Edit tour

Windows Analysis Report
h1a1eHrclt.exe

Overview

General Information

Sample name:	h1a1eHrclt.exe renamed because original name is a hash value
Original sample name:	1d98bb52c2eeac75f2e83e8b0b88459f.exe
Analysis ID:	1501418
MD5:	1d98bb52c2eeac75f2e83e8b0b88459f
SHA1:	ab0db0eca10717ad295b4c015db9d51c20bda41d
SHA256:	6cb8969c2e226f0597598198992dd4afd52d70ac83c187852d3cd872dd6b7a0d
Tags:	DCRatexe
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Suricata IDS alerts for network traffic

Yara detected DCRat

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops PE files with benign system names

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: System File Execution Location Anomaly

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Uses 32bit PE files

Classification

Process Tree

System is w10x64

h1a1eHrclt.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\h1a1eHrclt.exe" MD5: 1D98BB52C2EEAC75F2E83E8B0B88459F)

schtasks.exe (PID: 7348 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7364 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7380 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7400 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7436 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7452 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7468 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 10 /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7484 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7500 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 5 /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7516 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7532 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7548 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7564 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7580 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7596 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7612 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7628 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7644 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7660 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7684 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7700 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7732 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7748 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Windows\addins\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7772 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7788 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7804 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Windows\tracing\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7824 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7840 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 8 /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7860 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7880 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 8 /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7908 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windows nt\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7932 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files (x86)\windows nt\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7952 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows nt\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7992 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8008 cmdline: schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

RuntimeBroker.exe (PID: 7668 cmdline: C:\Recovery\RuntimeBroker.exe MD5: 1D98BB52C2EEAC75F2E83E8B0B88459F)

RuntimeBroker.exe (PID: 7708 cmdline: C:\Recovery\RuntimeBroker.exe MD5: 1D98BB52C2EEAC75F2E83E8B0B88459F)

UQXKdqQetSFpkBwLVgNixbuHXutP.exe (PID: 7724 cmdline: "C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe" MD5: 1D98BB52C2EEAC75F2E83E8B0B88459F)

UQXKdqQetSFpkBwLVgNixbuHXutP.exe (PID: 7756 cmdline: "C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe" MD5: 1D98BB52C2EEAC75F2E83E8B0B88459F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"N\":\"@\",\"y\":\"<\",\"I\":\".\",\"0\":\"^\",\"Y\":\"$\",\"3\":\" \",\"v\":\"%\",\"w\":\"*\",\"O\":\">\",\"V\":\"|\",\"S\":\",\",\"H\":\"!\",\"R\":\"(\",\"l\":\"~\",\"1\":\"&\",\"U\":\"_\",\"Z\":\")\",\"L\":\"`\",\"M\":\";\",\"D\":\"-\",\"F\":\"#\"}", "PCRT": "{\"d\":\";\",\"N\":\"*\",\"V\":\"_\",\"B\":\"@\",\"F\":\"<\",\"Q\":\"$\",\"k\":\".\",\"5\":\"`\",\"x\":\"|\",\"C\":\"#\",\"W\":\">\",\"U\":\"-\",\"J\":\"~\",\"n\":\"!\",\"T\":\"%\",\"X\":\")\",\"a\":\" \",\"z\":\",\",\"i\":\"(\",\"2\":\"^\",\"t\":\"&\"}", "TAG": "", "MUTEX": "DCR_MUTEX-ahWGQa9701g1GeR1gf58", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000001B.00000002.1832916443.0000000012FBA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000018.00000002.1832482661.00000000034F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000017.00000002.1833064398.00000000028A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000018.00000002.1832482661.000000000350C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001B.00000002.1832421022.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000014.00000002.1832599441.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1890007237.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: h1a1eHrclt.exe PID: 7264	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 7668	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 7708	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: UQXKdqQetSFpkBwLVgNixbuHXutP.exe PID: 7724	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: UQXKdqQetSFpkBwLVgNixbuHXutP.exe PID: 7756	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\h1a1eHrclt.exe, ProcessId: 7264, TargetFilename: C:\Program Files (x86)\microsoft.net\RedistList\RuntimeBroker.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\Public\Desktop\Memory Compression.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\h1a1eHrclt.exe, ProcessId: 7264, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Memory Compression

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Recovery\RuntimeBroker.exe, CommandLine: C:\Recovery\RuntimeBroker.exe, CommandLine|base64offset|contains: , Image: C:\Recovery\RuntimeBroker.exe, NewProcessName: C:\Recovery\RuntimeBroker.exe, OriginalFileName: C:\Recovery\RuntimeBroker.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Recovery\RuntimeBroker.exe, ProcessId: 7668, ProcessName: RuntimeBroker.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\h1a1eHrclt.exe, ProcessId: 7264, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UQXKdqQetSFpkBwLVgNixbuHXutP

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\h1a1eHrclt.exe, ProcessId: 7264, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\RuntimeBroker.exe'" /f, CommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\RuntimeBroker.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\h1a1eHrclt.exe", ParentImage: C:\Users\user\Desktop\h1a1eHrclt.exe, ParentProcessId: 7264, ParentProcessName: h1a1eHrclt.exe, ProcessCommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\RuntimeBroker.exe'" /f, ProcessId: 7564, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE DCRat Initial Checkin Server Response M4 - Source IP: 185.114.247.170 - Destination IP: 192.168.2.4

Timestamp:	2024-08-29T21:52:59.619605+0200
SID:	2850862
Severity:	1
Source Port:	80
Destination Port:	63625
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Win32/DCRat CnC Exfil - Source IP: 192.168.2.4 - Destination IP: 185.114.247.170

Timestamp:	2024-08-29T21:52:38.466015+0200
SID:	2033087
Severity:	1
Source Port:	63623
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE DCRAT Activity (GET) - Source IP: 192.168.2.4 - Destination IP: 185.114.247.170

Timestamp:	2024-08-29T21:52:32.084292+0200
SID:	2034194
Severity:	1
Source Port:	63623
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE DCRat Initial Checkin Server Response M4 - Source IP: 185.114.247.170 - Destination IP: 192.168.2.4

Timestamp:	2024-08-29T21:54:00.783788+0200
SID:	2850862
Severity:	1
Source Port:	80
Destination Port:	63660
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: h1a1eHrclt.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8321.tmp	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows NT\RCX70B8.tmp	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\RCX5EAD.tmp	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Defender\en-GB\RCX5AD2.tmp	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows NT\RCX7165.tmp	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\jDownloader\config\RCX7BAC.tmp	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\jDownloader\RCX649D.tmp	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Microsoft Office 15\RCX52FF.tmp	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\jDownloader\config\RCX7AF0.tmp	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\jDownloader\RCX646E.tmp	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Defender\en-GB\RCX5B70.tmp	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Microsoft Office 15\RCX5253.tmp	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8370.tmp	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\RCX5F5A.tmp	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: UQXKdqQetSFpkBwLVgNixbuHXutP.exe.7724.24.memstrmin

Malware Configuration Extractor: DCRat {"SCRT": "{\"N\":\"@\",\"y\":\"<\",\"I\":\".\",\"0\":\"^\",\"Y\":\"$\",\"3\":\" \",\"v\":\"%\",\"w\":\"*\",\"O\":\">\",\"V\":\"|\",\"S\":\",\",\"H\":\"!\",\"R\":\"(\",\"l\":\"~\",\"1\":\"&\",\"U\":\"_\",\"Z\":\")\",\"L\":\"`\",\"M\":\";\",\"D\":\"-\",\"F\":\"#\"}", "PCRT": "{\"d\":\";\",\"N\":\"*\",\"V\":\"_\",\"B\":\"@\",\"F\":\"<\",\"Q\":\"$\",\"k\":\".\",\"5\":\"`\",\"x\":\"|\",\"C\":\"#\",\"W\":\">\",\"U\":\"-\",\"J\":\"~\",\"n\":\"!\",\"T\":\"%\",\"X\":\")\",\"a\":\" \",\"z\":\",\",\"i\":\"(\",\"2\":\"^\",\"t\":\"&\"}", "TAG": "", "MUTEX": "DCR_MUTEX-ahWGQa9701g1GeR1gf58", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\jDownloader\config\RuntimeBroker.exe	ReversingLabs: Detection: 84%
Source: C:\Program Files\Microsoft Office 15\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	ReversingLabs: Detection: 84%
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	ReversingLabs: Detection: 84%
Source: C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	ReversingLabs: Detection: 84%
Source: C:\Program Files\Windows Portable Devices\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	ReversingLabs: Detection: 84%
Source: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe	ReversingLabs: Detection: 84%
Source: C:\Recovery\RuntimeBroker.exe	ReversingLabs: Detection: 84%
Source: C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	ReversingLabs: Detection: 84%
Source: C:\Users\Public\Desktop\Memory Compression.exe	ReversingLabs: Detection: 84%
Source: C:\Windows\addins\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	ReversingLabs: Detection: 84%
Source: C:\Windows\tracing\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	ReversingLabs: Detection: 84%

Multi AV Scanner detection for submitted file

Source: h1a1eHrclt.exe

ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8321.tmp	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows NT\RCX70B8.tmp	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\RCX5EAD.tmp	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Defender\en-GB\RCX5AD2.tmp	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows NT\RCX7165.tmp	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\jDownloader\config\RCX7BAC.tmp	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\jDownloader\RCX649D.tmp	Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office 15\RCX52FF.tmp	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\jDownloader\config\RCX7AF0.tmp	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\jDownloader\RCX646E.tmp	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Defender\en-GB\RCX5B70.tmp	Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office 15\RCX5253.tmp	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8370.tmp	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\RCX5F5A.tmp	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: h1a1eHrclt.exe

Joe Sandbox ML: detected

Source: h1a1eHrclt.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows NT\b090c5ff0df038	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Microsoft Office 15\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Microsoft Office 15\b090c5ff0df038	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows Portable Devices\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows Portable Devices\b090c5ff0df038	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\b090c5ff0df038	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows NT\RCX4EA7.tmp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows NT\RCX4FB2.tmp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Microsoft Office 15\RCX5253.tmp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Microsoft Office 15\RCX52FF.tmp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows Portable Devices\RCX7435.tmp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows Portable Devices\RCX74E2.tmp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8321.tmp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8370.tmp	Jump to behavior

Source: h1a1eHrclt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:63623 -> 185.114.247.170:80
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 185.114.247.170:80 -> 192.168.2.4:63625
Source: Network traffic	Suricata IDS: 2033087 - Severity 1 - ET MALWARE Win32/DCRat CnC Exfil : 192.168.2.4:63623 -> 185.114.247.170:80
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 185.114.247.170:80 -> 192.168.2.4:63660

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 219.53.3.0.in-addr.arpa

Source: h1a1eHrclt.exe, 00000000.00000002.1890007237.0000000003327000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\addins\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\addins\UQXKdqQetSFpkBwLVgNixbuHXutP.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\addins\b090c5ff0df038	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\tracing\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\tracing\UQXKdqQetSFpkBwLVgNixbuHXutP.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\tracing\b090c5ff0df038	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\addins\RCX66E1.tmp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\addins\RCX679D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\tracing\RCX6B57.tmp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\tracing\RCX6C14.tmp	Jump to behavior

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Code function: 0_2_00007FFD9B88CC20	0_2_00007FFD9B88CC20
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Code function: 0_2_00007FFD9B88C9E0	0_2_00007FFD9B88C9E0
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Code function: 0_2_00007FFD9B88C9B8	0_2_00007FFD9B88C9B8
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Code function: 0_2_00007FFD9B88A94D	0_2_00007FFD9B88A94D
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Code function: 0_2_00007FFD9B8910AD	0_2_00007FFD9B8910AD
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Code function: 0_2_00007FFD9B88CF68	0_2_00007FFD9B88CF68
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Code function: 0_2_00007FFD9B8835EA	0_2_00007FFD9B8835EA
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Code function: 0_2_00007FFD9B892500	0_2_00007FFD9B892500
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Code function: 0_2_00007FFD9B882AF0	0_2_00007FFD9B882AF0
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Code function: 0_2_00007FFD9B889F15	0_2_00007FFD9B889F15
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Code function: 0_2_00007FFD9B889F03	0_2_00007FFD9B889F03
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Code function: 0_2_00007FFD9B882AF0	0_2_00007FFD9B882AF0
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Code function: 0_2_00007FFD9B88CE7D	0_2_00007FFD9B88CE7D
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Code function: 0_2_00007FFD9B882AF0	0_2_00007FFD9B882AF0
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Code function: 0_2_00007FFD9B882AF0	0_2_00007FFD9B882AF0
Source: C:\Recovery\RuntimeBroker.exe	Code function: 20_2_00007FFD9B8B10AD	20_2_00007FFD9B8B10AD
Source: C:\Recovery\RuntimeBroker.exe	Code function: 20_2_00007FFD9B8A35EA	20_2_00007FFD9B8A35EA
Source: C:\Recovery\RuntimeBroker.exe	Code function: 23_2_00007FFD9B8A35EA	23_2_00007FFD9B8A35EA
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Code function: 24_2_00007FFD9B8A35EA	24_2_00007FFD9B8A35EA
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Code function: 24_2_00007FFD9B8B10AD	24_2_00007FFD9B8B10AD
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Code function: 27_2_00007FFD9B8B10AD	27_2_00007FFD9B8B10AD
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Code function: 27_2_00007FFD9B8A35EA	27_2_00007FFD9B8A35EA

Source: h1a1eHrclt.exe, 00000000.00000002.1889761378.0000000002B40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1890007237.0000000003466000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1890007237.0000000003466000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1890007237.0000000003466000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameexOrkDudfsKKj0bU5hWDd8H.exeD vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1905991677.000000001B720000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1889906246.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePerformanceCounter.dclib4 vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1913836244.000000001C270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIw9sIQRvcJN.exeD vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1889880989.0000000002B90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMiscInfoGrabber.dclib4 vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1910376657.000000001B740000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameUserPingCounter.dclib4 vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000000.1675693377.0000000000A54000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename6sXzmumtXnhXmWMrDHvX4OCI.exeD vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1889805402.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBuildInstallationTweaksPlugin.dll\ vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1889730411.0000000002B30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1905836463.000000001B710000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1906577294.000000001B730000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameUSBSpread.dll4 vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1913400700.000000001C1D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1913400700.000000001C1D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1905603692.000000001B700000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename4 vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1897086974.000000001326F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1910514136.000000001B750000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameVPNGrabber.dclib4 vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1905510093.000000001B6F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRegEditorPlugin.dclib4 vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1890007237.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1889837066.0000000002B70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe, 00000000.00000002.1889934053.0000000002C00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename4 vs h1a1eHrclt.exe
Source: h1a1eHrclt.exe	Binary or memory string: OriginalFilename6sXzmumtXnhXmWMrDHvX4OCI.exeD vs h1a1eHrclt.exe

Source: h1a1eHrclt.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: h1a1eHrclt.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: UQXKdqQetSFpkBwLVgNixbuHXutP.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: UQXKdqQetSFpkBwLVgNixbuHXutP.exe0.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RuntimeBroker.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RuntimeBroker.exe0.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: h1a1eHrclt.exe, bF9lvyh8mI5iGOsLfP1.cs	Cryptographic APIs: 'TransformBlock'
Source: h1a1eHrclt.exe, bF9lvyh8mI5iGOsLfP1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: h1a1eHrclt.exe, VsIv95aFHRwZujFnLxN.cs	Cryptographic APIs: 'CreateDecryptor'
Source: h1a1eHrclt.exe, VsIv95aFHRwZujFnLxN.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@41/89@2/0

Source: C:\Users\user\Desktop\h1a1eHrclt.exe

File created: C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe

Jump to behavior

Source: C:\Users\user\Desktop\h1a1eHrclt.exe

File created: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe

Jump to behavior

Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\e2eb62b02f520d224f8bc61ecc2b071c634e9553

Source: C:\Users\user\Desktop\h1a1eHrclt.exe

File created: C:\Users\user\AppData\Local\Temp\fjilrMJ9JG

Jump to behavior

Source: h1a1eHrclt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: h1a1eHrclt.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\h1a1eHrclt.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\h1a1eHrclt.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: h1a1eHrclt.exe

ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\h1a1eHrclt.exe

File read: C:\Users\user\Desktop\h1a1eHrclt.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\h1a1eHrclt.exe "C:\Users\user\Desktop\h1a1eHrclt.exe"
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 10 /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 5 /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\RuntimeBroker.exe'" /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\RuntimeBroker.exe'" /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Source: unknown	Process created: C:\Recovery\RuntimeBroker.exe C:\Recovery\RuntimeBroker.exe
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\RuntimeBroker.exe C:\Recovery\RuntimeBroker.exe
Source: unknown	Process created: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe "C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe"
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Windows\addins\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe "C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe"
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Windows\tracing\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 8 /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 8 /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windows nt\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files (x86)\windows nt\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows nt\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll

Source: C:\Users\user\Desktop\h1a1eHrclt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows NT\b090c5ff0df038	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Microsoft Office 15\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Microsoft Office 15\b090c5ff0df038	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows Portable Devices\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows Portable Devices\b090c5ff0df038	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\b090c5ff0df038	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows NT\RCX4EA7.tmp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows NT\RCX4FB2.tmp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Microsoft Office 15\RCX5253.tmp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Microsoft Office 15\RCX52FF.tmp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows Portable Devices\RCX7435.tmp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows Portable Devices\RCX74E2.tmp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8321.tmp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8370.tmp	Jump to behavior

Source: h1a1eHrclt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: h1a1eHrclt.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: h1a1eHrclt.exe

Static file information: File size 1772544 > 1048576

Source: h1a1eHrclt.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1ad200

Source: h1a1eHrclt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: h1a1eHrclt.exe, VsIv95aFHRwZujFnLxN.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: h1a1eHrclt.exe, b9Km99rYSxbOWHthSJN.cs	.Net Code: pZXNtcnseu System.AppDomain.Load(byte[])
Source: h1a1eHrclt.exe, b9Km99rYSxbOWHthSJN.cs	.Net Code: pZXNtcnseu System.Reflection.Assembly.Load(byte[])
Source: h1a1eHrclt.exe, b9Km99rYSxbOWHthSJN.cs	.Net Code: pZXNtcnseu

Source: h1a1eHrclt.exe	Static PE information: section name: .text entropy: 7.403118868606928
Source: UQXKdqQetSFpkBwLVgNixbuHXutP.exe.0.dr	Static PE information: section name: .text entropy: 7.403118868606928
Source: UQXKdqQetSFpkBwLVgNixbuHXutP.exe0.0.dr	Static PE information: section name: .text entropy: 7.403118868606928
Source: RuntimeBroker.exe.0.dr	Static PE information: section name: .text entropy: 7.403118868606928
Source: RuntimeBroker.exe0.0.dr	Static PE information: section name: .text entropy: 7.403118868606928

Source: h1a1eHrclt.exe, MH6Pelrn2TUweV0UyFK.cs	High entropy of concatenated method names: 'sjKNj4rlm5', 'wwOxgFw9F9yTyI5BSnU', 'CKCQhSwCKsRED6ViArb', 'QcR6F9wV18CZXVRkjY4', 'ogF21KwA6BDUw3qdedj', 'pNPpZ6wu6Fc0JYhI88F', 'Lk6eP5w76gR1XSB86be', 'IvSmmLwTIPEibWe9fGm', 'vSHs72wMM3mxToE3Kqm', 'HKdAqnwenXsYZ6pEchv'
Source: h1a1eHrclt.exe, jSrsHOLTrrM2xmqBBtQ.cs	High entropy of concatenated method names: 'DipClBB2OqVssZTTq7r', 'VopxvyBIKwHB0FrtAt4', 'WQwpL4BmY0OODJnR63C', 'SCcALdB61JmG0assNFZ', 'tkqF5wdaxD', 'V7FpKpBUBcsTlKLGn8a', 'nrZhgFBDTrENnSqyOec', 'MWnClpBhhCBX6qxuayk', 'ofotIhBqyNGQPPkZxjq', 'IE8rh5BWINZlSiETXOy'
Source: h1a1eHrclt.exe, jUsats7ZXK0jplfw4au.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'TT92g6TD7Z2GdP1hwIn', 'q5uND7TWAUuWjOnViKc', 'TK91BaT1p1silNfd4OQ', 'o0AQC5TQpsMhjVemKt2', 'rswCLaToPF17msr7Vru', 'kMqh4fTOX4UIcwaZDkD'
Source: h1a1eHrclt.exe, b9Km99rYSxbOWHthSJN.cs	High entropy of concatenated method names: 'wDHNDwMiPH', 'W4vNwCIJKQ', 'awTN7O7ZYL', 'RBbNQWOMkr', 'xVBNdtoIoj', 'c0oNpAhQiH', 'EXHN1lel1r', 'ywNbNsnhc7MTUoeZaye', 'U7mdRYn26QotLuGc2qo', 'jBBSQbnIyx5ivxNwRLr'
Source: h1a1eHrclt.exe, Wv9rL7Tm50pYMOpxRj7.cs	High entropy of concatenated method names: 'uCeqv2jmk5', 'A9YqcgjW9Z', 'L8sqa3rIBC', 'vy41ium5An6JeDYTVB6', 'HkqnQGmvE9Bvvxlywif', 's3HisAmthCB4YSGZvRn', 'WcioDimF86DFkdc3BNX', 'B483ocmN0JBrFGGwLrV', 'xDFggEmHOUqvdCZeQEo', 'cymHdEmlQmb2sHLQ2pr'
Source: h1a1eHrclt.exe, gyJF6f77OneXw09Fs90.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'I2olP27X7SFcb3iKQIS', 'ulpkox7sY0PbhGJeVhZ', 'mMpI1E7ma8hR3TSe7Pe', 'ThUk3w765E1xITsyrcJ', 'WKhd1Q72PVw6JO3M2xn', 'kDWbS17IB9x8UbA8dcV'
Source: h1a1eHrclt.exe, TPStjY7l4pva3TqkNGg.cs	High entropy of concatenated method names: 'hxVrXc3i25', 'C2qmTAbAOn3ukSBWxA9', 'vByhq3b9SW0aj1BQCOb', 'cpHprGbROaANWNRpR7V', 'rl6lWBbVccbalOngk1s', 'b5ok8abCIIhiILAP8jp', 'QLnw7dbuWOGgdR6EYrN', 'vtkgoub7Kh5Xbtl74m2', 'cUxr80aUgQ', 'vYk6HtbeR6c2r0nlPaX'
Source: h1a1eHrclt.exe, e5St7YhrZSiCgICd47H.cs	High entropy of concatenated method names: 'rhhhqRr6eb', 'fQNhuGrkAY', '_8r1', 'AM8hA2o8j9', 'byHhB78uEs', 'zrjhREZnlk', 'wLuhbBDRKW', 'X7O78h0pAuAKfeof1W9', 'hARrkM0LcXExMg4UhZj', 'e54Vdo0ahBmL77DXudb'
Source: h1a1eHrclt.exe, jRDHk1TZ8wdmqnAhS9r.cs	High entropy of concatenated method names: '_223', 'Aq5cJama9T00fggx8CN', 'KrbecgmEbVhPTCRfyNf', 'HRCYXKmXdwI0UGc1EBj', 'aJXDNAmsswiXfh3OTsT', 'oHDXcCmmG37EXAMCHTO', 'xuqJl7m6dg7Jlfk57yF', 'Ay2FrMm2JEucnvsnpa7', 'xNtTVEmIfTIIET86aZy', 'KlZPAZmhtsD3W5xlv7O'
Source: h1a1eHrclt.exe, b3PhiurgRGy6wuba9nk.cs	High entropy of concatenated method names: 'rSL945VXG9', 'AUY9S57soP', 'KGT9z2vNnb', 'KsVVxbfHui', 'FbuVrUfxP6', 'pe9Vg7f9mZ', 'cLfVNPkKOv', 'wS6V9l7pht', 'Bp4VVSUZMk', 'gGwNKVpx6tjyOIbGFA2'
Source: h1a1eHrclt.exe, DromesNpnqo5VlBnD90.cs	High entropy of concatenated method names: 'sTKowOhVE9', 'OJio7DvtSO', 'wW1oQvfGIY', 'h3Lod9SHN0', 'XeCopSvvNv', 'LmGWTyDXsd2iCG2uoGu', 'v9Mu9PDaJxyVkitkgJS', 'VWwvFgDE2GBb9ggE2cV', 'Q86FwODsf4AvDHLddaw', 'VYFRImDmhgfShb6UMPe'
Source: h1a1eHrclt.exe, EQtWQ3TNdH3xGpogUlT.cs	High entropy of concatenated method names: 'aaiyGIAEqF', 'Tm3yf2OXqd', 'Qpnyk3cgMX', 'yxuyXa86MI', 'NaryJ2LsqK', 'jOGy8ZLurT', 'pgEMjEX1ectZUM1g6k2', 'IDoHplXDOamvSGMcfHH', 'gR1qWiXWyAterEics3d', 'm58qovXQU6FPh7g7T68'
Source: h1a1eHrclt.exe, phFxN7NioGUhEfowAkC.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'AhvtHeZZbB', 'wwxtlQ8nfQ', 'r8j', 'LS1', '_55S'
Source: h1a1eHrclt.exe, GXYkFqNBvh1OAu7nkgb.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: h1a1eHrclt.exe, m2hUbaNXI5AP6XSJ81x.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: h1a1eHrclt.exe, E7P5NGhjUnP0O0esRF1.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'z8fL6SnAsl', 'qdwLhmhPyh', 'hO0LL6sHwX', 'U6NLOfIZpV', 'G9iL2fJkSr', 'cdyLCnZyRE', 's8eXbGyGCGhhd7rQGGH'
Source: h1a1eHrclt.exe, XSrnu47PZefU14h0sn5.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'ibvBwXiOaKRtiEmpImn', 'VYZxqdiBtVjQRrKGn3l', 'EnsH68iSFjOihxTfNoT', 'oofOxZi8tlMfslyfvBN', 'DKaGCSicsBToSSie2tc', 'b5dRUQiGyDUQyYsnWLX'
Source: h1a1eHrclt.exe, BtxyJKaJ6dVjquNB9aL.cs	High entropy of concatenated method names: 'kk2K5agZuQ', 'VMHK6E2jwj', 'EqSKhtgyEE', 'hwAKLXsRZD', 'hFWKOJII44', 'HsbK2jxp4s', 'QQFKCrsHQq', 'c8SK0m5Pom', 'jMMKKppeBS', 's2kKDxdiVu'
Source: h1a1eHrclt.exe, PpwnyorSw6lhircxZB8.cs	High entropy of concatenated method names: 'TsB9sk9QfQ', 'TTf9YIjvVH', 'dhO9iIxhmP', 'zvi9MmnFck', 'HG395baxPw', 'G0ygdxpRliAM1KO0Hp8', 'Vh2QlUpVGGijLhR598H', 'PKIt0ufP1JbvCejWbW0', 'xhTfyNfzdZxjO5NxaaB', 'wV4IOapAJEQljuukkgX'
Source: h1a1eHrclt.exe, u86F3IrARqkNVtLTnDf.cs	High entropy of concatenated method names: 'y1LVCLlyvC', 'GSnFDDLjIwOllA5ylbu', 'yqMpmSLPTOK3bEmC4jT', 'sSYWAyLZJNYEdSNfbQl', 'B0duoXLkfv4FMBqPpBX', 'uXfC7gLzv1ZJhZRwlN0', 'FgbWsdaRLImfAvkPwoR', 'V0S8SMaVIyLUqrbw53A', 'L3XSJGaAR2ifm3ZDgZT', 'qSVjBsa9SvPkOUxWiQ1'
Source: h1a1eHrclt.exe, EjPjWZ7I3GWmbFdj5oO.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'o1Q0U8MRH2xmK1donrZ', 'A6ihSSMV4pRSXabafVk', 'HqAgonMAU9XWg8vLH8Y', 'Rim1euM9Agb0fcpmaph', 'HoqLHRMCdRU2rViu8F8', 'pO3tZLMu2MATxYQu34x'
Source: h1a1eHrclt.exe, Qkum6TOXfkJU4ASTmL.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'i0NSYMAi3NNniHTBHvL', 'JjUCYgA3SYDcmpAKSsA', 'U85v9sA44p0QCDCImdt', 'ipcPtUAnYXx01FtR2KT', 'mfLR8yAwFlveuVOxFKw', 'LE1WFUAfoO9WRD9ytZ7'
Source: h1a1eHrclt.exe, tA8Q7eNLYLD2i8sIAcw.cs	High entropy of concatenated method names: 'dJtRUmhicp', 'LOwocWqE0mOgo6XFoyF', 'EIBeBJqXdyKHG7wdIvt', 'GCcTlpqL4UU2ataYvZg', 'EUtFx0qaOFnJnEqVoWP', 'kQsA0PMUaZ', 'wicAKtavkP', 'H0SAD8TS3k', 'D44Aw4A8Rv', 'F6pA7gqljl'
Source: h1a1eHrclt.exe, jPe79nQyWr8AbTlZmq.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'zaYXukCrsfFpgWlUNN2', 'gXngoaCgb8k3wYXvyqd', 'BQdtxQC5J6xjTmS5JCZ', 'nDYfQbCvrvjOUpP9jE5', 'akX6CUCt79FQEpZwNew', 'r7ho8tCFcSm1xfCxVD4'
Source: h1a1eHrclt.exe, xTYwNIT2oMup5amaT5n.cs	High entropy of concatenated method names: 'sg9', 'EtwcYCtXBB', 'TJOu4iNQFh', 'RjfcMnwaMv', 'FTLsOo2tnfT5jsZrbmm', 'ea2uOJ2F6TQmHIK0SAb', 'JuTZx72NKPgI67jk8e5', 'B34DQE25Krkyq2TZPKo', 'Bwfp6b2v8dGem2KGqVx', 'g6mp1V2HdDXPVXYaiTT'
Source: h1a1eHrclt.exe, ju4ACRT5d5CdtaNm35L.cs	High entropy of concatenated method names: 'DswuDfTkcO', 'bViuwLnQSK', 'eYhuw62EdyPCr9HUfAh', 'sOWBg92Xv8stFKdwE5t', 'vaQ5M52L5Fxsck6g2oq', 'TTpZId2a2rpdoX72EFN', 'JVnrNK2sZKkiAvYed2l', 'e3I2PZ2mxhvBTKgxeEd'
Source: h1a1eHrclt.exe, yukyl1hEBXSjdNkKYRD.cs	High entropy of concatenated method names: 'aK1hFRJ8wE', 'M0ThsZ96aW', 'NBmhY9QnDE', 'JmchieSwXk', 'TrWhMyx565', 'v0kdYu0kl8kyD9ZeNDo', 'A7TU600jmGClq7Uyg9X', 'lhdsnk0PXTubAQx6fu7', 'zWpgLW0zMUF8QIy9eUM', 'AxwxYdJRwx0fJYyj3QE'
Source: h1a1eHrclt.exe, jODQhu7pfTUquWbdJMr.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'gEEQOVMPvweAHHOmf5J', 'mvcuvkMzuQVnGgyGFNH', 'eXf5I7eRTtsqa1MSnf4', 'dXp3IweVnt3AHeUPERT', 'LHvFyfeAj5NlttQvOXM', 'Th0ufoe9rLbfL2EoZxY'
Source: h1a1eHrclt.exe, tujMEErrRC4upTyrwG7.cs	High entropy of concatenated method names: 'X4Vg833oDT', 'cRWgvW8eZU', 'oEugcb4ToZ', 'guOgaWIKPo', 'wu5gPABwxm', 'hbfgeSAbOe', 'ajB0Jv4aoVn3uImieRk', 'YC1Hqp4EMEUVWJk3kCM', 'O9lTrs4pmFSGCQNZ4s6', 'dZs9Gg4Lm23dP6ZJsVO'
Source: h1a1eHrclt.exe, hTMSP5hiBcbITPt7G9l.cs	High entropy of concatenated method names: 'KFcCiXTc98', '_1kO', '_9v4', '_294', 'PibCMfebEN', 'euj', 'AJQC5BsT0G', 'aBqC6BmKSV', 'o87', 'CpNChT3nX8'
Source: h1a1eHrclt.exe, wrvgjaver9L0L3jQqE.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'ycMEhDuWxxYCY9RT1uk', 'SnXAGsu11V1o8NdfY4l', 'xXZDnXuQgKRwm7hyulR', 'V5GcmQuosuOargfSy42', 'lGWVCOuO4kKLC8XMF5I', 'jOFh6vuBhQrqwOZ0ntr'
Source: h1a1eHrclt.exe, n2QMGuLYniKS1XALVRP.cs	High entropy of concatenated method names: 'UgT5FRFoJN', 'iR15sJ27ju', 'THIcfBcKUPngopR6Gtx', 'wxGdcMcxuWrAM8IhKxA', 'cxW0sccZVuTLwjqdfK3', 'HF4ciWckcp68b2uTCx0', 'mPBrePcj7FcRk0aH0ru', 'RpGEyDcPC72ncLx7hXE', 'fZcJsnczdoTF98OS8FK', 'bmUb5bGR9n7BSGGJs79'
Source: h1a1eHrclt.exe, lMJnpGre6eLeHlC9W3Y.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'R0eV7Vs2wk', 'moeVQiMwoI', 'qCoVdkJqbp', 'e8qVpAY3oh', 'QyJV1msr7M', 'XlDhTdaedtOL8DJbILw', 'T8Huxpab6CNJ96Qeqht', 'll62lFaT076bflaJPx1'
Source: h1a1eHrclt.exe, k53gaBN51q1lrDFM6YL.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'cB9oxCi1sE', '_3il', 'TOior5SxuX', 'ys0ogJqnii', '_78N', 'z3K'
Source: h1a1eHrclt.exe, Jevog7NtZpoeF73sUpj.cs	High entropy of concatenated method names: 'T5Sb9RRE9c', 'Ow4bVaXNKc', 'Gt2bEuStpR', 'R1xS3nUL20VN493hEKb', 'eg1g2uUaSkmab90uAQg', 'l1bfrjUfZf7Cw48uAo5', 'zLSTFAUplDX794UtZ8l', 'cFpfeRUEVUHC2XFNKTi', 'BPrJhfUX1rOsF5ke6JT', 'Kcs3TIUsEgUv2Tk0mGP'
Source: h1a1eHrclt.exe, lm8BBBuaZwNxDXeXAo.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'BDtXVwCawsrpCt0mNg0', 'CwLBEeCELcpo09p29Cf', 'ndNgvgCXsK1OUAgLJVy', 'lxCne3Csnu3AddwxIgO', 'VWjXBrCmOvwW8ye7c0d', 'RYwftmC6NOwmCpyeIce'
Source: h1a1eHrclt.exe, upOqCvToWjZ63EjDTDV.cs	High entropy of concatenated method names: 'lnN9JThGpuBiPdCuU6U', 'Gx3otEhdf0bZc35Jv4h', 'mXt1rth88s48fymPyiI', 'KviMEthcNwwvVBqsbhm', 'IWF', 'j72', 'emDAUQRgUb', 'PcmA31bDnW', 'j4z', 'GYZAWuFZy4'
Source: h1a1eHrclt.exe, NkCf6YLxkRtrSTKWCVj.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: h1a1eHrclt.exe, CqlbON7KcRb1uQEfsVZ.cs	High entropy of concatenated method names: 'XXYrCA2GBH', 'WSEfPyMaokkc3soJwrF', 'tpFcxNME8l9HiYQOFcs', 'ua31d8MpF17gKOH4Ma7', 'Cx5HLSMLlwymPXufClX', 'Ygaou6MX7ArnEAWZ9AU', 'nBixVxMshTXLl1GbsMY', 'M71EiqMmLjgcutbyPsE', 'VWKf9oM6ZvIZQ9AN7Fu', 'f28'
Source: h1a1eHrclt.exe, sNDxSC7QkbxeEncqtnX.cs	High entropy of concatenated method names: 'W1dgBJZV3H', 'ig5gRVj17S', 'jIvqTni34ofIPsEFolL', 'Fka7pxibT9gq3ANc1KD', 'Me2QTZiiyvU1ebJtEPO', 'fNs4Lpi4JXuSpNo10ee', 'vQnqhsinuC3ohO0c9ws', 'QFQ4GAiwJUf2VbNq9Yc', 'eGIKIjifZF8YYsunbS3', 'UdMuK7ipBobv0XVOlp5'
Source: h1a1eHrclt.exe, M8tUEdL3E31g7arFWVi.cs	High entropy of concatenated method names: 'Bju5PmJmnf', 'pKD5eENjG2', 'K5E5IYsNfI', 'fhU5jYMAip', 'wh35Zo5V1m', 'u91540Pn6l', 'NFHAEEGtiAW29nLPL6t', 'WcxuNPG5vv0WBF1h1L0', 'K9uBiBGv3ritU7oi4H9', 'RPqgqkGFhd976KOBs9J'
Source: h1a1eHrclt.exe, LlO5avNoS392bL3yllY.cs	High entropy of concatenated method names: 'Yj6H61IaXu', 'oGLHLDTipc', 'TIHHom4i1Y', 'vE5HtLrAI2', 'FpkHHpmhCD', 'aI1Hl9i0l4', 'bCsHUxgDKH', 'Gq1H3CAwhd', 'uJUHWqh9tr', 'c59HTPXcn3'
Source: h1a1eHrclt.exe, ENHbnK7aWcMWv5XPruf.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'P6xJRZ7xgmLfoHmqn3m', 'NYRC2F7ZfSWmKBHKnfE', 'bXgXyb7kds6Zfcf82Ah', 'mPTHVx7jKaO7SqfDoKu', 'XtnORW7PvMU6qnvCOca', 'jEwmDr7zeiY1id0qd27'
Source: h1a1eHrclt.exe, FdbpiwhsS2U5JcMT3K8.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'beFh5G3CRX', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: h1a1eHrclt.exe, eqdfR3aDLAxDpiyl7o.cs	High entropy of concatenated method names: 'Yf9oj2qNx', 'wFWBBSB76ykVKN60uf', 'e0ts6co7UtnUCJVEkB', 'SNelJHOqUPS7Ksxcm1', 'UNW34qSo8l3juYPni9', 'EiNvbj8oWMJ5yTXF5x', 'UwhgPxLJ4', 'awxNNXQf6', 'XEH9A69lr', 'CKsVRkmaO'
Source: h1a1eHrclt.exe, DC1YT7aXe4HOl71UWbO.cs	High entropy of concatenated method names: 'EFIN3oFFQvu9g', 'uthmeS5fhXK7JVonD5D', 'ftQon25pIj8VKUPnpak', 'lwVdEC5L2GVOFMqXieg', 'HctpsD5a1XcXx1Nac56', 'EwPGJl5EKrT4sixhC3s', 'CkgVGr5nKb1QtTRRU03', 'SFmpdS5wWJemEmkckdc', 'ul0I055Xr8JrF6BLgoB', 'irQYKm5sqw6aGAPupfY'
Source: h1a1eHrclt.exe, pcnMMATPQT5fVeQZLZb.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'LigABWreGb', 'W6dcAl1tE6', 'r9QARTOabC', 'NwicNNrnTX', 'aRyMTsIdVFh7SO49Qdt', 'QvATeFIYRZeQlFrefnN', 'YmfIhIIcKqTM1MqupgX'
Source: h1a1eHrclt.exe, bUFJOGT7jM7ODd9Iecx.cs	High entropy of concatenated method names: 'ltByCMMByD', 'kjMy03ZbE0', 'wU8yK8wanN', 'IhqyD44sQD', 'WLBAiAEz2wpQuhTxhc0', 'V0D2pUEj48Rai70V6U0', 'DD2uPKEPPvQFxgRcQsX', 'xVEUR4XRcfMXtOUeCmd', 'FJgTI3XVNbRS0ApQgdB', 'ma91T6XAiON898C5f2e'
Source: h1a1eHrclt.exe, FjPl2VLAHn719X6PdiL.cs	High entropy of concatenated method names: 'lHr6xxtOVf', 'TG78xbGkNPBUmI2FNWv', 'm6LZumGxIoHAOJKrdOC', 'qhDA0vGZw2dUF9ccw8y', 'EEn94SGjUn77SAiuGcQ', 'MgwaASGPM2T3QwQiSXE', 'YmbAIpGz8RvusUNNwFj'
Source: h1a1eHrclt.exe, NpKc6wTf9lLJvu2anKk.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'KjhclrnxUe', '_168', 'eyr1MSIqXqCQoV8ccs6', 'p9sOycIU4vXiSw6Tiw4', 'ujucMgIDJl7gT83Nhv0', 'bCVSi7IWXLBkyCx8k36', 'dg3IOrI1m5LmmY5kHXQ'
Source: h1a1eHrclt.exe, LHcq5Eo1CFOvCc596R.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'PoB4cJugmUguS9pEl7q', 'wOeKdau5WsGtA10UA0k', 'svoZbkuvQ407vWMn0Eh', 'yyFfvqutF2Qq1SJc3wj', 'j4g3JAuFuPuYAaqG1yS', 'Cvo0tTuNBarjwIk7WtY'
Source: h1a1eHrclt.exe, GwWnAVhp3TAE5rPOC4W.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: h1a1eHrclt.exe, o0Mj3yNYyD1DCEL7Ew3.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: h1a1eHrclt.exe, rmDmOQPCWM0LVuvGGT.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'iYkSCXuf0Y0AmfdQJy7', 'YgNEGvupsFemOu9hO69', 'VNk7EauLCreycFQXYYB', 'UYcRLsuaqrP6ZpPXprA', 'Rlu5PMuEgwgJXn1Zmbg', 'TA9lZcuX7VO7dAibZl3'
Source: h1a1eHrclt.exe, Dg8t5e7nIOLD44Jieya.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'iMlt6VTYGmrr7HL8Lfh', 'Qg3CHvT03N31srV3tLx', 'CghNIZTJ1NYqll1IWPr', 'G7c2yoTyFUpLqmG8YV9', 'eXXgl9Trn8i8poIuhL3', 'lBnjZPTgvZXeQ1XJWKa'
Source: h1a1eHrclt.exe, UmtlfWrqC17GpZ5qdAL.cs	High entropy of concatenated method names: 'aV3y6VP9LB', 'IqyBV8ENdmIbHhTdJq6', 'VZZdMtEtElvWaCA9w72', 'S6TLCNEFjaseAxr5RlE', 'zFXXF2EHBdni6RhbD5n', 'lkBZPnElxf0hPI8er5F', 'z2KyW3XDKx', 'M1ayTpZYj5', 'Q27yFYaaUu', 'RITysgbBbm'
Source: h1a1eHrclt.exe, ASMmeBhghxBHIrSlTFN.cs	High entropy of concatenated method names: 'v5SLuHO9IB', 'XCtLA9NS5i', 'plSLBe5C4G', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'uXtLRff4xt'
Source: h1a1eHrclt.exe, PDX4krrDBvf482YxINq.cs	High entropy of concatenated method names: 'Cmx9oTr21u', 'yZd9t0geQb', 'LI4oDjfhC3mAQ283LKv', 'MOywD7fq9hWk6VydisC', 'j9bjbef2MejneKhmcRM', 'BeVKJxfIQcDA4op8dUL', 'UMIR01fUEaUOpdY4Sck', 'VLCpJDfDSxKtBBA3CbU', 'z3trXZfW6cMGkNXTEQs', 'xf461Yf18gqEcscjgdI'
Source: h1a1eHrclt.exe, N68WH3TKELCpw3wUu6U.cs	High entropy of concatenated method names: 'eFGuHDnLTR', 'KiJulnbhuE', 'FA9uU78x6V', 'JkpQLK6rVh0wUC0j4pc', 'n1HuDG6JTg9bi2DSyt8', 'fLfRYS6yAHTd9DZO3vT', 'eef2BK6gg9fJZOkkWUZ', 'Af6uEcNOSp', 'HKmuyV3Qcr', 'EgTuqwM50P'
Source: h1a1eHrclt.exe, zBLppX2nxFT1GRH1E9.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'S7BgSuCipjmwIpp7cWp', 'n1wf6pC3fkr06gdw3Zl', 'Esm8IfC48phRYFsqtnJ', 'xRex2FCnGKB7VdvK78f', 'nLRsEvCwHrcsu49TjIg', 'Vk2xsICf36bdh8VED8y'
Source: h1a1eHrclt.exe, ngxA5uTQh0pGVXOQ2VT.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'eAuc4OJwAL', 'gLkA9hLDGh', 'Y6TcBcQ3Pp', 'LAYHH5InjZSKKThlgRx', 'fXXokUIwJYxOnexTdEC', 'cv8M6BIfxt1mu93IFSa', 'c6vXLMIp16uMXivIB2k', 'qvvKMgILivtK9HjPA84'
Source: h1a1eHrclt.exe, aibejwWTJLGIwC5HnE.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'CPKfHF3jN', 'Qlkvo6A8y3EKuhGJg71', 'N00g8KAcGq1DuYwqxIn', 'WGmQyAAGVCnp9Uafxpq', 'xehGbdAd2jLrt2AFpCq', 'avKvVsAYY7ssloqnP2q'
Source: h1a1eHrclt.exe, tqk5UIBwoLG1SqGs92.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'mYxudhuK4cjeThI3xEb', 'l4smfAuxRVTTeLFLj6g', 'UgYbhhuZRRVau2TIWyQ', 'pYrnYHukjf9ZXJOee84', 'phaAOTujZZE2MOTPscE', 'VK68MsuPh9VrMx26S9w'
Source: h1a1eHrclt.exe, kcJW52NZuTkjf6IAytt.cs	High entropy of concatenated method names: 'MufRQqQoxH', 'MhaRdBoTNW', 'yt9RpjPUZG', 'qp1R1uv9sb', 'VlTRm3YBkj', 'Bk1rOlqPTH12kM2dmFd', 'yITNkoqzcA6hu5nsWKu', 'uAlvbvqkWSdFc7lfucc', 'nGTMELqjHspqM2Pati5', 'RJnxLZURgyldCWDsud1'
Source: h1a1eHrclt.exe, cBwpX3bXmDTJUZM63X.cs	High entropy of concatenated method names: 'Uyl78KJWn', 'er2QTa30F', 'XpAdN89EK', 'BRiYpBVdRwjoGLM8NtB', 'yS1SCqVcfswvNlKg3gy', 'RU9rjvVGZHjepoeOH8N', 'WymAJ1VYgRF551rZy9I', 'gm7InQV0JkPxEU2xsIK', 'j4kA0MVJC3wlmvOwq1O', 'AJQWLbVyWiOk4SdFvLe'
Source: h1a1eHrclt.exe, SAuIUc7sWTMHcbASKOJ.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'Y2ULuKM8YbwRQBSVrkQ', 'cioOxiMc0yqkJUItwrh', 'T6GThsMGxNIEBwSieog', 'TtwJ78MddixDlJcc9t6', 'X7b9DOMY7G4YAmYDIkc', 'zXFMGIM01LUxYAayXEb'
Source: h1a1eHrclt.exe, OixhBihJRYLb5Ih5817.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: h1a1eHrclt.exe, qcO2Ojk6YpAQrjSDc3.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'HsXVioAjHrZjtXUgFKj', 'aKAhYBAPspinPyaDyrs', 'mujI8tAzPcrvGOFOQt0', 'hFIPXS9RiftOag0yp6R', 'yklvjU9V1MXi5LsHE4j', 'uyxvPT9AsqgIubv83hg'
Source: h1a1eHrclt.exe, HJCSx27YDZdFSBYn3IF.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'NguOoDTTFYNnBB7SSgq', 'ATuCGUTMMllgodFUDsx', 'jZRyC6TeY54Ot2mliYR', 'AbiiaETbxXK8HVYDZvD', 'IPbH6DTipvfmhdToKQw', 'D2Mf3ET3mhvWDcYwYRf'
Source: h1a1eHrclt.exe, mEtTVxTz4OFLkCE5XKL.cs	High entropy of concatenated method names: 'sdHAO3CDMf', 'fgnA2kN1aK', 'TVUACfY29k', 'd7X7OahJIwsDvve1BGH', 'HoeMJQhyfC4NA8utWhc', 'RlZHxghYxRCPLQeOy0e', 'p5POuqh0gwjGC0ythAF', 'PVFFn2hrY2AgsGM3u1d', 'pBPMdihgja1AnQ8vNYy', 'qMKQ53h5O3q7sfXkP1t'
Source: h1a1eHrclt.exe, Mst6FvGklbR31cHHCe.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'Fr9K229ZKujP3uJDLj2', 'UBbDVC9kW4ctD7CPA4h', 'Jw60d89jLjn07tBPsAA', 'brWI7n9PqUgSkhgUieN', 'wf5I3r9z4uGhXTBCr1q', 'w1yyVWCRA4Nl5gUZa6m'
Source: h1a1eHrclt.exe, FLV1fL7q3YJtkkZbZYn.cs	High entropy of concatenated method names: 'eiMgiQGuRr', 'MXkgM9Wy8Z', 'jGAg5jJU0N', 'RaGcwT3ibd05rxHmg5d', 'KmN3Mn3eZEYFIboqtlD', 'CPd5iE3bALcvOQKxabX', 'nsqScG336yRva0wSorL', 'mEapGg34f25XqEwDgFK', 'nxiKd23nHrRghnGZgiB', 'yyC0xN3wpbpvKLC2L65'
Source: h1a1eHrclt.exe, jgEnQZj4Qs3AV50K3e.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'EK0mBHva6', 'Gxy8xBAXhJLkFDjMFYN', 'J4ZkF2AsqRbDnhBqVwo', 'OXo6AqAmfCpOqvUPUy1', 'iuZaOwA68hfYhqSVtYl', 'DmhhmyA2uT8acjbJaqK'
Source: h1a1eHrclt.exe, irxHZtNVfslXOGj3GTU.cs	High entropy of concatenated method names: '_7zt', 'xDgbT7c9Zi', 'LDPbFhMPUY', 'Tfpbsqa969', 'QwEbYkKS1f', 'GkcbirhJ8W', 'hWbbM8hJ3r', 'jY4aNoU2kOA4TqUvkxw', 'RAR0PvUIcdFWipHBrho', 'USwHOwUmNURRSlmh0S1'
Source: h1a1eHrclt.exe, ywtfX57TtM1GRyIPgvN.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'lOhpIl7QCh86pwBFBNQ', 'htRgV17oCTrloG415vQ', 'goIt5O7OSow1wmU90QL', 'IEvyMC7BdarhsfUWqRg', 'NIb0gw7StZvaRYXjlFm', 'WputfC78lYFGidQKWnj'
Source: h1a1eHrclt.exe, z9ttngTnxWp7pyvZhoh.cs	High entropy of concatenated method names: 'rDjqfhp0li', 'lrbqk6FAcf', 'teZqXUKilX', 'usgqJyvC3A', 'XhAc3dmSMqcddXQCsjZ', 'C2s5Y8m8ca8Mx0ojTeV', 'z2W4TImcfD5T8OhI601', 'mNo3EOmObG17EChfI9E', 'hrhftNmBEnRIOX6GqoI', 'F07AacmGabeJcZmE8sx'
Source: h1a1eHrclt.exe, vJrnlAhhvlp0JM8CIPn.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: h1a1eHrclt.exe, GmU9fV7eXiDNOegBJht.cs	High entropy of concatenated method names: 'qlsr4MaS4j', 'TtHJBcbGvNQ6rXPPG5t', 'MrinVpbdhdkL64ilthv', 'nGZcK8b8bRR9vvey8B1', 'uVvqfTbcBQb99gtKIBO', 'pes1QmbY2y8UAB6a6jK', '_3Xh', 'YZ8', '_123', 'G9C'
Source: h1a1eHrclt.exe, H0k8IphWHD01gh7KnnI.cs	High entropy of concatenated method names: 'IlG20mrCjW80wlEGym0', 'ovmSt2ru25y6OxFuCB9', 'lIbMbtrAQoP2VEHE02D', 'jQpp3wr9vE1jaqkWZnR', 'rm1L7sayV2', 'WM4', '_499', 'TZTLQQib7g', 'AhQLdP5o39', 'vBxLpPUxoL'
Source: h1a1eHrclt.exe, cpHSEhfrLJlrHm5Ric.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'KCqqcHu7iIj6ANiVEUe', 'e7uSPPuT4DODf27PQNl', 'BAutauuMoJE0RDceJFB', 'x1pJkyuey5ReUPnXKP5', 'LDeWTnubPZnM0AZqSLl', 'ciQA5tuiYBnLegajUjr'
Source: h1a1eHrclt.exe, LpWOsrzcTU1gsdi8DX.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'IAC51079CXl1P5LQHOC', 'VHVkvi7C1NHi0PHEHAZ', 'MNSo0s7upV7VXM5SQNR', 'fwAdps77MEaKJrPeGnQ', 'Qs3Ieh7TE4h4BUalj6n', 'LJOanj7McRWYOL0IK79'
Source: h1a1eHrclt.exe, z8IkeoTdb1MGPXrZfHc.cs	High entropy of concatenated method names: 'LAcqwEV2oH', 'cxPq7NGfdi', 'vqIqQercQV', 'GKIr4QmwVM8Ar0DgSE7', 'zM1w8Pm4u4C0M0rFd7p', 'dh0ahbmnkGRxDsIXwsm', 'W9JqEXmfJofYveHbBNN', 'jeGqHLrnVg', 'bwTqliPffE', 'ODCqUlo97g'
Source: h1a1eHrclt.exe, Gtk1KIepeiBhvby6ZA.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'wj0XC09cGfo8XFZDjWV', 'flt27Y9GZ5702pCf5Ce', 'wCTQlM9dwbKmJ4iQWVc', 'GBLFjl9YZVUDcgyCi0g', 'VCq4gJ90eUP8tEkY61i', 'k1RbCC9JMhQnJjWAWox'
Source: h1a1eHrclt.exe, dn48JCNvQKk7YATH4Iu.cs	High entropy of concatenated method names: 'W77t4eoDT7', 'uRet7qDWVl', 'iaQtQVDWus', 'gT3tdq5hKj', 'tnctp3vKn6', 'Kwdt1kIibu', 'Qa0tmyUDql', 'qDOtny36Im', 'LORtGXPJrF', 'fiVtfLiFNJ'
Source: h1a1eHrclt.exe, nKXxYM7Jf8P5CdUvqGZ.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'vt6mPfMveEU0ljcFJOs', 'qi6NbRMtf6nKU7X43Mt', 'VgiOvLMFrV7PtiYBNmM', 'CB3o66MNmiTZ6SlV42o', 'BbTirHMHeUAsvNp2lnG', 'aVg8XkMlr3wslw97OM2'
Source: h1a1eHrclt.exe, FLoRtiS2ydo47ZULCP.cs	High entropy of concatenated method names: 'V6S5c16KN', 'lmj6BBT7l', 'avmhJqZed', 'SbkL8hv8R', 'i6aO0lsnE', 'mqs2jeJtq', 'bHVCnMKZP', 'Cyrtb7VMmUtAxZcFV7W', 'ram4nBVegnK9UQZNZIx', 'SYG4IKVbihL8ci5u8hi'
Source: h1a1eHrclt.exe, IgHCkvLcatk56EHrqFA.cs	High entropy of concatenated method names: 'Kf969wZw06', 'srN6VOdOy4', 'ThB6EqM1w7', 'QQu6ySwFj0', 'o0Z6qOP5bO', 'Yby6urB2Ae', 'Bvv6AKDJQc', 'Rg56BvmwrO', 'fVq6RPMqRi', 'Fpm6bE3Aex'
Source: h1a1eHrclt.exe, aZulNf7vwl46ynZLHX1.cs	High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'AIRZlBiF5qY180gXF2N', 'ykTjtliNJoEEqm5F2FE', 'hWVY6viHy6Ld5xiF6D8', 'NQaakpilGoncv17nSEw', 'RS8N9KiKcIbt88vrUl7', 'eP8is4ixNQvRSdUJrMF'
Source: h1a1eHrclt.exe, CBBMcvhwVYAY7VUoe5i.cs	High entropy of concatenated method names: 'Pec2pu200X', 'qd1pUXrQVRA0FMtegGA', 'eQ6kuJroPTvAZ40RRed', 'wDiHVUrWjnkA5W7eaKq', 'xqiOVWr1ARiZgNdD7AX', '_1fi', 'lfjOafU6lF', '_676', 'IG9', 'mdP'
Source: h1a1eHrclt.exe, GXT2iCLlFC8LWJ3jAaU.cs	High entropy of concatenated method names: 'rcd5838A8k', 'WM05vQ7DSj', 'klG5cxDyX9', 'Jh5H8oG0wbS43352ctC', 'TBoPbZGd1qgwSXnfDWF', 'YFlFEiGYPrjIgriYJEC', 'Y5868QGJMrnREDMaM9R', 'BGSQ1sGy6m1Hv42hNNu', 'resSGlGrTULSmgAxrjO', 'mrhC8hGg3kfQGd1Ar1M'
Source: h1a1eHrclt.exe, vXy3RPrtRHPVa9Iv4Qc.cs	High entropy of concatenated method names: 'H2iN4SOXio', 'ETANSHNnY0', 'dwmO8uwXsyxhuNYlUcs', 'wyrdFjws93kc3F7dKRX', 'fQxb0Xwmpgq7xscuKOh', 'ye0aOjw6q6m9I3ppaVM', 'a4KGPZw2dNE4TvdFkSJ', 'BZZg0WwIp0NulvC37Gk', 'sSliqgwhGX2tI05Qt6W', 'bFhlUhwqYopSs77thK7'
Source: h1a1eHrclt.exe, ntvKw77oB2ZFBm3Jf1F.cs	High entropy of concatenated method names: 'k3KgTLjghd', 'nUSvCt37qoth3HpBAhn', 'jilWYj3TeJm8sEqwySU', 'vDRaNJ3Cs9q7A0kQYt6', 'mHZrnD3u90t1RC2TTuk', 'CDGBEM3MRp5SSJqYeKm', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: h1a1eHrclt.exe, Cvj3927f8GtE2O16oMu.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'F7Gpsqim25OIjFSqe1U', 'yEssxKi6kw7AQ8lRln8', 'WQIdJci2r7XWIhjw5vD', 'jTTmoNiIcjfS2Ykr2TN', 'KITGPEih0e8g5Bd4JvO', 'sl0YRfiq2XwYmyhp4PV'
Source: h1a1eHrclt.exe, OapRMpTuuBylWsFJ5di.cs	High entropy of concatenated method names: '_5u9', 'JXmcVxc774', 'vyMAxm1dDd', 'BMgcrMUuSk', 'ND94Hk2kKDZfmeonhQh', 'XRKf7j2jP5lwuLNuaNu', 'vXVg532Pl0P8R9sA1TI', 'H2E13L2xtpmyu1vT0p9', 'JvdB6W2ZORjNwJO5pRu', 'KJZ3yO2zDv9uUpiYm1H'
Source: h1a1eHrclt.exe, O1CRA5rGu0oLs72WfgT.cs	High entropy of concatenated method names: 'PmNEqrmjyg', 'eA8EuvGlxS', 'iavEflax2jZSPKyjFDh', 'cwFysoaZf4SXjOuZoPf', 'VlH8Gsal7KHjWCEunOY', 'MDsjyBaKDN419bVkPhu', 'DC4EUUIJpp', 'LO18cgERQQHMXYouZmv', 'grYmQ0EVIHsqy5JUgFw', 'TFeCllaPis6FKixZu4i'
Source: h1a1eHrclt.exe, sxjVhNN6cNS1J4PeX5v.cs	High entropy of concatenated method names: 'bvwbwxyOdX', 'UV9b7j4PIJ', 'm1tbQ3o4nc', 'dkRbd0ulQu', 'bOMbpr7008', 'DnJVpdU8AiEsawCELjT', 'pO9j2YUcTKVLq2BKljZ', 'PRrc4LUB1YQrcIbYGnr', 'TQs8TRUS2fYWJhH7wMC', 'o5XkXiUGynoGciLZS46'
Source: h1a1eHrclt.exe, Dwic0orVNMhXjIn6xCu.cs	High entropy of concatenated method names: 'kp8NzCxcgh', 'Hsk9x7BQ8y', 'gEv9rjQ3vF', 'Wfi9gCHUan', 'FPj9Nx0fOb', 'i3099VtbfX', 'Sku9VoRtOY', 'oJt9EBTSo2', 'uqJ9yB8mIf', 'wrp9qXALji'
Source: h1a1eHrclt.exe, sWsogV7X6bfLYXW5X4A.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'eJdra4TXZlYfgUZ0S1D', 'RS6cFPTsbCeMfLUb7yO', 'pS1r9XTmt0lngUMVwDv', 'APEwivT6PTLbb4dbaFt', 'DhyZWZT2g2apZ5s3Fbw', 'ntYsZ6TI8g4fkojKLj4'
Source: h1a1eHrclt.exe, lWv6x3LgVjxWbFswRL5.cs	High entropy of concatenated method names: 'd095k4n8v3', 'qBS5XY2DYc', 'mUZ5JWFl3c', 'srpggoG8Ony0ZELavWB', 'EPSUhLGBHQXlPm7G8RO', 'aDvIpKGSr1aW7utjnWj', 'TUAn3TGcJdG2x6Bt0QP', 'rVNtN5GG57lidrl7FHX'
Source: h1a1eHrclt.exe, InuDCD7g4DGa1uDjcKA.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'ivFY5qecK3b2FryuGxg', 'ADlWQjeGFC0Pw3NdQSc', 'rOkSN5edVO3xj3cJF9c', 'Nw5U7XeYttEQemLf0gb', 'odQmlCe0W74muhUhxoB', 'oORZ13eJkMLNXLryZKl'
Source: h1a1eHrclt.exe, bF9lvyh8mI5iGOsLfP1.cs	High entropy of concatenated method names: 'Uuu6Xci5rb', 'yGW6JCXR3Q', 'dLg68JT9KZ', 'f4T6vPodnm', 'rcK6cCc3DG', 'AjG6at9cSG', '_838', 'vVb', 'g24', '_9oL'
Source: h1a1eHrclt.exe, mrl5DRTIJFo2vcyyVQx.cs	High entropy of concatenated method names: 'FRBqPrjTjB', 'YkvqeWOIb2', 'fxWqIR57lt', 'csNqj5dMC7', 'YG2qZP2D9o', 'ArIShI67l677GbDr1jZ', 'SFGX236TrsRRREcBYdV', 'Y4VDP26CgYe0K7C1kiX', 'aDxqaw6uaiKxLw8G8uY', 'MQUqLG6MdR1yFrQje9M'
Source: h1a1eHrclt.exe, S5jDEK7mHXV7Dt6smke.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'S8gh1sTlqpgJmOsHOsC', 'YiNEQFTKOw2bOVjnRDM', 'xXqXWtTxnWWOjKn7Mwf', 'iSjOwbTZC5IaBEJ2Wst', 'vDs7kaTk8CiCsufgJjr', 'XhNY2FTjHXWmd2VsTI2'
Source: h1a1eHrclt.exe, ngfKfBhuXKJwVBfHrDY.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'm8yCuPw14s', 'aKbCAeYm9F', 'herCBcCCQo', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: h1a1eHrclt.exe, ELZd9SLqSrNa4gD0Cpw.cs	High entropy of concatenated method names: 'FCC6OG5jDi', 'gP262pOmAo', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'fbK6Cnoove', '_5f9', 'A6Y'
Source: h1a1eHrclt.exe, n1ooaE7AQFy1h08b8td.cs	High entropy of concatenated method names: 'll7reptp7k', 'uhuUgtbhWWoQ346IVbc', 'y615AlbqMUJL158bnbp', 'cPWLhdb2OYnqx7P4Ny7', 'DqShKfbIQ84GT4qOFfc', 'oVeW7obUIdM0Z1Im07s', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: h1a1eHrclt.exe, bsoBub7MLMrnHLDQfZS.cs	High entropy of concatenated method names: 'PpWgrxtoNY', 'nRngg98Np4', 'EpagNcC1TE', 'y6pnQnbHjBiTm5TbfTK', 'PTBtHjblCJ3Hu7Say7c', 'h2MdMabF2xQI6Napjo5', 'y2GgBfbNog8N0PYXC22', 'jE6QUmbKmbBuuGKc9jS', 'ODak19bxnSaeLmJlqOV', 'JG0VobbZg2EWLBQeCeT'
Source: h1a1eHrclt.exe, MZ5bWXL9PBtZNMMfQg8.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'Vvs6McTM1L', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: h1a1eHrclt.exe, doMJ3nTEhYwsyma2Shw.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'BOXFaw2nuWodSBD5e3U', 'YIJFBT2wWvxn3lKmyR8', 'UMY5AI2favt3rSJ3Eo7', 'Lsapq02p1deMBMogwIB'
Source: h1a1eHrclt.exe, fb8x2wr8oiNB9ZgwaSC.cs	High entropy of concatenated method names: 'u5Qg6d74iA', 'QV4ghtNlLV', 'A8jgLvFiFX', 'XYmOKH3BBGMCID1RCON', 'herjnW3Sl1naTp5UFIk', 'uQik3P38baPhL1lXhJf', 'cSgM003cX3v1qOeOk7p', 'jnBRZo3GiEGxhvMCB9m', 'ycvbc63dFayV7aHciW9', 'qYPwgS3oIGtoRZLO6Zj'
Source: h1a1eHrclt.exe, VsIv95aFHRwZujFnLxN.cs	High entropy of concatenated method names: 'KkXjfy5UtqHrQrW72I5', 'qOn9105DenO53nMS0J9', 'psNaWO5hs5hWdB7bVUS', 'OZuUXU5q0jGZg8aDmF1', 'ntUKtEnY4h', 'DnOvOw5QrCHyCM47OeO', 'pJLXf25omjTA2OEWu9n', 'CKkXEx5OmmCUPg8MOMf', 'TsWV9U5Bxur30hsxVCR', 'cjnC2h5SUD8Tlqma5nB'
Source: h1a1eHrclt.exe, NeGGpwLpLMf5JZPrAmH.cs	High entropy of concatenated method names: 'whn51BtAS3', 'bMK5mXJ1fZ', 'e3e5nvvD3D', 'cFa5GpLevQ', 'mYV5fuPG9h', 'WE6jIdGWoOKPhCbO20U', 'kug7YmGUXLydj5nuJeD', 'H8AA4iGDsDB9jR6kvZZ', 'TpCNV5G1sTO0355lPWZ', 'ncYTSMGQK3EDXPVxGv2'
Source: h1a1eHrclt.exe, Q3GUMn7ElxUbkKMdwO2.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'mPqRtQMhsXwaMKdKLaM', 'xgOZD0MqtdjOiELviyX', 'hCN2eSMUBUBopwEScAI', 'BwPDuhMDE7JWD9ifG5G', 'awsqHbMWet4vx2QUwZ3', 'BE0eRuM1M8JvwmrnicC'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\Users\user\Desktop\h1a1eHrclt.exe

