Hash: 6EF0BC32010299BF8F429F94D900CDE3FAAFF08264B409906FA445A120C772E9A0AB90

Uniqueness

Uniqueness Score: -1.00%

Function 07CCEB09, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7d0179ef56604a410192535e2306c74863fa80fec7322525340c2e5c01b01c
Instruction ID: 05bafca88e3aa771f1f938ba9e98f00c09ffb459ba2d06c267714425fc886e58
Opcode Fuzzy Hash: ec7d0179ef56604a410192535e2306c74863fa80fec7322525340c2e5c01b01c
Instruction Fuzzy Hash: 25E02672006B64ABC610CE98EA205DEBB4C9F025603184E62E9058B1A2D721DB0445F1

Uniqueness

Uniqueness Score: -1.00%

Function 07706AB7, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0a9f8583f2b0c75585d2050adbd0b106be74d740899a6482c15030a630c6eb
Instruction ID: c999e981bcd7f9b2b3ccaba63cda7fcc1c09cc75f510d0972d9d554a853e52c7
Opcode Fuzzy Hash: ca0a9f8583f2b0c75585d2050adbd0b106be74d740899a6482c15030a630c6eb
Instruction Fuzzy Hash: 6CE09272A0C348AFC766DBA4D85459A7FB5FF4612071880AAD806D3141EE399816CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07CC52E0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc1752fb70a95aec21a685882212df50a956d441c3e90b94fdae8a5128739222
Instruction ID: 1e870b566b2e23839f3ae99dcc80c59e2d303d1ad9e9ac99da1b5782ec950ecf
Opcode Fuzzy Hash: fc1752fb70a95aec21a685882212df50a956d441c3e90b94fdae8a5128739222
Instruction Fuzzy Hash: 91E01232210219978B10DF55E4818DF7BADFEC12597808916E8065F204DBB0B90ACBE0

Uniqueness

Uniqueness Score: -1.00%

Function 07CCF9B9, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864d1ba7f4491b0beb5e1ed07a69811e6b70f2888bb4d7d40302792ed8440253
Instruction ID: daedd40b73c362d8f321fe300d4d6f3fc67fd91ff87fd5d794846a5ae3937f54
Opcode Fuzzy Hash: 864d1ba7f4491b0beb5e1ed07a69811e6b70f2888bb4d7d40302792ed8440253
Instruction Fuzzy Hash: BDE01276700119DFCF05DF99E4408EDBBB1FF88262B108076E954D7610D731D665CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07707240, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d3c25151ed5d1389acfffb86d5c9eb010a90c460ffed8d9ca25c7173f4faeb
Instruction ID: 723d9d7b24fd57de8134dfbfaa4a833c2788d7f623317aba04f489ed2ab742eb
Opcode Fuzzy Hash: 08d3c25151ed5d1389acfffb86d5c9eb010a90c460ffed8d9ca25c7173f4faeb
Instruction Fuzzy Hash: 86D012367055245B4614959EF84086AF7DADBC9A75718807FE91DC7340DA62EC0386D0

Uniqueness

Uniqueness Score: -1.00%

Function 07CCC1A8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3952d640a11cf48eb4edda3a5fcdeee05ab2af365f9db3d21074acd5515bfa8
Instruction ID: 9432f1bf57b64f2ede5c171c82aebfe1efb43d808f2cba688967ab9a37abd87b
Opcode Fuzzy Hash: b3952d640a11cf48eb4edda3a5fcdeee05ab2af365f9db3d21074acd5515bfa8
Instruction Fuzzy Hash: 22E0ECB6A04219AF96008A46EC44C67FBADFB896743154296F90897302C771EC81CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 07704D28, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4880b39619d13b6393eb0acd55220412510734bb1fc60a0a70a5b5c8a1673a
Instruction ID: 2903d0c5f70d17ed82ffe7c447163c5ece70c17f4f0c6928753f7a28d8bcc5fd
Opcode Fuzzy Hash: 7f4880b39619d13b6393eb0acd55220412510734bb1fc60a0a70a5b5c8a1673a
Instruction Fuzzy Hash: 78E09271A40208EFD744DFA0E90079D76B6EB40316F1108A8C549AB340EB311F008B61