File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe

Jump to dropped file

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\Windows NT\RCX70B8.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\tracing\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\Windows NT\RCX7165.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files\Microsoft Office 15\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\jDownloader\config\RCX7BAC.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Recovery\RCX5766.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Recovery\RCX56C9.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\jdownloader\config\RuntimeBroker.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\tracing\RCX6C14.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\windows defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Recovery\RCX61FB.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8370.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\jDownloader\RCX649D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\addins\RCX66E1.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Recovery\RCX621B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\windows nt\UQXKdqQetSFpkBwLVgNixbuHXutP.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\addins\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Recovery\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Users\Public\Desktop\RCX8071.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RCX7792.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files\Windows NT\RCX4FB2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Users\user\Desktop\RCX4C16.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Users\Public\Desktop\Memory Compression.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files\Windows NT\RCX4EA7.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\Windows Defender\en-GB\RCX5B70.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\microsoft.net\RedistList\RuntimeBroker.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\jDownloader\RCX646E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files\Microsoft Office 15\RCX52FF.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\jDownloader\config\RCX7AF0.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files\Windows Portable Devices\RCX74E2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Users\user\Desktop\RCX4BC7.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\addins\RCX679D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files\Microsoft Office 15\RCX5253.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files\Windows Portable Devices\RCX7435.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\Microsoft.NET\RedistList\RCX5EAD.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RCX784F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\jDownloader\config\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Users\Public\Desktop\RCX7FC4.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\tracing\RCX6B57.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\Microsoft.NET\RedistList\RCX5F5A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files\Windows Portable Devices\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files (x86)\Windows Defender\en-GB\RCX5AD2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Users\user\Desktop\h1a1eHrclt.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8321.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RCX784F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RCX7792.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\addins\RCX679D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\addins\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\tracing\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\tracing\RCX6B57.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\tracing\RCX6C14.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File created: C:\Windows\addins\RCX66E1.tmp	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\Desktop\h1a1eHrclt.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Memory Compression	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\h1a1eHrclt.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Memory Compression	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Memory Compression	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Memory Compression	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Memory Compression	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP	Jump to behavior

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Memory allocated: 1280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Memory allocated: 1AD20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Memory allocated: FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Memory allocated: 1AEA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Memory allocated: 9C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Memory allocated: 1A8A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Memory allocated: 1670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Memory allocated: 1B4F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Memory allocated: 1300000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Memory allocated: 1ADE0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Window / User API: threadDelayed 1268	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Window / User API: threadDelayed 1032	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Window / User API: threadDelayed 366	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Window / User API: threadDelayed 362	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Window / User API: threadDelayed 365	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Window / User API: threadDelayed 365

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\RCX70B8.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RCX4C16.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\RCX7165.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files\Windows NT\RCX4EA7.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Windows Defender\en-GB\RCX5B70.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\microsoft.net\RedistList\RuntimeBroker.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files\Microsoft Office 15\RCX52FF.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\jDownloader\RCX646E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\jDownloader\config\RCX7BAC.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\jDownloader\config\RCX7AF0.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Recovery\RCX56C9.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Recovery\RCX5766.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\jdownloader\config\RuntimeBroker.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\windows defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Windows\tracing\RCX6C14.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Recovery\RCX61FB.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files\Windows Portable Devices\RCX74E2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8370.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RCX4BC7.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Windows\addins\RCX66E1.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\jDownloader\RCX649D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Recovery\RCX621B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Windows\addins\RCX679D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\windows nt\UQXKdqQetSFpkBwLVgNixbuHXutP.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files\Microsoft Office 15\RCX5253.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files\Windows Portable Devices\RCX7435.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\RedistList\RCX5EAD.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RCX784F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Users\Public\Desktop\RCX7FC4.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Windows\tracing\RCX6B57.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Users\Public\Desktop\RCX8071.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\RedistList\RCX5F5A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Windows Defender\en-GB\RCX5AD2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RCX7792.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\h1a1eHrclt.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8321.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Dropped PE file which has not been started: C:\Program Files\Windows NT\RCX4FB2.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\h1a1eHrclt.exe TID: 7308	Thread sleep count: 1268 > 30	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe TID: 7308	Thread sleep count: 1032 > 30	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe TID: 7284	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe TID: 5800	Thread sleep count: 366 > 30	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe TID: 7988	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe TID: 4548	Thread sleep count: 362 > 30	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe TID: 7984	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe TID: 5232	Thread sleep count: 365 > 30	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe TID: 8048	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe TID: 6024	Thread sleep count: 365 > 30
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe TID: 7940	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: h1a1eHrclt.exe, 00000000.00000002.1913400700.000000001C1EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\Vr
Source: RCX649D.tmp.0.dr	Binary or memory string: IGvCvmCI3Gh7fCiOSgp
Source: h1a1eHrclt.exe, RCX8321.tmp.0.dr, RCX70B8.tmp.0.dr, RCX5EAD.tmp.0.dr, UQXKdqQetSFpkBwLVgNixbuHXutP.exe2.0.dr, RCX5AD2.tmp.0.dr, RCX7165.tmp.0.dr, RCX7BAC.tmp.0.dr, RCX621B.tmp.0.dr, explorer.exe.0.dr, UQXKdqQetSFpkBwLVgNixbuHXutP.exe6.0.dr, RuntimeBroker.exe0.0.dr, UQXKdqQetSFpkBwLVgNixbuHXutP.exe7.0.dr, RCX649D.tmp.0.dr	Binary or memory string: VYFRImDmhgfShb6UMPe

Source: C:\Users\user\Desktop\h1a1eHrclt.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\h1a1eHrclt.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\h1a1eHrclt.exe

Process created: unknown unknown

Jump to behavior

Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Queries volume information: C:\Users\user\Desktop\h1a1eHrclt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\h1a1eHrclt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Queries volume information: C:\Recovery\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\RuntimeBroker.exe	Queries volume information: C:\Recovery\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Queries volume information: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	Queries volume information: C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe VolumeInformation

Source: C:\Users\user\Desktop\h1a1eHrclt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0000001B.00000002.1832916443.0000000012FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1832482661.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1833064398.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1832482661.000000000350C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1832421022.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1832599441.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1890007237.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: h1a1eHrclt.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 7668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 7708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UQXKdqQetSFpkBwLVgNixbuHXutP.exe PID: 7724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UQXKdqQetSFpkBwLVgNixbuHXutP.exe PID: 7756, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0000001B.00000002.1832916443.0000000012FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1832482661.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1833064398.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1832482661.000000000350C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1832421022.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1832599441.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1890007237.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: h1a1eHrclt.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 7668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 7708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UQXKdqQetSFpkBwLVgNixbuHXutP.exe PID: 7724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UQXKdqQetSFpkBwLVgNixbuHXutP.exe PID: 7756, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	123 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	31 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	31 Registry Run Keys / Startup Folder	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
h1a1eHrclt.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
h1a1eHrclt.exe	100%	Avira	HEUR/AGEN.1323984
h1a1eHrclt.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8321.tmp	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows NT\RCX70B8.tmp	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\RedistList\RCX5EAD.tmp	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Defender\en-GB\RCX5AD2.tmp	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows NT\RCX7165.tmp	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\jDownloader\config\RCX7BAC.tmp	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\jDownloader\RCX649D.tmp	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Microsoft Office 15\RCX52FF.tmp	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\jDownloader\config\RCX7AF0.tmp	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\jDownloader\RCX646E.tmp	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Defender\en-GB\RCX5B70.tmp	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Microsoft Office 15\RCX5253.tmp	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8370.tmp	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\RedistList\RCX5F5A.tmp	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8321.tmp	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows NT\RCX70B8.tmp	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\RedistList\RCX5EAD.tmp	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Defender\en-GB\RCX5AD2.tmp	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows NT\RCX7165.tmp	100%	Joe Sandbox ML
C:\Program Files (x86)\jDownloader\config\RCX7BAC.tmp	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\jDownloader\RCX649D.tmp	100%	Joe Sandbox ML
C:\Program Files\Microsoft Office 15\RCX52FF.tmp	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\jDownloader\config\RCX7AF0.tmp	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\jDownloader\RCX646E.tmp	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Defender\en-GB\RCX5B70.tmp	100%	Joe Sandbox ML
C:\Program Files\Microsoft Office 15\RCX5253.tmp	100%	Joe Sandbox ML
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8370.tmp	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\RedistList\RCX5F5A.tmp	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files (x86)\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files (x86)\jDownloader\config\RuntimeBroker.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files\Microsoft Office 15\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files\Windows Portable Devices\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Recovery\RuntimeBroker.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Users\Public\Desktop\Memory Compression.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Windows\addins\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Windows\tracing\UQXKdqQetSFpkBwLVgNixbuHXutP.exe	84%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	unknown
18.31.95.13.in-addr.arpa	unknown	unknown	false	unknown
219.53.3.0.in-addr.arpa	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	h1a1eHrclt.exe, 00000000.00000002.1890007237.0000000003327000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501418
Start date and time:	2024-08-29 21:51:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	h1a1eHrclt.exe renamed because original name is a hash value
Original Sample Name:	1d98bb52c2eeac75f2e83e8b0b88459f.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@41/89@2/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe
Excluded IPs from analysis (whitelisted): 40.68.123.157, 20.166.126.56, 52.165.164.15, 40.127.169.103
Excluded domains from analysis (whitelisted): cu14777.tw1.ru, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, clientservices.googleapis.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, ipinfo.io, glb.cws.prod.dcat.dsp.trafficmanager.net, update.googleapis.com, sls.update.microsoft.com, www.google.com, api.telegram.org, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target RuntimeBroker.exe, PID 7668 because it is empty
Execution Graph export aborted for target RuntimeBroker.exe, PID 7708 because it is empty
Execution Graph export aborted for target UQXKdqQetSFpkBwLVgNixbuHXutP.exe, PID 7724 because it is empty
Execution Graph export aborted for target UQXKdqQetSFpkBwLVgNixbuHXutP.exe, PID 7756 because it is empty
Execution Graph export aborted for target h1a1eHrclt.exe, PID 7264 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: h1a1eHrclt.exe

Simulations

Behavior and APIs

Time	Type	Description
20:51:59	Task Scheduler	Run new task: RuntimeBroker path: "C:\Recovery\RuntimeBroker.exe"
20:51:59	Task Scheduler	Run new task: RuntimeBrokerR path: "C:\Recovery\RuntimeBroker.exe"
20:51:59	Task Scheduler	Run new task: UQXKdqQetSFpkBwLVgNixbuHXutP path: "C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe"
20:51:59	Task Scheduler	Run new task: UQXKdqQetSFpkBwLVgNixbuHXutPU path: "C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe"
20:52:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP "C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe"
20:52:02	Task Scheduler	Run new task: explorer path: "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe"
20:52:02	Task Scheduler	Run new task: explorere path: "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe"
20:52:02	Task Scheduler	Run new task: Memory Compression path: "C:\Users\Public\Desktop\Memory Compression.exe"
20:52:02	Task Scheduler	Run new task: Memory CompressionM path: "C:\Users\Public\Desktop\Memory Compression.exe"
20:52:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files (x86)\jdownloader\config\RuntimeBroker.exe"
20:52:18	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run explorer "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe"
20:52:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Memory Compression "C:\Users\Public\Desktop\Memory Compression.exe"
20:52:35	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP "C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe"
20:52:44	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files (x86)\jdownloader\config\RuntimeBroker.exe"
20:52:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run explorer "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe"
20:53:00	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Memory Compression "C:\Users\Public\Desktop\Memory Compression.exe"
20:53:08	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run UQXKdqQetSFpkBwLVgNixbuHXutP "C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe"
20:53:16	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files (x86)\jdownloader\config\RuntimeBroker.exe"
20:53:24	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run explorer "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe"
20:53:33	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run Memory Compression "C:\Users\Public\Desktop\Memory Compression.exe"
20:53:49	Autostart	Run: WinLogon Shell "C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe"
20:53:57	Autostart	Run: WinLogon Shell "C:\Program Files\Microsoft Office 15\UQXKdqQetSFpkBwLVgNixbuHXutP.exe"
20:54:05	Autostart	Run: WinLogon Shell "C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	nhom89337074245633707424563.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	Stacey Opted PYMT Tokyo electron limited.docx	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	199.232.210.172
	RqYh.exe	Get hash	malicious	Remcos	Browse	199.232.210.172
	http://my.manychat.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://idtyvfyfmst.weebly.com	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	Gxm6KI51wl.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	199.232.214.172
	http://www.water-filter.com	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	http://general72.s3-website.us-east-2.amazonaws.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://premium.davidabostic.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://elc-path.com/pdfglobal2/docs89q9eqwwe/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with very long lines (592), with no line terminators
Category:	dropped
Size (bytes):	592
Entropy (8bit):	5.896478690232391
Encrypted:	false
SSDEEP:	12:7QMEO++HbrQtZCKKz+j8e86jyppNgCd5yqo1n2UMNPb5MPw1GpKVXA099b5:UMEyQnCKTX8qOpegYGz5MIIMhA09P
MD5:	3288BA6EA7C5E3E3E95D48ED349288E2
SHA1:	340EB859283D2B6F94BCEA5D0CD61F7CE5CBC434
SHA-256:	8444B3C65DF426D7C4491BE29E74814011B050573B35000437EF0049A1133315
SHA-512:	923F894AAF17E4050E9F7B7D5BFDFE366C16521BC8CA8DA526CA3902D7E0EF6F62C4B5C922E01F96FA81A2A5C1162BB0FB9FB3E0A8A06A50604FDF1E626657F1
Malicious:	false
Preview:	eiyMuCLwauGi0oyCIbsEQ1Kt3JmVte0nkHu9S4Dzqp2PD9tdHNd720TnYESkazC54c8t4yuOX2Xl94q3ZJOgA2vuxHlNldY1m6UkBAiSdPj9dsndYYKRkg5BrN5xNgm4ef8DkF2Zk6CuTvQFdHyMSHRFBS3xFvE6npf7tk3TgvroeKs570TGsZlWO2BRLEUy1GHnQSV3Nfqhaml0j70Pc8ONDIt0imHcb2xXCFpoea2NtD6lRKrONEW213jIjeUlXNGhzNxeSMuBGBeALIjX43OWg4gJfgF9FQ0f7YvDWM5BUUv0Zj6a56qd9uB5ro9vHu5zL9CwXfBs7MCLIpt5koEJjWfNXzVsNK4jY5pagJDZ58fws0wC4DKcqwPydzZhJSexRcwM9TYbkpNl0tehDTxJ9c3mq16rtgPmdsePDjDlot2Aio8uU2d0fVxzjKgIWrrEalIHOPddQMfQj2EB3MW1CYHI5oq3D5O7Cxk7f0fFYAkTzhQqFeOJVzBBe9MjikZU7hNvSHfCrQcByySYYAxiqElMwidgo5hykPVRTeX89McFW9NqrxLhw1o36B9to9XvsoaicAE4nyjd

C:\Program Files (x86)\Microsoft.NET\RedistList\RCX5EAD.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.3797867526131045
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	C8A8B1CC3F01411C2FE3B1C690441BF7
SHA1:	3500AB8B34A3DDE2AE142C8CF5860EBFBD75BDB7
SHA-256:	F10E056660155EA5105D0406404DBD86A861157B5443655F23CB1D7FA04F00DB
SHA-512:	534F7DE8B9A70EADA5794DAC918FEFC0E7FE472C902F0A70860971EFA2BC380D68B1EF376DAD6DCF7E3EDB6A61192ACD4A3E40965400F3B6B5AF721EC74B3329
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\RedistList\RCX5F5A.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.3796046968168865
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	F43B0B725D72B0141930D6E257364020
SHA1:	508B8C9E151065BE2710D6270666A9EBAAE62F8E
SHA-256:	E2E8C94927653CDC9F08C76793718E8B38FC9C3BC9CC6D5FCB78F251FE718614
SHA-512:	C32C7092834202C154DCD77A5E63BF4489BD36356D1B8610224EA5FB0FB85BCF9F911784B579C5E05CDAFBF8D2F847F8A79E39A9D9F68B8AB4E008D021B5B4C9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379853135504453
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	1D98BB52C2EEAC75F2E83E8B0B88459F
SHA1:	AB0DB0ECA10717AD295B4C015DB9D51C20BDA41D
SHA-256:	6CB8969C2E226F0597598198992DD4AFD52D70AC83C187852D3CD872DD6B7A0D
SHA-512:	BB05CF51B6B7B4318BF81B9CC5831E558018D7F2347429CA4513454F06FF3BA5C77B90F82FE533DD5CA60139B059DAF65D752B5648C702D2FF4AF6E648421E26
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Windows Defender\en-GB\RCX5AD2.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379821207429215
Encrypted:	false
SSDEEP:	24576:dv/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:dv/ScA8oGAv5/c14rvuZx
MD5:	7D7370FF25D8A931F907CA027D08C820
SHA1:	1778B078A95ADB958D2BFD469327BA85A54AFFD9
SHA-256:	42DF7ECD8728B2A55BEFF8B4A6AF47088A0EAE69ED92BC686FD49010346F937B
SHA-512:	157D8C76E13432D2BBD7F3E51797F82DAFB0B6EDB57381BAAFE49085E05889E2E223022DAD8833626D7B9C8DB937F20C650C206766B87C6ABC93E18AA96F2782
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows Defender\en-GB\RCX5B70.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379639271639264
Encrypted:	false
SSDEEP:	24576:9v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:9v/ScA8oGAv5/c14rvuZx
MD5:	0DEB6886790B60945B5930DD1EA65390
SHA1:	6E55D8B566ECF6BD00DA1D7AD7F1729655248159
SHA-256:	56E52741481E28286A1FE8C1F6B348C464EE4A6A07B4C9FBA167B1C7F88CAE9F
SHA-512:	9E382479DB895145DFCA9CA9B839C86440DDAC0F636F8CB2361ED0045DF2C737B396CD36E233E4658492A92AA98DBBCF549B8670E3735C692FFDAA7DF82B13CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379853135504453
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	1D98BB52C2EEAC75F2E83E8B0B88459F
SHA1:	AB0DB0ECA10717AD295B4C015DB9D51C20BDA41D
SHA-256:	6CB8969C2E226F0597598198992DD4AFD52D70AC83C187852D3CD872DD6B7A0D
SHA-512:	BB05CF51B6B7B4318BF81B9CC5831E558018D7F2347429CA4513454F06FF3BA5C77B90F82FE533DD5CA60139B059DAF65D752B5648C702D2FF4AF6E648421E26
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Windows Defender\en-GB\b090c5ff0df038

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with very long lines (639), with no line terminators
Category:	dropped
Size (bytes):	639
Entropy (8bit):	5.8979249367170885
Encrypted:	false
SSDEEP:	12:qrUx3LFenRZlKzBP+rD6LYPR+qmbgt/zBeqS4RV9XOOHMqtfMd0F17+FI2Wu:qrUHenRZ4QgY5+qkgvs2IOsqfcu17+Ok
MD5:	884832C3D1D9D7C62C9339BF9F47B5BF
SHA1:	4FA115D6364BFEABEBCE7EEB3C2511BE83C391D5
SHA-256:	F88DCEAB20E2908B785F7243208EACB9E8C7D7625490AEC7DBC0D0A2CAA65E4E
SHA-512:	EFB61FC434947E166B65DC593943FD4C6E9C97670571BF8D067065F761A4C9F60741955E5338E4F1EA707D92275FFF909B1F11BB08C986F00ABFE3566D75DB71
Malicious:	false
Preview:	S8EcBjcOqT6tQj6VHCoW4ct1CxTPmK9LO7wwAftYntBMjnufiAxlvGtzPNaOQNmfTvfTwKUlSPsKbhSYCyqlWYZHO7hxFfIaHf2yIbsYpMSgXiXr5BMbgAJ5VXEzmhgxHSD5pePkFS6KF3uqj01DSq4HW6cvX3wIpeYFfbBbwmVNE8zbmYPwpdfaY5jtBeMMgxekeoLHyaRqUqDYGAI9n9cM97rj2SaRZJrQdP68NI7PLyGr2LmAVNjgVSlh7lOf99RL8w41EKveCMAL19qrqZ5LjL5LoZAl3bQMh4tFQu6LcEdIRap85gzkDGlx1tNoKKkk6yn6Pkb5dusfrw3OtBqXmpIbT5OhgRBSd3MdwssUF3GSXGGEz94IdN8QpMnUW4ZLtaBxkabBTWRtjzEMyJrhX2yP45xkEY8Le5j6ESeZi3zH6PrzIbfMM1y0mv3om164XGOoQHHgoR9eDqTpO7bn2v8mHtTTZ0xq64t0ADjAT9h52Uw5cNaoZSCmHmggxyGyeShJ6dpLXbT2NDtx6Y0MZIRn2HsXgDMe3takwn89hPR79JYE3tkZ83YWB3QzuSoUPz9emJASZ1oK1Tossoewcwg9UEi3WJOPk6sJJ4butRAGPNfsOiGGy22cS9K

C:\Program Files (x86)\Windows NT\RCX70B8.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379785264822321
Encrypted:	false
SSDEEP:	24576:Nv/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:Nv/ScA8oGAv5/c14rvuZx
MD5:	EDE6FEBCC14E54B4CA537778B75A266E
SHA1:	7586367685D588F39A42BD5377BA6ACE8818C9A9
SHA-256:	DF435E73CDA8860A1EB61C061B02A3750FB14C937306CCEA218D631C9DD9C2C3
SHA-512:	2B00C4C7428E5B8C933C21BA277BB87803A7BBA0AA65BB52B4B7694A1996E283EA34560D8F1795665BA7FF1D22C033DDFDA42F88ACE3F3331528EF98CEDE3B31
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\RCX7165.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379603007692856
Encrypted:	false
SSDEEP:	24576:Nv/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:Nv/ScA8oGAv5/c14rvuZx
MD5:	4E46A743A3E794DBE60B91E13BBBD284
SHA1:	85C358456ADF5AC1684BB531B59DEB43A437B776
SHA-256:	39DBE4BA783007E64F542D536F53625D87FC612C9CD413C5B9929AC7425F879C
SHA-512:	8C211B82CC1267D5BF6BBC9FEC2139CACB8D492E97FB1C305F86D10585EF024FEED347FDFD72F2F2ECD6B374611F84E771E7F15BD48C1525F8BC23850DECB398
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379853135504453
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	1D98BB52C2EEAC75F2E83E8B0B88459F
SHA1:	AB0DB0ECA10717AD295B4C015DB9D51C20BDA41D
SHA-256:	6CB8969C2E226F0597598198992DD4AFD52D70AC83C187852D3CD872DD6B7A0D
SHA-512:	BB05CF51B6B7B4318BF81B9CC5831E558018D7F2347429CA4513454F06FF3BA5C77B90F82FE533DD5CA60139B059DAF65D752B5648C702D2FF4AF6E648421E26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Windows NT\b090c5ff0df038