Uniqueness

Uniqueness Score: -1.00%

Function 07CBF4B9, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c0df98864aeb44dc8a31f9f9502480aec3a391743eae20754e7c0720844b27
Instruction ID: 95f35656b97b9b8d7ff930bcafdbf4e5fefa6bb1960e9407a8b0ad1f082fadf7
Opcode Fuzzy Hash: 25c0df98864aeb44dc8a31f9f9502480aec3a391743eae20754e7c0720844b27
Instruction Fuzzy Hash: 31E08676714200CFE754DB94E8527ADB7A6DBC4325F10C829D21B87640CB75B9058B95

Uniqueness

Uniqueness Score: -1.00%

Function 07CCA7C8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d5d6d1b0ee0cfd066a5447fb6a5f06d9174070bcfbe6fd86e95a597113b72ec
Instruction ID: 2071ea92cd8763f9464d42db389e8155f266f767f36e8b06db4d1afbfebcffd6
Opcode Fuzzy Hash: 0d5d6d1b0ee0cfd066a5447fb6a5f06d9174070bcfbe6fd86e95a597113b72ec
Instruction Fuzzy Hash: FDE08632604052AFD6414A94D818866FBBAEFCD32171DC6C2F945AB346C635D9D2DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0770723F, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa8237f44892a31020f608592c7d39a37bd2441bc5bab44328fed9e5e5316a3
Instruction ID: dc0968dfd94076ba8c8a791d202e92464815db905014f9ca147429f0dee70611
Opcode Fuzzy Hash: 8aa8237f44892a31020f608592c7d39a37bd2441bc5bab44328fed9e5e5316a3
Instruction Fuzzy Hash: 26D05E367051206B4218969EE840C6AF7EEEBCAA20718C06FE91DC7340CE62EC0386E0

Uniqueness

Uniqueness Score: -1.00%

Function 07CBF479, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484360379.0000000007CB0000.00000040.00000001.sdmp, Offset: 07CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288c7f37d77cfcfa93f183e3c5d01325d4088e11caa8bb7d24193d103a834e17
Instruction ID: 9a9e3e81d83c286107061ee5117b06fc369029d260e9dfb4a27ad21879ac6a90
Opcode Fuzzy Hash: 288c7f37d77cfcfa93f183e3c5d01325d4088e11caa8bb7d24193d103a834e17
Instruction Fuzzy Hash: 88E0C2B2610300CFEB10EB94E8467AD7766EBC0335F10CC29D2578B640CB79A9098B91

Uniqueness

Uniqueness Score: -1.00%

Function 07704D38, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1315b033cfd8d688eda474f3fb494d1daf6c27098f5facc158d971bd8e3a0a
Instruction ID: b8825752b818b4055a303fe68167c6d3ec93cf3c40f877b74730d6295a6138ba
Opcode Fuzzy Hash: 8e1315b033cfd8d688eda474f3fb494d1daf6c27098f5facc158d971bd8e3a0a
Instruction Fuzzy Hash: 19E08670B10108EFC700DFB4D91169E77BADB45306F1044A8C509A7340DE312F008761

Uniqueness

Uniqueness Score: -1.00%

Function 07706AC8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484020971.0000000007700000.00000040.00000001.sdmp, Offset: 07700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40e38d2c516bc2dd70ae426e547db45d924bd139f621e5cec6edb31c394c4a81
Instruction ID: 770690e5d063bbad2e8398bcb03e173284e587a8516dbfc96f4e889938adbc37
Opcode Fuzzy Hash: 40e38d2c516bc2dd70ae426e547db45d924bd139f621e5cec6edb31c394c4a81
Instruction Fuzzy Hash: 4ED05B75A04519AF8B999AA594154DE7FFAFB44164B108065D80AD2640EF3595118680