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with very long lines (969), with no line terminators
Category:	dropped
Size (bytes):	969
Entropy (8bit):	5.902416790356831
Encrypted:	false
SSDEEP:	24:kerBzRwctTU3tS7jUrYdTV2LyNp1Y2pubmAi/9:kerxRVtTU3tGHdTgeNZU09
MD5:	5C2D02B21C1D0F4D2A5A98C1ACC9E106
SHA1:	A45BD1BAC7E52185864D515AA8096F9DABA4F180
SHA-256:	4F657AF1FA4D84B065D4D3616DCDB9CDCCA0CE7718BEC6236EF3D5D8B5FD4E87
SHA-512:	2FC16A5D98E70D2BC7A20D4DC11DCAA49D3DBA1EB2F24A6AEABC651083144D7A40E507C0E608E99AE38B94E0233F4242DC1326C13A462EB083F560021C93106B
Malicious:	false
Preview:	TuQV3Av1YKBULwK3hmPPJTHZUkrN6UQvpwzVLWyZ7FkGrG1iMb0k1jy9n0ASSh4E3QoZ7zsKx0SEtBsOtIBfdq3F7zsUWgGZKfMabclWsqwBRuPlHwjJfZkNXjbHGYxRt23NySxQhoww31xNjGMk764u49D1BdQU2fSZ0Cxz8Sm0nyTfvOh9LNUw7ITzO5ODYb3YjYWhTXloUDHGpiGx6QJpKfbss7lDDjcL455W19qxlqc3AMKqybGISOOD6ozWwikul6Mumt56kVDeDhrgw4OmcU3pq1ZNKTBDFrSEAaDEfKi6KtAZ7Tj1T8RRCgDuUswQTAZVPmfW0JGSw6f70AQ1uKuGZACdXSuxXRmJUpJUxNAJ29fFBG4Tc5fJQS5PkC9hZT4eUVmL05DgJkOae6bRYbUcvc3Bu4uuOduiEBvqdscg19ApEeuokrI78cs1bkb6KTRp0pWcKvxp8ylwbN7PKGJgUwklT3O2RgWhrUzYIRdy4c9K15ZOnLwEJvVEEuJRh4YbbDFGYiH2nVm1xauXd9PGuSY69vTXILR9Ehsx0SzEE3ayJeRo9vxhoSrJpIHnOtucEmwPr7hKKLB01kwfepXWXtVw0iIrLMzVJ8ugrB7COnXdQ0REWmIjVYEURAZIyz97Wqr3zPycsVHuV1g9QDVjDP9u4ZPrmyOZnaHjIYPGxq1AQT9ZeZ1udZ3Gr69aAG03GrG4u612yPvXX9ekZ0NN6d5OgA2LZyGrz83jNEohh96OogsrcZAJ3n7nw2YtDpc9IEhZF4WVLpp6hqjASLsAy6xMAQwVq5e1h6Fj8TlhCp8O8BFFSXb26bLMRVZzIBoQLxZll9C9jK8J8jO9LqCSdl4Fu3Sn3wZBArDKmeeSVcTwdCNsHZob8Wwj2T0rqZFwv6JQfDXqMt7BSIlspkfeI7Cn5dSSnwl6XgAg37MDC7POYuQtrHCG3lox4fUBuEDZI

C:\Program Files (x86)\jDownloader\RCX646E.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379844924171614
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	D680458B72A97D1BB80C3913EB1A62E5
SHA1:	2BF5F6F5FAFBC3DB4169CF0FCC2AFF6895952358
SHA-256:	E55B9B856BC460760153E9526453CE11E45868FC40081D45EFC59B8697360741
SHA-512:	2DCB69A53BF10E7013814A4EAF6EB134FFDAF21F16B6C28779FF3EB31CFA6580AB63CFE600247FEFE30D056E2B44F42EDB6E0C3450BA8E4E54DE56D5909234A0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\jDownloader\RCX649D.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379671625083486
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	274AEC1DC6B1373DB8691F5EBEE16129
SHA1:	46B6476C005CACD0585473D9FFDC64584D4903EA
SHA-256:	127D3AAF0E2C58393E4FAF95AB608EA0153366E54FC6060A7F651AF0E89636BC
SHA-512:	7FBA986A6FFAE4D5B8F426FD5F3EB02878199FBCA2EDB7B8E586C1FACA13517DAEE3712D763F78C455FE990CBCF1B9BBFFC2EA7075CF48F6E1E4605D0D5EA116
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379853135504453
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	1D98BB52C2EEAC75F2E83E8B0B88459F
SHA1:	AB0DB0ECA10717AD295B4C015DB9D51C20BDA41D
SHA-256:	6CB8969C2E226F0597598198992DD4AFD52D70AC83C187852D3CD872DD6B7A0D
SHA-512:	BB05CF51B6B7B4318BF81B9CC5831E558018D7F2347429CA4513454F06FF3BA5C77B90F82FE533DD5CA60139B059DAF65D752B5648C702D2FF4AF6E648421E26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\jDownloader\b090c5ff0df038

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	64
Entropy (8bit):	5.046569531114784
Encrypted:	false
SSDEEP:	3:69UdaoT24DmX/WcSRJbDKCzvhR:r2YmXe7RBDhvhR
MD5:	DD5CBB0B64B196201D653555801EB86F
SHA1:	D65338E0936B5DAC55CF9C8336860E10974F7880
SHA-256:	F2DAA995E0A2226B677C72ED6DE95CEC004E91E88B5B017AD03CAF36BDB9A399
SHA-512:	352AE39CE1381E02A21230CC1EA4F8EAB1CE0EEC290190BDA0AA0B9B9C5CA97C47EDF7AC7825851087D698F4AA1D33580E11D31F7420DC1EA8947CA989874897
Malicious:	false
Preview:	wq05XqOCODYtqKvSEXwUsDJDlvVs9e7GtlN5SVfg3rMaKGZX0IC0Q2UtgxTmVfDt

C:\Program Files (x86)\jDownloader\config\9e8d7a4ca61bd9

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with very long lines (307), with no line terminators
Category:	dropped
Size (bytes):	307
Entropy (8bit):	5.840646614365453
Encrypted:	false
SSDEEP:	6:shV7+iA8z0U4rZnk2maf5o05SmqWdSh8GKBc4J4aeMfaqqfoXMpRxV:sbtu1kyPMEi8GOXBaeYRxV
MD5:	1DBF8761861C06E612C66C49F313EC2D
SHA1:	52A3D60A53AD2C9EB166DD706AA138C011AD59B1
SHA-256:	35112D01700EDFAB3F5F8F7472B28159E49E38BE0F2C0DC6D4D7842639BB4566
SHA-512:	7F89B4569FA36859495CC11E8901F554F55B94B900BEE65A6B3052844CD26264E644C9A078F61077DC18E49F726047090EB17FCAB98237107C8D97E51DC1346A
Malicious:	false
Preview:	sBpd0USldhRBcbGvbogJFv56suQFXlAyLHB2R2ghdmvlZrb4SUywruM6FtvFDMN1hdzVZNdjI8qdAUgBTWwDxOGb5FxiGaeQY3E61GeF1OosEt5vMuvqaKESWYZUa4creZEHQkJN2rMikYXLJBVWox0OzvjdqJp6w6Oooyfmkiys7fs8AOKYjGDrizSeAqhsCPwnKshVgtvG9HQTClcc8QXp3gGyfAl4BFqssEyRqz1zU6saj8bZNFuv2HunmszgH0F3bil7xKvJYhU6ypPhiMr5V50lULp79Vse1y9AXelCTkWUwyy

C:\Program Files (x86)\jDownloader\config\RCX7AF0.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379778138340665
Encrypted:	false
SSDEEP:	24576:dv/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:dv/ScA8oGAv5/c14rvuZx
MD5:	AAF0090B535B4DD09482EC0E73B046B9
SHA1:	A5A779BC1DC987C38E0890BDDBA3B0943A47D744
SHA-256:	A34E2F339CA50DEA6DC01D8BF2EEC7FA344624FAE9B14878FE4D2822909A7ABB
SHA-512:	9E7C844E8F3C4F062B752F5B9AD63F229BE406C06D544574360140D0838204589D358E2B5E04D56B8C240818E216C31FF0ED309857F4524DECCF8D214AA6A569
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\jDownloader\config\RCX7BAC.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.37959588432374
Encrypted:	false
SSDEEP:	24576:9v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:9v/ScA8oGAv5/c14rvuZx
MD5:	06F6C36CDBC548C103711A88D3AB9415
SHA1:	444FFE19D4FD94399167B1FA8DB60203084E9596
SHA-256:	B7A95931040727C7B1EFBFBB43155E8F0B3442D0BE9924D6CCB8894B69EF4BD0
SHA-512:	093AF410DB8381185D6DB59FCBD249DB166FBB20BAAB423B65A257735D6D8AB1312A81C6A7DEE4E902E5FC8C076A6D4466824B18403B677F21C06B6F2760A630
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\jDownloader\config\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379853135504453
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	1D98BB52C2EEAC75F2E83E8B0B88459F
SHA1:	AB0DB0ECA10717AD295B4C015DB9D51C20BDA41D
SHA-256:	6CB8969C2E226F0597598198992DD4AFD52D70AC83C187852D3CD872DD6B7A0D
SHA-512:	BB05CF51B6B7B4318BF81B9CC5831E558018D7F2347429CA4513454F06FF3BA5C77B90F82FE533DD5CA60139B059DAF65D752B5648C702D2FF4AF6E648421E26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\jDownloader\config\RuntimeBroker.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe (copy)

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379844924171614
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	D680458B72A97D1BB80C3913EB1A62E5
SHA1:	2BF5F6F5FAFBC3DB4169CF0FCC2AFF6895952358
SHA-256:	E55B9B856BC460760153E9526453CE11E45868FC40081D45EFC59B8697360741
SHA-512:	2DCB69A53BF10E7013814A4EAF6EB134FFDAF21F16B6C28779FF3EB31CFA6580AB63CFE600247FEFE30D056E2B44F42EDB6E0C3450BA8E4E54DE56D5909234A0
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\jdownloader\config\RuntimeBroker.exe (copy)

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379778138340665
Encrypted:	false
SSDEEP:	24576:dv/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:dv/ScA8oGAv5/c14rvuZx
MD5:	AAF0090B535B4DD09482EC0E73B046B9
SHA1:	A5A779BC1DC987C38E0890BDDBA3B0943A47D744
SHA-256:	A34E2F339CA50DEA6DC01D8BF2EEC7FA344624FAE9B14878FE4D2822909A7ABB
SHA-512:	9E7C844E8F3C4F062B752F5B9AD63F229BE406C06D544574360140D0838204589D358E2B5E04D56B8C240818E216C31FF0ED309857F4524DECCF8D214AA6A569
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\microsoft.net\RedistList\RuntimeBroker.exe (copy)

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.3797867526131045
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	C8A8B1CC3F01411C2FE3B1C690441BF7
SHA1:	3500AB8B34A3DDE2AE142C8CF5860EBFBD75BDB7
SHA-256:	F10E056660155EA5105D0406404DBD86A861157B5443655F23CB1D7FA04F00DB
SHA-512:	534F7DE8B9A70EADA5794DAC918FEFC0E7FE472C902F0A70860971EFA2BC380D68B1EF376DAD6DCF7E3EDB6A61192ACD4A3E40965400F3B6B5AF721EC74B3329
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\windows defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe (copy)

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379821207429215
Encrypted:	false
SSDEEP:	24576:dv/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:dv/ScA8oGAv5/c14rvuZx
MD5:	7D7370FF25D8A931F907CA027D08C820
SHA1:	1778B078A95ADB958D2BFD469327BA85A54AFFD9
SHA-256:	42DF7ECD8728B2A55BEFF8B4A6AF47088A0EAE69ED92BC686FD49010346F937B
SHA-512:	157D8C76E13432D2BBD7F3E51797F82DAFB0B6EDB57381BAAFE49085E05889E2E223022DAD8833626D7B9C8DB937F20C650C206766B87C6ABC93E18AA96F2782
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\windows nt\UQXKdqQetSFpkBwLVgNixbuHXutP.exe (copy)

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379785264822321
Encrypted:	false
SSDEEP:	24576:Nv/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:Nv/ScA8oGAv5/c14rvuZx
MD5:	EDE6FEBCC14E54B4CA537778B75A266E
SHA1:	7586367685D588F39A42BD5377BA6ACE8818C9A9
SHA-256:	DF435E73CDA8860A1EB61C061B02A3750FB14C937306CCEA218D631C9DD9C2C3
SHA-512:	2B00C4C7428E5B8C933C21BA277BB87803A7BBA0AA65BB52B4B7694A1996E283EA34560D8F1795665BA7FF1D22C033DDFDA42F88ACE3F3331528EF98CEDE3B31
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Microsoft Office 15\RCX5253.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.3798600893094575
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	D3C6DDC9AFB278CE46101CA21DD847E7
SHA1:	B7B5AB0121A57DA784D53FC81F1F0F50FF5442C7
SHA-256:	C9F0D11D3A3E46EDC3CA3F947AECF00335CF2180DC3F32B8711EBB94BC24A66A
SHA-512:	52CEFCF1A7C783ECF7571110139729AE5336DA6730AD74A27CD043711A3690D78AFC25EC84A166250020BECC72561E6657E65362C18205B4AA737A52F47E827D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Microsoft Office 15\RCX52FF.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379678579779187
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	208CC48075C395B1D0E69212A58811AF
SHA1:	FCDDB527DBB219EFD9055FAF51E7DF13CDBEA6F8
SHA-256:	F245FD2000FED94B0D920CE8B8C1DD2487A457AA6BC027D177189A34E9A544A0
SHA-512:	FAD5858ED1B62EC899BBA443C8ED309C6E0EBDD7D4AACA6CCD58D7E3D5FD51400C0481E6DA5704461A6A0003DB46EF7B547A843E5739D89E9D4B53B471585926
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Microsoft Office 15\UQXKdqQetSFpkBwLVgNixbuHXutP.exe

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379853135504453
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	1D98BB52C2EEAC75F2E83E8B0B88459F
SHA1:	AB0DB0ECA10717AD295B4C015DB9D51C20BDA41D
SHA-256:	6CB8969C2E226F0597598198992DD4AFD52D70AC83C187852D3CD872DD6B7A0D
SHA-512:	BB05CF51B6B7B4318BF81B9CC5831E558018D7F2347429CA4513454F06FF3BA5C77B90F82FE533DD5CA60139B059DAF65D752B5648C702D2FF4AF6E648421E26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Microsoft Office 15\UQXKdqQetSFpkBwLVgNixbuHXutP.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Microsoft Office 15\b090c5ff0df038

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with very long lines (732), with no line terminators
Category:	dropped
Size (bytes):	732
Entropy (8bit):	5.905187228441203
Encrypted:	false
SSDEEP:	12:3u4x4bdPR6raTQJ2fdYbjaOcPIHzzx+8MZK/9uYEenF1QRDDkGUil5oLc0kJTrgY:3bx4xPXTQJ24jaOmITrUK/XEeMRwvLcp
MD5:	F0D6087F4E64FF5BBB500C5FAABAA1F2
SHA1:	88F28F8B5C5A37A5791CCA93ABCC134C98441A14
SHA-256:	D073608120CA131749F0A02566B84D28A8DD731534B6FF423BF467561E267BFD
SHA-512:	8DC20C6417D1339E3AE1CAFC349A83B15C6E718A4397AD0E142369ACFDBF930765C1E65325BD289B3765E320B046F0D304B84E113031569D1C0AD6CC34E0FECB
Malicious:	false
Preview:	n3Pz3d4FKOQDBcTe6jFYoceOlZnbUWwNdd7bxJ3ihsTytqbR97qcD3ELYBOd0cuxbDjhe2rwqh16Ipf47WcXqUKkZwDw5ZsF7gXpG4wHQ3wgCICsfTgd9XGH38Hrz41Ryv9lSzxCkVGwhoiQtUQl2OFjZPwIwERVCfrQJaZpgd3oQUjOZ18eoQYkqZMCDpPfDvuC6SHS4lEZVaTFqhs5GwrwGHjuOXm1NXkfkgSHtpkCL9OQGHWf6TZQE85ztXEh9NL8zxfJPlMaMokH2TnHBG437TbmkcYVlCD7xQaSlMQVH8EZXy7Zt6g2TRAfW3jwM0zJkmUl2Vfy0iw9PBOwf8mogLogQ55sndIQI4zueWgYarBufBPUowROOLnY7xU7ZwLXZf0VMeSIbONzK4BPpkE0L4C7RawqBj8nfoU9K4IKdIwA8yODwFSysVMfc3DvrmH2QjTgjBEuc3WCHC9cMs46QJ5JbzhR0Xc1B4uYeseuAiWy8JXa4lj8sLmGoJEtew3EbeBNSk8dOJ5rwGLSbGXPyeJzSnuUouQOpSXeIKHTmFuiQ4Uh8vRXZnQ6VL4p0ozd3qCesrKR9DnstkjYSMV2c2yBBaI7Pcd8PQpj10yRlAYV9hMulgWoS6AA1AcSiMBhkpcd4AgcXDRbedCeNYVsFzpTPpr0XgtY90uUEtzlA3QPpifY88EJ1Sbv9JNPSqF1U2cntrZeitsLianrJT1Zcjhr

C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8321.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379850178580107
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	6132DB2EEE0A193DFF803106FA180266
SHA1:	54DCE1DD06583B7407FBC88672AA4BF5EA354416
SHA-256:	D711127BA9381456B1D549B18E29814E8909E9CAE5950ECC6B79351EF37BA530
SHA-512:	258070C266E709A5DCCE7092E27F803F58D06F19627340A252AD14D2C04E88F8E6C6092B9553FBDBC4DF0BFB72B8BE01A107969B025940F33D53F5F1392830FC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\RCX8370.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379671625083486
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	274AEC1DC6B1373DB8691F5EBEE16129
SHA1:	46B6476C005CACD0585473D9FFDC64584D4903EA
SHA-256:	127D3AAF0E2C58393E4FAF95AB608EA0153366E54FC6060A7F651AF0E89636BC
SHA-512:	7FBA986A6FFAE4D5B8F426FD5F3EB02878199FBCA2EDB7B8E586C1FACA13517DAEE3712D763F78C455FE990CBCF1B9BBFFC2EA7075CF48F6E1E4605D0D5EA116
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379853135504453
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	1D98BB52C2EEAC75F2E83E8B0B88459F
SHA1:	AB0DB0ECA10717AD295B4C015DB9D51C20BDA41D
SHA-256:	6CB8969C2E226F0597598198992DD4AFD52D70AC83C187852D3CD872DD6B7A0D
SHA-512:	BB05CF51B6B7B4318BF81B9CC5831E558018D7F2347429CA4513454F06FF3BA5C77B90F82FE533DD5CA60139B059DAF65D752B5648C702D2FF4AF6E648421E26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\b090c5ff0df038

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	109
Entropy (8bit):	5.526686044662688
Encrypted:	false
SSDEEP:	3:k3L4IissHlXJggUVF/ah4xnhaMjObiBJT7ucKan:k3LfissF5gzFo2hafbiBJWan
MD5:	368CFD909A898FFB97570AF4EE8FA611
SHA1:	75655AC0459B325829FAC1CA8399B81C720D6005
SHA-256:	EE6992C98415ABE20FB447174D7A55E1B08980DF8C3B1A925A793EE1BE9CC4D3
SHA-512:	9EEC1C34D9252BFD028CCD23E76B9FB8691BB70834F26C72E5ACC741BF5A5C0442AA4C85BB1046B924BB9A6DD475BD2B27D73EF14DBECBF6A913BF8B10893B06
Malicious:	false
Preview:	ZZs6OQj0DZUtK5RIIkavRSW2uyoMKg8Qn1qpIAZfctNPCQATBj3yHuyHC0MZmWqgbEFSPlAHL5TiEH0dyULknJI2DimSy93GCqy7KrEZjvnMb

C:\Program Files\Windows NT\RCX4EA7.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.3798702415568975
Encrypted:	false
SSDEEP:	24576:Nv/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:Nv/ScA8oGAv5/c14rvuZx
MD5:	333DC2C67F2D99A4BDD2753B333010C9
SHA1:	D2C35FC528454F24DEFA30CBB1B18CAF00E9BF1B
SHA-256:	67BDB34F5DB07A808DE387A9ECA8A12C7EF0A0944EE21558ECE5EE6DAB8FD8B1
SHA-512:	E79F1EDC8FA32C2080B5DC644D9DD8D94D37083CE609A9C932F59236A31218439EE89C3697802821C2F2740478D27310EB9C24DD94D60FEE44C5AC12178AA0ED
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..X....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...X....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows NT\RCX4FB2.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379689056894185
Encrypted:	false
SSDEEP:	24576:Nv/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:Nv/ScA8oGAv5/c14rvuZx
MD5:	23B26847CC0773FE3BBB6EA1DD1A9457
SHA1:	6F9B4616CB74E2ACA1A9473AE6BFED911F29F94A
SHA-256:	920AD48206013DC3355548DEA4629A6F537A02BDD193D055259CE4ED829A5729
SHA-512:	BFDBABCF4EB0BF80408B321736A0E8633D0AE59A5D4FCD72B3BDEDC1A53ABDF37FE045D90B8EBC445251A9647CF7B3C7135D833FF2F43E9383BD55B91520C060
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379853135504453
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	1D98BB52C2EEAC75F2E83E8B0B88459F
SHA1:	AB0DB0ECA10717AD295B4C015DB9D51C20BDA41D
SHA-256:	6CB8969C2E226F0597598198992DD4AFD52D70AC83C187852D3CD872DD6B7A0D
SHA-512:	BB05CF51B6B7B4318BF81B9CC5831E558018D7F2347429CA4513454F06FF3BA5C77B90F82FE533DD5CA60139B059DAF65D752B5648C702D2FF4AF6E648421E26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows NT\b090c5ff0df038

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with very long lines (697), with no line terminators
Category:	dropped
Size (bytes):	697
Entropy (8bit):	5.875264044604047
Encrypted:	false
SSDEEP:	12:6wMMW+dL4vGutBoH5hWCZSOtLyXMWy4bLdOtYzd4oMXYvRRTXdH2rWnlgMDCRGHV:6wfdLBu0HuCsOt2XMW1bLHtFv3XGWn1x
MD5:	EDC7284677ED8801BFF2EF6DF41CB9EB
SHA1:	ACBCD54239848ABB31D415FE2FFEC05122D92178
SHA-256:	2C9C28060EE97DA719089831BDEABBFDC2899948EC0306AF1E881E79640272DC
SHA-512:	A43A1297EFA13E7BA97AB5617D9B5B7ACD99973E88A320CA1A8AF2CE2B71716A046C01F6EBBA72C275665FCEE028F8599047F0339979A5AFC60533D73E514FDC
Malicious:	false
Preview:	CQkaJwHQVpXPlDEpvS75yyvwZRQQ3npectBbsFUImi9yNRrIrjowQx2OfyB2g1XsA3w1Bn7p8ySQy6iHjHiT83Np1x54DclvKRyUfzHEl8xcemZiP4TZSDtGpHAOrDmgMgFgIOmt9dr9FvKOXWoJJMcHhrpXz3XiWRP8g3aBRjZzVtA47v0UYcXAD78biO4GFJnyfLre6n1jwnwxruaDCDK34P4i49cDpTuMGMZvDWXvlxNaLLtyy1EC9u4PRJk7Ky4d3jreVp9qqZRGCdWtPoPxOrMWRKd4wZkx3uhmdPdI2XWkcxMyw0sgjGOLWUNLLE4QyeNS5uPAKG50Vm4e7pI5qDOwfWPJBS7xdFv7j42BlsVcKXztasOg58jvQbwifG82IHXQ164CwHU8rvlHhfsTDb2efArIITfeudUCAj2dxLtxolDezoBAXoyrP2u1Pw4cmzNObiH8mPf1rF046MSdSfGFomxIyANBRQLzYzDQhDXIJ7AJB04DebKHsHkyv9JlBeka4BfHIB5OH86rlnG8GKg0FEGQOOfi3vGpWjPAUx4cf59tL3MH2Lf17tUz4P34fWVV2RUCXFnSPEUJEWFUBYprPOrnOZFF4A6Jkn14jKtxhNl2YKviJi2GqnFnjrx79iYPHLjaeKv0p2JCnyODoh5WHzc6hOV2Xvx9yWvNlUD9wBbxeCAuc

C:\Program Files\Windows Portable Devices\RCX7435.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379868077851925
Encrypted:	false
SSDEEP:	24576:Nv/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:Nv/ScA8oGAv5/c14rvuZx
MD5:	D20F583D6B769C5FF4DDABAC26E3DEBC
SHA1:	D6CE23649FCA13E0A8C905F7485322EA19C14CAE
SHA-256:	B33264CF02FF33273BC92DF96F50C8AFC846A6611978A218D46BCADC629044B6
SHA-512:	D1AC82A8BF0DD3F97379C0622B93FF47D2FFEF8713EC6692382E6D042D9BC92A896EDF19A20C5C6638F5D442B8CFA3E67B302234545B32F8D7541D8EA65E9359
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..X....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...X....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Portable Devices\RCX74E2.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379686886000702
Encrypted:	false
SSDEEP:	24576:Nv/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:Nv/ScA8oGAv5/c14rvuZx
MD5:	D7E4B7B7DA37235899EC9F610C3888DF
SHA1:	C92394E9CFBC0463281F7ED4B421A6D58E8D11CC
SHA-256:	3A18424AEFA1E907FE31A0EF795304A45BBA22D83AEEC7C3CF12DDC57AB8C3F7
SHA-512:	22745A1F9B97EC7CBE61D0A942EDB5501C1F1419F12B47802875BF1CE4213EFF4C5B1224CA97870E2D971D532DB53C9CD6D99B1AAC319597A20A3A2734C23EDF
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Portable Devices\UQXKdqQetSFpkBwLVgNixbuHXutP.exe

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379853135504453
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	1D98BB52C2EEAC75F2E83E8B0B88459F
SHA1:	AB0DB0ECA10717AD295B4C015DB9D51C20BDA41D
SHA-256:	6CB8969C2E226F0597598198992DD4AFD52D70AC83C187852D3CD872DD6B7A0D
SHA-512:	BB05CF51B6B7B4318BF81B9CC5831E558018D7F2347429CA4513454F06FF3BA5C77B90F82FE533DD5CA60139B059DAF65D752B5648C702D2FF4AF6E648421E26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Portable Devices\UQXKdqQetSFpkBwLVgNixbuHXutP.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows Portable Devices\b090c5ff0df038

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	181
Entropy (8bit):	5.657158081430953
Encrypted:	false
SSDEEP:	3:Z6ATm9bJB0uY7VRqEhR90GR23rAx549LsRRrxSFlkjUqKJzgmMnVO1RJgww:Z6cm10uYRRqEhT/REUxCpkt5UqKJGQi
MD5:	C33FA955AB1C9F3985EF761290412891
SHA1:	2B425C46A433AB03224EA2DFB07CF028EEB2D184
SHA-256:	8455977468672CBAE1E41C1BAEBB8F67DDF218C9979773FA5139FF62DA1812C4
SHA-512:	0D021DFFAC3BE9F0187B4823154C9D0F43D4B37C2EAA97FBEBC38B7B9D2768FAE4EBDFCE84CED47935089E07229551A905F9B8FFFE5E45B0111BA405B890BB9F
Malicious:	false
Preview:	NjlgufCw2MmXmKS74zGXGekmSTraJdEGQKyLdhpm8145cbFOJeR3r1Dt89NaymmZIgHcWGdWKdYPkpJ0OdRpLLYYGENeTOyWOex6Tn1CA4tNcyJTzXMUV7N6HtVR39D5pCAF1NgklOoRcK5R53p6CdBRR0ykRkJB0xiayDbm0ltGT5e6xEV9U

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\7a0fd90576e088

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.334962500721156
Encrypted:	false
SSDEEP:	3:jDBF2HHu:/Bcnu
MD5:	7B4376C8AEDCC7AB391EA6C3D145B09D
SHA1:	B75493BB5294CF55FBEE986A0C17BA98D33342E1
SHA-256:	57CB6DD67BC42CB12816872ECF1231D30AAA92838FCA01FD9749F7FD82F6B9FB
SHA-512:	C99C57A9D2B5C1639928218679E853111193BED77FC66A13F2ED32626DA03E6E6091B3BBBE0B133DB55AC5C5CA238B0565028132ED176744F0C4814DE7EFF9B3
Malicious:	false
Preview:	Fnbomfd1cCFau47WW1wNOJrs

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RCX7792.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379901908252852
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	05A3C526C3C0FAB80D54A5E9DABB05F5
SHA1:	CABF04CD3FF1BDB212ECFAE0ED08A5DBC68AEDF0
SHA-256:	1DA32F76FAD6384CE2D5BC9EA33C7E4850A7131652B78810DC537FCEF4FB0054
SHA-512:	855338FFA35E7BFD0A1597D1FCDD6F38C896D5E18891652F91B901B81065AC06E709143CB06A2FD7432E7EA8175923F1229587C7824375FC9345E5018FC3560F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..D....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...D....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RCX784F.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379720240539656
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	588EFB65191D67B992F0F3A7AE95C92C
SHA1:	1F8F680214BA280D4F689A282DD3154F6509F027
SHA-256:	CDB630664B72B93C6033D66349FAE3EF9B8AC6B45E2D84889B2CE0593D6C4670
SHA-512:	23B2F4A01FFB2669B09BEF36128362336D86A6721C7AB6A86A5F7AF4BF12EDF2666FC84DF195D28FB688C4596D0361FFD24DE5E204202E8524D4B2550BD30BE7
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379853135504453
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	1D98BB52C2EEAC75F2E83E8B0B88459F
SHA1:	AB0DB0ECA10717AD295B4C015DB9D51C20BDA41D
SHA-256:	6CB8969C2E226F0597598198992DD4AFD52D70AC83C187852D3CD872DD6B7A0D
SHA-512:	BB05CF51B6B7B4318BF81B9CC5831E558018D7F2347429CA4513454F06FF3BA5C77B90F82FE533DD5CA60139B059DAF65D752B5648C702D2FF4AF6E648421E26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\9e8d7a4ca61bd9

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.80547519403521
Encrypted:	false
SSDEEP:	6:uVt2DoqkUyoWfaUATInbE32rASQblLTVPLlYhCGPwFBa2QZTBnn:2EDojoWfnAYTrASYvbb4TBnn
MD5:	96152EAD42367DE73780BC12496B3E61
SHA1:	BC9124837243A91383AF57DD82388C28328FE932
SHA-256:	230A5D91D0CFA04FB40F66F20405C460FB5E41736470EFAEC474CAA55E71EC8D
SHA-512:	FEF61ACB6C06ECBA9A90172E2343A5315D32BDBFC660302FF478E91F09C8D4900777A47F8A0724FD89B9BA201D16731D6DBE3D519495EF2F6638C6615DC5897E
Malicious:	false
Preview:	enU9yqWsjoNqsQ48SLQZLNY1KhAsmr7AowZ9djp5KGNqjHHeFDaZL6GRPdyRqoG1rNC605esfVPEArRDZgmiRhysqItAvXOgAW9WFLnKjr40rCRiMv1KBikJYTQsLe7HGsEor57O2c9jn8Ao1Ly9gEfcv07v559Fuwt87n0QxnRiiBfaTl09p8lBNl218LS7d3y1OBqOVhL3x63uUgcTE9ZwKrvWu8SmUTFpMnLR5mnIwrORsHgbt93deCqgQTdXOjjd0OiqVLXbVQ9dddnmb12UamKJ7oAlIQ3MIuaejzG

C:\Recovery\RCX56C9.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379888048522558
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	5AD8AF2C0C4D7E3231247293AA7A6A61
SHA1:	F6F6E155BDA58766A474F2C45FA779FCC20475FA
SHA-256:	C57D1837D2C2D23BE12B770C3989D45ACB14AE33DD919AD3B1D272B69AEC9A48
SHA-512:	C97543DAC2EDCA69D67A422EC1CA46D4ED5BC8377CB2C4AB79D916AEACDDBE789E026309DBC3CDF558AB4C7146CB7C6622922D5B2BCDD9F0C39F3F9637D64D98
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..T....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...T....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\RCX5766.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.37970646743417
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	BC38A392B93534252FFD139C85F5F6AB
SHA1:	7599C945F29EDBE2BEABBAB4EBCFF7EAA48E9052
SHA-256:	86E94AB656F309F6EE7B81058ED99619C94A87B5E785FB2A139C5501A3970F18
SHA-512:	E2822AF083BFC22C5F23AAA3284496DE4B4FB0ED80A351474AF664CD3F9999C11CF43A7CCD0B015BA48DC71A01D01E0B00FB78CEFD3AD5715CE1E2AEBD8ECDE3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\RCX61FB.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379795625165225
Encrypted:	false
SSDEEP:	24576:Nv/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:Nv/ScA8oGAv5/c14rvuZx
MD5:	DE6394BE428DAE1B967C9FC33E0AE4BC
SHA1:	F4BBE755E2653354FD227135F1A2DDAD2002BDB7
SHA-256:	E02D0377368EA933C10910B7B054D452CF1D79D48171AEB7ED47ED04167D98AB
SHA-512:	31B05BBB624B3251A3A76BCC792BEE6740D91DFC404266272B5B6CCBF84DFB29B6B4E085498458C791C03AEFD42B4792A717576934221B2DFDCC3D09B348FAA6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\RCX621B.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379671625083486
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	274AEC1DC6B1373DB8691F5EBEE16129
SHA1:	46B6476C005CACD0585473D9FFDC64584D4903EA
SHA-256:	127D3AAF0E2C58393E4FAF95AB608EA0153366E54FC6060A7F651AF0E89636BC
SHA-512:	7FBA986A6FFAE4D5B8F426FD5F3EB02878199FBCA2EDB7B8E586C1FACA13517DAEE3712D763F78C455FE990CBCF1B9BBFFC2EA7075CF48F6E1E4605D0D5EA116
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379853135504453
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	1D98BB52C2EEAC75F2E83E8B0B88459F
SHA1:	AB0DB0ECA10717AD295B4C015DB9D51C20BDA41D
SHA-256:	6CB8969C2E226F0597598198992DD4AFD52D70AC83C187852D3CD872DD6B7A0D
SHA-512:	BB05CF51B6B7B4318BF81B9CC5831E558018D7F2347429CA4513454F06FF3BA5C77B90F82FE533DD5CA60139B059DAF65D752B5648C702D2FF4AF6E648421E26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\RuntimeBroker.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379853135504453
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	1D98BB52C2EEAC75F2E83E8B0B88459F
SHA1:	AB0DB0ECA10717AD295B4C015DB9D51C20BDA41D
SHA-256:	6CB8969C2E226F0597598198992DD4AFD52D70AC83C187852D3CD872DD6B7A0D
SHA-512:	BB05CF51B6B7B4318BF81B9CC5831E558018D7F2347429CA4513454F06FF3BA5C77B90F82FE533DD5CA60139B059DAF65D752B5648C702D2FF4AF6E648421E26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\b090c5ff0df038

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	126
Entropy (8bit):	5.587337987411754
Encrypted:	false
SSDEEP:	3:uRQQEVfyReX1fCSjPT3Mwsy021iQBc68hJrzbkKSjq3GlweRWI:uRQQ86ReXN3xs21iQohNQK/GlweRWI
MD5:	5D6254264D381C7C1341E8D79F763F33
SHA1:	AC7D4B3EA2DECB147B7710B76281E41556330616
SHA-256:	445DB56039ADA5C67E3DFC713FC0C16FE6C4009BE51FD203D1D3CB66AFD62327
SHA-512:	05C22D9DDAFC30B45ACF6442C17E17C1702DDCA91F9E0E983C0B9585E939AF6887A93948255A9E153893B5F1A1B31F60386115A224E3CC5135ECEC4C9C61F969
Malicious:	false
Preview:	hHCtuB5a0qNilLWt6M2rG3zOAdLGLYlHcpiGuphLDjHCKYUwAnUP8VAoRytQ0yPcEFG5nP9RoqnhvxDlJYGhDWJHo4y65RVPUo7FSYIvoDkRsd2euIGbsrZs68RsaD

C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe (copy)

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379901908252852
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	05A3C526C3C0FAB80D54A5E9DABB05F5
SHA1:	CABF04CD3FF1BDB212ECFAE0ED08A5DBC68AEDF0
SHA-256:	1DA32F76FAD6384CE2D5BC9EA33C7E4850A7131652B78810DC537FCEF4FB0054
SHA-512:	855338FFA35E7BFD0A1597D1FCDD6F38C896D5E18891652F91B901B81065AC06E709143CB06A2FD7432E7EA8175923F1229587C7824375FC9345E5018FC3560F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..D....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...D....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Desktop\1a5d5b8dcee3d8

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with very long lines (823), with no line terminators
Category:	dropped
Size (bytes):	823
Entropy (8bit):	5.889611294690539
Encrypted:	false
SSDEEP:	24:qz+RYxi0dy9syf2x+6HUUn02W+0IkDwrn:XRYwsM0Htn02W+ZkQn
MD5:	3C13BA9D34C38B3FD1B71D55BB492ADB
SHA1:	F33283DAA423F675281F5A26A6F236681CC4DB7A
SHA-256:	E82FCE2A9744D7668DD6846715A948077A4E3521BD1A81DDA8C245E42F4757F8
SHA-512:	9FABCEE8E9C6F85BAFE4A1DBCBA71A9185F49A81BD11BA1522D3F38B8946BC9E71E80C215FCBE5A089E8DD1B366CDE1DF24403C88D7352F2562E10F5E89E4735
Malicious:	false
Preview:	0EAqOKElpmuifyfWsdrYxVsPdSX09gfaTg6tyQPH3Tdhx6NLHPxTcoBeWuM6xOlIGUP92vibOjfd2LcgFLsttL7oebXDETUpsUbcrOSVrVF3JhmLRp1lf2Z4WkebYeX5P0vhu9z03WBYGEe6yMwYcsJ05gFGt07N7JnTwEaR0AsI0AxSFhmLs9dgq5mN4sGCYya6aLJtveibAB94sxALOwe8qHn1cNXH3ptBk014X2ZOaBfp5reGs5ymTcQTiSRiGbiVR8U25GxVXQhom75vtRZ80HrIjiWFl1H9dJX7WmKmHdOC4mqkXfzyBjeJQMSXtstgIiKcj8YHGw1X2oN61wrGCT73oOrKTx2Yts3WcNAZGssPsHQl8Vf7AnezkQyVQOxT4coKv1enwS9TksKh7FL8R5XFODvLZoI14YUQcG0G01LsoKP1GQXKDzB8Ei5rGTOHKHZMX4E1PEHZupbEy3FJR7yFWVL4KJAhnDhgvDeLLf58slOZH12MOEzMSTzBsKrGEjwqH4TvZ37vC0XvHwwTQxTiOVNbOccByy4IziRMiGxUHEKc6D46XX0QQNcwr1h7a66N5O5ifjuJA9bJLueKhgna8n2lGefqj03KH6hrIVbynqQQwSl6WXZ4TfPSWUcAEEkJFRBONxCMEzxSXlzx3jTLb91mqOVx2btiFGLeRWsjVNzes74vepHeuYsGaZi8cOTnFPMRZUgg0u0OJW3tUjTNUOxqXFE1ytGG3LYdvnVJJkoAie6Dfzo24FT0bf3UQorGntU87a8qOJEtkwI3JBV9FOLx1iBPuA3e2hXyK8FE17nvBkQ

C:\Users\Public\Desktop\Memory Compression.exe

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379853135504453
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	1D98BB52C2EEAC75F2E83E8B0B88459F
SHA1:	AB0DB0ECA10717AD295B4C015DB9D51C20BDA41D
SHA-256:	6CB8969C2E226F0597598198992DD4AFD52D70AC83C187852D3CD872DD6B7A0D
SHA-512:	BB05CF51B6B7B4318BF81B9CC5831E558018D7F2347429CA4513454F06FF3BA5C77B90F82FE533DD5CA60139B059DAF65D752B5648C702D2FF4AF6E648421E26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Desktop\Memory Compression.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Public\Desktop\RCX7FC4.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.37986883823295
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	0659DE167594EA5065D81C899BCCDFB3
SHA1:	D4C3AB4C356DA49F515B995263ACFA27C260C198
SHA-256:	C250B95EEA3F72A9566F34E39F78EF8CDB7601039BA341FE93BD2F24E1830C0F
SHA-512:	5A4F3B25D8BBA8701865F3D8BA4810E7C792E47FF0ED2FE314AB1CD7241019C473D9E523004358C36F7CDEF008F78CEE64404CD5D553A754D85246737BF97C0F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..\....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...\....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Desktop\RCX8071.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.3796867496017775
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	2ED54C3852E5BC66C1FEA06D19CE9961
SHA1:	DEAC982F48A67DF322A8019711085EB9AA1FB998
SHA-256:	AB0EA594D31555710C02AF83569913ED4AD968933A10DFA3700B70028FE9CD99
SHA-512:	77AEB7E54C1C26ADE6DB31073CC4CFC3730B5FDC3B3E970450636077FB9CBAE671BBBF347559BE24DEE77539B1B673A8098B503DF9D4E7A3D8B1FF868F2C38C9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Download File

Process:	C:\Recovery\RuntimeBroker.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UQXKdqQetSFpkBwLVgNixbuHXutP.exe.log

Download File

Process:	C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\h1a1eHrclt.exe.log

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1830
Entropy (8bit):	5.3661116947161815
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpvJHmHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpBGqZ8
MD5:	498D8CC0F157AA5168D6679E694BD803
SHA1:	05A8C750A8FC7F3438945EC9607C4F240917C31B
SHA-256:	5A452026BD10A826A716DD6A5B5D7D731458217CD89CD9F24FFC5A52AE6CD35F
SHA-512:	9924A15F7EC4B178E0C7B2BA6CDA7D26787372E63C49B66019D13696C14BFA3AADD2A597416E3589CE8B3F6AB4C9EE32A8BAA7C66ADDEA7A09C78B90B33CC893
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Temp\G58brWjr2x.bat

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	211
Entropy (8bit):	5.0301274837094905
Encrypted:	false
SSDEEP:	6:hITg3Nou11r+DE1aH9to/N0BvKOZG1wkn23fPHXgc:OTg9YDEGaFmDfnHn
MD5:	6DD76C0173BE05889043A122E7C5AE56
SHA1:	74C20F744F67A56BDB7E2EDF5B0B1920C78D68D7
SHA-256:	43A6DCEB97E33F9F980725FF45BC54ECDF430509890AB83DC9D806384A1423ED
SHA-512:	857A5472C00D6DB49712F58F0ECA9C980CD7A38B748E630850BE86A40B72F8E0BA7854AE85BA343FDA32D191B898ECE23ADF846F589AD07ADCF6EA3FADF66BD7
Malicious:	false
Preview:	@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\Users\Public\Desktop\Memory Compression.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\G58brWjr2x.bat"

C:\Users\user\AppData\Local\Temp\fjilrMJ9JG

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601646
Encrypted:	false
SSDEEP:	3:2WV22u:2Wm
MD5:	3835BA4DB05FDD0524265C8C205913C7
SHA1:	E1F78E7BB8AEFAB0EA70D371CC3703E72E182857
SHA-256:	32133C8A6DC7A5DB8947AACB881B0BCBF05DC860C8CB23E472BF7D8F41ECB5AB
SHA-512:	B14AE8F0AC4D28AF9514BAACAD49798F317E460AA5626A476472F336D2296263D8E0343BD30BEE657C5E951DAFCF550ADA84D3C1C6F1BA74DB3A79344DADF391
Malicious:	false
Preview:	wDcSB30wxm3SsrcSUENq2pwDJ

C:\Users\user\Desktop\RCX4BC7.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379924520243349
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	A4ABFD0129191605360F0E97604677DE
SHA1:	BF2B23D4748D8464EAA1EF649D9FCC4E528B8DBD
SHA-256:	75AC8379FBE6C30E204630A6A878DA508EAA909C9436EEE9C43C035767478BD0
SHA-512:	7C481289E2C0A8D0C31F6DB7DB94082D6734BDAD2B2C91BDB05664888AEF1B90A54D092F07EB4D7A7345C98A268E98854AD9B68894B028B1E49D9B6680BE24C8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..<....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...<....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\RCX4C16.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379671625083486
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	274AEC1DC6B1373DB8691F5EBEE16129
SHA1:	46B6476C005CACD0585473D9FFDC64584D4903EA
SHA-256:	127D3AAF0E2C58393E4FAF95AB608EA0153366E54FC6060A7F651AF0E89636BC
SHA-512:	7FBA986A6FFAE4D5B8F426FD5F3EB02878199FBCA2EDB7B8E586C1FACA13517DAEE3712D763F78C455FE990CBCF1B9BBFFC2EA7075CF48F6E1E4605D0D5EA116
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\h1a1eHrclt.exe (copy)

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379924520243349
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	A4ABFD0129191605360F0E97604677DE
SHA1:	BF2B23D4748D8464EAA1EF649D9FCC4E528B8DBD
SHA-256:	75AC8379FBE6C30E204630A6A878DA508EAA909C9436EEE9C43C035767478BD0
SHA-512:	7C481289E2C0A8D0C31F6DB7DB94082D6734BDAD2B2C91BDB05664888AEF1B90A54D092F07EB4D7A7345C98A268E98854AD9B68894B028B1E49D9B6680BE24C8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..<....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...<....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\addins\RCX66E1.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.3798499922313505
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	9CFD03C580613B35118C6006DB4557A3
SHA1:	796F767E0ABBB04E8FCADA92B6C583535E355BA1
SHA-256:	2CF43D03253EF68B36BAD3164E078C1C90C271CD8FB91BFF34E29D06311284C8
SHA-512:	181ED0D2C5AD2ED5CA71052AB11BD0A1D9898945E11D29445F5DE4625304FDA8954849D0666479D940FB106F6BBC809DF6975F35A9C7C9CE4E6241F5C9AF54D8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\addins\RCX679D.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379668482453169
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	A17D3278FB4ABFF958116581E47AE977
SHA1:	A17E553FDA3F63F69E043C2214A2CFE14FB6C015
SHA-256:	C9164CE7C29E5DDBF554EDBE5814891A3C3D2267B3D75F32A668DB1DC586F915
SHA-512:	5FD21A2AC985E3560637724BDEBAA4F98550EF67DAE4FFDD026862F05BFBAAB4F5DD80142FAF4FA697842AF68903C7B587859A2230A2DED9701D4EEEAB9AC774
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\addins\UQXKdqQetSFpkBwLVgNixbuHXutP.exe

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379853135504453
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	1D98BB52C2EEAC75F2E83E8B0B88459F
SHA1:	AB0DB0ECA10717AD295B4C015DB9D51C20BDA41D
SHA-256:	6CB8969C2E226F0597598198992DD4AFD52D70AC83C187852D3CD872DD6B7A0D
SHA-512:	BB05CF51B6B7B4318BF81B9CC5831E558018D7F2347429CA4513454F06FF3BA5C77B90F82FE533DD5CA60139B059DAF65D752B5648C702D2FF4AF6E648421E26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\addins\UQXKdqQetSFpkBwLVgNixbuHXutP.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\addins\b090c5ff0df038

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with very long lines (865), with no line terminators
Category:	dropped
Size (bytes):	865
Entropy (8bit):	5.913977098733164
Encrypted:	false
SSDEEP:	24:qHSOsUEYk08+KYHKxK1THxwIvUYt+1e8SUrUwX:tOsUfu+ckUwKe8SGX
MD5:	4BBB12E1D97FF9FEE276C8527351E675
SHA1:	5EC4D1DD1F375509EF51C126C79BE11D7948F2D6
SHA-256:	4B52B4037185C11089796093D8809F0A9DDD164122C5A5F1514DEE6CE8DC24F8
SHA-512:	DD8ACE80A93AFEC7C8CC95AB8E63A394CADDD74D0153468C1F32F059BFCDEB57CA861945E1F9FFC188382C020A454762711E8908A0117530B5050FADB1AB9B99
Malicious:	false
Preview:	QbB0t2fV721bGz0QeZfC3LXodU2FUaAHT8AbT3x4xQXnMR9dJycafr8EDXXZAZAh1tIIyZ7kmkOmxubLUY6g7kmmA5Y6fX3YP0vdJ0ou01x4cVRS5LEldejRGfI2ABEOrzW798CdtLpFxsJooFAUTR4vQeXnswuyxiNn9UT7Ik2SyeeXVdO4Bu5Z5lqflYu7b0SOfgpTwDMsZm6w99SPhzxCnxrYoyVtz407LQ1yy4I7hM9So4flGfZmDPkryRp8rc2fv8ktHdbmq0fayZttSumUeO46pK9hPKQETegpUvemDw5MuK3Zh6p7ziAhEoE7d4XgjaGT2EZgPAQsTrLeQj9TeSOve9lqrgIJYZnTDjhcgIrzRSOWcjq34EBQLVz2dtzt1HT3E2bqChwWlZdMvPOHzPOUXWIruo9xS88K8URkIA1XRppw1nHOfs3m28gstt6Xh9DmaTNa7n9zX1CsqW0GhvSkFWR9xj0YDezSmCVhaqQ1sDOA6yBX30zwqchDBNnYxlw3CtGoASq1eb1BHRD9hceNoCmJeSfMD2DHRV8MsXXkJ8RPkg5uJn0UGiP9H6JswdxmXuuwS0RJF4DpuWi8WvCZBtBsG8FvOpyqLp10vJbTWqOLfjPuXKWBaYkosBqUuf5aGXeFfsMMTtDUezNgsVYDTwPwENIudHi0vyFIFKPp8JsrUQK2yKlZH2HTHrARkctLLMjptEaiGsFJEibyDP5TfIt2rwAYJ7EfagfIqeIttCSYw7OjPMOVgapCdq87DCZJojthCTHiGLjd0UFthbI7st890dp9fLpqnJuNOrg5EqOV0MMIlPZm3ba4ltrjoIC5f3zqk2e04M2CfnIoRgYQvDwLs

C:\Windows\tracing\RCX6B57.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.380002853260246
Encrypted:	false
SSDEEP:	24576:dv/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:dv/ScA8oGAv5/c14rvuZx
MD5:	B6D3585982FB05465DE3822130E9D9DE
SHA1:	B6CE050061E19DDBB5FCEDC1545F4F48376482E0
SHA-256:	8B38513D65E279CFCCDFAD1CC27E81751EB2F883EA2E2BE733EE8E8C66488576
SHA-512:	EB3E706CEC2C0A9B7AF091BB34FAADE60566EE5C378A53E3DFEE41A32013350051ADB567134AECD3DAEFE3A57AADC9F49EA3F35EC35239199EA2851C8B6BCE7E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tracing\RCX6C14.tmp

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.3798266756272985
Encrypted:	false
SSDEEP:	24576:9v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:9v/ScA8oGAv5/c14rvuZx
MD5:	B64CC06FAF02F461099551AC340ED675
SHA1:	B4BFBD3D9F7B800A077DD261F792588F0082778C
SHA-256:	7CE549DCB70F40B32EF2549EFC3EFC300B62DCB8577B48FDF9DA2EFAA64CDBB8
SHA-512:	D539E8A9E82DF0E1D0544D43A2E0E38CADE9F3E5293ED102AD75BAD7FB08BF2197AD52EF536472E696F53AB64075FC472B45C51BB2298A72CCF6BFCAFEB2AEB0
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..P....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...P....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tracing\UQXKdqQetSFpkBwLVgNixbuHXutP.exe

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1772544
Entropy (8bit):	7.379853135504453
Encrypted:	false
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
MD5:	1D98BB52C2EEAC75F2E83E8B0B88459F
SHA1:	AB0DB0ECA10717AD295B4C015DB9D51C20BDA41D
SHA-256:	6CB8969C2E226F0597598198992DD4AFD52D70AC83C187852D3CD872DD6B7A0D
SHA-512:	BB05CF51B6B7B4318BF81B9CC5831E558018D7F2347429CA4513454F06FF3BA5C77B90F82FE533DD5CA60139B059DAF65D752B5648C702D2FF4AF6E648421E26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. ....................................@.....................................K....@..l....................`....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...l....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tracing\UQXKdqQetSFpkBwLVgNixbuHXutP.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\tracing\b090c5ff0df038

Download File

Process:	C:\Users\user\Desktop\h1a1eHrclt.exe
File Type:	ASCII text, with very long lines (309), with no line terminators
Category:	dropped
Size (bytes):	309
Entropy (8bit):	5.79641651560459
Encrypted:	false
SSDEEP:	6:9zPRKbZuLXQtB2RPZiwxdCfaQTloXKx0/Ubvg0RH9fyTtTtnI/Itx:9rRgWQCRBdxIf5WXKbrLd6pTtneItx
MD5:	D63C06DDA4C10A46BC2DE4DE2BFA71F8
SHA1:	E7E713C13F140D7EDA0F86A97B36824F4DC723BC
SHA-256:	29DAF6DC1A31F3AE8204222E61EF861F32F053AEFC0FCF7EEDA50C32F54FDFDE
SHA-512:	119C39E2E167722CBE4DADEE533CEE52B0BB806A1A5BCC9E2B92C1F8521A9EC75A133EBFB0CFF17773C39DF4A1842B8E04D39F2B826489250C9E7306A5B991FB
Malicious:	false
Preview:	z7WfisvjrrjYZ7lCSHtwJcGo8uQ90756ZMyLRv7pfMVFmUao37pJM0IW1shxbvtuvm9MJZugKER7GABoUmG2SvuiDbTjOJOuclTAUNfdMI9IjLQ1q3dyo0bA1aJrGLSAzheeqBTHHmqJvm92Lc3UqZFmKTI3EyXBz9SBqvKojWrCKSOPbQfnR7Tac2UW3ZCTPoTwT7MaROuUrDc2E2cxSut1p2jybxvKTYxf8c6eEFVCN8sZZcRA7OAe5bGbXX8edkBTQ63m67tNYqorJKY8fuMEXSkgVeGqG1jm7ZIdipD9fwGOwZSN9

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.379853135504453
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	h1a1eHrclt.exe
File size:	1'772'544 bytes
MD5:	1d98bb52c2eeac75f2e83e8b0b88459f
SHA1:	ab0db0eca10717ad295b4c015db9d51c20bda41d
SHA256:	6cb8969c2e226f0597598198992dd4afd52d70ac83c187852d3cd872dd6b7a0d
SHA512:	bb05cf51b6b7b4318bf81b9cc5831e558018d7f2347429ca4513454f06ff3ba5c77b90f82fe533dd5ca60139b059daf65d752b5648c702d2ff4af6e648421e26
SSDEEP:	24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
TLSH:	A385AE027E44CE11F0192233E2EF454887B498556AA6E32B7DBA37BD55123A73C0DADF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rb.....................6......>.... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x5af03e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6272A3D7 [Wed May 4 16:03:35 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1aeff0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1b4000	0x36c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1b6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1ad044	0x1ad200	03a5907d84042eb27c78b005eac1d322	False	0.7664175147465774	data	7.403118868606928	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0x1b0000	0x2fdf	0x3000	6b02395c68bd5f1dbc2655a11d3b0d3b	False	0.3102213541666667	data	3.242520796463451	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1b4000	0x36c	0x400	56aa0870c812a002188b7e10667659d0	False	0.48046875	data	3.9508957106139526	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1b6000	0xc	0x200	38f35b895c1f002a8e16d030a78a191c	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1b4058	0x314	data	English	United States	0.5647208121827412

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-29T21:52:59.619605+0200	TCP	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	80	63625	185.114.247.170	192.168.2.4
2024-08-29T21:52:38.466015+0200	TCP	2033087	ET MALWARE Win32/DCRat CnC Exfil	1	63623	80	192.168.2.4	185.114.247.170
2024-08-29T21:52:32.084292+0200	TCP	2034194	ET MALWARE DCRAT Activity (GET)	1	63623	80	192.168.2.4	185.114.247.170
2024-08-29T21:54:00.783788+0200	TCP	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	80	63660	185.114.247.170	192.168.2.4

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 21:52:30.567095041 CEST	53	50161	162.159.36.2	192.168.2.4
Aug 29, 2024 21:52:31.033996105 CEST	55577	53	192.168.2.4	1.1.1.1
Aug 29, 2024 21:52:31.044800043 CEST	53	55577	1.1.1.1	192.168.2.4
Aug 29, 2024 21:52:34.660120010 CEST	60847	53	192.168.2.4	1.1.1.1
Aug 29, 2024 21:52:34.667701006 CEST	53	60847	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 21:52:31.033996105 CEST	192.168.2.4	1.1.1.1	0xce2b	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Aug 29, 2024 21:52:34.660120010 CEST	192.168.2.4	1.1.1.1	0x26aa	Standard query (0)	219.53.3.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 21:52:15.955024004 CEST	1.1.1.1	192.168.2.4	0x57b0	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Aug 29, 2024 21:52:15.955024004 CEST	1.1.1.1	192.168.2.4	0x57b0	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Aug 29, 2024 21:52:31.044800043 CEST	1.1.1.1	192.168.2.4	0xce2b	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Aug 29, 2024 21:52:34.667701006 CEST	1.1.1.1	192.168.2.4	0x26aa	Name error (3)	219.53.3.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	15:51:56
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\h1a1eHrclt.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\h1a1eHrclt.exe"
Imagebase:	0x8a0000
File size:	1'772'544 bytes
MD5 hash:	1D98BB52C2EEAC75F2E83E8B0B88459F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1890007237.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:51:57
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:51:58
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:51:58
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:51:58
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:51:58
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:51:58
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 10 /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 5 /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\RuntimeBroker.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\RuntimeBroker.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Recovery\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\RuntimeBroker.exe
Imagebase:	0x920000
File size:	1'772'544 bytes
MD5 hash:	1D98BB52C2EEAC75F2E83E8B0B88459F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000014.00000002.1832599441.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 84%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Recovery\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\RuntimeBroker.exe
Imagebase:	0x300000
File size:	1'772'544 bytes
MD5 hash:	1D98BB52C2EEAC75F2E83E8B0B88459F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000017.00000002.1833064398.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe"
Imagebase:	0xfa0000
File size:	1'772'544 bytes
MD5 hash:	1D98BB52C2EEAC75F2E83E8B0B88459F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000018.00000002.1832482661.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000018.00000002.1832482661.000000000350C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 84%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Windows\addins\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	15:51:59
Start date:	29/08/2024
Path:	C:\Program Files (x86)\jDownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\jdownloader\UQXKdqQetSFpkBwLVgNixbuHXutP.exe"
Imagebase:	0xa30000
File size:	1'772'544 bytes
MD5 hash:	1D98BB52C2EEAC75F2E83E8B0B88459F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001B.00000002.1832916443.0000000012FBA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001B.00000002.1832421022.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	15:52:00
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	15:52:00
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	15:52:00
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Windows\tracing\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	15:52:00
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	15:52:00
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 8 /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	15:52:00
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	15:52:00
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 8 /tr "'C:\Recovery\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	15:52:00
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windows nt\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	15:52:00
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files (x86)\windows nt\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	15:52:00
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows nt\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	15:52:00
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutPU" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	15:52:00
Start date:	29/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UQXKdqQetSFpkBwLVgNixbuHXutP" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\UQXKdqQetSFpkBwLVgNixbuHXutP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFD9B8910AD Relevance: 9.0, Strings: 7, Instructions: 260COMMON

Download Yara Rule

Strings

., xrefs: 00007FFD9B8918D4
,, xrefs: 00007FFD9B891C72
[, xrefs: 00007FFD9B8911C7
", xrefs: 00007FFD9B891226
+, xrefs: 00007FFD9B8913B1
), xrefs: 00007FFD9B891C46
{, xrefs: 00007FFD9B891843

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID: "$)$+$,$.$[${
API String ID: 0-2462650134
Opcode ID: c814fb38da8d3bd1ca76e22405b3ca3c21f28b82cceac4f79b7e55d22d8680ef
Instruction ID: 53e915b1cdf06b1ae42c3690c1acf0e2a01c74edeb9066663eb1d7eb95290163
Opcode Fuzzy Hash: c814fb38da8d3bd1ca76e22405b3ca3c21f28b82cceac4f79b7e55d22d8680ef
Instruction Fuzzy Hash: 6EC19570E0962D9FEF68DF94D8647EDBAB2BB48305F0141A9D04EA7291CB785A84DF40

Function 00007FFD9B88CE7D Relevance: 1.7, Strings: 1, Instructions: 485COMMON

Download Yara Rule

Strings

uN_^M, xrefs: 00007FFD9B88CF22

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID: uN_^M
API String ID: 0-3345912790
Opcode ID: 924b205586ac537726ec1a08ca6de74812b01bd6674e35f9866d959d664a8f66
Instruction ID: ab2584f9dda65571ecb340253c72b1dfe840aa63c141681fbd52b7411ef5666f
Opcode Fuzzy Hash: 924b205586ac537726ec1a08ca6de74812b01bd6674e35f9866d959d664a8f66
Instruction Fuzzy Hash: 92F1E371A0E64E8FEF65ABA898296FD7BB0FF49310F0101BBD45DC21E2DE3866458741

Function 00007FFD9B882AF0 Relevance: .9, Instructions: 898COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbfa55410165359c3f4aeab4704d4c4c1dbbb05601af2244f8a9dc223aea4684
Instruction ID: a7a861462dbb4ee46aca1177019bba2491099a0abb99a13cea43953abcf20e70
Opcode Fuzzy Hash: fbfa55410165359c3f4aeab4704d4c4c1dbbb05601af2244f8a9dc223aea4684
Instruction Fuzzy Hash: A1628030A0AA4E9FDB95EF68C8696F97BF0FF19300F1105BAD419C71E6DA34A644CB41

Function 00007FFD9B88CF68 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b8337c272943ec479c33e790141eefe1148584d67b117a8f0bd40ed692bfa28
Instruction ID: 35169dff4df4122ce35acd84db233d7d8b1995030e64c99a6e3205b3f2640218
Opcode Fuzzy Hash: 7b8337c272943ec479c33e790141eefe1148584d67b117a8f0bd40ed692bfa28
Instruction Fuzzy Hash: 29D1B270A0AA4E8FEFA9DF6488696BA7FF0FF19340F0145BED419C71A2DA346644C741

Function 00007FFD9B88A94D Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97af916aa08f83bb7ba6f2d8ec5db9030109dc4ad138a21c2b8b148f504b8590
Instruction ID: 53cd547eda0fb7d5ab945e45e6839e202d3c25113d16a999104f537ab507be35
Opcode Fuzzy Hash: 97af916aa08f83bb7ba6f2d8ec5db9030109dc4ad138a21c2b8b148f504b8590
Instruction Fuzzy Hash: DAB1A130A0AA8E9FD756EB64C8696F97BF0FF09304F0645BBD419C70E6DA38A644C741

Function 00007FFD9B88CC20 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e883113870c74e4277bb21750b5af5f8aaeefbfebc435951daa5087a9e33e10
Instruction ID: e14c42b7b7930c13ca90edef8220ce3e837955517824988a7f195a85f2f00158
Opcode Fuzzy Hash: 2e883113870c74e4277bb21750b5af5f8aaeefbfebc435951daa5087a9e33e10
Instruction Fuzzy Hash: ABB18D70A1A64E8FDB95EF64C8686FA7BF0FF19304F0105BBD419C71A2DA34AA44CB41

Function 00007FFD9B88C9E0 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07697b755e2acce3c64cf887a8ea6b5b77c693b8b972f7876beb1f40e583742b
Instruction ID: fa3a0ff920d8c8cbc053e16a86175c988f5d7a0b720a27ccd04435b73767499b
Opcode Fuzzy Hash: 07697b755e2acce3c64cf887a8ea6b5b77c693b8b972f7876beb1f40e583742b
Instruction Fuzzy Hash: 34A1AE70A4A64E8FDB95EF68C869ABA3BF0FF19301F1104BBD419C71A1DB34A545CB40

Function 00007FFD9B892500 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be0e1f789c827810fa783ea138c3f6cb6a6fa9543304f373e2ac24b5dd3d9b5
Instruction ID: 91bd93bde984f0e34279eee20300a62145b4cb7fcf5116366ffd5197c7b499eb
Opcode Fuzzy Hash: 9be0e1f789c827810fa783ea138c3f6cb6a6fa9543304f373e2ac24b5dd3d9b5
Instruction Fuzzy Hash: 00817C30A1964D8FDB99DFA8C8696BA7BF0FF1D304F5205BED40AC71A1DA35A644CB40

Function 00007FFD9B88C9B8 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6be98abc88ac813e1f8491d5ef059cf208f3bc98b328a45f31f414898f18faf
Instruction ID: 65041adff60e0a7bd6e71e5466da6f431a60000dec920b136503295576e382ce
Opcode Fuzzy Hash: d6be98abc88ac813e1f8491d5ef059cf208f3bc98b328a45f31f414898f18faf
Instruction Fuzzy Hash: 7281CF70A0A64E8FDB55EFA4C8696FA7BB0FF59300F0145BBD419C71E6CA38A645C740

Function 00007FFD9B8835EA Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5afca32a0326cd61d33f73914640af9456059dd615be47fbde37606a2b8e2c93
Instruction ID: 86e2a9249f84e9be835b5338104510df1bc73b86ee4d72942c2fae051f2f54cb
Opcode Fuzzy Hash: 5afca32a0326cd61d33f73914640af9456059dd615be47fbde37606a2b8e2c93
Instruction Fuzzy Hash: D061B462A58D4D8FEB58DBACD8257AC7BE1FB99354F9001BAD01DC33CADBB414028741

Function 00007FFD9B88E702 Relevance: 3.8, Strings: 3, Instructions: 67COMMON

Download Yara Rule

Strings

{, xrefs: 00007FFD9B88FF84
k, xrefs: 00007FFD9B8900CD
h, xrefs: 00007FFD9B88E70F

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID: h$k${
API String ID: 0-848141867
Opcode ID: dbfba6c2bd5380c1a6cdc6a3499ab737bbc71129e4d11b32822bca3ec17710b6
Instruction ID: d28c6d1bddff5d7457e89b0bccb41cba68176df0b66e21844d264b8a7923b717
Opcode Fuzzy Hash: dbfba6c2bd5380c1a6cdc6a3499ab737bbc71129e4d11b32822bca3ec17710b6
Instruction Fuzzy Hash: 0B31C770E0962E8FEB79DF54C8A47EAB6B1AF59301F0141F9D04DA2290CB782E84CF45

Function 00007FFD9B88ECFE Relevance: 2.5, Strings: 2, Instructions: 45COMMON

Download Yara Rule

Strings

{, xrefs: 00007FFD9B88ED1D
<, xrefs: 00007FFD9B88ED2A

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID: <${
API String ID: 0-3826224372
Opcode ID: acfa63705d99ba4a975b3597a1ba930806514f869c8802931aab2fcc40e53f9d
Instruction ID: e4222ab9e47d54013cdeaeb69300bb69852a5e538b818c82d0a3755d61b76f1f
Opcode Fuzzy Hash: acfa63705d99ba4a975b3597a1ba930806514f869c8802931aab2fcc40e53f9d
Instruction Fuzzy Hash: 93112B70A0962ECFEB75DF54C8A47A9BBB2AF58701F1141E9D40D96291CB386BC0CF41

Function 00007FFD9B88C58F Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

{N_^, xrefs: 00007FFD9B88C901

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID: {N_^
API String ID: 0-1452172579
Opcode ID: 4d56ad0b4841914c5aa48f2a8ebf11034d0f628b97e1f3dbe6c7f89b7076cac5
Instruction ID: cbfb3a99a5a3ee6de6f8afb8490db4e2bcddcec7f4c1e93c043555c81cf628ee
Opcode Fuzzy Hash: 4d56ad0b4841914c5aa48f2a8ebf11034d0f628b97e1f3dbe6c7f89b7076cac5
Instruction Fuzzy Hash: D3C17230A4E68E8FDB66DB6488695F93BF0FF0A310F0605BBD458C71A6DA389644CB41

Function 00007FFD9B88C658 Relevance: 1.5, Strings: 1, Instructions: 286COMMON

Download Yara Rule

Strings

{N_^, xrefs: 00007FFD9B88C901

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID: {N_^
API String ID: 0-1452172579
Opcode ID: 40862fb0540f07b3c8f8a61ab62dac216a36a2bf4de4b5c0a18bf8c50db86f32
Instruction ID: 69df4837d73e480771c8f2ae4c0404e6c9afb9bb6e6f390c5197ab215630cdd6
Opcode Fuzzy Hash: 40862fb0540f07b3c8f8a61ab62dac216a36a2bf4de4b5c0a18bf8c50db86f32
Instruction Fuzzy Hash: 5BA14130A1A68E8FDB65EF6888685FA3BF0FF19300F0505BBD418C71A6DB749554CB41

Function 00007FFD9B88C925 Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

{{N, xrefs: 00007FFD9B88C93F

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID: {{N
API String ID: 0-777276013
Opcode ID: 2b84de1b646402fbd181eab45bd9192cd8bbc917ced70610bf70b76816c8ef51
Instruction ID: 7e15fc8cf304954f32beeec740554fa63a79634dc87115deafcc01590b1051ca
Opcode Fuzzy Hash: 2b84de1b646402fbd181eab45bd9192cd8bbc917ced70610bf70b76816c8ef51
Instruction Fuzzy Hash: BD911671A0D29E8FD755EFA8D8282FE3BA0FF49314F0501BBD448C61E6DA78A545C781

Function 00007FFD9B88C760 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

{N_^, xrefs: 00007FFD9B88C901

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID: {N_^
API String ID: 0-1452172579
Opcode ID: 416783b6a1d515c0fe2a2db9320588d3e5d0d65c4af014ae74e839dd05eb4e62
Instruction ID: e0f889022947db19a52d3c4f5e285c53555d6e7ddec8256841a7bcdea162733b
Opcode Fuzzy Hash: 416783b6a1d515c0fe2a2db9320588d3e5d0d65c4af014ae74e839dd05eb4e62
Instruction Fuzzy Hash: B781D131A09A4E8FDB55EB68D8685F93BF0FF19310F0504BBD459CB0AAEB34A545CB41

Function 00007FFD9B88C6D8 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

{N_^, xrefs: 00007FFD9B88C901

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID: {N_^
API String ID: 0-1452172579
Opcode ID: fab11026474a017c10afbed71c8444b7fb4430debc3185ac8109bba62140291b
Instruction ID: cdb3ddef137563d08a0e985a709b2efc7e6017ccae8bbeb30bde92141ce57665
Opcode Fuzzy Hash: fab11026474a017c10afbed71c8444b7fb4430debc3185ac8109bba62140291b
Instruction Fuzzy Hash: 96813F30A1A68E8FDB65EF6888686FA7BF0FF19310F0505BBD458C71A6DB349944CB41

Function 00007FFD9B88AF08 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

M_I, xrefs: 00007FFD9B895804

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID: M_I
API String ID: 0-1631496010
Opcode ID: 6308965016652f6a2792466a9be34fc23ccfd0872b2d44ef28271b1b4c6e774e
Instruction ID: b282ff0ae4740a3c2fb03be03edbc1b4002770313330b829c8cc2b968fbfb334
Opcode Fuzzy Hash: 6308965016652f6a2792466a9be34fc23ccfd0872b2d44ef28271b1b4c6e774e
Instruction Fuzzy Hash: C7611C62F0F7894FEB15A768AC651F97F90EF86324B4542FBD048CB0EBEC1555058341

Function 00007FFD9B88C758 Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

{N_^, xrefs: 00007FFD9B88C901

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID: {N_^
API String ID: 0-1452172579
Opcode ID: cc53633978345667dfe29537911689c7344c65d7838bbd9aad9a71dee3272329
Instruction ID: 02ef447afaebda47d40e272144bba2c0d011d78eb4990e15217490fd714698c4
Opcode Fuzzy Hash: cc53633978345667dfe29537911689c7344c65d7838bbd9aad9a71dee3272329
Instruction Fuzzy Hash: B0613130A1968E8FDBA5EF6888686FA7BF0FF19310F0505BBD418C71A6DB749944CB41

Function 00007FFD9B88C7D8 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

{N_^, xrefs: 00007FFD9B88C901

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID: {N_^
API String ID: 0-1452172579
Opcode ID: d03f7e3cddf3415b5df33fad182e1dc65f8c2dbfec8750612846ed5e42c47068
Instruction ID: f8ef3f2af3de94f545e3b15196c9368105c3fcfc8e6b77acd4ba4f24c796a082
Opcode Fuzzy Hash: d03f7e3cddf3415b5df33fad182e1dc65f8c2dbfec8750612846ed5e42c47068
Instruction Fuzzy Hash: 2B513E30A0964E8FDBA5EF6888686FA7BF0FF19300F0505BBD419D71A6DB349A44CB41

Function 00007FFD9B88C868 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

{N_^, xrefs: 00007FFD9B88C901

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID: {N_^
API String ID: 0-1452172579
Opcode ID: 6db29d1d56a9becd4a464d8a03fde9d27b992539bbdf1a487dced855aedbff65
Instruction ID: 41a14c3b34bd683e57847c4789dc9d22da5ebf38cd1d17b3b8444536ddbb3052
Opcode Fuzzy Hash: 6db29d1d56a9becd4a464d8a03fde9d27b992539bbdf1a487dced855aedbff65
Instruction Fuzzy Hash: F7414F30A0964E8FDB61EF68C8646FA7BF0FF19300F0505BBD418D71A6DB38AA448B51

Function 00007FFD9B88EAB2 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

B, xrefs: 00007FFD9B88EABF

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID: B
API String ID: 0-1255198513
Opcode ID: cc288ed34ed48e226d37236d81577d03edf890c1444a1f76dfdeaf2ea948302a
Instruction ID: 8927ae04efa0f2501be2fbc7000e2511503db657e4625a59b1d3dddfe71eb585
Opcode Fuzzy Hash: cc288ed34ed48e226d37236d81577d03edf890c1444a1f76dfdeaf2ea948302a
Instruction Fuzzy Hash: 97414D31E19A5D8FDBA8DB18DC557AAB3B1EF58302F4041FAD40DE3291DE346A828F40

Function 00007FFD9B88E79C Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

\, xrefs: 00007FFD9B88E78A

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: cfb2dfe13ce09c66bd18af06169c4823fe529d24e2b70f774bd2b647e51b0c8a
Instruction ID: efc78793a3486f83403c16a10bc89174630117c91cf95bdebf80bf7738ab9005
Opcode Fuzzy Hash: cfb2dfe13ce09c66bd18af06169c4823fe529d24e2b70f774bd2b647e51b0c8a
Instruction Fuzzy Hash: CA310D71E19A5E8FEB74DB58C864BAAB7B1FF58301F1041BAD00D97291DB346A818F41

Function 00007FFD9B8901D7 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

T, xrefs: 00007FFD9B8901F5

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID: T
API String ID: 0-3187964512
Opcode ID: 0ab24d17b97b552e7c7dfb62b69bcf59a025c69e3c874e33dd8d73b8bc852c84
Instruction ID: eb7c988bbb5fba6c821691c113398fb270684c2bbe6c529c29bd147c01d55994
Opcode Fuzzy Hash: 0ab24d17b97b552e7c7dfb62b69bcf59a025c69e3c874e33dd8d73b8bc852c84
Instruction Fuzzy Hash: 61F01C30A09A1ECFEB61DF14C8547EA77B1EB58701F1082A6C40DD2260DB346AC08F41

Function 00007FFD9B88AF9D Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ab518d6ba59f15b6b593492463a06b951916457581c031d9482cb58176f1c3
Instruction ID: 1747c02d15c128affefd9bf8728b21a7b249bbc3c4728579a83158a1b42d1652
Opcode Fuzzy Hash: 26ab518d6ba59f15b6b593492463a06b951916457581c031d9482cb58176f1c3
Instruction Fuzzy Hash: 9532C331A19A4E8FEB69DB6888647F8B7E1FF59300F0540BED02DC71E6DA386945CB41

Function 00007FFD9B88ADF8 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a423cde68332a76616f2537eaf5156c19932b31f6c33480ec195749753e9e2
Instruction ID: e0e73de7f4a1346d09e88cd03b805734cfe6d0c64b65ac3531773593495f7c30
Opcode Fuzzy Hash: c3a423cde68332a76616f2537eaf5156c19932b31f6c33480ec195749753e9e2
Instruction Fuzzy Hash: 22125F30E0964D8FDB95DFA8C8646BD7BB1FF59300F0101BAE419D72A6DB38AA44CB41

Function 00007FFD9B88DA40 Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87651ce4c4af03ba9ffe5db6df99db008d75dc20c880ab430728f6210b5dee4d
Instruction ID: 7a0c09e51f765208953f87fb373b54a65acd48b6910304d84c1b95cd63cff40d
Opcode Fuzzy Hash: 87651ce4c4af03ba9ffe5db6df99db008d75dc20c880ab430728f6210b5dee4d
Instruction Fuzzy Hash: 83024D71E19A5D8FEBA8EB98C8647B8B7B1FF58300F1441BED01DD32A6DA346941CB41

Function 00007FFD9B882C14 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362a1229ed1b8dc018502e736a6cbb0798339c70e5ece2018e0d9cfa847b3fdb
Instruction ID: 6f285338d811620657d3b4673eb989ababe673c36533702e702bc232c53849bb
Opcode Fuzzy Hash: 362a1229ed1b8dc018502e736a6cbb0798339c70e5ece2018e0d9cfa847b3fdb
Instruction Fuzzy Hash: ABD1A330E0AA4E8FE761EFA8C8686E97BE1FF19300F0545B6D418D71A6DB38A644C751

Function 00007FFD9B88DA38 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e833a65cb4e667a797430df9d9bde032280966bdbc354049615665b1b4270c
Instruction ID: 1a489fe572fab931dcd5a06695aea9208c2d9e335ff0d292d228556f54c7ccc7
Opcode Fuzzy Hash: 59e833a65cb4e667a797430df9d9bde032280966bdbc354049615665b1b4270c
Instruction Fuzzy Hash: B5E14D71E19A5E8FEBA8EB5888647B8B7B1FF58300F0541BED01DD72E6DA346940CB41

Function 00007FFD9B88CA4B Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37dda594dbedfd06842c6dc1812f0f8f5b43fa8420b1fa2718c1f4a715baa422
Instruction ID: 333b22fdcd91178aac672dc51d9b019da3f5192dbd58a1e0d75381167d1c88ad
Opcode Fuzzy Hash: 37dda594dbedfd06842c6dc1812f0f8f5b43fa8420b1fa2718c1f4a715baa422
Instruction Fuzzy Hash: 08C1FE71B09A1E8FEB65FBA8D8285FD77A0FF58320F11007BD01DD71A6DA3866458B50

Function 00007FFD9B890980 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3933446621ec890388d57bbecf64e7c010f32f388b9b41a8606041de1ddab6fc
Instruction ID: 0de3cfb3f4450d0df90a781f2b6541083cc3d01db30f202675289c8b599b83fa
Opcode Fuzzy Hash: 3933446621ec890388d57bbecf64e7c010f32f388b9b41a8606041de1ddab6fc
Instruction Fuzzy Hash: 28D11B30E1A65DCFDF68DB98C464ABCBBB2FF19705F110179D01DA72A2CA386981CB41

Function 00007FFD9B88DABA Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da05907e3781c89ed16e209cee120d0a4ad4710efdbc92b84d984aaec981c8d
Instruction ID: effd84d52cb5f9d511d2e2ea145aefd10c3f205a1f5eb56b63e4e70daf3c4b73
Opcode Fuzzy Hash: 5da05907e3781c89ed16e209cee120d0a4ad4710efdbc92b84d984aaec981c8d
Instruction Fuzzy Hash: E3C13E71E19A5E8FEBA8EB5888647B8B7B1FF58300F4401BED01DD32E6DA346941CB41

Function 00007FFD9B88BCCA Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa1d568079f91db623b860b64186357b358b13d0bfb0da2efd623b986d7ba0f
Instruction ID: 1578575974a35dde3ce24d42249ac686313947fb90b6973a8e4a8e36300c02f0
Opcode Fuzzy Hash: afa1d568079f91db623b860b64186357b358b13d0bfb0da2efd623b986d7ba0f
Instruction Fuzzy Hash: 05C15F30A0AA4E8FEB65DFA4C4686ED7BF1FF49300F01457AD419D71A2DA39A644CB41

Function 00007FFD9B882095 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d6882290b85901d7bdf3ccca0294cb08967d8e445a5b26292a7559e4705fc9
Instruction ID: 5369b4ca0dce370a014ccef9903f32f731f62490787881613c31d6409ed93b4d
Opcode Fuzzy Hash: 67d6882290b85901d7bdf3ccca0294cb08967d8e445a5b26292a7559e4705fc9
Instruction Fuzzy Hash: A8A10531E0EA5E4FEB75DFA488617B8B7A0EF49310F0641BAD06DC71E2DE386A458741

Function 00007FFD9B88C0B0 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 770b724aa9a00d53ee16f5e01efe679ad96cfb472701adcf8cacc2a7a890f46c
Instruction ID: 6e0af84e4cda99b4dfd6bcfc9f8cd5ab0ae666b417f7c56e7861f8e9089d1d63
Opcode Fuzzy Hash: 770b724aa9a00d53ee16f5e01efe679ad96cfb472701adcf8cacc2a7a890f46c
Instruction Fuzzy Hash: B6B1A330A1EA4E8FDB56EB64C8696F97BF0FF19300F0504BAD419C71A6DB39A644CB41

Function 00007FFD9B88300C Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829f9b3d08580a30464bf4e8adc55f42f34c4b27898ddff1e6a8bad9d0127acd
Instruction ID: 45252243fbaa3ed9fe8b189fddd44e6fe4d14234d6c87df951c8c1072ce0aec9
Opcode Fuzzy Hash: 829f9b3d08580a30464bf4e8adc55f42f34c4b27898ddff1e6a8bad9d0127acd
Instruction Fuzzy Hash: 32A1A330E1AA4E8FE761EBA4C8686ED7BF0FF49300F0545BAE019D71A6DE38A544C741

Function 00007FFD9B881648 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009818e93b85402dfb917edff8d56e925f3bb7ff13bd4a8ebe4735f116f1a711
Instruction ID: 35941cbbc681a8163a4493d08536015da292f3a55a4f396669d7341104c7a094
Opcode Fuzzy Hash: 009818e93b85402dfb917edff8d56e925f3bb7ff13bd4a8ebe4735f116f1a711
Instruction Fuzzy Hash: 0B81AF31B09E494BDB59EF5C88A15A977E2FF9C300B15456AE4ADC32A2DE34AD028781

Function 00007FFD9B890D3D Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8417b7bc60245eadbc7535e17f538e5bcb8de8859ab6a83f306eaefa5f9ce2a
Instruction ID: 192ed55e0a6ae7b50c6c52529a68b799de7f1d66837855df75bb82cbd2539b8b
Opcode Fuzzy Hash: f8417b7bc60245eadbc7535e17f538e5bcb8de8859ab6a83f306eaefa5f9ce2a
Instruction Fuzzy Hash: DA917030A1E78E8FEB65DF6488656EA3FF0FF19300F0505BAD858C61A6DB38A654C741

Function 00007FFD9B88CA35 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618d69ba95fdaf81ff66f5559ada20c8ba3b96605442d40c72c58deb65c27f0b
Instruction ID: 430887e9517bf5721d1892a3bd53fa80234092876b6aa56faf0b6f9bcd16e0cf
Opcode Fuzzy Hash: 618d69ba95fdaf81ff66f5559ada20c8ba3b96605442d40c72c58deb65c27f0b
Instruction Fuzzy Hash: 29919C30A0964E8FEB65EF64C8696FA7BF0FF59300F4106BBD409C71A2DA34A644C740

Function 00007FFD9B88C068 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffdda77eade3a36f906a5af614040a3c2c74c29d7f8fdf3d899bacd7db3298a
Instruction ID: 3e45206c2691e4ec78f884aaffccac397ad7bcde320530444ceee1c558512045
Opcode Fuzzy Hash: 9ffdda77eade3a36f906a5af614040a3c2c74c29d7f8fdf3d899bacd7db3298a
Instruction Fuzzy Hash: D591823095E78E8FD7669B7488692E97FB0FF0A300F0605BBD458C71E6DA389644CB41

Function 00007FFD9B882950 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 380bff2d284c6c7544b15dc4d2f36f55874326819d487373a64d8a91b4fc575d
Instruction ID: 6e46b8535cda80b19b1183cf47f6499ceec7ea7d17f466aa2a9c9e25fcf4d4e7
Opcode Fuzzy Hash: 380bff2d284c6c7544b15dc4d2f36f55874326819d487373a64d8a91b4fc575d
Instruction Fuzzy Hash: F291D134E0A25E8FEB66ABA8D8642FD7FB0EF09314F0504BBD419D61E2DB386644C741

Function 00007FFD9B88335F Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f523601bfc7dd0b4355184f44c37645ae45c761505e6da8965bfd457fd5f5463
Instruction ID: 8d2bf8375259e602cf01ac71c377380100edac00085e544e5d0340a0cc8a9f8d
Opcode Fuzzy Hash: f523601bfc7dd0b4355184f44c37645ae45c761505e6da8965bfd457fd5f5463
Instruction Fuzzy Hash: 87818230A0EA8E8FDB56DB74C8686B97BF0FF1A304F0505BED429C71A2DA39A545C701

Function 00007FFD9B8BF8F0 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9786dcc46e9115e21caad789ecd839bde273cb7be71c96da987ffc62319785f
Instruction ID: 221e0ab1db7b476a76a037a53f65c06a99af3ff4f3b3ee064a8b825322e45a08
Opcode Fuzzy Hash: e9786dcc46e9115e21caad789ecd839bde273cb7be71c96da987ffc62319785f
Instruction Fuzzy Hash: 97819E30E1E65E8FDB65DB7488696FA7BF0FF19304F0105BAD409C71A6DA38A644CB81

Function 00007FFD9B890DD9 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b045a675d36c3c5e3bee52d77c385f7387b505cbc4540d4ec3551008d04d45d
Instruction ID: 728653dcea31df5916e528e1cd4794e10d043432bb68d9b30d9ea8db4efb2662
Opcode Fuzzy Hash: 0b045a675d36c3c5e3bee52d77c385f7387b505cbc4540d4ec3551008d04d45d
Instruction Fuzzy Hash: 97717030A1E78E8FEB65DF6488696EE7BF0FF19304F0505BAD818C61A2DB389654C741

Function 00007FFD9B88E470 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5c7bd5fea29bf02705c9d670e9834a446600aa964e6ea137c9a4aba61c785f
Instruction ID: 8555b7a7b86ea77d13c4882a724f838b47b3c581026b482d97f877b10b4f4226
Opcode Fuzzy Hash: 9e5c7bd5fea29bf02705c9d670e9834a446600aa964e6ea137c9a4aba61c785f
Instruction Fuzzy Hash: A371E230A0AA4E8FDB55EF64C8695FA3BF1FF19305F0105BAD429C71A6DB38A644C741

Function 00007FFD9B88E3F8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1025601f5872b074f20aa7027e8b4465b558d3cbd1d6917bdb6a6bd7eb79afc8
Instruction ID: cbe87c7c0cca0ba10f65fa91d606f97dd128b04fcacbaa77a5aff78bef3df130
Opcode Fuzzy Hash: 1025601f5872b074f20aa7027e8b4465b558d3cbd1d6917bdb6a6bd7eb79afc8
Instruction Fuzzy Hash: 1171B07090E7CA8FD7568F7488256A93FF0FF0A201F0905EBD498CA5E3DA38A555C752

Function 00007FFD9B8961C0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a64c2aec6144c4bacd16a4aa95d232d5d8683a6f3a9bee2f2d3689b6a44137c
Instruction ID: e2269727f6ff4dec6dde4aa5d0ea2b1df02c7b0e00ba30df57877898f10c0b9a
Opcode Fuzzy Hash: 5a64c2aec6144c4bacd16a4aa95d232d5d8683a6f3a9bee2f2d3689b6a44137c
Instruction Fuzzy Hash: BC713D70E0A64E8FEF659BA488696BDBBB0FF59340F01017AD41DD31A2DF786A44CB01

Function 00007FFD9B88AC88 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298e01e7d4771f6f3bd345f2588ad628f79eb6a25a024393f073daffadde6b22
Instruction ID: df0740040fe049b9352bd5923a36d3c1c2ed8c1816e390e4b0f089f4785183bb
Opcode Fuzzy Hash: 298e01e7d4771f6f3bd345f2588ad628f79eb6a25a024393f073daffadde6b22
Instruction Fuzzy Hash: 84619630A5A68E8FDB59DFA4C8655FE3BF0FF09314F01057AE419D21A1DB38A654CB81

Function 00007FFD9B8829A0 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23a4b01bfeda03ada15cee3d0da8f7b9843eff7a01985f28f6d75b8fac3088a
Instruction ID: faa5d1812f4d9c370a468ddc974352798024773f6ed140f8af7db3c02763b8d8
Opcode Fuzzy Hash: e23a4b01bfeda03ada15cee3d0da8f7b9843eff7a01985f28f6d75b8fac3088a
Instruction Fuzzy Hash: F1618E34A0A64E8FEB96EB78C8696F97BE0EF19314F0504BBD419C71A6DF34A644C701

Function 00007FFD9B88C118 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3815954c433af7057f2c990f9e3986521314655f135450d9641ac91a90bbad0
Instruction ID: 3dbe3047b40304396deab340c7a83b8c322c935a6d47398cea2646c5f836b62e
Opcode Fuzzy Hash: d3815954c433af7057f2c990f9e3986521314655f135450d9641ac91a90bbad0
Instruction Fuzzy Hash: D7717530A5EB8E8FDB669F6488692F97BB0FF09304F0505BBD418C61E6DB389644CB41

Function 00007FFD9B88AF90 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c957d7743ecafb14382d37dce45ba60b10e32a7ff3b6a87178034dd1489c682
Instruction ID: ec45ae505e8a8bf46513ea14e4cc7be870465a04e05140ee51c1c7374d75470e
Opcode Fuzzy Hash: 0c957d7743ecafb14382d37dce45ba60b10e32a7ff3b6a87178034dd1489c682
Instruction Fuzzy Hash: 16718630A1EA8E8FDB66DF6488692F97BB0FF09304F4505BBD419C61E6DB389644CB41

Function 00007FFD9B881C7D Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f54ebb085311519ee49e56be75ff08ca3fbb4f64c4594900a579eefe1815ee8b
Instruction ID: 45f388d2105a403342f288f1557e119f111a2ca14c101a282396d86af31eab9d
Opcode Fuzzy Hash: f54ebb085311519ee49e56be75ff08ca3fbb4f64c4594900a579eefe1815ee8b
Instruction Fuzzy Hash: DE51C131B09B494FDB59DF5888A15BA77E2FFDC300B15467ED46AC7292DE34E8028781

Function 00007FFD9B88D703 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec1d0793493be5a91ddb6fd6d97a7ea7d0e5131f6c3075dd585b75803cadf69
Instruction ID: d6f921af0948ed2b687d762493da34c7fdb447170e674e535e1569c152941430
Opcode Fuzzy Hash: 5ec1d0793493be5a91ddb6fd6d97a7ea7d0e5131f6c3075dd585b75803cadf69
Instruction Fuzzy Hash: 8C618F30A0E78E8FEB669B6488286F97BB0FF0A314F0505BFD469C61E2DB785654C741