Uniqueness

Uniqueness Score: -1.00%

Function 07CCF108, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0ca759f08bf967fb1718ad6dae35c8cb77f7d7b1e91d6d9f76d7ea4d95c71b
Instruction ID: cf88a8d6e99528cb06005eb3577cf594a3fd38079a9233ae7bcc2f164112329b
Opcode Fuzzy Hash: 3a0ca759f08bf967fb1718ad6dae35c8cb77f7d7b1e91d6d9f76d7ea4d95c71b
Instruction Fuzzy Hash: E1D05E352102149FD700EB69E848E957BB9EF48765B0280A5EA09C7322DB31EC008BA1

Uniqueness

Uniqueness Score: -1.00%

Function 07CCA800, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7246bd391956d9833844a91f32b34dadda0cca7afdd8e28ca39ec87436db43e
Instruction ID: 7ba3879aa18ff83307a5ca326f2f0107cf55a59c6cb316dbbbe9d20a1d6aa980
Opcode Fuzzy Hash: d7246bd391956d9833844a91f32b34dadda0cca7afdd8e28ca39ec87436db43e
Instruction Fuzzy Hash: E2D0A771604190DFC744CB2595042A5BF62EFC821472DC4DAD4489F257CA37D823C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 07CCB163, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 696d064619992f8fc9e4c22d11cbe8cc0faf9d276b24fa6c885929116ecc1395
Instruction ID: 9cb03dd6664e5d1726a3733200256a46ff12846f13a2b7fff0d1b0ca285e55f8
Opcode Fuzzy Hash: 696d064619992f8fc9e4c22d11cbe8cc0faf9d276b24fa6c885929116ecc1395
Instruction Fuzzy Hash: DBD0CA3AA00008ABDF018EC4E840ACDFB32FB88321F008022E7106A560C6321566DB80

Uniqueness

Uniqueness Score: -1.00%

Function 07CC96E0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db40de8ceb07ac5a8867698f96ae93be02a91e6fe88e521c6f081dd5714def4f
Instruction ID: 43d4b653b64ac3d088d5eebf4cd62f7a1e3bdeebceff13c8616a3b102be437b0
Opcode Fuzzy Hash: db40de8ceb07ac5a8867698f96ae93be02a91e6fe88e521c6f081dd5714def4f
Instruction Fuzzy Hash: 8EC012742042416FC303875CDD81E463FEA6B50700F010002B20887592C63154B0CAA7

Uniqueness

Uniqueness Score: -1.00%

Function 07CCA828, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c19907cf00115837b0076a8e173e877fa9152b9f6e041b40e008787ae339c92b
Instruction ID: 14617e3e5a82158c7fef66686b576864d4cfc7ebe2479c49379bd3285e3dd3dc
Opcode Fuzzy Hash: c19907cf00115837b0076a8e173e877fa9152b9f6e041b40e008787ae339c92b
Instruction Fuzzy Hash: D7C0806444A3400FCF1583508C1104D3FB06AD75007C955E6C4529F553E51C410FD3D7

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07CCCE18, Relevance: 7.8, Strings: 6, Instructions: 314COMMON

Download Yara Rule

Strings

{ f^, xrefs: 07CCCF1B
K f^, xrefs: 07CCD023
; f^, xrefs: 07CCD07B
k f^, xrefs: 07CCCF73
[ f^, xrefs: 07CCCFCB
+ f^, xrefs: 07CCD0D3

Memory Dump Source

Source File: 00000005.00000002.484389028.0000000007CC0000.00000040.00000001.sdmp, Offset: 07CC0000, based on PE: false

Similarity

API ID:
String ID: + f^$; f^$K f^$[ f^$k f^${ f^
API String ID: 0-1600987521
Opcode ID: 32d85d8810c51ee5d74d1e9687f17179f4c4a0b37a91b86ed1243571b5956f43
Instruction ID: f7f4fa86034c173a9e0ec2e2d11ff608bb61bb2dba86dff9ea98dc42445bb09f
Opcode Fuzzy Hash: 32d85d8810c51ee5d74d1e9687f17179f4c4a0b37a91b86ed1243571b5956f43
Instruction Fuzzy Hash: 2AC1C0B0720304AFD744DB64D8917DEB7A2EB84209B109A6DC50A9F795EF71BD098BE0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 6648 Parent PID: 6232 powershell.exeCOMMON