Function 00007FFD9B880610 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70c5ae16bc53edf3b3a90a05587ee2b8ac03ede53ec70b60f73e81148600358
Instruction ID: 00f0e228fb966f6dcfbaaf142a218c0100f8cd5f8a2b5b8415271d381bd0d48e
Opcode Fuzzy Hash: e70c5ae16bc53edf3b3a90a05587ee2b8ac03ede53ec70b60f73e81148600358
Instruction Fuzzy Hash: 69515735B0965A8FD31ABF78E8645E937A0FF85324B0545BBC099CA0E7DE38A449C750

Function 00007FFD9B88AC90 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a6f7020c81bf6e271043fc456a5973891b6ad62de1945d758077cba6ca36465
Instruction ID: 6f9069fd3899ee588f9bdd16f8ce871b9d80a462647ab90902dc7ce50b100ae0
Opcode Fuzzy Hash: 5a6f7020c81bf6e271043fc456a5973891b6ad62de1945d758077cba6ca36465
Instruction Fuzzy Hash: 9E518330A1A68E8FDB59DFA4C8255FA3BE0FF19314F01057AE419D21A1DB38A6548B81

Function 00007FFD9B88C9E8 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cfd98f64fbbcc9e2fd08c8034f41f8a33955097a4cf77f80cfcf83f95a4ba0
Instruction ID: 77c9b4f76dc38438b7ea2aca531e283453cd4aa6adefad29f49be17bc0aa2cb6
Opcode Fuzzy Hash: 35cfd98f64fbbcc9e2fd08c8034f41f8a33955097a4cf77f80cfcf83f95a4ba0
Instruction Fuzzy Hash: 4251827094A68E8FDB95EF64C8695FA3BF0FF19301F0105BBD818C21A1DB389555C741

Function 00007FFD9B88CA28 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59fe49b23b4da5776f65f2158d252614e4a3337f3993e8745c5b9f453901d9c5
Instruction ID: 640121cc010335a49117a03c84de9f5d2bd31d69d680344989858b5e0f648074
Opcode Fuzzy Hash: 59fe49b23b4da5776f65f2158d252614e4a3337f3993e8745c5b9f453901d9c5
Instruction Fuzzy Hash: B2519230A0AA4E8FDB65AF64C8286FD7BB0FF09314F0105BED429D61E2DB386654C741

Function 00007FFD9B88A728 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5338fb175817a7b2d7b0e9e1fc026fea66c3f4735fb1118f1a221896bb85bb6a
Instruction ID: 2269b5b3e33e782d3c1a9ce13e37d49073874363daf681e111c29a51a10dc9f3
Opcode Fuzzy Hash: 5338fb175817a7b2d7b0e9e1fc026fea66c3f4735fb1118f1a221896bb85bb6a
Instruction Fuzzy Hash: EA51B330E1EA8E9FEB65AFA498255FD7BF0FF09300F0105BAD458C21E2DA38A644C751

Function 00007FFD9B882D79 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8503dfcbc658fe01de1de91e595b107b7dce55b169160bba6311d76c1346a6
Instruction ID: 5296b5e5287688a311280525a8c8f957644913c94063f3deb6634adf4eec35c2
Opcode Fuzzy Hash: 0b8503dfcbc658fe01de1de91e595b107b7dce55b169160bba6311d76c1346a6
Instruction Fuzzy Hash: 99519430A1E64E8FE7619FF488296FA7BF0EF0A314F0505B6D418D60E2DB78A648C751

Function 00007FFD9B88C9D5 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ff2cc8249ef295ab881abdac3fc5a78b995fdf4b0978f2611ebd3d53f0e5df
Instruction ID: f52b85919fbc9a5db8bad6eb722423bd417f86dc9f392671fa65458dcfb63401
Opcode Fuzzy Hash: 81ff2cc8249ef295ab881abdac3fc5a78b995fdf4b0978f2611ebd3d53f0e5df
Instruction Fuzzy Hash: 41518670A0E68E8FDB55EFA488252FA7BE0FF59304F01457BD818C21E5DB78A654C781

Function 00007FFD9B88CA30 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b5572779ce8ed9456b16d528cb1beb1bab3a661a136d74ec079156f1676c96
Instruction ID: c2d54fd0de75a51a1e7272d03b909ad67525ca638064c85f60212567b06b417e
Opcode Fuzzy Hash: 43b5572779ce8ed9456b16d528cb1beb1bab3a661a136d74ec079156f1676c96
Instruction Fuzzy Hash: 7D518F30A09A4E8FDB65EF64C8686F97BF0FF09314F1104BED429D71A6DA38A644C751

Function 00007FFD9B88CA9D Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a950b7480d8027e1ace32ac6891e6125d7cbc71c6c3da1efe266ccf88465a550
Instruction ID: f8d58e8b9a29b1c15f7c01980c95e1ce75eb735b0c61899c5f33d5a3fe99d733
Opcode Fuzzy Hash: a950b7480d8027e1ace32ac6891e6125d7cbc71c6c3da1efe266ccf88465a550
Instruction Fuzzy Hash: E4510531B0D65A8FD726ABA8A8384FD7BB0EF09324F0501B7D019DA0E7DA3865858791

Function 00007FFD9B88C198 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c9ba35db4732d763d9c2b544ba1b0ab2dd2e0a535199fca3f7be64b57711ff
Instruction ID: f44ae716700e9bde94ea4a91f5418db5ce54fb856e8300120d513e4e02e0fafb
Opcode Fuzzy Hash: 12c9ba35db4732d763d9c2b544ba1b0ab2dd2e0a535199fca3f7be64b57711ff
Instruction Fuzzy Hash: E751983095EA8E8FEB659F6488692F97BF0FF19300F0505BBD418C61E6DB789644CB41

Function 00007FFD9B88C1A0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12f1d9dac1380efe0da00428f9936a404b4bdbb114c6475066ec66eba696414
Instruction ID: 648e8d2fd4eb17be3bbb7c02f8d1c83b8c6bdd8ab670155bf915c3182323ac85
Opcode Fuzzy Hash: d12f1d9dac1380efe0da00428f9936a404b4bdbb114c6475066ec66eba696414
Instruction Fuzzy Hash: 6F51853091EA8E8FEB659FA488292F97BF0FF09304F0505BBD428C61E6DB785644CB41

Function 00007FFD9B88275D Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44779010c6008ef521d26587b07cc7ad0f80ac4a6aefdd5219b1fce7d405a05
Instruction ID: 9d4787c29785293ca7c1dad4c76d35099220cf372314246b3ca83e7a50abb1c7
Opcode Fuzzy Hash: f44779010c6008ef521d26587b07cc7ad0f80ac4a6aefdd5219b1fce7d405a05
Instruction Fuzzy Hash: E241493670D6568BD31ABF7CE8645E83B60FF85324B0545B7C098CA0E7DE38644A8351

Function 00007FFD9B88C91D Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf59e5a972a2c91bca01c2a5d7be4f3f00ca98294cdd1feb411f6dce84266c5
Instruction ID: 3feffa92c856e926c077d804219f840394e223b0ea430147bac15ba572249ef9
Opcode Fuzzy Hash: baf59e5a972a2c91bca01c2a5d7be4f3f00ca98294cdd1feb411f6dce84266c5
Instruction Fuzzy Hash: 8C510D70A0991D8FDBA4EBA8C8657FDB7B1FF58301F1141BAD00DE3295DE346A858B40

Function 00007FFD9B8811AD Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc89ebcc371215d4ca9bd8306d782459a90f6196883e3d4c313bf80a3bbc23a9
Instruction ID: 552116ce463d78d22aeae23aaf53fe1b921fb38a51810d9f884adcbc5c2bf00b
Opcode Fuzzy Hash: cc89ebcc371215d4ca9bd8306d782459a90f6196883e3d4c313bf80a3bbc23a9
Instruction Fuzzy Hash: 5B51A130A0AA4E4FEB95EBA8C8656F97BE0FF5D310F0500BAD02AD71E2DF3569448740

Function 00007FFD9B881AC5 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05fb033061a68f515955c241f6e6a88f65652c949a8a699011b4254871513e9a
Instruction ID: d75ff2c32c362eeba1292653da9edd03e41f92ae4d6ce2d5ba48c75f03ad2f05
Opcode Fuzzy Hash: 05fb033061a68f515955c241f6e6a88f65652c949a8a699011b4254871513e9a
Instruction Fuzzy Hash: 6B41C631A5EB8D4FDB66AB6488655E93FA0FF0E300F0501BED458C60E2EA79A654C741

Function 00007FFD9B88C9FD Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ac3d8b411a2dc7c4afcd5ad62e18cac7cce29593a94d0babced8a655ecbd76
Instruction ID: f0387467aef7017b1f7d77df433c3412fb606ea66d687dbf7090cf0e9d605c61
Opcode Fuzzy Hash: e3ac3d8b411a2dc7c4afcd5ad62e18cac7cce29593a94d0babced8a655ecbd76
Instruction Fuzzy Hash: B641E031A1AA4E8FDB659F64C8292FD3BB0FF09310F05057ED429D71A2EB386614CB41

Function 00007FFD9B880500 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8888503f9202f755f3ab93d3a9546927d64d9226e3b4da5de2eb8da0bffe6716
Instruction ID: 5d4bc3d2dc06d1fd521fe7511b0dbce6819503c9c20b69c80cc4ea0c8f2edf6b
Opcode Fuzzy Hash: 8888503f9202f755f3ab93d3a9546927d64d9226e3b4da5de2eb8da0bffe6716
Instruction Fuzzy Hash: 9A416130A19A4E8FD756EFA4C8685A93BF0FF19304F4544BAD419C71B6DA38A654CB01

Function 00007FFD9B88C208 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d21154f1e92c820000561e789c0a2497c01bbe6f24f50c23cd1748e1778df17
Instruction ID: 2261d5f2dc31e97582b6efc62128ed3a6a1e9aba33f104d6a4143f5e87b64c47
Opcode Fuzzy Hash: 1d21154f1e92c820000561e789c0a2497c01bbe6f24f50c23cd1748e1778df17
Instruction Fuzzy Hash: 7241733090EA8E8FEB65DFA488292F97BB0FF19300F0505BBD429D61E6DB785644CB41

Function 00007FFD9B8830B0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86c702d2c21f93a90c33bfb9639db59b81720950e2564163aec3b0b3a613a86
Instruction ID: b25d28ec9873f36da6b47b8da74dd7cc2cadad57fbe4602417e252851da59846
Opcode Fuzzy Hash: e86c702d2c21f93a90c33bfb9639db59b81720950e2564163aec3b0b3a613a86
Instruction Fuzzy Hash: 8141A130A5EA4E8FE7669BA4C8256FD7BF0EF49300F41057AE419D61E2DF38AA44C741

Function 00007FFD9B88AF88 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e19fc5e0e07ee6eb5b6d8b532080101d3b59df7cef85146d41d7919c0262bf6
Instruction ID: 6962c013e66a1c7ccf55a1c81c0f38e8aa62c8f0b71ac284aa7a2d41a6ea7fad
Opcode Fuzzy Hash: 9e19fc5e0e07ee6eb5b6d8b532080101d3b59df7cef85146d41d7919c0262bf6
Instruction Fuzzy Hash: 96417130A0EA4E8FEB65DFA488282F97BB0FF09304F0505BBD429D61E6DB385644CB41

Function 00007FFD9B890EF9 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14749a91eda1c28f1119b83440d9721a9942bd6b0e93695499d506163ee53d12
Instruction ID: 2e9ed5aeb0637d1b0ca55437f82e2b5a073cdf76f70b86e797bed5472d968eb0
Opcode Fuzzy Hash: 14749a91eda1c28f1119b83440d9721a9942bd6b0e93695499d506163ee53d12
Instruction Fuzzy Hash: 6F417230A1D68E8FEB65EF6488296FA7BF0FF19304F05057AD418C71A1DB385654C741

Function 00007FFD9B88C9F0 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f43cf391baf67f90a107e0590d8b9a97582623192ab48ec9e1ba74257deebb
Instruction ID: 23bd9502a3460dc0e2733737bafa228d07e99739606814f59d6ebf8bb6cb3d78
Opcode Fuzzy Hash: d6f43cf391baf67f90a107e0590d8b9a97582623192ab48ec9e1ba74257deebb
Instruction Fuzzy Hash: 3841937094A68E8FDBA5EF64C8695FA3BE0FF19301F0105BBE809C21A1DB38A555C741

Function 00007FFD9B88A7B8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d84e613496b6e498aecdfa87efb9516503cbc3c1cd631a6813d313e27e2fca7
Instruction ID: 749f8aa332e3977c9bba0576c511e101d664a2dd3cf9bf421c242f3b788e2fb3
Opcode Fuzzy Hash: 2d84e613496b6e498aecdfa87efb9516503cbc3c1cd631a6813d313e27e2fca7
Instruction Fuzzy Hash: 19419631E5FA8D9FDB65ABA498255FD7BF0FF09300F0605BAD418C21E2EE3866458711

Function 00007FFD9B882E08 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95919a927b5d71b586db0df3aab7d52575722e12c552d9ae7d0187a595a4ee57
Instruction ID: 3b18e676f3307fd1e499bd2e9a67de996c1f81bd3bc23dc15b38c290e8cee722
Opcode Fuzzy Hash: 95919a927b5d71b586db0df3aab7d52575722e12c552d9ae7d0187a595a4ee57
Instruction Fuzzy Hash: 8A418170E1E64E8BE7229FF488252FA7BE0EF49314F0605B6D418D61E2DB78A614C751

Function 00007FFD9B8811C0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77bd8bb99381115d2b1d051f681b1e94822ddc5ca6f3dc170e9ea9cb67678555
Instruction ID: 6201f9b8c4e122e4f99da8a2fc08de069208f58031c88eacbc9c27f035c95591
Opcode Fuzzy Hash: 77bd8bb99381115d2b1d051f681b1e94822ddc5ca6f3dc170e9ea9cb67678555
Instruction Fuzzy Hash: 7B31A231A1EA9E4FEBA5EBA888246F977E0FF5D310F05017AD029D71E2DF3869048741

Function 00007FFD9B88C407 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03dad9bc8206e337dcc90aa982c260caa4615942e52791ae1711487c8707172
Instruction ID: 2e8dbf9e89c8c030c0b2654f66d5453f7c4e7bc0d898362744965dd0fcf5b0e3
Opcode Fuzzy Hash: e03dad9bc8206e337dcc90aa982c260caa4615942e52791ae1711487c8707172
Instruction Fuzzy Hash: D431E570E19D1D9FEBA4EB98C8A96BCB7B1FF58300F515039D01DE32A6DE3469818B40

Function 00007FFD9B88D7A8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5d03ad81ab08736c87d84951f26be96a565b6f37617ca375ece41ae5231a60
Instruction ID: 60a95ecba6bcecaa94364982fcef2d22feff36ec4558033cf0fa81629ea76179
Opcode Fuzzy Hash: 3c5d03ad81ab08736c87d84951f26be96a565b6f37617ca375ece41ae5231a60
Instruction Fuzzy Hash: BA418130A0EA4E8FDB659F6888286FD7BB0FF09314F0105BED429D61E6DB785654C741

Function 00007FFD9B88E4F8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f3d66e703f2d1231e83f39eaa33c9833c83f321c4e5f86c0ee47a0593c729f
Instruction ID: 104e1bc24a6d060ffd78a47d0b8865f202669afa335bb4001b9514168af21263
Opcode Fuzzy Hash: 92f3d66e703f2d1231e83f39eaa33c9833c83f321c4e5f86c0ee47a0593c729f
Instruction Fuzzy Hash: D8419330E1EA8E8FD766DF6488251F93BB0FF09301F0505BAD868C65E6EB38A654C741

Function 00007FFD9B8825FD Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8452303170ff1e06e4d29470564c481808843bc7f44477f246c387febb9b423
Instruction ID: 0add82ef7d98d62a9bba6333aeac3063a57145f82506f2bdbd0d8b1889707bc8
Opcode Fuzzy Hash: a8452303170ff1e06e4d29470564c481808843bc7f44477f246c387febb9b423
Instruction Fuzzy Hash: 68316F3091E7CD8FD766DFA488686A53FF0FF1A204F0544FAD458C60A2DB38A658C741

Function 00007FFD9B88C3AC Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9b3e51119a40abbf5a2f4f9e2bd63e64a8ff6728d79c835b77836358e99d0a
Instruction ID: 85b9b6b8975fb5bf5d7b3d9603a1a1050923ef5b203bb4e8ec3a509a7ac3252a
Opcode Fuzzy Hash: 6f9b3e51119a40abbf5a2f4f9e2bd63e64a8ff6728d79c835b77836358e99d0a
Instruction Fuzzy Hash: 7631C470E19D1D9FEBA4EB98C8A5ABCB7B1FF58300F515039D01DE3296DE3469819B40

Function 00007FFD9B88E822 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9210a8e22381ed8bc072c8e2d25ee3fd2367cc9b8df7659339122feb4803c197
Instruction ID: c43c40e44f1f773cb58ef2dc69d36d8cd3ed3f691f3e54aa4f4b833c0a6c7878
Opcode Fuzzy Hash: 9210a8e22381ed8bc072c8e2d25ee3fd2367cc9b8df7659339122feb4803c197
Instruction Fuzzy Hash: 9E413E71E19A5D8FDBA8DB189C557A9B3B1EF58302F5141EAD41DE3291DE3029828F40

Function 00007FFD9B88A828 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0736594d2e63f92986b1cf8909e8e7c6907734750fa1727fcd37256ade8c9db9
Instruction ID: 67b56c8df1029feb5ae7cf911eda264807998435c5984af875d30cbd7cf129be
Opcode Fuzzy Hash: 0736594d2e63f92986b1cf8909e8e7c6907734750fa1727fcd37256ade8c9db9
Instruction Fuzzy Hash: AA219331E1EA4D9BEB65ABA4A8356FD77E0FF49300F06047AE419D21E2EE3866048711

Function 00007FFD9B88C9F5 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ed1fbfef2141dbbb7ed1bcc101f4c7ef977af2d32a137c3beabe2db9f23e08
Instruction ID: 7b00895bfdf35bffce57a26c3f46183bcfe3417deabc4ad9e81a77016683d20c
Opcode Fuzzy Hash: 32ed1fbfef2141dbbb7ed1bcc101f4c7ef977af2d32a137c3beabe2db9f23e08
Instruction Fuzzy Hash: 6A218070A4A64ECFDBA5EF68C8596FA7BE0FF18305F11057BE818C21A0DB34A6518781

Function 00007FFD9B88CB7B Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d47e30cc843c2b6fdcea8e488f5ab689594f2e557a9b99222535b5ae8032f12
Instruction ID: 0f3b8146c30417740052a45a2c9f462366d90b86f31282daddbc8bcff6b0a5b1
Opcode Fuzzy Hash: 0d47e30cc843c2b6fdcea8e488f5ab689594f2e557a9b99222535b5ae8032f12
Instruction Fuzzy Hash: 1B21B430A0E68E8FDB52EB64D8655FE7BF0EF0A314F0504BBD419D71A2DA386944C791

Function 00007FFD9B88ADE8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2128fa571660e09632aec8fff26cfd75777900ab89d6c6cbba6060460637f3
Instruction ID: e4154426462f682ae818b4e4b46009a56d280bf8e8237da26de46830bde46def
Opcode Fuzzy Hash: 4f2128fa571660e09632aec8fff26cfd75777900ab89d6c6cbba6060460637f3
Instruction Fuzzy Hash: 0B21A530A0E78E8FEB65EB6488256FA7BE1FF19300F02057AD419C31E1DB38AA148741

Function 00007FFD9B88CC10 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f7ef06ee3243bb6afc4b7f04b016fa515368e48e0e8c4a514dca61d626d001
Instruction ID: 8809afae28679604812341263a387a9222a773517a20d59c595ae544da666567
Opcode Fuzzy Hash: 58f7ef06ee3243bb6afc4b7f04b016fa515368e48e0e8c4a514dca61d626d001
Instruction Fuzzy Hash: 89218430E1A65E8FEB619BB48C286FA77F0FF19304F014576D419D21A5EF38A648CB81

Function 00007FFD9B884CAC Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7fdc78b1e4d657c534ae443f07d1e77c2308266642824860874615a2eb40b2
Instruction ID: 57d6c50e3ac51cb5b1c66db8f64280b6b787290ccf7b0600e3e1610eab7c88ff
Opcode Fuzzy Hash: ee7fdc78b1e4d657c534ae443f07d1e77c2308266642824860874615a2eb40b2
Instruction Fuzzy Hash: 44316D74E0591D8FDB64DB54C8A0BE9B3B2FF98301F1185E9C01DA7295CA34AAC4DF50

Function 00007FFD9B880A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1057fbda92fc23b74e7a11b590e708d1fbcd34fd21d446ac8344e7ad2df070
Instruction ID: c2b46aa128723fd8d80a0d52ade8cba6b3b5138c5ad7d67f5c9cda20a25c51bd
Opcode Fuzzy Hash: db1057fbda92fc23b74e7a11b590e708d1fbcd34fd21d446ac8344e7ad2df070
Instruction Fuzzy Hash: 3211C431E2A90E4FE7A0EBA8C8595BD77E0FF58710F4145B6D42DC71A6EE34A6418740

Function 00007FFD9B8805F0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0bbc0c1dac03eeddf378f3a30d9bae20e9a4159f3c7a96b0b366b29b60f038
Instruction ID: 075eb2b9fc1f3d6b018b0a7f47a94d4136c2b9f89b770a0137f3a929f4eac9cb
Opcode Fuzzy Hash: db0bbc0c1dac03eeddf378f3a30d9bae20e9a4159f3c7a96b0b366b29b60f038
Instruction Fuzzy Hash: 44218130A0AA8E8FEB69AF6488255FA37A0FF0D304F41457ED82DC21A1DE35A654C741

Function 00007FFD9B881F49 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8be11627fdbf4288d10829a1a0ad2c2d9665c1a98b92d12226134c91bc66723
Instruction ID: e6fb7dfeaf9bcf6bdf01030964ff872b29a2adae1897487f1339a2e89d8b5957
Opcode Fuzzy Hash: d8be11627fdbf4288d10829a1a0ad2c2d9665c1a98b92d12226134c91bc66723
Instruction Fuzzy Hash: E711511164FAC65FDB6367B948744656F945F0B224B2E46FBD0E8CA0E3DE28594AC302

Function 00007FFD9B8804F8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e77c48a558e6ccb9ee17471118acc22d14f0d605894f300a7b47c09e35f3c96
Instruction ID: 7e17c3c7c5fc5771bec6b30e932578491f3648632033e3f8ebe89c3b80169b5f
Opcode Fuzzy Hash: 9e77c48a558e6ccb9ee17471118acc22d14f0d605894f300a7b47c09e35f3c96
Instruction Fuzzy Hash: 5711363091EA8E8FD766EFA4C8291F93BE0FF19304F4504BAD429C61E5DA38A654C741

Function 00007FFD9B88A898 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ecff4755967651c929e6804fe8ed30fcfcfd50086606763fc3637eec1ee9b6
Instruction ID: 2d7c1eabd84ac0886b352281c2ac6fcd4b2942cc3798429fcf5e7fa816c0c950
Opcode Fuzzy Hash: 40ecff4755967651c929e6804fe8ed30fcfcfd50086606763fc3637eec1ee9b6
Instruction Fuzzy Hash: FC114231E1AA5D9BDF59EFE4E8216FCB7A1FF48310F01457AE419E31D2DE3826418611

Function 00007FFD9B88C5E0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317a99905e197ecbc059f57201b51e7930b7939b65cff70593b1d02ee0c58b4f
Instruction ID: 40f44761acb839f01833df519b493f03ed749ed8956ac217e7a55a4e6ecc8bfe
Opcode Fuzzy Hash: 317a99905e197ecbc059f57201b51e7930b7939b65cff70593b1d02ee0c58b4f
Instruction Fuzzy Hash: FE118C30A0AA8E8FDB95EF64C8685B97BB0FF19304F1114BFD429C71A6DA34A544CB01

Function 00007FFD9B890F90 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf84097f780ce7ae37327bd51a094ac9fa980a9a66422d51ab989fd676a705e
Instruction ID: e20e888e5098d822a5728756508aa59ea1954155e4579e4aace7f0f9113b9e43
Opcode Fuzzy Hash: baf84097f780ce7ae37327bd51a094ac9fa980a9a66422d51ab989fd676a705e
Instruction Fuzzy Hash: D9115E30A1AA8E8FEB95EB6488295B97BF0FF19305F0604BFD419D71E2DB34A644C741

Function 00007FFD9B8805D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61fc28779534620e7571f8f5edb0279182e6948cc028bb141231b7cb2418b247
Instruction ID: 00004aa89ea701a8c16fa87dffc260582cbb4ffedc36fa1ebcf0109beb19b70a
Opcode Fuzzy Hash: 61fc28779534620e7571f8f5edb0279182e6948cc028bb141231b7cb2418b247
Instruction Fuzzy Hash: 9E015E30A0A90E8FEB98EF65C4656BA77A2FF5D304F51447ED42EC21A5CE36A650CB40

Function 00007FFD9B88BFC7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64acfe760a73a5e92cc75596b96a656b401eaf666448c7c40c184b64625c9a71
Instruction ID: 35b316a538efc06c333ac8da3d2df83a55ef34b0426b4969a43ce83bdf641633
Opcode Fuzzy Hash: 64acfe760a73a5e92cc75596b96a656b401eaf666448c7c40c184b64625c9a71
Instruction Fuzzy Hash: 4E11D270E0950EDFDB28DF94D4A06FDB7B5FF98301F11402AE429A22A1DB786A40CF50

Function 00007FFD9B892490 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a424f5bba9b923e41cfe46712a16d3d28599f9c78874bbc636bf25df68e3a362
Instruction ID: a447bbf529bba4a066bde61a506c68c1cb3b1e2328b285ac14905e38b92ade02
Opcode Fuzzy Hash: a424f5bba9b923e41cfe46712a16d3d28599f9c78874bbc636bf25df68e3a362
Instruction Fuzzy Hash: A5018630A5A64D8FD756EBB488585E93BF0FF19314F0645F7D808C7076EA34A644C711

Function 00007FFD9B88BFA7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b524f80e5a71c13e0f77736984af139dc74ba68729183e0aec478c465080ce3
Instruction ID: cb2a83184fdc975219f02d725422b0168d793972dacb306b217822d10a889c66
Opcode Fuzzy Hash: 2b524f80e5a71c13e0f77736984af139dc74ba68729183e0aec478c465080ce3
Instruction Fuzzy Hash: D011D0B0E0560EDFEB28DF94D4A06EDB7B1FF58315F11402AE425A22A1DB786A40CF50

Function 00007FFD9B88FBBB Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa24123690635a4bf2d1b922a110acc42866708f341063225f36a4e8637d5a6
Instruction ID: e541b797db8373d2069d262aa620b0d7b21dd7f559800e48c03d521711f8dd8c
Opcode Fuzzy Hash: daa24123690635a4bf2d1b922a110acc42866708f341063225f36a4e8637d5a6
Instruction Fuzzy Hash: D401ED30A0AA1ECFEB75DF48C8547A977B1EB59342F1041B6D40D92295DF746E848F81

Function 00007FFD9B8805D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caea01656f6d054ddf43199625f52d9ded1796f4e2388e200c0be92bf1063868
Instruction ID: 6c10e5200a22552c5d5d52dd741c326508600f6472b1011d1e706d0fba083ea4
Opcode Fuzzy Hash: caea01656f6d054ddf43199625f52d9ded1796f4e2388e200c0be92bf1063868
Instruction Fuzzy Hash: 21F0C830A0A94E8FEB54EF6494655FA7791FF1D304F01047AE41DC20A1DE35A650C740

Function 00007FFD9B88ED3B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368e9ab2cd2fad4d5ec8cf0dd356f72ec8db5abab6d79ee75e1958378e076695
Instruction ID: 14c165d49105d2065ff648a6d9a9ff4735a9e101156b2c305db4f8768d1399b6
Opcode Fuzzy Hash: 368e9ab2cd2fad4d5ec8cf0dd356f72ec8db5abab6d79ee75e1958378e076695
Instruction Fuzzy Hash: 26011A30A0AA1E8FDBA4DF18CC547A977B1EB59342F1041E6940DD32A5DF346E808F81

Function 00007FFD9B88B9DF Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9e08aa2c4a05b135c851b2403282491a96fdde376bafa1d23c3945aced4ab2
Instruction ID: 220f7bc1abeffe6de45d13e54fbf086674b44041c3be992236eedec552f7ad91
Opcode Fuzzy Hash: 7c9e08aa2c4a05b135c851b2403282491a96fdde376bafa1d23c3945aced4ab2
Instruction Fuzzy Hash: 24F01D70E1991E8FEFA4EB58C854BA9B3B1EF98300F1182A6901DE2155DD34AEC58B40

Function 00007FFD9B880608 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe9378d91157956dc447c07f2f4e945adddaf1d8aaa79498dab876ce3afd64f
Instruction ID: 4c92cd2179f51ef44909ba555c66d462303d7e26ab5caa319774e23c15cc354e
Opcode Fuzzy Hash: ebe9378d91157956dc447c07f2f4e945adddaf1d8aaa79498dab876ce3afd64f
Instruction Fuzzy Hash: E8F06C30955A4ECBEB69BFA584241FA32D4FF08304F410879E42EC11E4DF346154C941

Function 00007FFD9B8826F9 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c938df668e849525da8240d46d50781ea720d9f89cc8cb5597c4bba12cc3484f
Instruction ID: be4cb4841adfa800a0c6dd8816cf972bd45667afe12a6177e0a0217caa4f5f60
Opcode Fuzzy Hash: c938df668e849525da8240d46d50781ea720d9f89cc8cb5597c4bba12cc3484f
Instruction Fuzzy Hash: 9EF0A73090A64ECFDB69AFA484681F937A0FF09304F00087DE42EC11E5DF799254CA40

Function 00007FFD9B88FD0B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9889badb96276be00167a728fbc59a38049b3f35a95d778ff8e585798bcbb940
Instruction ID: 19543a5e5ebfbdee89f167b91e02bc538ab6a7804d10f6e287651641edb7f230
Opcode Fuzzy Hash: 9889badb96276be00167a728fbc59a38049b3f35a95d778ff8e585798bcbb940
Instruction Fuzzy Hash: 7AF05E30A09B5E8FDB71DB44C8907ED77B1AB19711F5081E6D40DD2290DF386B808B45

Function 00007FFD9B8816B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a1a5cca1e6e06b9dbeb7d39b273728c7f151a8c036831ce9938b39de7d2662
Instruction ID: 45883b962baeb082ef47f78c73f2c252a1ea8f5a8724084232db4bfb49afa7fc
Opcode Fuzzy Hash: b2a1a5cca1e6e06b9dbeb7d39b273728c7f151a8c036831ce9938b39de7d2662
Instruction Fuzzy Hash: 98E0C920F0AC0A4BEA7473998495674A1D19F4C314FAA8675F03DC62F2EE38EE82C201

Function 00007FFD9B8823E0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16cf6610798a117e6533c541fea822eb56f6ad88096d0422d44dcffccbb6937c
Instruction ID: f72531a844e717468b42d98130de5c6d2cdc478ce9777084bd4b136de53f9287
Opcode Fuzzy Hash: 16cf6610798a117e6533c541fea822eb56f6ad88096d0422d44dcffccbb6937c
Instruction Fuzzy Hash: D6F0AC30A5691ECBEB24DB44CD54BE9B3A0FF54311F0046A5D05AD72A5DF746A84CF40

Function 00007FFD9B888FFA Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7052d1464cd02f884c10f4b27290f23d5589c8d2a4bb63556c9bfc1dc956f8
Instruction ID: f1d2f475456808c7d8664bfb6e878900aacf784b0c89b02492d0d6dfa6d38487
Opcode Fuzzy Hash: 9b7052d1464cd02f884c10f4b27290f23d5589c8d2a4bb63556c9bfc1dc956f8
Instruction Fuzzy Hash: 9EE09A39909D598FD764DF448C642AAB771FB98303F5111D9881EE36A1DE746A818F40

Function 00007FFD9B880F9A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4128f5abb847fdcba07159d2526c6914335b9146d8f5a1db5aae940f1184aa17
Instruction ID: 10e7b722f48a2bcd1f2613e0dd38150830bb85597c0c309248771d9d77dd7cbf
Opcode Fuzzy Hash: 4128f5abb847fdcba07159d2526c6914335b9146d8f5a1db5aae940f1184aa17
Instruction Fuzzy Hash: F4E01230E1980D8BF768EB54DC60FADBA71FF48304F5011B5D01DA3296DE346A818F40

Non-executed Functions

Function 00007FFD9B889F03 Relevance: .6, Instructions: 575COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36da43532b7a0db544f12256fa406bc2b50b1af413146a7b8ec6732929dcc4e1
Instruction ID: 0fbd206806c38cea4332fc4858a07d89970b50e952846efa8c416d5cf9423951
Opcode Fuzzy Hash: 36da43532b7a0db544f12256fa406bc2b50b1af413146a7b8ec6732929dcc4e1
Instruction Fuzzy Hash: 5B12603094EB8E8FDB56DF6488696A93FF0FF1A300F0605EBD459CB1A2DA389544C751

Function 00007FFD9B889F15 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914830724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_h1a1eHrclt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c2cb50091bb357bd6931aea75bdcf6cbeafb60df402ef58d8b6a1087337755
Instruction ID: 49607b84c336748996240eeefdea1a92802fa2cce7902ec5941f6a2e97bcf3ce
Opcode Fuzzy Hash: 33c2cb50091bb357bd6931aea75bdcf6cbeafb60df402ef58d8b6a1087337755
Instruction Fuzzy Hash: 84128F3094EB8E8FDB969F6488696E93FF0FF1A300F0605EBD459CB1A2D6389654C741

Analysis Process: RuntimeBroker.exePID: 7668, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8B10AD Relevance: 10.3, Strings: 8, Instructions: 260COMMON

Download Yara Rule

Strings

+, xrefs: 00007FFD9B8B13B1
[, xrefs: 00007FFD9B8B11C7
", xrefs: 00007FFD9B8B1226
), xrefs: 00007FFD9B8B1C46
{, xrefs: 00007FFD9B8B1843
,, xrefs: 00007FFD9B8B1C72
/, xrefs: 00007FFD9B8B14B1
., xrefs: 00007FFD9B8B18D4

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: "$)$+$,$.$/$[${
API String ID: 0-3487457677
Opcode ID: 13c78c4b71349cea71689f1a68ea5b55c96d13e32c7379ce94342923198e2cb4
Instruction ID: 0642439fb9998a1bb3c8b9f51a8788b0ff0bb6d0ce071c3d3f2cbed4e4dd70a0
Opcode Fuzzy Hash: 13c78c4b71349cea71689f1a68ea5b55c96d13e32c7379ce94342923198e2cb4
Instruction Fuzzy Hash: 49C1B570E1963DCEEB68DFA4D8647EDB6B2BB08300F1145A9D04DAB291CB785A84CF50

Function 00007FFD9B8A35EA Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56d384f2ab56cc3985c057e8a8f47753be3e05c732a54276b4c1f6c5c027e20
Instruction ID: 5bf46eeba93d89d87fbbad2f548520f467a11d9d6c8d6e7d8f7c86ba23069d2d
Opcode Fuzzy Hash: a56d384f2ab56cc3985c057e8a8f47753be3e05c732a54276b4c1f6c5c027e20
Instruction Fuzzy Hash: C2518462E1894D8FE758DBACD8257A87BE1EF9A350F9041BAD00DD72DADBB42402C741

Function 00007FFD9B8AC93D Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

{{L, xrefs: 00007FFD9B8AC93F

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8aa000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: {{L
API String ID: 0-3227134785
Opcode ID: fb8d20dc986e26a0bd6c4b2a47565c20710c38fa375733dd03e762c92085503b
Instruction ID: 62218c2a1bc052fae4a3113bec0ee650c904fe759fa8fb9bb5a3390d1648027b
Opcode Fuzzy Hash: fb8d20dc986e26a0bd6c4b2a47565c20710c38fa375733dd03e762c92085503b
Instruction Fuzzy Hash: CB811663B0C12A8AE31ABBACBC294FC7754EF85339B054177D1498A0D3ED69348686E4

Function 00007FFD9B8AFDF3 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

}, xrefs: 00007FFD9B8AFE2A

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8AF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8af000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-4239843852
Opcode ID: 134af21aa725722f4fb08a0131a8f6944e5ec19ba2c48cc0a4535325b98b07b6
Instruction ID: fa323f78f91c121b42d7e33a79b4da9ad4b2fccca213867cbd18ba8bcdc82804
Opcode Fuzzy Hash: 134af21aa725722f4fb08a0131a8f6944e5ec19ba2c48cc0a4535325b98b07b6
Instruction Fuzzy Hash: B711F370E0962D8FEBA4DF55C8A0BF9B6B1AB18301F1040EA904DA22A0CB346EC0CF51

Function 00007FFD9B8B3468 Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90176bd4557041c86840afd5cea5485c7e487c0905715ce93cd2e0e43cd1fecf
Instruction ID: 674020a6ebb6cdd904e9a44968b993eff6f789eaa8abc7179610b715f65eb58b
Opcode Fuzzy Hash: 90176bd4557041c86840afd5cea5485c7e487c0905715ce93cd2e0e43cd1fecf
Instruction Fuzzy Hash: 0421A760A0E7DA8FE7529BB488695A97FB0FF16304B0505F7D058CB0E7EA24A544C752

Function 00007FFD9B8ADB29 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8aa000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda38512692cb66aeb9146a5bae8db4b95ce0deb1406fc90b8fb4f6ef79aaeea
Instruction ID: 9d87cb43e5126a24bacbd25bdde841b4d92c23ce879f83dcb898c9864e59e4b4
Opcode Fuzzy Hash: cda38512692cb66aeb9146a5bae8db4b95ce0deb1406fc90b8fb4f6ef79aaeea
Instruction Fuzzy Hash: 85E16B71E19A5D8FEBA8DB98D8647B8B7B1FF58300F4041BAD01DD32E6DA386941CB50

Function 00007FFD9B8B3A2F Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999ceef4307a2cf08f1504b3afad2a8887122e4396506ab6fe6c6538cad252e7
Instruction ID: 53ec5ac44ed8a88045123b3e940b1205076a6d3573cce166bb74625e575e34c6
Opcode Fuzzy Hash: 999ceef4307a2cf08f1504b3afad2a8887122e4396506ab6fe6c6538cad252e7
Instruction Fuzzy Hash: 5F917E237085768AD31ABBBCFC6A4F93B50EF4637570445BBC189CA0B7D925608ACBD1

Function 00007FFD9B8A1648 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97bb1750ac9da4fcc3696ecbfcb01cd839c18e9ec247864f3e5e976ae08ddc48
Instruction ID: a301a78a167f1214589a6816540aa8cebf094e6e75374c0ce6e78b802c62d475
Opcode Fuzzy Hash: 97bb1750ac9da4fcc3696ecbfcb01cd839c18e9ec247864f3e5e976ae08ddc48
Instruction Fuzzy Hash: 1781C131B0DA494FDB58EF5C88615A977E2FFD9300B15067AE49EC32A2DE34AD02C781

Function 00007FFD9B8A1C7D Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf29a4e81efb791224ba3c9ddcddb3574846619b29ab11c1d6af83248d928e3f
Instruction ID: db63c71d391848507bcf11cf47321d84bb690317a5562619ef56cafa3bc82b6b
Opcode Fuzzy Hash: bf29a4e81efb791224ba3c9ddcddb3574846619b29ab11c1d6af83248d928e3f
Instruction Fuzzy Hash: BA51D031B08B894FDB58DF5888A15BA77E2FFD9300B15467ED45AC7292DE34E802C781

Function 00007FFD9B8AAF70 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8aa000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7280fbd66146358168730119b7b69ace6f922ec8990fbc1bd4d79eb3f430098e
Instruction ID: bdb9dfac51776cd06a067c4b2ffdfe18a2b6360b6357e65ad207f566b2150221
Opcode Fuzzy Hash: 7280fbd66146358168730119b7b69ace6f922ec8990fbc1bd4d79eb3f430098e
Instruction Fuzzy Hash: F9513861B0E54E5FE712EBBCC8A95E93BE0FF5A314F0545B6C028C70A7EE28A545C391

Function 00007FFD9B8B7139 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ff217d788a861c7d9d6de1b3373425aa98d3920209e3bb2b30c3c3c264b49a
Instruction ID: ecaf27b02d5f8e1eb8975afa270fbace3f9282aca6947e25f807adedc89294d3
Opcode Fuzzy Hash: c7ff217d788a861c7d9d6de1b3373425aa98d3920209e3bb2b30c3c3c264b49a
Instruction Fuzzy Hash: 1D61A234E0A62E8EEB64DFA0D8656FDB7B1FF49300F01413AD009D72A6DA3866448F91

Function 00007FFD9B8B542D Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4fa110233ae3b8a13ab9300542969da018d5f4bd9398851d7fa3bb5bea7f030
Instruction ID: 7c497b4edca703f58a9f1d6115b838fe5911e862ac51820c7f0d58c661ffb5e2
Opcode Fuzzy Hash: f4fa110233ae3b8a13ab9300542969da018d5f4bd9398851d7fa3bb5bea7f030
Instruction Fuzzy Hash: 11513370E09A5D9FEBA4EBA8C4A9BECB7F1FF58301F41016AD00DD7296DE3569418B40

Function 00007FFD9B8B62C5 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e214a2454626b5ab6314e4777bd7206137b950e99d427b9ad6dd74372b4dcb8
Instruction ID: 007652dd1a85689f52ec6c7314deb73d8613f935b5da0d58a92aabbad16661dd
Opcode Fuzzy Hash: 8e214a2454626b5ab6314e4777bd7206137b950e99d427b9ad6dd74372b4dcb8
Instruction Fuzzy Hash: 585108B0E0962D8EEB68DBA4C8657ADB6B1FF59301F51017ED00D972A2CF386A44CF41

Function 00007FFD9B8A3175 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039d570d854a1df6868e56ca9f9725695cc4fac1f82abfbd90caf78c3a3ddf0c
Instruction ID: fb8656a8de5ccc2de18db8cb16a8e6e3a212a260a1fa72247808e5fe1aaf6a37
Opcode Fuzzy Hash: 039d570d854a1df6868e56ca9f9725695cc4fac1f82abfbd90caf78c3a3ddf0c
Instruction Fuzzy Hash: 73511B70E0A61E8FEB64EB98D4646EDB7F1FF48301F510179D009E72A5DB386A45CB50

Function 00007FFD9B8A2095 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5f761aece53410d73867bef9ca9de97ebb4ce3c9a27c6d130ceff155bf46b9
Instruction ID: 165bd3a492290e8f4ac2dbd1408c82f3631b2e975bf13c076ab2cb63602a3584
Opcode Fuzzy Hash: 3b5f761aece53410d73867bef9ca9de97ebb4ce3c9a27c6d130ceff155bf46b9
Instruction Fuzzy Hash: 73412A31B0E64A0FE765DBB898655B87BE0EF4A310B4645FBD04CC71A6DE28B9428351

Function 00007FFD9B8AAF88 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8aa000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc227853329de3464e6f6d29a3a0d22055f700e995d3cf2e10ca63eb5b6c9637
Instruction ID: 137121a78615146cb93c784d5230b4adbefa90f208b49c213233606f676c5c34
Opcode Fuzzy Hash: dc227853329de3464e6f6d29a3a0d22055f700e995d3cf2e10ca63eb5b6c9637
Instruction Fuzzy Hash: 83414E62B0E59B6FE3169BBC98751E97FA0FF55204B0541B7C078C70D3EE28550A8392

Function 00007FFD9B8ABE99 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8aa000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5c4b2d221e5049cecaf36712f2d54d7ab533eaedffa240f7b0f4e64ee247ef
Instruction ID: 3ff854e0b44d31c2efce63b5357bc49d6219f7dc1256e243ac2fb747e51272a5
Opcode Fuzzy Hash: 8b5c4b2d221e5049cecaf36712f2d54d7ab533eaedffa240f7b0f4e64ee247ef
Instruction Fuzzy Hash: 05410670E0A64D8FEB64DFA4C8646ED77F1BF08304F05413AE009E72A1DB78AA448B60

Function 00007FFD9B8B2D6C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356c1f103a31d396e306e212fd95d6577d377175ed9bd4e9a06dd59262f20e27
Instruction ID: 83abe781a8d8e66970530daa25ff6d521ca3d58771fb26b1004f8c188486bd7e
Opcode Fuzzy Hash: 356c1f103a31d396e306e212fd95d6577d377175ed9bd4e9a06dd59262f20e27
Instruction Fuzzy Hash: 5841B370E1461D8FDB54EFA8D8A5AEDBBB1FF18300F10416AD418A72A2DA346981CF40

Function 00007FFD9B8AC3AC Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8aa000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7399659724d9397069551112d74283e59fcb5d3525305837241f4f1c1c232079
Instruction ID: 36a5e50b4ecfef3ffb2c0cd90c623df0ab17bee30bf5dc443b5871f3e7f079a9
Opcode Fuzzy Hash: 7399659724d9397069551112d74283e59fcb5d3525305837241f4f1c1c232079
Instruction Fuzzy Hash: E531E570E1E91D8FEBA8EB98C8A5ABCB7B5FF58300F515039D00DE3292DE3469418B50

Function 00007FFD9B8B3BD3 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1cf74d6fd28668b4acb8fd5ae8e52d7d27cfd2c12229405fc15a8eb78f3d576
Instruction ID: 67376a0371fbbd6aacafb6a4e581a48ba9dab7ad4d05d370a32c27e569f667d7
Opcode Fuzzy Hash: c1cf74d6fd28668b4acb8fd5ae8e52d7d27cfd2c12229405fc15a8eb78f3d576
Instruction Fuzzy Hash: 85213F22B0E6AA4FE721ABFCAC751F93B90EF46261F0504B7C148CB0A3D9255205C791

Function 00007FFD9B8AC420 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8aa000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d553fa6c8a659ee2cba02fbca26be7872d5308bc7b37c02762522afd9ddacf
Instruction ID: 9a31f0843136c568ffc4020befa09d36f70d71911cade6ecac5493db6bb40b5c
Opcode Fuzzy Hash: 68d553fa6c8a659ee2cba02fbca26be7872d5308bc7b37c02762522afd9ddacf
Instruction Fuzzy Hash: 88212D70E1D91D8FEBA4EB9888A56BCBBB5FF5D300F511129D00DE3292CE3468418B50

Function 00007FFD9B8B6E51 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a9d830dea9b312a3df7bfd88e7d0142cb846173a2082db16338cb8972178d0
Instruction ID: 25269eb0af75f121c8c0b46eb94cfc05b7b7aff8f5f036f4fb54c8b41c1fe852
Opcode Fuzzy Hash: 45a9d830dea9b312a3df7bfd88e7d0142cb846173a2082db16338cb8972178d0
Instruction Fuzzy Hash: 3C21B170A0A65E8FEB64DFA4C4655BD7BA0FF18300F10057AD41DC61A5DE34A5508B80

Function 00007FFD9B8B2C42 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f95880e9d8ff0332aa6c6bf7c62ded63f8a6b5d807b2dda0f0868ef7547fb8
Instruction ID: 23ef39804bec674a24ba9606fc015529231265ecbe7b3390b41f8b005af4b7ff
Opcode Fuzzy Hash: f7f95880e9d8ff0332aa6c6bf7c62ded63f8a6b5d807b2dda0f0868ef7547fb8
Instruction Fuzzy Hash: 7731BB70E0995D8EDBA4EF98C899BACBBB5FB58301F1141AA800DE3265DE345A948F40

Function 00007FFD9B8B7015 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7aee2f10743b23fb01fc05e8b26a767dc8172fd27272ab5ed67a95c4b366301
Instruction ID: 93f59aee810b61faaca44357fdf305e8b7addf15f7d70f5dff972b21828ebfce
Opcode Fuzzy Hash: b7aee2f10743b23fb01fc05e8b26a767dc8172fd27272ab5ed67a95c4b366301
Instruction Fuzzy Hash: 3521F771E0E64E8AFB659BB488756B976E0FF19310F0504BED41DC21E3DD28A545CA81

Function 00007FFD9B8B7601 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5dbc2596ecd09e03bc61c5c2b1b604ba282d53ab54cebbbc6dfaeb7e7914516
Instruction ID: cdbb82b4b4f5263cf994faa763645eebe3fe598f6f4811aedaabc8ddaa41f1e7
Opcode Fuzzy Hash: a5dbc2596ecd09e03bc61c5c2b1b604ba282d53ab54cebbbc6dfaeb7e7914516
Instruction Fuzzy Hash: 9C213035A0A65E8EEB61EBB8C8585FD77E4FF19301F010576D419D2165DA38A2409B90

Function 00007FFD9B8B6239 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113970e9bb1da016d3ec929c957b1b2b74c08ae61797be7e8abdff24b73c4086
Instruction ID: 7b3eb44e930b9002f07c198fdd8010299a745610b72745ddcd12e612799e7b3f
Opcode Fuzzy Hash: 113970e9bb1da016d3ec929c957b1b2b74c08ae61797be7e8abdff24b73c4086
Instruction Fuzzy Hash: D7218370E0E65F4FFB65ABB488696B9B7E0FF19300F0505B6D41CC30A6DE38A6508B41

Function 00007FFD9B8A32A2 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af2fb4e92285795439584e86cdc0005f8d7edab6b622afb1c1540ebaa932b630
Instruction ID: 1f4927ff9a1a1b49672a5af26fa5ce31e20a5c09c2fceee1e5329b8dabd2deed
Opcode Fuzzy Hash: af2fb4e92285795439584e86cdc0005f8d7edab6b622afb1c1540ebaa932b630
Instruction Fuzzy Hash: 2021F770E0951E8FDB64EF98C4A4AECB7F1FF98301F55413AD009E72A5DA786940CB60

Function 00007FFD9B8AA885 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8aa000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a665abdf2c7a1313657a5af5aa9c5ef46e7516d6ffd3a99bf80eb884f53b63
Instruction ID: 3612e381f33a10dd1d5009b89f89fdc7c5db95020966c95224845bbc28731465
Opcode Fuzzy Hash: 33a665abdf2c7a1313657a5af5aa9c5ef46e7516d6ffd3a99bf80eb884f53b63
Instruction Fuzzy Hash: 7C218C31E19A4D9BDB69EBA4D8256FCB7B1FF5C310F01057AD009E31E2DE3866018B21

Function 00007FFD9B8A3401 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec18aa5f6afda6bf5765971ee3f73752b1cfe9cc30ae12a899eea1ebb3e0b843
Instruction ID: 8fbb4e380d8a7cc93e106eaae28d5008898f8809a3ab87aed4131d8eaaf35202
Opcode Fuzzy Hash: ec18aa5f6afda6bf5765971ee3f73752b1cfe9cc30ae12a899eea1ebb3e0b843
Instruction Fuzzy Hash: FC215E30E0A60E8FEB65EFA4C8292BA77E0FF18305F0109BAD41DC61A5DF39A640C751

Function 00007FFD9B8A335F Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6654cd3a5225e1c59704f4c51f3fc81696c4c3d5ed781b8b0a2746d8e235d689
Instruction ID: 51bcd9f43b484f534117fee13ab635595e79333fe9eb2cde97e508b5952cb7ca
Opcode Fuzzy Hash: 6654cd3a5225e1c59704f4c51f3fc81696c4c3d5ed781b8b0a2746d8e235d689
Instruction Fuzzy Hash: 9821803194E7CA4FD743AB7488685A93FF0EF5B300B0944EBD059CB0A3DA28954AC761

Function 00007FFD9B8B6F95 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d556353f8a43e4fafecadf14293831fd11d6284f14101f5dadae2695ac537356
Instruction ID: 23a6079c47d5f4fad9728319df99daed9ae9efecdf8d33a4f4088fb3e4cac10e
Opcode Fuzzy Hash: d556353f8a43e4fafecadf14293831fd11d6284f14101f5dadae2695ac537356
Instruction Fuzzy Hash: 5221D471E0A55E8FEB65EBB484695FD77E0FF18310F0144BAD41CC21A6EE34E5448B80

Function 00007FFD9B8A3485 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9a120e85aab8eaf0e5bd2f02e22b5ac0f1402d158c201dd243338ecf016bef
Instruction ID: 6dd6aa33338f039f858a8b503edf78fde691dbb4a115a23f30f97b2335a744ae
Opcode Fuzzy Hash: 3a9a120e85aab8eaf0e5bd2f02e22b5ac0f1402d158c201dd243338ecf016bef
Instruction Fuzzy Hash: DA215C30A0B64E8FDBAADFA4C8256BD37A4FF28304F0104BED41DC61A1DB38A640C710

Function 00007FFD9B8B28C3 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b7a639f2b29a39094fca9c1f23bde6a5d69301ffb15d814e579c7a391c8447
Instruction ID: 0f7d0cf6a782e4637116489c247257c8936a59cd0fbdbc4dafe13ede0f1692ed
Opcode Fuzzy Hash: 81b7a639f2b29a39094fca9c1f23bde6a5d69301ffb15d814e579c7a391c8447
Instruction Fuzzy Hash: D011CD3094E39E4FDB579BB098745E97FB0AF0A310F0604EBC45AC60E3DA296945CB92

Function 00007FFD9B8A0A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d513139670cf467ec69043246ae2659b0a10c0122b45d109402c875ce55c8f64
Instruction ID: d9f79058fba0c16b18b2ed19545749a1bf40acd4dd82e1ffe185e425649dcd74
Opcode Fuzzy Hash: d513139670cf467ec69043246ae2659b0a10c0122b45d109402c875ce55c8f64
Instruction Fuzzy Hash: 3211B230E1A50E4FE790EBA888695BD77E1FF58700F4146B6D41CC70A6EE34B6458750

Function 00007FFD9B8B6EF5 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b77010fe0c86f347045f0540582822f598c733170dc685ea00677dac2e64811
Instruction ID: cd8f1baade61581dbd79bd47c5343d7c2aa3dbd9d9eebd486921ce9af39e699b
Opcode Fuzzy Hash: 7b77010fe0c86f347045f0540582822f598c733170dc685ea00677dac2e64811
Instruction Fuzzy Hash: 9311A270A0965E8FEB98EF6884656B97BA0FF58300F0105BED41DC72A6DA34A550CB81

Function 00007FFD9B8B4885 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0883e665c1e53d1854388fc38d9dcfb646dce83f12b6105f9a742356ecb3c11
Instruction ID: 475a6abe0f558cc27268efffd0e758e6dc15894d0917138b5c2769a02879cecf
Opcode Fuzzy Hash: a0883e665c1e53d1854388fc38d9dcfb646dce83f12b6105f9a742356ecb3c11
Instruction Fuzzy Hash: 5411BB30A0965E8FDB59DF78C4665BD7BA1FF58300F05057ED41DC71A6DA356140CB81

Function 00007FFD9B8A1F49 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563bc4a9951a9ab05ddd73b05f222c1a45401e93f72c81038a1e4387cf9a82e0
Instruction ID: ff81397d06d3e1aa73d4cde9edbfe0a71d947865dee96b2c10c60bfa839ad8f0
Opcode Fuzzy Hash: 563bc4a9951a9ab05ddd73b05f222c1a45401e93f72c81038a1e4387cf9a82e0
Instruction Fuzzy Hash: 81117011A4F6C65EEB3367B948744656F945F07224B2E46FFD0D8CF0E3DA08594AC322

Function 00007FFD9B8B47E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f64c38940fd1ceab8c969f2067c973b10a408cf28be9d0e180669b9e1eada8
Instruction ID: 4686360d497779b56dae666f839a7f7091b82c6d775396108aa2405042012be5
Opcode Fuzzy Hash: e9f64c38940fd1ceab8c969f2067c973b10a408cf28be9d0e180669b9e1eada8
Instruction Fuzzy Hash: 4B219330A0A69E8FDB59DF6484662BD3BA0FF59301F0505BFD41DC71A2DA346540CB81

Function 00007FFD9B8B26C1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5489ce7842aed8eff0454e447cd6d5b822bf69568961b48ef37e53e73aaf70fd
Instruction ID: 15578e2573dea49063b7476ddaffa70ffbf4acdde403be39210f7550be053814
Opcode Fuzzy Hash: 5489ce7842aed8eff0454e447cd6d5b822bf69568961b48ef37e53e73aaf70fd
Instruction Fuzzy Hash: A511AC30A0964E8FDB58DF68D8A55E93BE0FF5D314F02026EE80AC32A1CA34A544CB85

Function 00007FFD9B8B7571 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941556ed4b27184a1d570c90894fbcb9731b13534c4f5c3b8352981ba66f85d6
Instruction ID: 176d75aeca5470010ee9aeca17b8afd957bc8d35141810e35339c8474c5017d8
Opcode Fuzzy Hash: 941556ed4b27184a1d570c90894fbcb9731b13534c4f5c3b8352981ba66f85d6
Instruction Fuzzy Hash: B711A334A0D65E8FEB61EBB8C854AFD37E1FF5D300F010572D018D71A2DA28E2108B90

Function 00007FFD9B8B4DA9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976fb8583917844ac1c3863734853c1eac15e3f594d9fc9b8695d8f4318089d3
Instruction ID: f38fcac70d15a3b1ec54d21f19224c61a0068b6b43ced88bcb7ceadb5789ef51
Opcode Fuzzy Hash: 976fb8583917844ac1c3863734853c1eac15e3f594d9fc9b8695d8f4318089d3
Instruction Fuzzy Hash: CA11E931A0EA8D4FEB69DB7488762B93BE0FF19304F0901FED01DC65E2DA256555CB41

Function 00007FFD9B8B2AB1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6364d5dd74ceceae7b582ed7cb6bc2ac6473500950e5334b4b847310ea795ab
Instruction ID: 1e192382c1b7a9ded2d8d666020011e18e6adb723b800d521c4b23caedfbe804
Opcode Fuzzy Hash: f6364d5dd74ceceae7b582ed7cb6bc2ac6473500950e5334b4b847310ea795ab
Instruction Fuzzy Hash: 5E116530A1A56E8FEB61EFB498985F97FF0FF19300F0545B6D418C70A5DA3492458B81

Function 00007FFD9B8ACB20 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8aa000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9dc481df12e18d6c5eaa1107f5e800eb10d5098ca3ccf1ea321a34cf27a1ad
Instruction ID: 86d43ea58b1976eeb57c1eaac1ec564cd46f50680dc7d735cce46535d9db27c8
Opcode Fuzzy Hash: fa9dc481df12e18d6c5eaa1107f5e800eb10d5098ca3ccf1ea321a34cf27a1ad
Instruction Fuzzy Hash: F9116D30A0A65E8FEB56AFA4C8685B97BB0FF09304F0104BBD419C61E2DE356685CB51

Function 00007FFD9B8B5199 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4c0da17409e2d118c60b52f8eb785d874c85b5d5bd3fd0971918b1d9ee4dee
Instruction ID: ac52a4898550fa1e5a501ad63db582804447d2de81d93df09d05c905f665041c
Opcode Fuzzy Hash: db4c0da17409e2d118c60b52f8eb785d874c85b5d5bd3fd0971918b1d9ee4dee
Instruction Fuzzy Hash: 44119030A0A68E8FEB59EB6488792F97BE0FF19300F0504BFD42DC65A2DA3466408B41

Function 00007FFD9B8B510D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c58799e7c818ecbaa4b3826e6bb8d5c277f898dacd616477971c9125ca8d22
Instruction ID: be1c08faeb971bb7beb97bfe009605cfe2896731cbfd6e3ade2f8758841872da
Opcode Fuzzy Hash: a7c58799e7c818ecbaa4b3826e6bb8d5c277f898dacd616477971c9125ca8d22
Instruction Fuzzy Hash: A9118270A0965E8FEB59DB7488796F97BA0FF18304F0105BED419C61A2DA35A640CB81

Function 00007FFD9B8ABE15 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8aa000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439bbc1d3a2ed1cc60b3f1bcbb1fa2d87717ff7df6244b95a0c6c25aa36cd7bd
Instruction ID: dee7a5241a616afc25352041d236750a1abacbe340430559f863b5abf17ffef5
Opcode Fuzzy Hash: 439bbc1d3a2ed1cc60b3f1bcbb1fa2d87717ff7df6244b95a0c6c25aa36cd7bd
Instruction Fuzzy Hash: B2118E30A0A64E8FEB55EF68C8682BD7BE0FF18300F0105BED419C61A2DB35A650C710

Function 00007FFD9B8B6457 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90eb71e48de1b971cbfcdc015720a14bca4cefb9370df759b1aac18561f76b8f
Instruction ID: beeab372829a97951c26f7f13324d78232407cb6c11d2c64b61159a332c4e658
Opcode Fuzzy Hash: 90eb71e48de1b971cbfcdc015720a14bca4cefb9370df759b1aac18561f76b8f
Instruction Fuzzy Hash: F121C5B4E0962D8FEB68DF94C8647EDB6B1FB58301F1141BED009A72A1CB785A94CF40

Function 00007FFD9B8B4F49 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e49805397f9c6424ff1e294c2ec25e792b095ad45d713d76a682da25310f1c
Instruction ID: a39c66be5724568352a96a1e209fc399e68ad3f9e45893ff81414d25c2657367
Opcode Fuzzy Hash: 27e49805397f9c6424ff1e294c2ec25e792b095ad45d713d76a682da25310f1c
Instruction Fuzzy Hash: 6D119330A0D68E4FEB59DB74886A5B97BF0FF19304F0505BED419C72A6DA34A544CB41

Function 00007FFD9B8A11AD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2858d3ae3cb1f2a5719ed9d63389f1f6d0f328445569ebc833ba0703dab93c
Instruction ID: 4b327fdfc00f1b72c778f5b161271d5acd0c96503d2e049121b28747a6bafa3f
Opcode Fuzzy Hash: 4a2858d3ae3cb1f2a5719ed9d63389f1f6d0f328445569ebc833ba0703dab93c
Instruction Fuzzy Hash: 8111B230E0E64E4FEB69EBA4C4796B97BE0EF5A304F0104BED01AC60E1EE295640C710

Function 00007FFD9B8B70AD Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50aed92205043ce8fe088d13b625ff9bce45a3497a4af35752470ab0f7ec1a66
Instruction ID: 0edf8b3dfdbb2a93a4719fd4c36c0328f70f8a3cd8cdadd08b3cf27578835b90
Opcode Fuzzy Hash: 50aed92205043ce8fe088d13b625ff9bce45a3497a4af35752470ab0f7ec1a66
Instruction Fuzzy Hash: 8711C434A0A64E4FEB68DF64C4696B97BE0FF19310F0101BFD41DC61E2DA3465418B81

Function 00007FFD9B8B2555 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce38fafda8c4b59ee10e57d8974ca4d78958438b8cc45fd61a36506e87d732ff
Instruction ID: 52ce50a629bbd5bd018572986b1b7e86e0208d1e61c4856542995f911706e616
Opcode Fuzzy Hash: ce38fafda8c4b59ee10e57d8974ca4d78958438b8cc45fd61a36506e87d732ff
Instruction Fuzzy Hash: 5B019230A4A65D4FDB99DFB4C4759B93BA0FF19300F1105BED41AC61E6DA35E640CB81

Function 00007FFD9B8AD80D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8aa000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00bfb235c6b2f81aba4ebf2faeaab212340e55939ea5c6fa95ea57377fd433b
Instruction ID: 286125223bb8c88ceb6c2215e3c5b4e43d0e35d85e2dc6575145dee1058ef675
Opcode Fuzzy Hash: d00bfb235c6b2f81aba4ebf2faeaab212340e55939ea5c6fa95ea57377fd433b
Instruction Fuzzy Hash: F3115E30A0964D8FDB65EF68C4696F97BB0FF18314F4108BED41DC61A6DB759650C710

Function 00007FFD9B8A2DF1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f93ac60924c0f8611ae7dcc8db90046f60bdc81846f9f00bbfd8a543ba82c89f
Instruction ID: 6bfcdea3fa00117ced6452aa1705c930707a9989123874dbc62c613eaf3faf29
Opcode Fuzzy Hash: f93ac60924c0f8611ae7dcc8db90046f60bdc81846f9f00bbfd8a543ba82c89f
Instruction Fuzzy Hash: 1301A230A5A20E4FE761EFA4C5595A97BE1EF19300F0645B6C40CC71B7EF38E5918710

Function 00007FFD9B8A05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7668ae8af7dd368b03e88b72f78b19dae9056544d243f1d01b4fa218dbe478
Instruction ID: 6243a5088431f0d9c220811987aef98062155312fee3f901e0e5054dac3d82d1
Opcode Fuzzy Hash: ba7668ae8af7dd368b03e88b72f78b19dae9056544d243f1d01b4fa218dbe478
Instruction Fuzzy Hash: B5019E30A4A50E8FEB58EF64C0656BA77A1FF5E304F11047ED41EC21A5CA36A650CB50

Function 00007FFD9B8ABFC7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8aa000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64acfe760a73a5e92cc75596b96a656b401eaf666448c7c40c184b64625c9a71
Instruction ID: c5291e58266627e8581c28aedbef3e50b24d68c1f449e0285022d491db75d341
Opcode Fuzzy Hash: 64acfe760a73a5e92cc75596b96a656b401eaf666448c7c40c184b64625c9a71
Instruction Fuzzy Hash: 8711C070E0910EDFDB68DFD4D4A06FDB7B5FF58305F15402AE409A22A1DA786A40CF60

Function 00007FFD9B8AABB9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8aa000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87fec10e9f1967bfc90dad3cb69b0edae490cb872722c75b69944f1ffa9be9a5
Instruction ID: 3e7bc51580f8498fdf007eee5f7a2ad6d1a19ed3e8894bd49abe7557a90f445a
Opcode Fuzzy Hash: 87fec10e9f1967bfc90dad3cb69b0edae490cb872722c75b69944f1ffa9be9a5
Instruction Fuzzy Hash: 20017530A4E64D5FE762EB7888695A97BE1EF09300F0649F6D008C74F6DA38A5448711

Function 00007FFD9B8A2E69 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83628615dc1b439411be5c75bdbc6bfaffb9684f69e76da20faf77430e5cc33
Instruction ID: 1dd5f15caf5bde153a4ee8ca717972f6cde812e0d79921e0b0a7088dbd4494fb
Opcode Fuzzy Hash: c83628615dc1b439411be5c75bdbc6bfaffb9684f69e76da20faf77430e5cc33
Instruction Fuzzy Hash: 3F01D830A0E64D4FD771AFB489585A93BE0EF5A300F0605B3D408C60B7DA28A5948310

Function 00007FFD9B8B7D99 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0625ec8b9de6175d8213820a5b466766fa05f6118070268eeec34c8e1bf64a3e
Instruction ID: 0204c4c51acdafab8b8f86e4258de8be1b95d86f82089e44872503a697e53a90
Opcode Fuzzy Hash: 0625ec8b9de6175d8213820a5b466766fa05f6118070268eeec34c8e1bf64a3e
Instruction Fuzzy Hash: 68018030A0B78E4FDB5AAB74C8655B93BA0FF1A304F0604FAD419C70E6DA25A654CB41

Function 00007FFD9B8A27CD Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9f42fee926d9425026f87f81225922616326f54bb98ff30bddb281b9694b82
Instruction ID: a2d60a12324aa5015ca09da835c86989cc87d9c0a0ac0c7825f5f30841268a08
Opcode Fuzzy Hash: ec9f42fee926d9425026f87f81225922616326f54bb98ff30bddb281b9694b82
Instruction Fuzzy Hash: 0F018430A1E54E8FE761EFA489595B9BBE0FF19310F0645B6D40CC60A6DE38E6448751

Function 00007FFD9B8B7E0D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc2287c4e0888b8540dc00e5b23d4d3464997fd2b51427027edda7a34a1f886
Instruction ID: 7ef8328179d3b1f4db675ad3a30ebec71526adbffb1b0acb25c38c7866a93a62
Opcode Fuzzy Hash: fdc2287c4e0888b8540dc00e5b23d4d3464997fd2b51427027edda7a34a1f886
Instruction Fuzzy Hash: 6201B134A0A28E4FDB59DB74C4695BE3BA0EF09304F0204BED01EC61E2DB35AA50CB81

Function 00007FFD9B8B7789 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a390dba3490a9454e78b0e09a3848a148bb02316cc8784bd0717225b513d929
Instruction ID: 0b6bc7cd99a2e80eeb980a0a2c1d295889f6061822b12ccc27f79e6d14706292
Opcode Fuzzy Hash: 0a390dba3490a9454e78b0e09a3848a148bb02316cc8784bd0717225b513d929
Instruction Fuzzy Hash: EC018470A0E64A8FD752E77488695A93BE1EF0A310F0645F6C418C71B7DE28A544C751

Function 00007FFD9B8ABFA7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8aa000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b524f80e5a71c13e0f77736984af139dc74ba68729183e0aec478c465080ce3
Instruction ID: ff5b79f2e4522be08b05821ffcbebe73ca1366a532c7c784e884a416640f41cb
Opcode Fuzzy Hash: 2b524f80e5a71c13e0f77736984af139dc74ba68729183e0aec478c465080ce3
Instruction Fuzzy Hash: FD11D0B0E0520EDFEB68DFD4D4A06EDB7B1FF58315F15402AE415A22A1DB786A44CF60

Function 00007FFD9B8A1BFD Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e679a831f74409bd77248680b03ec0ca9d80eddd8d671e5311cabe8706d6f86b
Instruction ID: 3c1f7f856b5ca7b0088be25c1a954f78b7568e87106cc17871e20504aec538fe
Opcode Fuzzy Hash: e679a831f74409bd77248680b03ec0ca9d80eddd8d671e5311cabe8706d6f86b
Instruction Fuzzy Hash: 0301D630A0A68E8FDB65EF64C8655B97BA1FF1A300F45117ED40CC61A2DB39D650C740

Function 00007FFD9B8A0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77795b7571c470f2c2ae8529a4437c41fb72e31ce837f3d134519b1fbc54d801
Instruction ID: fbe0316b3e76c10188313fd22bb4bf429161e91a99c7e5a66029d70d98fd5c9d
Opcode Fuzzy Hash: 77795b7571c470f2c2ae8529a4437c41fb72e31ce837f3d134519b1fbc54d801
Instruction Fuzzy Hash: B7018130A19A0ECAEB69EFA4C4686B977E0FF1D305F5108BED41EC61E5DE35B650CA10

Function 00007FFD9B8A0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b93d5c7a3d01fb124950408826ee10b27d2b93b5adf95130178f55c72920bb
Instruction ID: 1e3602a4f2499e542797834e49ed311614ad02b78114bdb99ceb25e8f97840d8
Opcode Fuzzy Hash: 67b93d5c7a3d01fb124950408826ee10b27d2b93b5adf95130178f55c72920bb
Instruction Fuzzy Hash: F7016D30A1950E8AEB69EFA4C4686BA72E0FF18304F11087EE41EC21E5DE35B650CA10

Function 00007FFD9B8A05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8ef6a9dd11c5dbcdd9957cceb07c068f986a78f019d3ead84f474a32251381
Instruction ID: 5b2faabf8e020f73ec785366ea71733b368c5042655ea349384787ef60b91dac
Opcode Fuzzy Hash: ca8ef6a9dd11c5dbcdd9957cceb07c068f986a78f019d3ead84f474a32251381
Instruction Fuzzy Hash: C7F0C230A0A65E8FEB68EF6494656FA77A0EF1A308F01047AE80DC20A1DA35A660C750

Function 00007FFD9B8A11C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8794a52b91a255d163e2bd8e10fd9918986ed6664f9bf65c925e71dfbcc52d3
Instruction ID: 8b3030f9907788146cace5ad983291175dc7f27073347e8a94f4ea5efd001ef1
Opcode Fuzzy Hash: e8794a52b91a255d163e2bd8e10fd9918986ed6664f9bf65c925e71dfbcc52d3
Instruction Fuzzy Hash: F7F0C830E1A55F4AFBA4EBE498392F977E4FF5A304F00147AD41DC20E1EF285654C650

Function 00007FFD9B8A275D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171f7d0c39a0a6b3c552c89bdbf35a6db001fbd59353c1d20e99202290655407
Instruction ID: 613ae377e73cd8bb4aa64cda2046d88d0630fa792c27c6edda36b2604853c5fe
Opcode Fuzzy Hash: 171f7d0c39a0a6b3c552c89bdbf35a6db001fbd59353c1d20e99202290655407
Instruction Fuzzy Hash: 2DF09630A0E78ECFDB799FA889651B93BA0FF09200F4145BED419C51E6DB38A654CB11

Function 00007FFD9B8A26E9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc0bef01c15cdc41416f5bdfcd301cd5aa159c67a53d570743e2518ba10f833
Instruction ID: 6b365c62ce8095193d3f3387cbc7bf138228eb77f742539fa644b219a7c94465
Opcode Fuzzy Hash: ecc0bef01c15cdc41416f5bdfcd301cd5aa159c67a53d570743e2518ba10f833
Instruction Fuzzy Hash: 26F0623090E78D8FDB6A9FA488391A93BA0FF1A304F4604BAD409C61E2DA28A654C711

Function 00007FFD9B8AB9DF Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8aa000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 709faa2dbe715e78b607c0feeca8ba39f8d7c2ee963712a5401c9ce82302fc6a
Instruction ID: b04762a80f2a802e3f3c192b380e93df3371f511cad40e376128214b10974ec0
Opcode Fuzzy Hash: 709faa2dbe715e78b607c0feeca8ba39f8d7c2ee963712a5401c9ce82302fc6a
Instruction Fuzzy Hash: 37F01D70E1991E9EEBB4EB588894BA9B3B1EF58300F1182A6840DE2155DE30AEC58B50

Function 00007FFD9B8B2C05 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8b1000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af0bc8bb90c51e997c91ef35237fb6b7c3528e748052d98364edbc9441d031e
Instruction ID: 3ebe6d552788025e6f93cfdc43276c1ad4cbf94a0d40ab48d6df45832b1ba929
Opcode Fuzzy Hash: 6af0bc8bb90c51e997c91ef35237fb6b7c3528e748052d98364edbc9441d031e
Instruction Fuzzy Hash: 7CF0D430E4951D8FDB69EF90C8656EC77E1FB58300F1145BAC409E22A2DE786F908F90

Function 00007FFD9B8A16B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a1a5cca1e6e06b9dbeb7d39b273728c7f151a8c036831ce9938b39de7d2662
Instruction ID: 6e2e35be49913c4e84c149b58e7bbd1bd7b411ce16cb45634c4ca0908c3cf9bc
Opcode Fuzzy Hash: b2a1a5cca1e6e06b9dbeb7d39b273728c7f151a8c036831ce9938b39de7d2662
Instruction Fuzzy Hash: 7EE0E520F0A44A4AEB747359849557461D15F4A314FBA8675F01DC61F1EB2CDE81C311

Function 00007FFD9B8A0F9A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f5ba9a2a05029da988fc3b692131791d16620da9b41c815b514667de3ca213b
Instruction ID: 193d2c0ca7fea460e83bc813b5531e067b2336c03a3a265e4ef9d041350ee9cf
Opcode Fuzzy Hash: 9f5ba9a2a05029da988fc3b692131791d16620da9b41c815b514667de3ca213b
Instruction Fuzzy Hash: 54E01230E1940D8AF768EB54DC61BEDBAB1FF48304F5001B5D00DA3196DE346A81CF50

Function 00007FFD9B8AFD1D Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1837538980.00007FFD9B8AF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b8af000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbc1bb34ee1f11ce49f214e11302a9be94af02eb6df9e3c27e1e64a0480cf5b
Instruction ID: f69b59e37332b10044547aa25c10d0a6283bd5d8eed39880939b1a0546f4598f
Opcode Fuzzy Hash: 7fbc1bb34ee1f11ce49f214e11302a9be94af02eb6df9e3c27e1e64a0480cf5b
Instruction Fuzzy Hash: 91D09270909B2D8FEBA6DF18C8A47AC76B5AF1C700F5040E9A00DE22A0CF342BC09F54

Analysis Process: RuntimeBroker.exePID: 7708, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8A35EA Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4858eac0b7158a6889ba3cd463e84b6c864f2ca2abe605471bea3b42e4a9be
Instruction ID: eb056be56cdcc55e6a59fad7b700758b86315fc50810ed5a737859e8c3b87cdc
Opcode Fuzzy Hash: aa4858eac0b7158a6889ba3cd463e84b6c864f2ca2abe605471bea3b42e4a9be
Instruction Fuzzy Hash: 9C519662F1894D8FE758DBACD8257AC7BE1EF99350F9001BAD00DD32DADBB414068751

Function 00007FFD9B8AE702 Relevance: 3.8, Strings: 3, Instructions: 67COMMON

Download Yara Rule

Strings

h, xrefs: 00007FFD9B8AE70F
{, xrefs: 00007FFD9B8AFF84
k, xrefs: 00007FFD9B8B00CD

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: h$k${
API String ID: 0-848141867
Opcode ID: 6f339a14785d6597fbd1a1a538c57d0204d5ccfec84a90f4a48c55ecf9fb1574
Instruction ID: 5f42e05fcf1c015d4dd0365c174d4069c66de1ba39db2ca646fdda88dd6241a2
Opcode Fuzzy Hash: 6f339a14785d6597fbd1a1a538c57d0204d5ccfec84a90f4a48c55ecf9fb1574
Instruction Fuzzy Hash: DE31E870E0962ECEEB79DF55C8647EA76B1AB48301F1141F9D04DA2290CB382E84CF45

Function 00007FFD9B8AED09 Relevance: 2.5, Strings: 2, Instructions: 41COMMON

Download Yara Rule

Strings

<, xrefs: 00007FFD9B8AED2A
{, xrefs: 00007FFD9B8AED1D

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: <${
API String ID: 0-3826224372
Opcode ID: 294f087d72ce5744a65584161976afeedabc1428fbee8c84419dc84b8a2b1862
Instruction ID: 2b460ae70557664352d9d16c7e1dbb23b8a19ece79a1da1da6a161bcd8db8ff2
Opcode Fuzzy Hash: 294f087d72ce5744a65584161976afeedabc1428fbee8c84419dc84b8a2b1862
Instruction Fuzzy Hash: F0114830A0962ECFEB75CF10C8A47A9B7B2AB18701F1041E9D00D922A0CB382BC4CF41

Function 00007FFD9B8AC93D Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

{{L, xrefs: 00007FFD9B8AC93F

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: {{L
API String ID: 0-3227134785
Opcode ID: b23261a259318621046352c9c952cbcf4ef3564edd50b479fe40289ccfc106e6
Instruction ID: 62218c2a1bc052fae4a3113bec0ee650c904fe759fa8fb9bb5a3390d1648027b
Opcode Fuzzy Hash: b23261a259318621046352c9c952cbcf4ef3564edd50b479fe40289ccfc106e6
Instruction Fuzzy Hash: CB811663B0C12A8AE31ABBACBC294FC7754EF85339B054177D1498A0D3ED69348686E4

Function 00007FFD9B8AEAB2 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

B, xrefs: 00007FFD9B8AEABF

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: B
API String ID: 0-1255198513
Opcode ID: 4c92800b4a17f51e084a3241685af4c445a6a2e029eb4fabb92ebcb36f45a6cc
Instruction ID: 9483af9edc100d36410dd00b96a43dc3368b1566609264d5c4f6524497e4ee99
Opcode Fuzzy Hash: 4c92800b4a17f51e084a3241685af4c445a6a2e029eb4fabb92ebcb36f45a6cc
Instruction Fuzzy Hash: 5C414C31E19A5D8BDBA8DB58CC557AAB3B1EF58302F1001FAD40DE3291DE346A828F41

Function 00007FFD9B8ADB29 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4378fd922b30ba87efc1d0e35eb3b3db22690679cdb62fe2e697bdf8f35124
Instruction ID: 9d87cb43e5126a24bacbd25bdde841b4d92c23ce879f83dcb898c9864e59e4b4
Opcode Fuzzy Hash: ca4378fd922b30ba87efc1d0e35eb3b3db22690679cdb62fe2e697bdf8f35124
Instruction Fuzzy Hash: 85E16B71E19A5D8FEBA8DB98D8647B8B7B1FF58300F4041BAD01DD32E6DA386941CB50

Function 00007FFD9B8A1648 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97bb1750ac9da4fcc3696ecbfcb01cd839c18e9ec247864f3e5e976ae08ddc48
Instruction ID: a301a78a167f1214589a6816540aa8cebf094e6e75374c0ce6e78b802c62d475
Opcode Fuzzy Hash: 97bb1750ac9da4fcc3696ecbfcb01cd839c18e9ec247864f3e5e976ae08ddc48
Instruction Fuzzy Hash: 1781C131B0DA494FDB58EF5C88615A977E2FFD9300B15067AE49EC32A2DE34AD02C781

Function 00007FFD9B8A1C7D Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf29a4e81efb791224ba3c9ddcddb3574846619b29ab11c1d6af83248d928e3f
Instruction ID: db63c71d391848507bcf11cf47321d84bb690317a5562619ef56cafa3bc82b6b
Opcode Fuzzy Hash: bf29a4e81efb791224ba3c9ddcddb3574846619b29ab11c1d6af83248d928e3f
Instruction Fuzzy Hash: BA51D031B08B894FDB58DF5888A15BA77E2FFD9300B15467ED45AC7292DE34E802C781

Function 00007FFD9B8AAF70 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ccac0eed777a35c3f64a25f52a70ae5c7623f6751499430eef940660a460ae
Instruction ID: 7c57ba7e25a9abaede5cb388a615b75c7a19474e91e781cce2b08ab41d621e17
Opcode Fuzzy Hash: 36ccac0eed777a35c3f64a25f52a70ae5c7623f6751499430eef940660a460ae
Instruction Fuzzy Hash: FE513A61B0E54E5FE712EBBCC8A95E93BE0FF59314F0541B6C028C70A7EE28A545C391

Function 00007FFD9B8A3175 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93395e19365ce84232e278d81ad62655ae7b49f6529e90dd61028ab10483179
Instruction ID: 3c96e2c56f3f313c86cb8d8cb129d4273be272e0c840bcb0a45565ca0119e940
Opcode Fuzzy Hash: d93395e19365ce84232e278d81ad62655ae7b49f6529e90dd61028ab10483179
Instruction Fuzzy Hash: 91512930E0A50E8EEB64EB98D4646EDB7F1EF48301F51017AD009E72A5DB78AA45CB60

Function 00007FFD9B8A2095 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88f7b867bdf9c6fb0c7fa7cc3a39daf57a928b91a55e2ce73437a84f8967545
Instruction ID: 49107c4e93a9bb784bffa6ec54043f67aeacf7f0ba5deba8b8220227cc42f245
Opcode Fuzzy Hash: d88f7b867bdf9c6fb0c7fa7cc3a39daf57a928b91a55e2ce73437a84f8967545
Instruction Fuzzy Hash: C8412A31B0E64A0FE765DBB898655B87BE0EF4A310B4645FBD04CC71A6DE28B9428351

Function 00007FFD9B8AAF88 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09bb1946279bdbfd7ced1888046c1904e2524fcae6d4ccc6491a3ce020bfdfb
Instruction ID: 03a590b3d4df102db2412d31ff65339f9132f6ef4beb37f41835e572337ffb39
Opcode Fuzzy Hash: d09bb1946279bdbfd7ced1888046c1904e2524fcae6d4ccc6491a3ce020bfdfb
Instruction Fuzzy Hash: E3415F62B0E59B6FE3169BBC98751E97FA0FF55204F0541B7C078C70D3EE28550A8392

Function 00007FFD9B8ABE99 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba1bd8c784df03f28897b29a5d48c06d4614a2d256540398024d33d97aa9d55c
Instruction ID: 3ff854e0b44d31c2efce63b5357bc49d6219f7dc1256e243ac2fb747e51272a5
Opcode Fuzzy Hash: ba1bd8c784df03f28897b29a5d48c06d4614a2d256540398024d33d97aa9d55c
Instruction Fuzzy Hash: 05410670E0A64D8FEB64DFA4C8646ED77F1BF08304F05413AE009E72A1DB78AA448B60

Function 00007FFD9B8AC3AC Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934c12db5daa27858bfa075df6b725c88614e76f1ebfc7c10c4b6aabed40e2c8
Instruction ID: 36a5e50b4ecfef3ffb2c0cd90c623df0ab17bee30bf5dc443b5871f3e7f079a9
Opcode Fuzzy Hash: 934c12db5daa27858bfa075df6b725c88614e76f1ebfc7c10c4b6aabed40e2c8
Instruction Fuzzy Hash: E531E570E1E91D8FEBA8EB98C8A5ABCB7B5FF58300F515039D00DE3292DE3469418B50

Function 00007FFD9B8AE825 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2727d3384d2b512e0606126dd58df1a2da3caf0a848119304a2f4b988674c71c
Instruction ID: d3d974450dc5d54803e2f5f9e135a41bd99b0b8fbcc819a0634631651b2064d3
Opcode Fuzzy Hash: 2727d3384d2b512e0606126dd58df1a2da3caf0a848119304a2f4b988674c71c
Instruction Fuzzy Hash: 03314F71E18A5D8FDBA8DB589C557A9B3B1EF58302F5101FAD40DE3291DE316D828F40

Function 00007FFD9B8AC420 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 233f3ce48f1dbeb892d1d9a158c876c06f6efbbce7edaca71bcd16e06a5d1533
Instruction ID: 9a31f0843136c568ffc4020befa09d36f70d71911cade6ecac5493db6bb40b5c
Opcode Fuzzy Hash: 233f3ce48f1dbeb892d1d9a158c876c06f6efbbce7edaca71bcd16e06a5d1533
Instruction Fuzzy Hash: 88212D70E1D91D8FEBA4EB9888A56BCBBB5FF5D300F511129D00DE3292CE3468418B50

Function 00007FFD9B8A32A2 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beddabef0a2e438e94b1356a18bce6f0209ed937bd64df29ec97461f79225b88
Instruction ID: b20270214ee9aa2883b678d000108098bd8a5e7af1e90cde886c46618213b1c0
Opcode Fuzzy Hash: beddabef0a2e438e94b1356a18bce6f0209ed937bd64df29ec97461f79225b88
Instruction Fuzzy Hash: C021F670E0951E8FDB64EF98C4A4AECB7F1FB98301F55013AD009E72A5DA786941CB60

Function 00007FFD9B8A3401 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec18aa5f6afda6bf5765971ee3f73752b1cfe9cc30ae12a899eea1ebb3e0b843
Instruction ID: 8fbb4e380d8a7cc93e106eaae28d5008898f8809a3ab87aed4131d8eaaf35202
Opcode Fuzzy Hash: ec18aa5f6afda6bf5765971ee3f73752b1cfe9cc30ae12a899eea1ebb3e0b843
Instruction Fuzzy Hash: FC215E30E0A60E8FEB65EFA4C8292BA77E0FF18305F0109BAD41DC61A5DF39A640C751

Function 00007FFD9B8A335F Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6654cd3a5225e1c59704f4c51f3fc81696c4c3d5ed781b8b0a2746d8e235d689
Instruction ID: 51bcd9f43b484f534117fee13ab635595e79333fe9eb2cde97e508b5952cb7ca
Opcode Fuzzy Hash: 6654cd3a5225e1c59704f4c51f3fc81696c4c3d5ed781b8b0a2746d8e235d689
Instruction Fuzzy Hash: 9821803194E7CA4FD743AB7488685A93FF0EF5B300B0944EBD059CB0A3DA28954AC761

Function 00007FFD9B8A3485 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9a120e85aab8eaf0e5bd2f02e22b5ac0f1402d158c201dd243338ecf016bef
Instruction ID: 6dd6aa33338f039f858a8b503edf78fde691dbb4a115a23f30f97b2335a744ae
Opcode Fuzzy Hash: 3a9a120e85aab8eaf0e5bd2f02e22b5ac0f1402d158c201dd243338ecf016bef
Instruction Fuzzy Hash: DA215C30A0B64E8FDBAADFA4C8256BD37A4FF28304F0104BED41DC61A1DB38A640C710

Function 00007FFD9B8AA671 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346cb063250059fc79a2408b78fd3d2d3d05d4d91eb8d0806bf7e8c1f1373ad2
Instruction ID: 0dc62937644280ea3710dbc72d6bfc4ca9d8f99d3f89fd5b6c86b0efeafc9173
Opcode Fuzzy Hash: 346cb063250059fc79a2408b78fd3d2d3d05d4d91eb8d0806bf7e8c1f1373ad2
Instruction Fuzzy Hash: 33214D70A1864D9FDB85EF68C859AB93BE0FF2D305F0101AAE819D72A5DB34E550CB81

Function 00007FFD9B8A4CAC Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9813af63565fa2efe0fe02c18f01f4efe6188d00f766006b2ed1bfa7e8c90dfe
Instruction ID: 8e2f7bd30a27b9aba60af2364d5420d16e76482d5752eab1c2f50fb6a8415edb
Opcode Fuzzy Hash: 9813af63565fa2efe0fe02c18f01f4efe6188d00f766006b2ed1bfa7e8c90dfe
Instruction Fuzzy Hash: 7C314F74E0591D8FDB65DB54C8A47E9B3B2FB98301F1045E9C00DA7295DA346AC4DF50

Function 00007FFD9B8A0A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f3523b5da06732b130526795837c67ac4e8777b6ea27856be8c1e0cd4a7c02
Instruction ID: 22c3235e1f2004c27a5e40bb3714527245ed9492291772c141e43ab82b1e6b30
Opcode Fuzzy Hash: 27f3523b5da06732b130526795837c67ac4e8777b6ea27856be8c1e0cd4a7c02
Instruction Fuzzy Hash: 4611B230E1A50E4FE790EBA888695BD77E1FF58700F4146B6D41CC70A6EE38B6458750

Function 00007FFD9B8A1F49 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563bc4a9951a9ab05ddd73b05f222c1a45401e93f72c81038a1e4387cf9a82e0
Instruction ID: ff81397d06d3e1aa73d4cde9edbfe0a71d947865dee96b2c10c60bfa839ad8f0
Opcode Fuzzy Hash: 563bc4a9951a9ab05ddd73b05f222c1a45401e93f72c81038a1e4387cf9a82e0
Instruction Fuzzy Hash: 81117011A4F6C65EEB3367B948744656F945F07224B2E46FFD0D8CF0E3DA08594AC322