Executed Functions

Function 07715F58, Relevance: 1.6, APIs: 1, Instructions: 128pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNELBASE(00000000,40080003,?,?,?,00000000,00000001,00000000), ref: 07718808

Memory Dump Source

Source File: 00000008.00000002.495364414.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: 63a60e12e2b9ab51214791513deafaef37fac2b9863c41978a315a5c192d24fb
Instruction ID: 7a2fd46c9eada0a4856470ac7ab294ee06bb298445e1f4379b855592213153d3
Opcode Fuzzy Hash: 63a60e12e2b9ab51214791513deafaef37fac2b9863c41978a315a5c192d24fb
Instruction Fuzzy Hash: 0451F3B0D11259DFDB14CFA9D884B8EBBF6AF49314F28852AE418AB260D7709884CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07757E00, Relevance: .7, Instructions: 688COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.495461094.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875c3f296443f23ce35182ef6aa68bf3272db9b0c194d43d74d2f95e408e4ca7
Instruction ID: 51a7bf870c43c7d210349cff60da35f3a3858e3066f0b10b315a6a25f2233997
Opcode Fuzzy Hash: 875c3f296443f23ce35182ef6aa68bf3272db9b0c194d43d74d2f95e408e4ca7
Instruction Fuzzy Hash: CB526070600219CFDB25DF64C850BAD77B2EF85348F1189A9D90AAB3A0DB71DD45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 077186D7, Relevance: 1.6, APIs: 1, Instructions: 134pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNELBASE(00000000,40080003,?,?,?,00000000,00000001,00000000), ref: 07718808