Function 00007FFD9B8ACB20 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e0ffaa01c73a118ed0b9ea5404c999f779ed456b7cb8177c02b7de45d4aee2
Instruction ID: 86d43ea58b1976eeb57c1eaac1ec564cd46f50680dc7d735cce46535d9db27c8
Opcode Fuzzy Hash: 80e0ffaa01c73a118ed0b9ea5404c999f779ed456b7cb8177c02b7de45d4aee2
Instruction Fuzzy Hash: F9116D30A0A65E8FEB56AFA4C8685B97BB0FF09304F0104BBD419C61E2DE356685CB51

Function 00007FFD9B8ACF10 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db75497f87cd0aa15354229c3f2957f7e4e4d23b504ed87f1e9492789e90e841
Instruction ID: 8d90306b0d9eba577c71e4033f73f19765ca7941d80cf601c7c96b325f81f353
Opcode Fuzzy Hash: db75497f87cd0aa15354229c3f2957f7e4e4d23b504ed87f1e9492789e90e841
Instruction Fuzzy Hash: 7A119470E0991E8EEB98EF68C4656BDB6E1FF58301F10057ED41DC22A5DE34A650CB81

Function 00007FFD9B8ABE15 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26eb56a969fbb125df16e9608efbe1a8c4b48d53ecaa58d6ff191154bf3957d
Instruction ID: dee7a5241a616afc25352041d236750a1abacbe340430559f863b5abf17ffef5
Opcode Fuzzy Hash: f26eb56a969fbb125df16e9608efbe1a8c4b48d53ecaa58d6ff191154bf3957d
Instruction Fuzzy Hash: B2118E30A0A64E8FEB55EF68C8682BD7BE0FF18300F0105BED419C61A2DB35A650C710

Function 00007FFD9B8A11AD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2858d3ae3cb1f2a5719ed9d63389f1f6d0f328445569ebc833ba0703dab93c
Instruction ID: 4b327fdfc00f1b72c778f5b161271d5acd0c96503d2e049121b28747a6bafa3f
Opcode Fuzzy Hash: 4a2858d3ae3cb1f2a5719ed9d63389f1f6d0f328445569ebc833ba0703dab93c
Instruction Fuzzy Hash: 8111B230E0E64E4FEB69EBA4C4796B97BE0EF5A304F0104BED01AC60E1EE295640C710

Function 00007FFD9B8AD80D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f528e631b2a9b11b85a61e70b4c56f3987d1072419e783915b2e2d546d7d22c1
Instruction ID: 286125223bb8c88ceb6c2215e3c5b4e43d0e35d85e2dc6575145dee1058ef675
Opcode Fuzzy Hash: f528e631b2a9b11b85a61e70b4c56f3987d1072419e783915b2e2d546d7d22c1
Instruction Fuzzy Hash: F3115E30A0964D8FDB65EF68C4696F97BB0FF18314F4108BED41DC61A6DB759650C710

Function 00007FFD9B8A2DF1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f93ac60924c0f8611ae7dcc8db90046f60bdc81846f9f00bbfd8a543ba82c89f
Instruction ID: 6bfcdea3fa00117ced6452aa1705c930707a9989123874dbc62c613eaf3faf29
Opcode Fuzzy Hash: f93ac60924c0f8611ae7dcc8db90046f60bdc81846f9f00bbfd8a543ba82c89f
Instruction Fuzzy Hash: 1301A230A5A20E4FE761EFA4C5595A97BE1EF19300F0645B6C40CC71B7EF38E5918710

Function 00007FFD9B8A05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7668ae8af7dd368b03e88b72f78b19dae9056544d243f1d01b4fa218dbe478
Instruction ID: 6243a5088431f0d9c220811987aef98062155312fee3f901e0e5054dac3d82d1
Opcode Fuzzy Hash: ba7668ae8af7dd368b03e88b72f78b19dae9056544d243f1d01b4fa218dbe478
Instruction Fuzzy Hash: B5019E30A4A50E8FEB58EF64C0656BA77A1FF5E304F11047ED41EC21A5CA36A650CB50

Function 00007FFD9B8ABFC7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64acfe760a73a5e92cc75596b96a656b401eaf666448c7c40c184b64625c9a71
Instruction ID: c5291e58266627e8581c28aedbef3e50b24d68c1f449e0285022d491db75d341
Opcode Fuzzy Hash: 64acfe760a73a5e92cc75596b96a656b401eaf666448c7c40c184b64625c9a71
Instruction Fuzzy Hash: 8711C070E0910EDFDB68DFD4D4A06FDB7B5FF58305F15402AE409A22A1DA786A40CF60

Function 00007FFD9B8AABB9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e5be776c3b71cc36b665a88acda941679dc73eafb4d31008f93187bd1badb4
Instruction ID: 3e7bc51580f8498fdf007eee5f7a2ad6d1a19ed3e8894bd49abe7557a90f445a
Opcode Fuzzy Hash: 19e5be776c3b71cc36b665a88acda941679dc73eafb4d31008f93187bd1badb4
Instruction Fuzzy Hash: 20017530A4E64D5FE762EB7888695A97BE1EF09300F0649F6D008C74F6DA38A5448711

Function 00007FFD9B8A2E69 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83628615dc1b439411be5c75bdbc6bfaffb9684f69e76da20faf77430e5cc33
Instruction ID: 1dd5f15caf5bde153a4ee8ca717972f6cde812e0d79921e0b0a7088dbd4494fb
Opcode Fuzzy Hash: c83628615dc1b439411be5c75bdbc6bfaffb9684f69e76da20faf77430e5cc33
Instruction Fuzzy Hash: 3F01D830A0E64D4FD771AFB489585A93BE0EF5A300F0605B3D408C60B7DA28A5948310

Function 00007FFD9B8A27CD Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9f42fee926d9425026f87f81225922616326f54bb98ff30bddb281b9694b82
Instruction ID: a2d60a12324aa5015ca09da835c86989cc87d9c0a0ac0c7825f5f30841268a08
Opcode Fuzzy Hash: ec9f42fee926d9425026f87f81225922616326f54bb98ff30bddb281b9694b82
Instruction Fuzzy Hash: 0F018430A1E54E8FE761EFA489595B9BBE0FF19310F0645B6D40CC60A6DE38E6448751

Function 00007FFD9B8A1BFD Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e679a831f74409bd77248680b03ec0ca9d80eddd8d671e5311cabe8706d6f86b
Instruction ID: 3c1f7f856b5ca7b0088be25c1a954f78b7568e87106cc17871e20504aec538fe
Opcode Fuzzy Hash: e679a831f74409bd77248680b03ec0ca9d80eddd8d671e5311cabe8706d6f86b
Instruction Fuzzy Hash: 0301D630A0A68E8FDB65EF64C8655B97BA1FF1A300F45117ED40CC61A2DB39D650C740

Function 00007FFD9B8ABFA7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b524f80e5a71c13e0f77736984af139dc74ba68729183e0aec478c465080ce3
Instruction ID: ff5b79f2e4522be08b05821ffcbebe73ca1366a532c7c784e884a416640f41cb
Opcode Fuzzy Hash: 2b524f80e5a71c13e0f77736984af139dc74ba68729183e0aec478c465080ce3
Instruction Fuzzy Hash: FD11D0B0E0520EDFEB68DFD4D4A06EDB7B1FF58315F15402AE415A22A1DB786A44CF60

Function 00007FFD9B8A0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77795b7571c470f2c2ae8529a4437c41fb72e31ce837f3d134519b1fbc54d801
Instruction ID: fbe0316b3e76c10188313fd22bb4bf429161e91a99c7e5a66029d70d98fd5c9d
Opcode Fuzzy Hash: 77795b7571c470f2c2ae8529a4437c41fb72e31ce837f3d134519b1fbc54d801
Instruction Fuzzy Hash: B7018130A19A0ECAEB69EFA4C4686B977E0FF1D305F5108BED41EC61E5DE35B650CA10

Function 00007FFD9B8A0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b93d5c7a3d01fb124950408826ee10b27d2b93b5adf95130178f55c72920bb
Instruction ID: 1e3602a4f2499e542797834e49ed311614ad02b78114bdb99ceb25e8f97840d8
Opcode Fuzzy Hash: 67b93d5c7a3d01fb124950408826ee10b27d2b93b5adf95130178f55c72920bb
Instruction Fuzzy Hash: F7016D30A1950E8AEB69EFA4C4686BA72E0FF18304F11087EE41EC21E5DE35B650CA10

Function 00007FFD9B8A05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8ef6a9dd11c5dbcdd9957cceb07c068f986a78f019d3ead84f474a32251381
Instruction ID: 5b2faabf8e020f73ec785366ea71733b368c5042655ea349384787ef60b91dac
Opcode Fuzzy Hash: ca8ef6a9dd11c5dbcdd9957cceb07c068f986a78f019d3ead84f474a32251381
Instruction Fuzzy Hash: C7F0C230A0A65E8FEB68EF6494656FA77A0EF1A308F01047AE80DC20A1DA35A660C750

Function 00007FFD9B8A11C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8794a52b91a255d163e2bd8e10fd9918986ed6664f9bf65c925e71dfbcc52d3
Instruction ID: 8b3030f9907788146cace5ad983291175dc7f27073347e8a94f4ea5efd001ef1
Opcode Fuzzy Hash: e8794a52b91a255d163e2bd8e10fd9918986ed6664f9bf65c925e71dfbcc52d3
Instruction Fuzzy Hash: F7F0C830E1A55F4AFBA4EBE498392F977E4FF5A304F00147AD41DC20E1EF285654C650

Function 00007FFD9B8A275D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171f7d0c39a0a6b3c552c89bdbf35a6db001fbd59353c1d20e99202290655407
Instruction ID: 613ae377e73cd8bb4aa64cda2046d88d0630fa792c27c6edda36b2604853c5fe
Opcode Fuzzy Hash: 171f7d0c39a0a6b3c552c89bdbf35a6db001fbd59353c1d20e99202290655407
Instruction Fuzzy Hash: 2DF09630A0E78ECFDB799FA889651B93BA0FF09200F4145BED419C51E6DB38A654CB11

Function 00007FFD9B8A26E9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc0bef01c15cdc41416f5bdfcd301cd5aa159c67a53d570743e2518ba10f833
Instruction ID: 6b365c62ce8095193d3f3387cbc7bf138228eb77f742539fa644b219a7c94465
Opcode Fuzzy Hash: ecc0bef01c15cdc41416f5bdfcd301cd5aa159c67a53d570743e2518ba10f833
Instruction Fuzzy Hash: 26F0623090E78D8FDB6A9FA488391A93BA0FF1A304F4604BAD409C61E2DA28A654C711

Function 00007FFD9B8AB9DF Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b093327d48b7bd64b34a7b214ce01764cc42b7ed5eb66466875ddfa3d39edc6f
Instruction ID: 1a0d636aac9db97d7af70094687485cd518c359c6a809cdd7e9a243e6f81104c
Opcode Fuzzy Hash: b093327d48b7bd64b34a7b214ce01764cc42b7ed5eb66466875ddfa3d39edc6f
Instruction Fuzzy Hash: 9CF01270E1951E9EDBA4DB588454BA9B3B1EF58300F1182A6840DE2155DE34AEC58B50

Function 00007FFD9B8A16B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a1a5cca1e6e06b9dbeb7d39b273728c7f151a8c036831ce9938b39de7d2662
Instruction ID: 6e2e35be49913c4e84c149b58e7bbd1bd7b411ce16cb45634c4ca0908c3cf9bc
Opcode Fuzzy Hash: b2a1a5cca1e6e06b9dbeb7d39b273728c7f151a8c036831ce9938b39de7d2662
Instruction Fuzzy Hash: 7EE0E520F0A44A4AEB747359849557461D15F4A314FBA8675F01DC61F1EB2CDE81C311

Function 00007FFD9B8A8FFA Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7052d1464cd02f884c10f4b27290f23d5589c8d2a4bb63556c9bfc1dc956f8
Instruction ID: 91d6fd4bfedefd3ff0072f362b9a88bed5ca1d3b0b00af4070d524551574e935
Opcode Fuzzy Hash: 9b7052d1464cd02f884c10f4b27290f23d5589c8d2a4bb63556c9bfc1dc956f8
Instruction Fuzzy Hash: 83E09A34909D598EDB64DF448C642AAB771FB98303F1111D9C80EE36A1DE746A818F40

Function 00007FFD9B8A0F9A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1837313549.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8a0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da91713e8691d05b281cd844f4b63a9ae44c20cf691c23d1bb88617d4a0e124
Instruction ID: 08591c6d9b209b025e207c0b24063bd93a98fa6c1c98c0aa19f487efeea0298f
Opcode Fuzzy Hash: 2da91713e8691d05b281cd844f4b63a9ae44c20cf691c23d1bb88617d4a0e124
Instruction Fuzzy Hash: 6CE01230E1940D8AF768EB54DC60BADBAB1FF48304F5001B5D00DA3196DE346A81CF50

Analysis Process: UQXKdqQetSFpkBwLVgNixbuHXutP.exePID: 7724, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8B10AD Relevance: 10.3, Strings: 8, Instructions: 260COMMON

Download Yara Rule

Strings

,, xrefs: 00007FFD9B8B1C72
[, xrefs: 00007FFD9B8B11C7
), xrefs: 00007FFD9B8B1C46
., xrefs: 00007FFD9B8B18D4
{, xrefs: 00007FFD9B8B1843
/, xrefs: 00007FFD9B8B14B1
", xrefs: 00007FFD9B8B1226
+, xrefs: 00007FFD9B8B13B1

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID: "$)$+$,$.$/$[${
API String ID: 0-3487457677
Opcode ID: 71a2e6ca19b2bc35e5151e37a48ab80e1528ac3c90988ffeea0006ece03ca3ea
Instruction ID: 044c4d9dbcddc12f7d7fed2c98291e3d38e786e95d0748ba80b10699df5c332e
Opcode Fuzzy Hash: 71a2e6ca19b2bc35e5151e37a48ab80e1528ac3c90988ffeea0006ece03ca3ea
Instruction Fuzzy Hash: 41C1B570E1963DCEEB68DFA4D8647EDB6B2BB08300F1145A9D04DAB291CB785A84CF50

Function 00007FFD9B8A35EA Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2549c78dd0c9b23ec616c943aa3fe91d6e63dd1578d6cfeeef6ed61c536038
Instruction ID: 28cdc87edc5a10ac8ad2c8e5b007751d6f9ed2b9494f51184bab9035588938ac
Opcode Fuzzy Hash: ad2549c78dd0c9b23ec616c943aa3fe91d6e63dd1578d6cfeeef6ed61c536038
Instruction Fuzzy Hash: 3151C871B1894D8FE758DBACD8257AC7BE1EF99350F9401BAD00CD32DADBB414028791

Function 00007FFD9B8AC93D Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

{{L, xrefs: 00007FFD9B8AC93F

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID: {{L
API String ID: 0-3227134785
Opcode ID: fb8d20dc986e26a0bd6c4b2a47565c20710c38fa375733dd03e762c92085503b
Instruction ID: 62218c2a1bc052fae4a3113bec0ee650c904fe759fa8fb9bb5a3390d1648027b
Opcode Fuzzy Hash: fb8d20dc986e26a0bd6c4b2a47565c20710c38fa375733dd03e762c92085503b
Instruction Fuzzy Hash: CB811663B0C12A8AE31ABBACBC294FC7754EF85339B054177D1498A0D3ED69348686E4

Function 00007FFD9B8AFDF3 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

}, xrefs: 00007FFD9B8AFE2A

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8AF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8af000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-4239843852
Opcode ID: 134af21aa725722f4fb08a0131a8f6944e5ec19ba2c48cc0a4535325b98b07b6
Instruction ID: fa323f78f91c121b42d7e33a79b4da9ad4b2fccca213867cbd18ba8bcdc82804
Opcode Fuzzy Hash: 134af21aa725722f4fb08a0131a8f6944e5ec19ba2c48cc0a4535325b98b07b6
Instruction Fuzzy Hash: B711F370E0962D8FEBA4DF55C8A0BF9B6B1AB18301F1040EA904DA22A0CB346EC0CF51

Function 00007FFD9B8B3468 Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90176bd4557041c86840afd5cea5485c7e487c0905715ce93cd2e0e43cd1fecf
Instruction ID: 674020a6ebb6cdd904e9a44968b993eff6f789eaa8abc7179610b715f65eb58b
Opcode Fuzzy Hash: 90176bd4557041c86840afd5cea5485c7e487c0905715ce93cd2e0e43cd1fecf
Instruction Fuzzy Hash: 0421A760A0E7DA8FE7529BB488695A97FB0FF16304B0505F7D058CB0E7EA24A544C752

Function 00007FFD9B8ADB29 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda38512692cb66aeb9146a5bae8db4b95ce0deb1406fc90b8fb4f6ef79aaeea
Instruction ID: 9d87cb43e5126a24bacbd25bdde841b4d92c23ce879f83dcb898c9864e59e4b4
Opcode Fuzzy Hash: cda38512692cb66aeb9146a5bae8db4b95ce0deb1406fc90b8fb4f6ef79aaeea
Instruction Fuzzy Hash: 85E16B71E19A5D8FEBA8DB98D8647B8B7B1FF58300F4041BAD01DD32E6DA386941CB50

Function 00007FFD9B8B3A2F Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999ceef4307a2cf08f1504b3afad2a8887122e4396506ab6fe6c6538cad252e7
Instruction ID: 53ec5ac44ed8a88045123b3e940b1205076a6d3573cce166bb74625e575e34c6
Opcode Fuzzy Hash: 999ceef4307a2cf08f1504b3afad2a8887122e4396506ab6fe6c6538cad252e7
Instruction Fuzzy Hash: 5F917E237085768AD31ABBBCFC6A4F93B50EF4637570445BBC189CA0B7D925608ACBD1

Function 00007FFD9B8A1648 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97bb1750ac9da4fcc3696ecbfcb01cd839c18e9ec247864f3e5e976ae08ddc48
Instruction ID: a301a78a167f1214589a6816540aa8cebf094e6e75374c0ce6e78b802c62d475
Opcode Fuzzy Hash: 97bb1750ac9da4fcc3696ecbfcb01cd839c18e9ec247864f3e5e976ae08ddc48
Instruction Fuzzy Hash: 1781C131B0DA494FDB58EF5C88615A977E2FFD9300B15067AE49EC32A2DE34AD02C781

Function 00007FFD9B8A1C7D Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf29a4e81efb791224ba3c9ddcddb3574846619b29ab11c1d6af83248d928e3f
Instruction ID: db63c71d391848507bcf11cf47321d84bb690317a5562619ef56cafa3bc82b6b
Opcode Fuzzy Hash: bf29a4e81efb791224ba3c9ddcddb3574846619b29ab11c1d6af83248d928e3f
Instruction Fuzzy Hash: BA51D031B08B894FDB58DF5888A15BA77E2FFD9300B15467ED45AC7292DE34E802C781

Function 00007FFD9B8AAF70 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b9a33752231a6656cd0f720dfb8ce5548d988c65c8fad4a3249ee642adefa7
Instruction ID: 7817361f76b257e5f0ec3c6a5619a71599a68748a65c5509c82f2ed9a0b08cae
Opcode Fuzzy Hash: 30b9a33752231a6656cd0f720dfb8ce5548d988c65c8fad4a3249ee642adefa7
Instruction Fuzzy Hash: B7513961B0E54E5FE712EBBCC8A95E93BE0FF59314F0541B6C028C70A7EE28A545C391

Function 00007FFD9B8B7139 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d80526b60f290ce252bd6b9caa2b78d5b55ab04fa3e5fc681e7d3fee31854e6
Instruction ID: e2381f4e12ac0a0f1c8028bd304c88c45dcdb16f83f1c366292e18e601354019
Opcode Fuzzy Hash: 3d80526b60f290ce252bd6b9caa2b78d5b55ab04fa3e5fc681e7d3fee31854e6
Instruction Fuzzy Hash: FE61B334E0A62E8FEB64DFA4D8656FDB7B1FF49300F01413AD009D72A6DA3866448F91

Function 00007FFD9B8B62C5 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e214a2454626b5ab6314e4777bd7206137b950e99d427b9ad6dd74372b4dcb8
Instruction ID: 007652dd1a85689f52ec6c7314deb73d8613f935b5da0d58a92aabbad16661dd
Opcode Fuzzy Hash: 8e214a2454626b5ab6314e4777bd7206137b950e99d427b9ad6dd74372b4dcb8
Instruction Fuzzy Hash: 585108B0E0962D8EEB68DBA4C8657ADB6B1FF59301F51017ED00D972A2CF386A44CF41

Function 00007FFD9B8A3175 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb470da53dc3cc238025a8ab6e9833d615cc2ddceabd1b151fc1db47a9f80a93
Instruction ID: c98962f794a7a63adfa9ffb0e352af13654eae4ec953c4e7a57972a2c4ea1aac
Opcode Fuzzy Hash: cb470da53dc3cc238025a8ab6e9833d615cc2ddceabd1b151fc1db47a9f80a93
Instruction Fuzzy Hash: E2511A30E0951E8FEB64EB98D4646EDB7F1FF48301F55017AD009E72A5DB38AA458B60

Function 00007FFD9B8A2095 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd7976a19b86fd59063c3e38b94fa7eae8a64f18f90a5c79e683ea0399668ef
Instruction ID: b5eac845f91715e893eca6702eec254762df998f10cb01d5d58e2a9a6d2f3a7a
Opcode Fuzzy Hash: 5dd7976a19b86fd59063c3e38b94fa7eae8a64f18f90a5c79e683ea0399668ef
Instruction Fuzzy Hash: 73415B31B0E64A0FE765DFB888655B87BE0EF4A300B0645FBD04CC71A7DE28B9428351

Function 00007FFD9B8AAF88 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4254fa61675d30e752d7d4abfb69321db702b027ea89da8a2b9752ddf92bf764
Instruction ID: 6b190a09cea789edc47de980784e4527eeaa7070f1b7047067e01159f9707795
Opcode Fuzzy Hash: 4254fa61675d30e752d7d4abfb69321db702b027ea89da8a2b9752ddf92bf764
Instruction Fuzzy Hash: F5414E61B0E59B6FE3169BBC98751E97FA0FF55304B0541B7C078C70D3ED28550A8392

Function 00007FFD9B8ABE99 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5c4b2d221e5049cecaf36712f2d54d7ab533eaedffa240f7b0f4e64ee247ef
Instruction ID: 3ff854e0b44d31c2efce63b5357bc49d6219f7dc1256e243ac2fb747e51272a5
Opcode Fuzzy Hash: 8b5c4b2d221e5049cecaf36712f2d54d7ab533eaedffa240f7b0f4e64ee247ef
Instruction Fuzzy Hash: 05410670E0A64D8FEB64DFA4C8646ED77F1BF08304F05413AE009E72A1DB78AA448B60

Function 00007FFD9B8B2D6C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356c1f103a31d396e306e212fd95d6577d377175ed9bd4e9a06dd59262f20e27
Instruction ID: 83abe781a8d8e66970530daa25ff6d521ca3d58771fb26b1004f8c188486bd7e
Opcode Fuzzy Hash: 356c1f103a31d396e306e212fd95d6577d377175ed9bd4e9a06dd59262f20e27
Instruction Fuzzy Hash: 5841B370E1461D8FDB54EFA8D8A5AEDBBB1FF18300F10416AD418A72A2DA346981CF40

Function 00007FFD9B8AC3AC Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7399659724d9397069551112d74283e59fcb5d3525305837241f4f1c1c232079
Instruction ID: 36a5e50b4ecfef3ffb2c0cd90c623df0ab17bee30bf5dc443b5871f3e7f079a9
Opcode Fuzzy Hash: 7399659724d9397069551112d74283e59fcb5d3525305837241f4f1c1c232079
Instruction Fuzzy Hash: E531E570E1E91D8FEBA8EB98C8A5ABCB7B5FF58300F515039D00DE3292DE3469418B50

Function 00007FFD9B8B3BD3 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1cf74d6fd28668b4acb8fd5ae8e52d7d27cfd2c12229405fc15a8eb78f3d576
Instruction ID: 67376a0371fbbd6aacafb6a4e581a48ba9dab7ad4d05d370a32c27e569f667d7
Opcode Fuzzy Hash: c1cf74d6fd28668b4acb8fd5ae8e52d7d27cfd2c12229405fc15a8eb78f3d576
Instruction Fuzzy Hash: 85213F22B0E6AA4FE721ABFCAC751F93B90EF46261F0504B7C148CB0A3D9255205C791

Function 00007FFD9B8AC420 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d553fa6c8a659ee2cba02fbca26be7872d5308bc7b37c02762522afd9ddacf
Instruction ID: 9a31f0843136c568ffc4020befa09d36f70d71911cade6ecac5493db6bb40b5c
Opcode Fuzzy Hash: 68d553fa6c8a659ee2cba02fbca26be7872d5308bc7b37c02762522afd9ddacf
Instruction Fuzzy Hash: 88212D70E1D91D8FEBA4EB9888A56BCBBB5FF5D300F511129D00DE3292CE3468418B50

Function 00007FFD9B8B6E51 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a9d830dea9b312a3df7bfd88e7d0142cb846173a2082db16338cb8972178d0
Instruction ID: 25269eb0af75f121c8c0b46eb94cfc05b7b7aff8f5f036f4fb54c8b41c1fe852
Opcode Fuzzy Hash: 45a9d830dea9b312a3df7bfd88e7d0142cb846173a2082db16338cb8972178d0
Instruction Fuzzy Hash: 3C21B170A0A65E8FEB64DFA4C4655BD7BA0FF18300F10057AD41DC61A5DE34A5508B80

Function 00007FFD9B8B2C42 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f95880e9d8ff0332aa6c6bf7c62ded63f8a6b5d807b2dda0f0868ef7547fb8
Instruction ID: 23ef39804bec674a24ba9606fc015529231265ecbe7b3390b41f8b005af4b7ff
Opcode Fuzzy Hash: f7f95880e9d8ff0332aa6c6bf7c62ded63f8a6b5d807b2dda0f0868ef7547fb8
Instruction Fuzzy Hash: 7731BB70E0995D8EDBA4EF98C899BACBBB5FB58301F1141AA800DE3265DE345A948F40

Function 00007FFD9B8B7015 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7aee2f10743b23fb01fc05e8b26a767dc8172fd27272ab5ed67a95c4b366301
Instruction ID: 93f59aee810b61faaca44357fdf305e8b7addf15f7d70f5dff972b21828ebfce
Opcode Fuzzy Hash: b7aee2f10743b23fb01fc05e8b26a767dc8172fd27272ab5ed67a95c4b366301
Instruction Fuzzy Hash: 3521F771E0E64E8AFB659BB488756B976E0FF19310F0504BED41DC21E3DD28A545CA81

Function 00007FFD9B8B7601 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5dbc2596ecd09e03bc61c5c2b1b604ba282d53ab54cebbbc6dfaeb7e7914516
Instruction ID: cdbb82b4b4f5263cf994faa763645eebe3fe598f6f4811aedaabc8ddaa41f1e7
Opcode Fuzzy Hash: a5dbc2596ecd09e03bc61c5c2b1b604ba282d53ab54cebbbc6dfaeb7e7914516
Instruction Fuzzy Hash: 9C213035A0A65E8EEB61EBB8C8585FD77E4FF19301F010576D419D2165DA38A2409B90

Function 00007FFD9B8A32A2 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d9aaef7aea8e37618f906832fc857f7c94471eea63fa0d649d874c414702c9
Instruction ID: aec38ff07767c14dde9d159005e99a4601b7eae7d473f9285cfb0d53980e8e51
Opcode Fuzzy Hash: d3d9aaef7aea8e37618f906832fc857f7c94471eea63fa0d649d874c414702c9
Instruction Fuzzy Hash: 2E21D770E0951E8FDB64EF98C4A4AECBBF1FF98301F55417AD009E72A5DA786940CB60

Function 00007FFD9B8B6239 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113970e9bb1da016d3ec929c957b1b2b74c08ae61797be7e8abdff24b73c4086
Instruction ID: 7b3eb44e930b9002f07c198fdd8010299a745610b72745ddcd12e612799e7b3f
Opcode Fuzzy Hash: 113970e9bb1da016d3ec929c957b1b2b74c08ae61797be7e8abdff24b73c4086
Instruction Fuzzy Hash: D7218370E0E65F4FFB65ABB488696B9B7E0FF19300F0505B6D41CC30A6DE38A6508B41

Function 00007FFD9B8A3401 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec18aa5f6afda6bf5765971ee3f73752b1cfe9cc30ae12a899eea1ebb3e0b843
Instruction ID: 8fbb4e380d8a7cc93e106eaae28d5008898f8809a3ab87aed4131d8eaaf35202
Opcode Fuzzy Hash: ec18aa5f6afda6bf5765971ee3f73752b1cfe9cc30ae12a899eea1ebb3e0b843
Instruction Fuzzy Hash: FC215E30E0A60E8FEB65EFA4C8292BA77E0FF18305F0109BAD41DC61A5DF39A640C751

Function 00007FFD9B8A335F Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6654cd3a5225e1c59704f4c51f3fc81696c4c3d5ed781b8b0a2746d8e235d689
Instruction ID: 51bcd9f43b484f534117fee13ab635595e79333fe9eb2cde97e508b5952cb7ca
Opcode Fuzzy Hash: 6654cd3a5225e1c59704f4c51f3fc81696c4c3d5ed781b8b0a2746d8e235d689
Instruction Fuzzy Hash: 9821803194E7CA4FD743AB7488685A93FF0EF5B300B0944EBD059CB0A3DA28954AC761

Function 00007FFD9B8A3485 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9a120e85aab8eaf0e5bd2f02e22b5ac0f1402d158c201dd243338ecf016bef
Instruction ID: 6dd6aa33338f039f858a8b503edf78fde691dbb4a115a23f30f97b2335a744ae
Opcode Fuzzy Hash: 3a9a120e85aab8eaf0e5bd2f02e22b5ac0f1402d158c201dd243338ecf016bef
Instruction Fuzzy Hash: DA215C30A0B64E8FDBAADFA4C8256BD37A4FF28304F0104BED41DC61A1DB38A640C710

Function 00007FFD9B8B6F95 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d556353f8a43e4fafecadf14293831fd11d6284f14101f5dadae2695ac537356
Instruction ID: 23a6079c47d5f4fad9728319df99daed9ae9efecdf8d33a4f4088fb3e4cac10e
Opcode Fuzzy Hash: d556353f8a43e4fafecadf14293831fd11d6284f14101f5dadae2695ac537356
Instruction Fuzzy Hash: 5221D471E0A55E8FEB65EBB484695FD77E0FF18310F0144BAD41CC21A6EE34E5448B80

Function 00007FFD9B8B28C3 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b7a639f2b29a39094fca9c1f23bde6a5d69301ffb15d814e579c7a391c8447
Instruction ID: 0f7d0cf6a782e4637116489c247257c8936a59cd0fbdbc4dafe13ede0f1692ed
Opcode Fuzzy Hash: 81b7a639f2b29a39094fca9c1f23bde6a5d69301ffb15d814e579c7a391c8447
Instruction Fuzzy Hash: D011CD3094E39E4FDB579BB098745E97FB0AF0A310F0604EBC45AC60E3DA296945CB92

Function 00007FFD9B8A0A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cdb4a89f71f69e7ed96f9552c8d210c22abbeebd7072d6bb2575983343b73da
Instruction ID: cb98b42b81728051fdf9ce14dddb15ed5610cbae1995da5d51b10b11083bfc67
Opcode Fuzzy Hash: 6cdb4a89f71f69e7ed96f9552c8d210c22abbeebd7072d6bb2575983343b73da
Instruction Fuzzy Hash: 9611E230E1A50E4FE790EBA888585BD77E0FF18700F4106B6C01CC70A6EE34B5448750

Function 00007FFD9B8B3309 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e03d9e13d0d79994364b482a3475b2ef854c8907ba2df2bc0f47d8ef1364d3
Instruction ID: 76ca3f298f41fb75b4aecce08667aa70adbc8416fde2ff38c54356b54c2ec11c
Opcode Fuzzy Hash: d0e03d9e13d0d79994364b482a3475b2ef854c8907ba2df2bc0f47d8ef1364d3
Instruction Fuzzy Hash: 9221C63190E69A5FE752DBB49C695AA7BF0FF1E300F0505FBD448C70A2DD28A245C751

Function 00007FFD9B8A1F49 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563bc4a9951a9ab05ddd73b05f222c1a45401e93f72c81038a1e4387cf9a82e0
Instruction ID: ff81397d06d3e1aa73d4cde9edbfe0a71d947865dee96b2c10c60bfa839ad8f0
Opcode Fuzzy Hash: 563bc4a9951a9ab05ddd73b05f222c1a45401e93f72c81038a1e4387cf9a82e0
Instruction Fuzzy Hash: 81117011A4F6C65EEB3367B948744656F945F07224B2E46FFD0D8CF0E3DA08594AC322

Function 00007FFD9B8B6EF5 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b77010fe0c86f347045f0540582822f598c733170dc685ea00677dac2e64811
Instruction ID: cd8f1baade61581dbd79bd47c5343d7c2aa3dbd9d9eebd486921ce9af39e699b
Opcode Fuzzy Hash: 7b77010fe0c86f347045f0540582822f598c733170dc685ea00677dac2e64811
Instruction Fuzzy Hash: 9311A270A0965E8FEB98EF6884656B97BA0FF58300F0105BED41DC72A6DA34A550CB81

Function 00007FFD9B8B4885 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0883e665c1e53d1854388fc38d9dcfb646dce83f12b6105f9a742356ecb3c11
Instruction ID: 475a6abe0f558cc27268efffd0e758e6dc15894d0917138b5c2769a02879cecf
Opcode Fuzzy Hash: a0883e665c1e53d1854388fc38d9dcfb646dce83f12b6105f9a742356ecb3c11
Instruction Fuzzy Hash: 5411BB30A0965E8FDB59DF78C4665BD7BA1FF58300F05057ED41DC71A6DA356140CB81

Function 00007FFD9B8B47E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f64c38940fd1ceab8c969f2067c973b10a408cf28be9d0e180669b9e1eada8
Instruction ID: 4686360d497779b56dae666f839a7f7091b82c6d775396108aa2405042012be5
Opcode Fuzzy Hash: e9f64c38940fd1ceab8c969f2067c973b10a408cf28be9d0e180669b9e1eada8
Instruction Fuzzy Hash: 4B219330A0A69E8FDB59DF6484662BD3BA0FF59301F0505BFD41DC71A2DA346540CB81

Function 00007FFD9B8B26C1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5489ce7842aed8eff0454e447cd6d5b822bf69568961b48ef37e53e73aaf70fd
Instruction ID: 15578e2573dea49063b7476ddaffa70ffbf4acdde403be39210f7550be053814
Opcode Fuzzy Hash: 5489ce7842aed8eff0454e447cd6d5b822bf69568961b48ef37e53e73aaf70fd
Instruction Fuzzy Hash: A511AC30A0964E8FDB58DF68D8A55E93BE0FF5D314F02026EE80AC32A1CA34A544CB85

Function 00007FFD9B8B7571 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941556ed4b27184a1d570c90894fbcb9731b13534c4f5c3b8352981ba66f85d6
Instruction ID: 176d75aeca5470010ee9aeca17b8afd957bc8d35141810e35339c8474c5017d8
Opcode Fuzzy Hash: 941556ed4b27184a1d570c90894fbcb9731b13534c4f5c3b8352981ba66f85d6
Instruction Fuzzy Hash: B711A334A0D65E8FEB61EBB8C854AFD37E1FF5D300F010572D018D71A2DA28E2108B90

Function 00007FFD9B8B4DA9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976fb8583917844ac1c3863734853c1eac15e3f594d9fc9b8695d8f4318089d3
Instruction ID: f38fcac70d15a3b1ec54d21f19224c61a0068b6b43ced88bcb7ceadb5789ef51
Opcode Fuzzy Hash: 976fb8583917844ac1c3863734853c1eac15e3f594d9fc9b8695d8f4318089d3
Instruction Fuzzy Hash: CA11E931A0EA8D4FEB69DB7488762B93BE0FF19304F0901FED01DC65E2DA256555CB41

Function 00007FFD9B8B2AB1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6364d5dd74ceceae7b582ed7cb6bc2ac6473500950e5334b4b847310ea795ab
Instruction ID: 1e192382c1b7a9ded2d8d666020011e18e6adb723b800d521c4b23caedfbe804
Opcode Fuzzy Hash: f6364d5dd74ceceae7b582ed7cb6bc2ac6473500950e5334b4b847310ea795ab
Instruction Fuzzy Hash: 5E116530A1A56E8FEB61EFB498985F97FF0FF19300F0545B6D418C70A5DA3492458B81

Function 00007FFD9B8ACB20 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9dc481df12e18d6c5eaa1107f5e800eb10d5098ca3ccf1ea321a34cf27a1ad
Instruction ID: 86d43ea58b1976eeb57c1eaac1ec564cd46f50680dc7d735cce46535d9db27c8
Opcode Fuzzy Hash: fa9dc481df12e18d6c5eaa1107f5e800eb10d5098ca3ccf1ea321a34cf27a1ad
Instruction Fuzzy Hash: F9116D30A0A65E8FEB56AFA4C8685B97BB0FF09304F0104BBD419C61E2DE356685CB51

Function 00007FFD9B8B5199 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4c0da17409e2d118c60b52f8eb785d874c85b5d5bd3fd0971918b1d9ee4dee
Instruction ID: ac52a4898550fa1e5a501ad63db582804447d2de81d93df09d05c905f665041c
Opcode Fuzzy Hash: db4c0da17409e2d118c60b52f8eb785d874c85b5d5bd3fd0971918b1d9ee4dee
Instruction Fuzzy Hash: 44119030A0A68E8FEB59EB6488792F97BE0FF19300F0504BFD42DC65A2DA3466408B41

Function 00007FFD9B8ABE15 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439bbc1d3a2ed1cc60b3f1bcbb1fa2d87717ff7df6244b95a0c6c25aa36cd7bd
Instruction ID: dee7a5241a616afc25352041d236750a1abacbe340430559f863b5abf17ffef5
Opcode Fuzzy Hash: 439bbc1d3a2ed1cc60b3f1bcbb1fa2d87717ff7df6244b95a0c6c25aa36cd7bd
Instruction Fuzzy Hash: B2118E30A0A64E8FEB55EF68C8682BD7BE0FF18300F0105BED419C61A2DB35A650C710

Function 00007FFD9B8B510D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c58799e7c818ecbaa4b3826e6bb8d5c277f898dacd616477971c9125ca8d22
Instruction ID: be1c08faeb971bb7beb97bfe009605cfe2896731cbfd6e3ade2f8758841872da
Opcode Fuzzy Hash: a7c58799e7c818ecbaa4b3826e6bb8d5c277f898dacd616477971c9125ca8d22
Instruction Fuzzy Hash: A9118270A0965E8FEB59DB7488796F97BA0FF18304F0105BED419C61A2DA35A640CB81

Function 00007FFD9B8A11AD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2858d3ae3cb1f2a5719ed9d63389f1f6d0f328445569ebc833ba0703dab93c
Instruction ID: 4b327fdfc00f1b72c778f5b161271d5acd0c96503d2e049121b28747a6bafa3f
Opcode Fuzzy Hash: 4a2858d3ae3cb1f2a5719ed9d63389f1f6d0f328445569ebc833ba0703dab93c
Instruction Fuzzy Hash: 8111B230E0E64E4FEB69EBA4C4796B97BE0EF5A304F0104BED01AC60E1EE295640C710

Function 00007FFD9B8B6457 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90eb71e48de1b971cbfcdc015720a14bca4cefb9370df759b1aac18561f76b8f
Instruction ID: beeab372829a97951c26f7f13324d78232407cb6c11d2c64b61159a332c4e658
Opcode Fuzzy Hash: 90eb71e48de1b971cbfcdc015720a14bca4cefb9370df759b1aac18561f76b8f
Instruction Fuzzy Hash: F121C5B4E0962D8FEB68DF94C8647EDB6B1FB58301F1141BED009A72A1CB785A94CF40

Function 00007FFD9B8B4F49 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e49805397f9c6424ff1e294c2ec25e792b095ad45d713d76a682da25310f1c
Instruction ID: a39c66be5724568352a96a1e209fc399e68ad3f9e45893ff81414d25c2657367
Opcode Fuzzy Hash: 27e49805397f9c6424ff1e294c2ec25e792b095ad45d713d76a682da25310f1c
Instruction Fuzzy Hash: 6D119330A0D68E4FEB59DB74886A5B97BF0FF19304F0505BED419C72A6DA34A544CB41

Function 00007FFD9B8B70AD Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50aed92205043ce8fe088d13b625ff9bce45a3497a4af35752470ab0f7ec1a66
Instruction ID: 0edf8b3dfdbb2a93a4719fd4c36c0328f70f8a3cd8cdadd08b3cf27578835b90
Opcode Fuzzy Hash: 50aed92205043ce8fe088d13b625ff9bce45a3497a4af35752470ab0f7ec1a66
Instruction Fuzzy Hash: 8711C434A0A64E4FEB68DF64C4696B97BE0FF19310F0101BFD41DC61E2DA3465418B81

Function 00007FFD9B8A2DF1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f93ac60924c0f8611ae7dcc8db90046f60bdc81846f9f00bbfd8a543ba82c89f
Instruction ID: 6bfcdea3fa00117ced6452aa1705c930707a9989123874dbc62c613eaf3faf29
Opcode Fuzzy Hash: f93ac60924c0f8611ae7dcc8db90046f60bdc81846f9f00bbfd8a543ba82c89f
Instruction Fuzzy Hash: 1301A230A5A20E4FE761EFA4C5595A97BE1EF19300F0645B6C40CC71B7EF38E5918710

Function 00007FFD9B8A05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7668ae8af7dd368b03e88b72f78b19dae9056544d243f1d01b4fa218dbe478
Instruction ID: 6243a5088431f0d9c220811987aef98062155312fee3f901e0e5054dac3d82d1
Opcode Fuzzy Hash: ba7668ae8af7dd368b03e88b72f78b19dae9056544d243f1d01b4fa218dbe478
Instruction Fuzzy Hash: B5019E30A4A50E8FEB58EF64C0656BA77A1FF5E304F11047ED41EC21A5CA36A650CB50

Function 00007FFD9B8AD80D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00bfb235c6b2f81aba4ebf2faeaab212340e55939ea5c6fa95ea57377fd433b
Instruction ID: 286125223bb8c88ceb6c2215e3c5b4e43d0e35d85e2dc6575145dee1058ef675
Opcode Fuzzy Hash: d00bfb235c6b2f81aba4ebf2faeaab212340e55939ea5c6fa95ea57377fd433b
Instruction Fuzzy Hash: F3115E30A0964D8FDB65EF68C4696F97BB0FF18314F4108BED41DC61A6DB759650C710

Function 00007FFD9B8B2555 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce38fafda8c4b59ee10e57d8974ca4d78958438b8cc45fd61a36506e87d732ff
Instruction ID: 52ce50a629bbd5bd018572986b1b7e86e0208d1e61c4856542995f911706e616
Opcode Fuzzy Hash: ce38fafda8c4b59ee10e57d8974ca4d78958438b8cc45fd61a36506e87d732ff
Instruction Fuzzy Hash: 5B019230A4A65D4FDB99DFB4C4759B93BA0FF19300F1105BED41AC61E6DA35E640CB81

Function 00007FFD9B8ABFC7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64acfe760a73a5e92cc75596b96a656b401eaf666448c7c40c184b64625c9a71
Instruction ID: c5291e58266627e8581c28aedbef3e50b24d68c1f449e0285022d491db75d341
Opcode Fuzzy Hash: 64acfe760a73a5e92cc75596b96a656b401eaf666448c7c40c184b64625c9a71
Instruction Fuzzy Hash: 8711C070E0910EDFDB68DFD4D4A06FDB7B5FF58305F15402AE409A22A1DA786A40CF60

Function 00007FFD9B8A2E69 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83628615dc1b439411be5c75bdbc6bfaffb9684f69e76da20faf77430e5cc33
Instruction ID: 1dd5f15caf5bde153a4ee8ca717972f6cde812e0d79921e0b0a7088dbd4494fb
Opcode Fuzzy Hash: c83628615dc1b439411be5c75bdbc6bfaffb9684f69e76da20faf77430e5cc33
Instruction Fuzzy Hash: 3F01D830A0E64D4FD771AFB489585A93BE0EF5A300F0605B3D408C60B7DA28A5948310

Function 00007FFD9B8AABB9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87fec10e9f1967bfc90dad3cb69b0edae490cb872722c75b69944f1ffa9be9a5
Instruction ID: 3e7bc51580f8498fdf007eee5f7a2ad6d1a19ed3e8894bd49abe7557a90f445a
Opcode Fuzzy Hash: 87fec10e9f1967bfc90dad3cb69b0edae490cb872722c75b69944f1ffa9be9a5
Instruction Fuzzy Hash: 20017530A4E64D5FE762EB7888695A97BE1EF09300F0649F6D008C74F6DA38A5448711