Memory Dump Source

Source File: 00000008.00000002.495364414.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: 86fcc936e462ad031a51d4c6e3496f87e92f03b463420cb8230174df239c4f40
Instruction ID: edbd08f0594ee46823d74eacc67d0caebdce7f89b866220879500ed3c4d684e0
Opcode Fuzzy Hash: 86fcc936e462ad031a51d4c6e3496f87e92f03b463420cb8230174df239c4f40
Instruction Fuzzy Hash: 105115B0D10259DFDB14CFA9C884BCEBBF6BF48314F24852AE418AB260D7709884CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07756A7E, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.495461094.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bcbbc4e64362b118fb26f99bbf29c603b2be39e9bb1425e72369abce51d7daa
Instruction ID: a216538a875a8fb8d867dac5b3dff760066c2aeef7d87bba2a5db111df26c4fe
Opcode Fuzzy Hash: 5bcbbc4e64362b118fb26f99bbf29c603b2be39e9bb1425e72369abce51d7daa
Instruction Fuzzy Hash: 93916B75A00214CFEB25DF64D854BAEBBB6FF88315F1485A9D909EB290DB30AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07756190, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.495461094.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0800d505cb2df486d70e18a4c9343ea5348f25a55bf75364e2b18490a887401b
Instruction ID: 6f963e9c8bc6d0cd7c4f95a8bcf21b79e5ffdbc692bd807063005ded5a2ba19c
Opcode Fuzzy Hash: 0800d505cb2df486d70e18a4c9343ea5348f25a55bf75364e2b18490a887401b
Instruction Fuzzy Hash: 91814CB0E00219DFDB14DFA4C554BEEBBF6AF88714F648469D800AB350DB749D45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07755110, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.495461094.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28307b15f5796aa5219841143216ef2eb2884745b68ed46f43a92de038181ac
Instruction ID: 0e97e0cf01dd3169561d53ce2183f922115dd5ec764d7906e4866fc376c88b36
Opcode Fuzzy Hash: c28307b15f5796aa5219841143216ef2eb2884745b68ed46f43a92de038181ac
Instruction Fuzzy Hash: 2C518435B101589BDF059BA4DC50BEEBABBEF8C304F10C529E606A7798CF359C019BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0775E428, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.495461094.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44c76f924a72bc9512eed8f8e850cc036c11f4452107be05159d9483bb3915b
Instruction ID: e3a6be48ffeab64c3320d6df4403e3ed7eb7ce3f68a6977d9674a67c4aa6afe0
Opcode Fuzzy Hash: b44c76f924a72bc9512eed8f8e850cc036c11f4452107be05159d9483bb3915b
Instruction Fuzzy Hash: 4C419F70E01209DBDB14DBA0D450BEEB7B6FF84348F608929D80AAB790DF74A945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07756080, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.495461094.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0edb030ae8c693bdfd48866bf4d50aa6f155d3ad21913265942c018fc900ac00
Instruction ID: 39d70b7567780fb2c9145f36ef2260e09512abc4f32623f01fcb2f3db9efc84d
Opcode Fuzzy Hash: 0edb030ae8c693bdfd48866bf4d50aa6f155d3ad21913265942c018fc900ac00
Instruction Fuzzy Hash: DA318FB57102058FD704DFA8DD51ABEB7BAEF88240B148539E905DB365EF30EC058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0775E418, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.495461094.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7d04f558e2d8fac3fc194d58c041efe1bebf4c493906cc720a8ad1fd67f895
Instruction ID: 7e3d605cff9696907cacf794837d21e148ed2a30be6826b9eae440a0d4269838
Opcode Fuzzy Hash: 8a7d04f558e2d8fac3fc194d58c041efe1bebf4c493906cc720a8ad1fd67f895
Instruction Fuzzy Hash: 5C21DE30A053059BEB10EBB0D820BAE7776EF81308F109968C5062F790DF74A909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 07756070, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.495461094.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4376af9548cab3807442d3a91813ace5957ac9597fbdba0bee758aad16cd0939
Instruction ID: c659c83a33350b7b8bf116c8b6cd007244d1a6196178876737ff6cc3204af853
Opcode Fuzzy Hash: 4376af9548cab3807442d3a91813ace5957ac9597fbdba0bee758aad16cd0939
Instruction Fuzzy Hash: A511A0B96102019FD711DB68EC519BA7BFAEF89240B15856AE908DB361EB309C01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0430D01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.488743464.000000000430D000.00000040.00000001.sdmp, Offset: 0430D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6857abc2bddb8970a0517f6803e32418663d19dc82506b4f843ee7ac0024a061
Instruction ID: 29a7b234e1d28d0e30430cc49f3dc85ba3bcbb3fde07422c002afdfc20430228
Opcode Fuzzy Hash: 6857abc2bddb8970a0517f6803e32418663d19dc82506b4f843ee7ac0024a061
Instruction Fuzzy Hash: 1B01F7715043809AE7104E91EC807A7BFDCEF41268F18D61AEC491B6C2D379A845CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0430D007, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.488743464.000000000430D000.00000040.00000001.sdmp, Offset: 0430D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9aea3762079f54832c629003f97bb9f094d3a5a1728b32231e33a0c8d24266f
Instruction ID: 25ec847aa793afdeb4d71a1a23cb3d90c436039e33a80042525a8aa21321e953
Opcode Fuzzy Hash: b9aea3762079f54832c629003f97bb9f094d3a5a1728b32231e33a0c8d24266f
Instruction Fuzzy Hash: A3014C6140D3C09FE7128B259894A52BFB4EF43224F1981DBE8889F2D3C2695849CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 07756760, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.495461094.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3addf55a89371205bd0d739ae9274792bc800ea393a685cab8e6df262a579169
Instruction ID: 4a073d57c8cc3183be7bc086c161fd1276371eedc17b367c5d603cbf73e46f20
Opcode Fuzzy Hash: 3addf55a89371205bd0d739ae9274792bc800ea393a685cab8e6df262a579169
Instruction Fuzzy Hash: C201F7793092808FC3158B64D41841ABFA6DFC1624318C9AFD94ECB391DB359C03C750

Uniqueness

Uniqueness Score: -1.00%

Function 07755718, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.495461094.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8068c9af43262ed2a1d400688c582db9e85564463fdc3a1a1e7b927eef643d4
Instruction ID: 7d2368761f482b16c6724fe8f15ca0a0419e03b8a6d65e9398c8bac1a1a73007
Opcode Fuzzy Hash: b8068c9af43262ed2a1d400688c582db9e85564463fdc3a1a1e7b927eef643d4
Instruction Fuzzy Hash: FDF0E232100699FBCF529F85DD00CDE3F7AFF89754B054919FA0446120C772D8A1EB90

Uniqueness

Uniqueness Score: -1.00%

Function 077550B0, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.495461094.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e40ad14752d02dc8eb1807c32cc907a5cef7cbd9e3473da035612fc35d533df
Instruction ID: 6a41ad5d2c170b0051e356bf10bde4ec6c171df45caf1ecc60cc25623478ebe7
Opcode Fuzzy Hash: 7e40ad14752d02dc8eb1807c32cc907a5cef7cbd9e3473da035612fc35d533df
Instruction Fuzzy Hash: AAE0653671021497CB19566DD8144EE77EBABC9261F04007AD906E7740DF759C168BA1

Uniqueness

Uniqueness Score: -1.00%

Function 07755780, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.495461094.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71636310873bc0b8a11c27f2df91da51f829cecdca39d71542ca5be3c5d9f7a4
Instruction ID: 21ab80fc3222998d7fa1a8cf9aee874fdd8f472ea7d953c67572933d2f4136a9
Opcode Fuzzy Hash: 71636310873bc0b8a11c27f2df91da51f829cecdca39d71542ca5be3c5d9f7a4
Instruction Fuzzy Hash: C2F0BC32110269BB8F429F94D900CDE3FAAFF08264B409906FA4456120C672E9A0AB90

Uniqueness

Uniqueness Score: -1.00%

Function 077567B8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.495461094.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17d1965fea996dd117deb034deabc1e5bac944226ff90df5bc521ea6f97c490
Instruction ID: 89304f070c2283396b0be4e63221bff31a0407be9a6b28a773a3ff6789665a14
Opcode Fuzzy Hash: a17d1965fea996dd117deb034deabc1e5bac944226ff90df5bc521ea6f97c490
Instruction Fuzzy Hash: 21D0127670442457421496DDF54086AF79EDBC5A75318847BEA0DC7700CB62DC13C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0775EAF8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.495461094.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a99e04878716370028aa2a9385bce97661d54a800acc5b98512d871c214e23ab
Instruction ID: f21e4096b271ec1ab8f7001ffe9a19a9341a790f14e27dbdf8d040671f80c685
Opcode Fuzzy Hash: a99e04878716370028aa2a9385bce97661d54a800acc5b98512d871c214e23ab
Instruction Fuzzy Hash: DFE086361451509FC3419B68F458FC57F69DF49215B114195F9458B362CA25A8138B91

Uniqueness

Uniqueness Score: -1.00%

Function 07756040, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.495461094.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea38fea9a64e9a1c5dab6e8065a76032b4cc338cd449d0e756c13386577167e
Instruction ID: 9c8001e9b5f61b684bb3b2ba53a486cdb60b9da6af49522c6a20d05c7b60b7bc
Opcode Fuzzy Hash: dea38fea9a64e9a1c5dab6e8065a76032b4cc338cd449d0e756c13386577167e
Instruction Fuzzy Hash: B0D0A571F002156F8B159F55E4448DF7FFBDB44171B104075D909D3200EF7195418790

Uniqueness

Uniqueness Score: -1.00%

Function 0775EB08, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.495461094.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d2139599fcd2fe4678666f921f87b0665afbfaee2736b8af18583f77fe04c2
Instruction ID: 53f502170bb0da84ea9dd15c916ad9f79829c87a2ff351acbff64cde9eb0df83
Opcode Fuzzy Hash: 65d2139599fcd2fe4678666f921f87b0665afbfaee2736b8af18583f77fe04c2
Instruction Fuzzy Hash: A3D0A7352102209FC341EBA9E418D497BBDEF4C3247118196FD09CF361CB35EC018B91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report rzMvWQOGAE.bin

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: rzMvWQOGAE.exe PID: 6232 Parent PID: 5416