Function 00007FFD9B8B7D99 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0625ec8b9de6175d8213820a5b466766fa05f6118070268eeec34c8e1bf64a3e
Instruction ID: 0204c4c51acdafab8b8f86e4258de8be1b95d86f82089e44872503a697e53a90
Opcode Fuzzy Hash: 0625ec8b9de6175d8213820a5b466766fa05f6118070268eeec34c8e1bf64a3e
Instruction Fuzzy Hash: 68018030A0B78E4FDB5AAB74C8655B93BA0FF1A304F0604FAD419C70E6DA25A654CB41

Function 00007FFD9B8A27CD Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9f42fee926d9425026f87f81225922616326f54bb98ff30bddb281b9694b82
Instruction ID: a2d60a12324aa5015ca09da835c86989cc87d9c0a0ac0c7825f5f30841268a08
Opcode Fuzzy Hash: ec9f42fee926d9425026f87f81225922616326f54bb98ff30bddb281b9694b82
Instruction Fuzzy Hash: 0F018430A1E54E8FE761EFA489595B9BBE0FF19310F0645B6D40CC60A6DE38E6448751

Function 00007FFD9B8B7E0D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc2287c4e0888b8540dc00e5b23d4d3464997fd2b51427027edda7a34a1f886
Instruction ID: 7ef8328179d3b1f4db675ad3a30ebec71526adbffb1b0acb25c38c7866a93a62
Opcode Fuzzy Hash: fdc2287c4e0888b8540dc00e5b23d4d3464997fd2b51427027edda7a34a1f886
Instruction Fuzzy Hash: 6201B134A0A28E4FDB59DB74C4695BE3BA0EF09304F0204BED01EC61E2DB35AA50CB81

Function 00007FFD9B8B7789 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a390dba3490a9454e78b0e09a3848a148bb02316cc8784bd0717225b513d929
Instruction ID: 0b6bc7cd99a2e80eeb980a0a2c1d295889f6061822b12ccc27f79e6d14706292
Opcode Fuzzy Hash: 0a390dba3490a9454e78b0e09a3848a148bb02316cc8784bd0717225b513d929
Instruction Fuzzy Hash: EC018470A0E64A8FD752E77488695A93BE1EF0A310F0645F6C418C71B7DE28A544C751

Function 00007FFD9B8A1BFD Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e679a831f74409bd77248680b03ec0ca9d80eddd8d671e5311cabe8706d6f86b
Instruction ID: 3c1f7f856b5ca7b0088be25c1a954f78b7568e87106cc17871e20504aec538fe
Opcode Fuzzy Hash: e679a831f74409bd77248680b03ec0ca9d80eddd8d671e5311cabe8706d6f86b
Instruction Fuzzy Hash: 0301D630A0A68E8FDB65EF64C8655B97BA1FF1A300F45117ED40CC61A2DB39D650C740

Function 00007FFD9B8A0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77795b7571c470f2c2ae8529a4437c41fb72e31ce837f3d134519b1fbc54d801
Instruction ID: fbe0316b3e76c10188313fd22bb4bf429161e91a99c7e5a66029d70d98fd5c9d
Opcode Fuzzy Hash: 77795b7571c470f2c2ae8529a4437c41fb72e31ce837f3d134519b1fbc54d801
Instruction Fuzzy Hash: B7018130A19A0ECAEB69EFA4C4686B977E0FF1D305F5108BED41EC61E5DE35B650CA10

Function 00007FFD9B8A0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b93d5c7a3d01fb124950408826ee10b27d2b93b5adf95130178f55c72920bb
Instruction ID: 1e3602a4f2499e542797834e49ed311614ad02b78114bdb99ceb25e8f97840d8
Opcode Fuzzy Hash: 67b93d5c7a3d01fb124950408826ee10b27d2b93b5adf95130178f55c72920bb
Instruction Fuzzy Hash: F7016D30A1950E8AEB69EFA4C4686BA72E0FF18304F11087EE41EC21E5DE35B650CA10

Function 00007FFD9B8ABFA7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b524f80e5a71c13e0f77736984af139dc74ba68729183e0aec478c465080ce3
Instruction ID: ff5b79f2e4522be08b05821ffcbebe73ca1366a532c7c784e884a416640f41cb
Opcode Fuzzy Hash: 2b524f80e5a71c13e0f77736984af139dc74ba68729183e0aec478c465080ce3
Instruction Fuzzy Hash: FD11D0B0E0520EDFEB68DFD4D4A06EDB7B1FF58315F15402AE415A22A1DB786A44CF60

Function 00007FFD9B8A05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8ef6a9dd11c5dbcdd9957cceb07c068f986a78f019d3ead84f474a32251381
Instruction ID: 5b2faabf8e020f73ec785366ea71733b368c5042655ea349384787ef60b91dac
Opcode Fuzzy Hash: ca8ef6a9dd11c5dbcdd9957cceb07c068f986a78f019d3ead84f474a32251381
Instruction Fuzzy Hash: C7F0C230A0A65E8FEB68EF6494656FA77A0EF1A308F01047AE80DC20A1DA35A660C750

Function 00007FFD9B8A11C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8794a52b91a255d163e2bd8e10fd9918986ed6664f9bf65c925e71dfbcc52d3
Instruction ID: 8b3030f9907788146cace5ad983291175dc7f27073347e8a94f4ea5efd001ef1
Opcode Fuzzy Hash: e8794a52b91a255d163e2bd8e10fd9918986ed6664f9bf65c925e71dfbcc52d3
Instruction Fuzzy Hash: F7F0C830E1A55F4AFBA4EBE498392F977E4FF5A304F00147AD41DC20E1EF285654C650

Function 00007FFD9B8A275D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171f7d0c39a0a6b3c552c89bdbf35a6db001fbd59353c1d20e99202290655407
Instruction ID: 613ae377e73cd8bb4aa64cda2046d88d0630fa792c27c6edda36b2604853c5fe
Opcode Fuzzy Hash: 171f7d0c39a0a6b3c552c89bdbf35a6db001fbd59353c1d20e99202290655407
Instruction Fuzzy Hash: 2DF09630A0E78ECFDB799FA889651B93BA0FF09200F4145BED419C51E6DB38A654CB11

Function 00007FFD9B8A26E9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc0bef01c15cdc41416f5bdfcd301cd5aa159c67a53d570743e2518ba10f833
Instruction ID: 6b365c62ce8095193d3f3387cbc7bf138228eb77f742539fa644b219a7c94465
Opcode Fuzzy Hash: ecc0bef01c15cdc41416f5bdfcd301cd5aa159c67a53d570743e2518ba10f833
Instruction Fuzzy Hash: 26F0623090E78D8FDB6A9FA488391A93BA0FF1A304F4604BAD409C61E2DA28A654C711

Function 00007FFD9B8AB9DF Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a22e383cfe778468a19f89e3c2e41d1a8dd65c02493855710ce9ceb6e26d07
Instruction ID: 88da657c0761be9aa54a2a5faa97fa9fc429aeb37f24d92a68968842615cd795
Opcode Fuzzy Hash: 32a22e383cfe778468a19f89e3c2e41d1a8dd65c02493855710ce9ceb6e26d07
Instruction Fuzzy Hash: E5F01D70E1991E8EEBA4EB588894BA9B3B1EF58300F1582E6840DE2155DD34AEC58B50

Function 00007FFD9B8B2C05 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af0bc8bb90c51e997c91ef35237fb6b7c3528e748052d98364edbc9441d031e
Instruction ID: 3ebe6d552788025e6f93cfdc43276c1ad4cbf94a0d40ab48d6df45832b1ba929
Opcode Fuzzy Hash: 6af0bc8bb90c51e997c91ef35237fb6b7c3528e748052d98364edbc9441d031e
Instruction Fuzzy Hash: 7CF0D430E4951D8FDB69EF90C8656EC77E1FB58300F1145BAC409E22A2DE786F908F90

Function 00007FFD9B8A16B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a1a5cca1e6e06b9dbeb7d39b273728c7f151a8c036831ce9938b39de7d2662
Instruction ID: 6e2e35be49913c4e84c149b58e7bbd1bd7b411ce16cb45634c4ca0908c3cf9bc
Opcode Fuzzy Hash: b2a1a5cca1e6e06b9dbeb7d39b273728c7f151a8c036831ce9938b39de7d2662
Instruction Fuzzy Hash: 7EE0E520F0A44A4AEB747359849557461D15F4A314FBA8675F01DC61F1EB2CDE81C311

Function 00007FFD9B8A23E0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16cf6610798a117e6533c541fea822eb56f6ad88096d0422d44dcffccbb6937c
Instruction ID: 5c5da4174699649d15086bc7106d3403bee07242903cfc067727e661be1ed611
Opcode Fuzzy Hash: 16cf6610798a117e6533c541fea822eb56f6ad88096d0422d44dcffccbb6937c
Instruction Fuzzy Hash: 40F01530A1A51ECBEB20EB84CD54BE9B3A0FB55701F0042A9C04AD32A1DF786A84CF50

Function 00007FFD9B8A0F9A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7cbc33a1ccf5fa90f99f70e8f91d1f05ebd8f74042249a4f642e5f481047bd
Instruction ID: 683e7e599d5ca9c6c1af6b47bd6c9f2e788c773247c2c44f0a06065481c17f01
Opcode Fuzzy Hash: ca7cbc33a1ccf5fa90f99f70e8f91d1f05ebd8f74042249a4f642e5f481047bd
Instruction Fuzzy Hash: 13E0EC30E1940D8AE768EB58DC64BADAAB1FF48304F5101B5D00DA3196DE3469818F90

Function 00007FFD9B8B559B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718c8f8ba5787c569d58de92062c5928293dc55eee2df40d185695e7d0b84989
Instruction ID: 4a5683ea8cdd142cef999c48459e27514111d69e5fa667efd89a3db430f8c875
Opcode Fuzzy Hash: 718c8f8ba5787c569d58de92062c5928293dc55eee2df40d185695e7d0b84989
Instruction Fuzzy Hash: 18D0C971E5AE199FEBA0DF6884DE79CB7F1FF59301B41412AE44893191DF2054019B40

Function 00007FFD9B8AFD1D Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1837338422.00007FFD9B8AF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8af000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbc1bb34ee1f11ce49f214e11302a9be94af02eb6df9e3c27e1e64a0480cf5b
Instruction ID: f69b59e37332b10044547aa25c10d0a6283bd5d8eed39880939b1a0546f4598f
Opcode Fuzzy Hash: 7fbc1bb34ee1f11ce49f214e11302a9be94af02eb6df9e3c27e1e64a0480cf5b
Instruction Fuzzy Hash: 91D09270909B2D8FEBA6DF18C8A47AC76B5AF1C700F5040E9A00DE22A0CF342BC09F54

Analysis Process: UQXKdqQetSFpkBwLVgNixbuHXutP.exePID: 7756, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8B10AD Relevance: 10.3, Strings: 8, Instructions: 260COMMON

Download Yara Rule

Strings

), xrefs: 00007FFD9B8B1C46
+, xrefs: 00007FFD9B8B13B1
", xrefs: 00007FFD9B8B1226
/, xrefs: 00007FFD9B8B14B1
,, xrefs: 00007FFD9B8B1C72
., xrefs: 00007FFD9B8B18D4
{, xrefs: 00007FFD9B8B1843
[, xrefs: 00007FFD9B8B11C7

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID: "$)$+$,$.$/$[${
API String ID: 0-3487457677
Opcode ID: e534d1699be512b0c24fd9c7873b940bce73e12e55e497c805e368b68f5d07d1
Instruction ID: 37cee5a7f0484416b710f70e0875d5e9a4e390282c5c32482299fd7b25e4745a
Opcode Fuzzy Hash: e534d1699be512b0c24fd9c7873b940bce73e12e55e497c805e368b68f5d07d1
Instruction Fuzzy Hash: C1C1B570E1963DCEEB68DFA4D8647EDB6B2BF08300F1145A9D04DAB291CB785A84CF50

Function 00007FFD9B8A35EA Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde571019e724909daed6912bdf4537377fdb533fa8364d5ce33bd160398f3dd
Instruction ID: 784aabd22e9fe7d4ba6d41369dc240eadc0591bf68a9f0a9b6c77043b75b2932
Opcode Fuzzy Hash: cde571019e724909daed6912bdf4537377fdb533fa8364d5ce33bd160398f3dd
Instruction Fuzzy Hash: C2519862B5894D8FE758DBACD8257AC7BE1EF9A354F9001BAD00DD33DADBB414028742

Function 00007FFD9B8AC93D Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

{{L, xrefs: 00007FFD9B8AC93F

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID: {{L
API String ID: 0-3227134785
Opcode ID: fb8d20dc986e26a0bd6c4b2a47565c20710c38fa375733dd03e762c92085503b
Instruction ID: 62218c2a1bc052fae4a3113bec0ee650c904fe759fa8fb9bb5a3390d1648027b
Opcode Fuzzy Hash: fb8d20dc986e26a0bd6c4b2a47565c20710c38fa375733dd03e762c92085503b
Instruction Fuzzy Hash: CB811663B0C12A8AE31ABBACBC294FC7754EF85339B054177D1498A0D3ED69348686E4

Function 00007FFD9B8AFDF3 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

}, xrefs: 00007FFD9B8AFE2A

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8AF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8af000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-4239843852
Opcode ID: 134af21aa725722f4fb08a0131a8f6944e5ec19ba2c48cc0a4535325b98b07b6
Instruction ID: fa323f78f91c121b42d7e33a79b4da9ad4b2fccca213867cbd18ba8bcdc82804
Opcode Fuzzy Hash: 134af21aa725722f4fb08a0131a8f6944e5ec19ba2c48cc0a4535325b98b07b6
Instruction Fuzzy Hash: B711F370E0962D8FEBA4DF55C8A0BF9B6B1AB18301F1040EA904DA22A0CB346EC0CF51

Function 00007FFD9B8B3468 Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90176bd4557041c86840afd5cea5485c7e487c0905715ce93cd2e0e43cd1fecf
Instruction ID: 674020a6ebb6cdd904e9a44968b993eff6f789eaa8abc7179610b715f65eb58b
Opcode Fuzzy Hash: 90176bd4557041c86840afd5cea5485c7e487c0905715ce93cd2e0e43cd1fecf
Instruction Fuzzy Hash: 0421A760A0E7DA8FE7529BB488695A97FB0FF16304B0505F7D058CB0E7EA24A544C752

Function 00007FFD9B8ADB29 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda38512692cb66aeb9146a5bae8db4b95ce0deb1406fc90b8fb4f6ef79aaeea
Instruction ID: 9d87cb43e5126a24bacbd25bdde841b4d92c23ce879f83dcb898c9864e59e4b4
Opcode Fuzzy Hash: cda38512692cb66aeb9146a5bae8db4b95ce0deb1406fc90b8fb4f6ef79aaeea
Instruction Fuzzy Hash: 85E16B71E19A5D8FEBA8DB98D8647B8B7B1FF58300F4041BAD01DD32E6DA386941CB50

Function 00007FFD9B8B3A2F Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999ceef4307a2cf08f1504b3afad2a8887122e4396506ab6fe6c6538cad252e7
Instruction ID: 53ec5ac44ed8a88045123b3e940b1205076a6d3573cce166bb74625e575e34c6
Opcode Fuzzy Hash: 999ceef4307a2cf08f1504b3afad2a8887122e4396506ab6fe6c6538cad252e7
Instruction Fuzzy Hash: 5F917E237085768AD31ABBBCFC6A4F93B50EF4637570445BBC189CA0B7D925608ACBD1

Function 00007FFD9B8A1648 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97bb1750ac9da4fcc3696ecbfcb01cd839c18e9ec247864f3e5e976ae08ddc48
Instruction ID: a301a78a167f1214589a6816540aa8cebf094e6e75374c0ce6e78b802c62d475
Opcode Fuzzy Hash: 97bb1750ac9da4fcc3696ecbfcb01cd839c18e9ec247864f3e5e976ae08ddc48
Instruction Fuzzy Hash: 1781C131B0DA494FDB58EF5C88615A977E2FFD9300B15067AE49EC32A2DE34AD02C781

Function 00007FFD9B8A1C7D Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf29a4e81efb791224ba3c9ddcddb3574846619b29ab11c1d6af83248d928e3f
Instruction ID: db63c71d391848507bcf11cf47321d84bb690317a5562619ef56cafa3bc82b6b
Opcode Fuzzy Hash: bf29a4e81efb791224ba3c9ddcddb3574846619b29ab11c1d6af83248d928e3f
Instruction Fuzzy Hash: BA51D031B08B894FDB58DF5888A15BA77E2FFD9300B15467ED45AC7292DE34E802C781

Function 00007FFD9B8AAF70 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3680fae94e95f92a67388a4aef6b446b743b39994f809382cb45777efde36b0
Instruction ID: a59e35c97cf526028bcd2962c3945880be37ca22342f455205af9304d618e524
Opcode Fuzzy Hash: c3680fae94e95f92a67388a4aef6b446b743b39994f809382cb45777efde36b0
Instruction Fuzzy Hash: D2513861B0E54E5FE712EBBCC8A95E93BE0FF5A314F0541B6C028C70A7EE28A545C391

Function 00007FFD9B8B7139 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6252300d4fa951839e16811a1377470bb3d4f72ce1417294f87e3ed593ded18a
Instruction ID: 3a7f8576105bc583c2884af048bedf544bcff225bd7504051d521a3c63eaf6f5
Opcode Fuzzy Hash: 6252300d4fa951839e16811a1377470bb3d4f72ce1417294f87e3ed593ded18a
Instruction Fuzzy Hash: 2F61A334E0A62E8FEB64DFA4D8656FDB7B1FF59300F01413AD009D72A6DA3866448F91

Function 00007FFD9B8B62C5 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e214a2454626b5ab6314e4777bd7206137b950e99d427b9ad6dd74372b4dcb8
Instruction ID: 007652dd1a85689f52ec6c7314deb73d8613f935b5da0d58a92aabbad16661dd
Opcode Fuzzy Hash: 8e214a2454626b5ab6314e4777bd7206137b950e99d427b9ad6dd74372b4dcb8
Instruction Fuzzy Hash: 585108B0E0962D8EEB68DBA4C8657ADB6B1FF59301F51017ED00D972A2CF386A44CF41

Function 00007FFD9B8A3175 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb44e3bcbb92cbbb6f7f1fab079e467e2b06ff60013d7b708557e6f212b600cc
Instruction ID: a8e4ac204717274a81239c2d9c7339d841f8281759a2b26f987c54e11374abe6
Opcode Fuzzy Hash: eb44e3bcbb92cbbb6f7f1fab079e467e2b06ff60013d7b708557e6f212b600cc
Instruction Fuzzy Hash: C2511870E0961E8FEB64EB98D4646EDB7F1FF48301F51017AD009E72A5DB38AA458B60

Function 00007FFD9B8A2095 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2f1e214f5dae60fb3b5742500b981e069638f6bc1ce9ab12046b6111f5c849
Instruction ID: d3d2115ffe2cb558a5445311b49814c3bff156b13942d7af322fa88fe5adee82
Opcode Fuzzy Hash: cd2f1e214f5dae60fb3b5742500b981e069638f6bc1ce9ab12046b6111f5c849
Instruction Fuzzy Hash: B7415B31B0E64A0FE765DFB888655B87BE0EF4A300B4645FBD04CC71A7DE28B9428351

Function 00007FFD9B8AAF88 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09fbfa269d9df00acacc9d4da0efd41ab443796d49ef2316f5bc017dae06cf0d
Instruction ID: 86ccd6b02de596ea674063b94b083ec0b71b91f2c564e8f216935eb32f524243
Opcode Fuzzy Hash: 09fbfa269d9df00acacc9d4da0efd41ab443796d49ef2316f5bc017dae06cf0d
Instruction Fuzzy Hash: 59415F62B0E59B6FE3169BBC98751E97FA0FF55244F0541B7C078C70D3ED28550A8392

Function 00007FFD9B8ABE99 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5c4b2d221e5049cecaf36712f2d54d7ab533eaedffa240f7b0f4e64ee247ef
Instruction ID: 3ff854e0b44d31c2efce63b5357bc49d6219f7dc1256e243ac2fb747e51272a5
Opcode Fuzzy Hash: 8b5c4b2d221e5049cecaf36712f2d54d7ab533eaedffa240f7b0f4e64ee247ef
Instruction Fuzzy Hash: 05410670E0A64D8FEB64DFA4C8646ED77F1BF08304F05413AE009E72A1DB78AA448B60

Function 00007FFD9B8B2D6C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356c1f103a31d396e306e212fd95d6577d377175ed9bd4e9a06dd59262f20e27
Instruction ID: 83abe781a8d8e66970530daa25ff6d521ca3d58771fb26b1004f8c188486bd7e
Opcode Fuzzy Hash: 356c1f103a31d396e306e212fd95d6577d377175ed9bd4e9a06dd59262f20e27
Instruction Fuzzy Hash: 5841B370E1461D8FDB54EFA8D8A5AEDBBB1FF18300F10416AD418A72A2DA346981CF40

Function 00007FFD9B8AC3AC Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7399659724d9397069551112d74283e59fcb5d3525305837241f4f1c1c232079
Instruction ID: 36a5e50b4ecfef3ffb2c0cd90c623df0ab17bee30bf5dc443b5871f3e7f079a9
Opcode Fuzzy Hash: 7399659724d9397069551112d74283e59fcb5d3525305837241f4f1c1c232079
Instruction Fuzzy Hash: E531E570E1E91D8FEBA8EB98C8A5ABCB7B5FF58300F515039D00DE3292DE3469418B50

Function 00007FFD9B8B3BD3 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1cf74d6fd28668b4acb8fd5ae8e52d7d27cfd2c12229405fc15a8eb78f3d576
Instruction ID: 67376a0371fbbd6aacafb6a4e581a48ba9dab7ad4d05d370a32c27e569f667d7
Opcode Fuzzy Hash: c1cf74d6fd28668b4acb8fd5ae8e52d7d27cfd2c12229405fc15a8eb78f3d576
Instruction Fuzzy Hash: 85213F22B0E6AA4FE721ABFCAC751F93B90EF46261F0504B7C148CB0A3D9255205C791

Function 00007FFD9B8AC420 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d553fa6c8a659ee2cba02fbca26be7872d5308bc7b37c02762522afd9ddacf
Instruction ID: 9a31f0843136c568ffc4020befa09d36f70d71911cade6ecac5493db6bb40b5c
Opcode Fuzzy Hash: 68d553fa6c8a659ee2cba02fbca26be7872d5308bc7b37c02762522afd9ddacf
Instruction Fuzzy Hash: 88212D70E1D91D8FEBA4EB9888A56BCBBB5FF5D300F511129D00DE3292CE3468418B50

Function 00007FFD9B8B6E51 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a9d830dea9b312a3df7bfd88e7d0142cb846173a2082db16338cb8972178d0
Instruction ID: 25269eb0af75f121c8c0b46eb94cfc05b7b7aff8f5f036f4fb54c8b41c1fe852
Opcode Fuzzy Hash: 45a9d830dea9b312a3df7bfd88e7d0142cb846173a2082db16338cb8972178d0
Instruction Fuzzy Hash: 3C21B170A0A65E8FEB64DFA4C4655BD7BA0FF18300F10057AD41DC61A5DE34A5508B80

Function 00007FFD9B8B2C42 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f95880e9d8ff0332aa6c6bf7c62ded63f8a6b5d807b2dda0f0868ef7547fb8
Instruction ID: 23ef39804bec674a24ba9606fc015529231265ecbe7b3390b41f8b005af4b7ff
Opcode Fuzzy Hash: f7f95880e9d8ff0332aa6c6bf7c62ded63f8a6b5d807b2dda0f0868ef7547fb8
Instruction Fuzzy Hash: 7731BB70E0995D8EDBA4EF98C899BACBBB5FB58301F1141AA800DE3265DE345A948F40

Function 00007FFD9B8B7015 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7aee2f10743b23fb01fc05e8b26a767dc8172fd27272ab5ed67a95c4b366301
Instruction ID: 93f59aee810b61faaca44357fdf305e8b7addf15f7d70f5dff972b21828ebfce
Opcode Fuzzy Hash: b7aee2f10743b23fb01fc05e8b26a767dc8172fd27272ab5ed67a95c4b366301
Instruction Fuzzy Hash: 3521F771E0E64E8AFB659BB488756B976E0FF19310F0504BED41DC21E3DD28A545CA81

Function 00007FFD9B8B7601 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5dbc2596ecd09e03bc61c5c2b1b604ba282d53ab54cebbbc6dfaeb7e7914516
Instruction ID: cdbb82b4b4f5263cf994faa763645eebe3fe598f6f4811aedaabc8ddaa41f1e7
Opcode Fuzzy Hash: a5dbc2596ecd09e03bc61c5c2b1b604ba282d53ab54cebbbc6dfaeb7e7914516
Instruction Fuzzy Hash: 9C213035A0A65E8EEB61EBB8C8585FD77E4FF19301F010576D419D2165DA38A2409B90

Function 00007FFD9B8B6239 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113970e9bb1da016d3ec929c957b1b2b74c08ae61797be7e8abdff24b73c4086
Instruction ID: 7b3eb44e930b9002f07c198fdd8010299a745610b72745ddcd12e612799e7b3f
Opcode Fuzzy Hash: 113970e9bb1da016d3ec929c957b1b2b74c08ae61797be7e8abdff24b73c4086
Instruction Fuzzy Hash: D7218370E0E65F4FFB65ABB488696B9B7E0FF19300F0505B6D41CC30A6DE38A6508B41

Function 00007FFD9B8A3401 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec18aa5f6afda6bf5765971ee3f73752b1cfe9cc30ae12a899eea1ebb3e0b843
Instruction ID: 8fbb4e380d8a7cc93e106eaae28d5008898f8809a3ab87aed4131d8eaaf35202
Opcode Fuzzy Hash: ec18aa5f6afda6bf5765971ee3f73752b1cfe9cc30ae12a899eea1ebb3e0b843
Instruction Fuzzy Hash: FC215E30E0A60E8FEB65EFA4C8292BA77E0FF18305F0109BAD41DC61A5DF39A640C751

Function 00007FFD9B8A335F Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6654cd3a5225e1c59704f4c51f3fc81696c4c3d5ed781b8b0a2746d8e235d689
Instruction ID: 51bcd9f43b484f534117fee13ab635595e79333fe9eb2cde97e508b5952cb7ca
Opcode Fuzzy Hash: 6654cd3a5225e1c59704f4c51f3fc81696c4c3d5ed781b8b0a2746d8e235d689
Instruction Fuzzy Hash: 9821803194E7CA4FD743AB7488685A93FF0EF5B300B0944EBD059CB0A3DA28954AC761

Function 00007FFD9B8B6F95 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d556353f8a43e4fafecadf14293831fd11d6284f14101f5dadae2695ac537356
Instruction ID: 23a6079c47d5f4fad9728319df99daed9ae9efecdf8d33a4f4088fb3e4cac10e
Opcode Fuzzy Hash: d556353f8a43e4fafecadf14293831fd11d6284f14101f5dadae2695ac537356
Instruction Fuzzy Hash: 5221D471E0A55E8FEB65EBB484695FD77E0FF18310F0144BAD41CC21A6EE34E5448B80

Function 00007FFD9B8A3485 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9a120e85aab8eaf0e5bd2f02e22b5ac0f1402d158c201dd243338ecf016bef
Instruction ID: 6dd6aa33338f039f858a8b503edf78fde691dbb4a115a23f30f97b2335a744ae
Opcode Fuzzy Hash: 3a9a120e85aab8eaf0e5bd2f02e22b5ac0f1402d158c201dd243338ecf016bef
Instruction Fuzzy Hash: DA215C30A0B64E8FDBAADFA4C8256BD37A4FF28304F0104BED41DC61A1DB38A640C710

Function 00007FFD9B8B28C3 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b7a639f2b29a39094fca9c1f23bde6a5d69301ffb15d814e579c7a391c8447
Instruction ID: 0f7d0cf6a782e4637116489c247257c8936a59cd0fbdbc4dafe13ede0f1692ed
Opcode Fuzzy Hash: 81b7a639f2b29a39094fca9c1f23bde6a5d69301ffb15d814e579c7a391c8447
Instruction Fuzzy Hash: D011CD3094E39E4FDB579BB098745E97FB0AF0A310F0604EBC45AC60E3DA296945CB92

Function 00007FFD9B8A0A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc488a55e45633019c2584927740b7bab9011bfae5450fedb80450737fb0ae4d
Instruction ID: fedcb0da3004a80ce987591b33262044f5969c15da94573fb7f936514bf9840a
Opcode Fuzzy Hash: bc488a55e45633019c2584927740b7bab9011bfae5450fedb80450737fb0ae4d
Instruction Fuzzy Hash: EB11EF30E2A90E4FEBA0EBA8C8685BD77E0FF18700F4106B6C01CC71A6EE34B6408710

Function 00007FFD9B8B6EF5 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b77010fe0c86f347045f0540582822f598c733170dc685ea00677dac2e64811
Instruction ID: cd8f1baade61581dbd79bd47c5343d7c2aa3dbd9d9eebd486921ce9af39e699b
Opcode Fuzzy Hash: 7b77010fe0c86f347045f0540582822f598c733170dc685ea00677dac2e64811
Instruction Fuzzy Hash: 9311A270A0965E8FEB98EF6884656B97BA0FF58300F0105BED41DC72A6DA34A550CB81

Function 00007FFD9B8B4885 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0883e665c1e53d1854388fc38d9dcfb646dce83f12b6105f9a742356ecb3c11
Instruction ID: 475a6abe0f558cc27268efffd0e758e6dc15894d0917138b5c2769a02879cecf
Opcode Fuzzy Hash: a0883e665c1e53d1854388fc38d9dcfb646dce83f12b6105f9a742356ecb3c11
Instruction Fuzzy Hash: 5411BB30A0965E8FDB59DF78C4665BD7BA1FF58300F05057ED41DC71A6DA356140CB81

Function 00007FFD9B8A1F49 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563bc4a9951a9ab05ddd73b05f222c1a45401e93f72c81038a1e4387cf9a82e0
Instruction ID: ff81397d06d3e1aa73d4cde9edbfe0a71d947865dee96b2c10c60bfa839ad8f0
Opcode Fuzzy Hash: 563bc4a9951a9ab05ddd73b05f222c1a45401e93f72c81038a1e4387cf9a82e0
Instruction Fuzzy Hash: 81117011A4F6C65EEB3367B948744656F945F07224B2E46FFD0D8CF0E3DA08594AC322

Function 00007FFD9B8B47E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f64c38940fd1ceab8c969f2067c973b10a408cf28be9d0e180669b9e1eada8
Instruction ID: 4686360d497779b56dae666f839a7f7091b82c6d775396108aa2405042012be5
Opcode Fuzzy Hash: e9f64c38940fd1ceab8c969f2067c973b10a408cf28be9d0e180669b9e1eada8
Instruction Fuzzy Hash: 4B219330A0A69E8FDB59DF6484662BD3BA0FF59301F0505BFD41DC71A2DA346540CB81

Function 00007FFD9B8B26C1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5489ce7842aed8eff0454e447cd6d5b822bf69568961b48ef37e53e73aaf70fd
Instruction ID: 15578e2573dea49063b7476ddaffa70ffbf4acdde403be39210f7550be053814
Opcode Fuzzy Hash: 5489ce7842aed8eff0454e447cd6d5b822bf69568961b48ef37e53e73aaf70fd
Instruction Fuzzy Hash: A511AC30A0964E8FDB58DF68D8A55E93BE0FF5D314F02026EE80AC32A1CA34A544CB85

Function 00007FFD9B8B7571 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941556ed4b27184a1d570c90894fbcb9731b13534c4f5c3b8352981ba66f85d6
Instruction ID: 176d75aeca5470010ee9aeca17b8afd957bc8d35141810e35339c8474c5017d8
Opcode Fuzzy Hash: 941556ed4b27184a1d570c90894fbcb9731b13534c4f5c3b8352981ba66f85d6
Instruction Fuzzy Hash: B711A334A0D65E8FEB61EBB8C854AFD37E1FF5D300F010572D018D71A2DA28E2108B90

Function 00007FFD9B8B4DA9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976fb8583917844ac1c3863734853c1eac15e3f594d9fc9b8695d8f4318089d3
Instruction ID: f38fcac70d15a3b1ec54d21f19224c61a0068b6b43ced88bcb7ceadb5789ef51
Opcode Fuzzy Hash: 976fb8583917844ac1c3863734853c1eac15e3f594d9fc9b8695d8f4318089d3
Instruction Fuzzy Hash: CA11E931A0EA8D4FEB69DB7488762B93BE0FF19304F0901FED01DC65E2DA256555CB41

Function 00007FFD9B8B2AB1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6364d5dd74ceceae7b582ed7cb6bc2ac6473500950e5334b4b847310ea795ab
Instruction ID: 1e192382c1b7a9ded2d8d666020011e18e6adb723b800d521c4b23caedfbe804
Opcode Fuzzy Hash: f6364d5dd74ceceae7b582ed7cb6bc2ac6473500950e5334b4b847310ea795ab
Instruction Fuzzy Hash: 5E116530A1A56E8FEB61EFB498985F97FF0FF19300F0545B6D418C70A5DA3492458B81

Function 00007FFD9B8ACB20 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9dc481df12e18d6c5eaa1107f5e800eb10d5098ca3ccf1ea321a34cf27a1ad
Instruction ID: 86d43ea58b1976eeb57c1eaac1ec564cd46f50680dc7d735cce46535d9db27c8
Opcode Fuzzy Hash: fa9dc481df12e18d6c5eaa1107f5e800eb10d5098ca3ccf1ea321a34cf27a1ad
Instruction Fuzzy Hash: F9116D30A0A65E8FEB56AFA4C8685B97BB0FF09304F0104BBD419C61E2DE356685CB51

Function 00007FFD9B8B5199 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4c0da17409e2d118c60b52f8eb785d874c85b5d5bd3fd0971918b1d9ee4dee
Instruction ID: ac52a4898550fa1e5a501ad63db582804447d2de81d93df09d05c905f665041c
Opcode Fuzzy Hash: db4c0da17409e2d118c60b52f8eb785d874c85b5d5bd3fd0971918b1d9ee4dee
Instruction Fuzzy Hash: 44119030A0A68E8FEB59EB6488792F97BE0FF19300F0504BFD42DC65A2DA3466408B41

Function 00007FFD9B8B510D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c58799e7c818ecbaa4b3826e6bb8d5c277f898dacd616477971c9125ca8d22
Instruction ID: be1c08faeb971bb7beb97bfe009605cfe2896731cbfd6e3ade2f8758841872da
Opcode Fuzzy Hash: a7c58799e7c818ecbaa4b3826e6bb8d5c277f898dacd616477971c9125ca8d22
Instruction Fuzzy Hash: A9118270A0965E8FEB59DB7488796F97BA0FF18304F0105BED419C61A2DA35A640CB81

Function 00007FFD9B8ABE15 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439bbc1d3a2ed1cc60b3f1bcbb1fa2d87717ff7df6244b95a0c6c25aa36cd7bd
Instruction ID: dee7a5241a616afc25352041d236750a1abacbe340430559f863b5abf17ffef5
Opcode Fuzzy Hash: 439bbc1d3a2ed1cc60b3f1bcbb1fa2d87717ff7df6244b95a0c6c25aa36cd7bd
Instruction Fuzzy Hash: B2118E30A0A64E8FEB55EF68C8682BD7BE0FF18300F0105BED419C61A2DB35A650C710

Function 00007FFD9B8B6457 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90eb71e48de1b971cbfcdc015720a14bca4cefb9370df759b1aac18561f76b8f
Instruction ID: beeab372829a97951c26f7f13324d78232407cb6c11d2c64b61159a332c4e658
Opcode Fuzzy Hash: 90eb71e48de1b971cbfcdc015720a14bca4cefb9370df759b1aac18561f76b8f
Instruction Fuzzy Hash: F121C5B4E0962D8FEB68DF94C8647EDB6B1FB58301F1141BED009A72A1CB785A94CF40

Function 00007FFD9B8B4F49 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e49805397f9c6424ff1e294c2ec25e792b095ad45d713d76a682da25310f1c
Instruction ID: a39c66be5724568352a96a1e209fc399e68ad3f9e45893ff81414d25c2657367
Opcode Fuzzy Hash: 27e49805397f9c6424ff1e294c2ec25e792b095ad45d713d76a682da25310f1c
Instruction Fuzzy Hash: 6D119330A0D68E4FEB59DB74886A5B97BF0FF19304F0505BED419C72A6DA34A544CB41

Function 00007FFD9B8A11AD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2858d3ae3cb1f2a5719ed9d63389f1f6d0f328445569ebc833ba0703dab93c
Instruction ID: 4b327fdfc00f1b72c778f5b161271d5acd0c96503d2e049121b28747a6bafa3f
Opcode Fuzzy Hash: 4a2858d3ae3cb1f2a5719ed9d63389f1f6d0f328445569ebc833ba0703dab93c
Instruction Fuzzy Hash: 8111B230E0E64E4FEB69EBA4C4796B97BE0EF5A304F0104BED01AC60E1EE295640C710

Function 00007FFD9B8B70AD Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50aed92205043ce8fe088d13b625ff9bce45a3497a4af35752470ab0f7ec1a66
Instruction ID: 0edf8b3dfdbb2a93a4719fd4c36c0328f70f8a3cd8cdadd08b3cf27578835b90
Opcode Fuzzy Hash: 50aed92205043ce8fe088d13b625ff9bce45a3497a4af35752470ab0f7ec1a66
Instruction Fuzzy Hash: 8711C434A0A64E4FEB68DF64C4696B97BE0FF19310F0101BFD41DC61E2DA3465418B81

Function 00007FFD9B8B2555 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce38fafda8c4b59ee10e57d8974ca4d78958438b8cc45fd61a36506e87d732ff
Instruction ID: 52ce50a629bbd5bd018572986b1b7e86e0208d1e61c4856542995f911706e616
Opcode Fuzzy Hash: ce38fafda8c4b59ee10e57d8974ca4d78958438b8cc45fd61a36506e87d732ff
Instruction Fuzzy Hash: 5B019230A4A65D4FDB99DFB4C4759B93BA0FF19300F1105BED41AC61E6DA35E640CB81

Function 00007FFD9B8AD80D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00bfb235c6b2f81aba4ebf2faeaab212340e55939ea5c6fa95ea57377fd433b
Instruction ID: 286125223bb8c88ceb6c2215e3c5b4e43d0e35d85e2dc6575145dee1058ef675
Opcode Fuzzy Hash: d00bfb235c6b2f81aba4ebf2faeaab212340e55939ea5c6fa95ea57377fd433b
Instruction Fuzzy Hash: F3115E30A0964D8FDB65EF68C4696F97BB0FF18314F4108BED41DC61A6DB759650C710

Function 00007FFD9B8A2DF1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f93ac60924c0f8611ae7dcc8db90046f60bdc81846f9f00bbfd8a543ba82c89f
Instruction ID: 6bfcdea3fa00117ced6452aa1705c930707a9989123874dbc62c613eaf3faf29
Opcode Fuzzy Hash: f93ac60924c0f8611ae7dcc8db90046f60bdc81846f9f00bbfd8a543ba82c89f
Instruction Fuzzy Hash: 1301A230A5A20E4FE761EFA4C5595A97BE1EF19300F0645B6C40CC71B7EF38E5918710

Function 00007FFD9B8A05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7668ae8af7dd368b03e88b72f78b19dae9056544d243f1d01b4fa218dbe478
Instruction ID: 6243a5088431f0d9c220811987aef98062155312fee3f901e0e5054dac3d82d1
Opcode Fuzzy Hash: ba7668ae8af7dd368b03e88b72f78b19dae9056544d243f1d01b4fa218dbe478
Instruction Fuzzy Hash: B5019E30A4A50E8FEB58EF64C0656BA77A1FF5E304F11047ED41EC21A5CA36A650CB50

Function 00007FFD9B8ABFC7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64acfe760a73a5e92cc75596b96a656b401eaf666448c7c40c184b64625c9a71
Instruction ID: c5291e58266627e8581c28aedbef3e50b24d68c1f449e0285022d491db75d341
Opcode Fuzzy Hash: 64acfe760a73a5e92cc75596b96a656b401eaf666448c7c40c184b64625c9a71
Instruction Fuzzy Hash: 8711C070E0910EDFDB68DFD4D4A06FDB7B5FF58305F15402AE409A22A1DA786A40CF60

Function 00007FFD9B8AABB9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87fec10e9f1967bfc90dad3cb69b0edae490cb872722c75b69944f1ffa9be9a5
Instruction ID: 3e7bc51580f8498fdf007eee5f7a2ad6d1a19ed3e8894bd49abe7557a90f445a
Opcode Fuzzy Hash: 87fec10e9f1967bfc90dad3cb69b0edae490cb872722c75b69944f1ffa9be9a5
Instruction Fuzzy Hash: 20017530A4E64D5FE762EB7888695A97BE1EF09300F0649F6D008C74F6DA38A5448711

Function 00007FFD9B8A2E69 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83628615dc1b439411be5c75bdbc6bfaffb9684f69e76da20faf77430e5cc33
Instruction ID: 1dd5f15caf5bde153a4ee8ca717972f6cde812e0d79921e0b0a7088dbd4494fb
Opcode Fuzzy Hash: c83628615dc1b439411be5c75bdbc6bfaffb9684f69e76da20faf77430e5cc33
Instruction Fuzzy Hash: 3F01D830A0E64D4FD771AFB489585A93BE0EF5A300F0605B3D408C60B7DA28A5948310

Function 00007FFD9B8B7D99 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0625ec8b9de6175d8213820a5b466766fa05f6118070268eeec34c8e1bf64a3e
Instruction ID: 0204c4c51acdafab8b8f86e4258de8be1b95d86f82089e44872503a697e53a90
Opcode Fuzzy Hash: 0625ec8b9de6175d8213820a5b466766fa05f6118070268eeec34c8e1bf64a3e
Instruction Fuzzy Hash: 68018030A0B78E4FDB5AAB74C8655B93BA0FF1A304F0604FAD419C70E6DA25A654CB41

Function 00007FFD9B8A27CD Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9f42fee926d9425026f87f81225922616326f54bb98ff30bddb281b9694b82
Instruction ID: a2d60a12324aa5015ca09da835c86989cc87d9c0a0ac0c7825f5f30841268a08
Opcode Fuzzy Hash: ec9f42fee926d9425026f87f81225922616326f54bb98ff30bddb281b9694b82
Instruction Fuzzy Hash: 0F018430A1E54E8FE761EFA489595B9BBE0FF19310F0645B6D40CC60A6DE38E6448751

Function 00007FFD9B8B7E0D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc2287c4e0888b8540dc00e5b23d4d3464997fd2b51427027edda7a34a1f886
Instruction ID: 7ef8328179d3b1f4db675ad3a30ebec71526adbffb1b0acb25c38c7866a93a62
Opcode Fuzzy Hash: fdc2287c4e0888b8540dc00e5b23d4d3464997fd2b51427027edda7a34a1f886
Instruction Fuzzy Hash: 6201B134A0A28E4FDB59DB74C4695BE3BA0EF09304F0204BED01EC61E2DB35AA50CB81

Function 00007FFD9B8B7789 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a390dba3490a9454e78b0e09a3848a148bb02316cc8784bd0717225b513d929
Instruction ID: 0b6bc7cd99a2e80eeb980a0a2c1d295889f6061822b12ccc27f79e6d14706292
Opcode Fuzzy Hash: 0a390dba3490a9454e78b0e09a3848a148bb02316cc8784bd0717225b513d929
Instruction Fuzzy Hash: EC018470A0E64A8FD752E77488695A93BE1EF0A310F0645F6C418C71B7DE28A544C751

Function 00007FFD9B8ABFA7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b524f80e5a71c13e0f77736984af139dc74ba68729183e0aec478c465080ce3
Instruction ID: ff5b79f2e4522be08b05821ffcbebe73ca1366a532c7c784e884a416640f41cb
Opcode Fuzzy Hash: 2b524f80e5a71c13e0f77736984af139dc74ba68729183e0aec478c465080ce3
Instruction Fuzzy Hash: FD11D0B0E0520EDFEB68DFD4D4A06EDB7B1FF58315F15402AE415A22A1DB786A44CF60

Function 00007FFD9B8A1BFD Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e679a831f74409bd77248680b03ec0ca9d80eddd8d671e5311cabe8706d6f86b
Instruction ID: 3c1f7f856b5ca7b0088be25c1a954f78b7568e87106cc17871e20504aec538fe
Opcode Fuzzy Hash: e679a831f74409bd77248680b03ec0ca9d80eddd8d671e5311cabe8706d6f86b
Instruction Fuzzy Hash: 0301D630A0A68E8FDB65EF64C8655B97BA1FF1A300F45117ED40CC61A2DB39D650C740

Function 00007FFD9B8A0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77795b7571c470f2c2ae8529a4437c41fb72e31ce837f3d134519b1fbc54d801
Instruction ID: fbe0316b3e76c10188313fd22bb4bf429161e91a99c7e5a66029d70d98fd5c9d
Opcode Fuzzy Hash: 77795b7571c470f2c2ae8529a4437c41fb72e31ce837f3d134519b1fbc54d801
Instruction Fuzzy Hash: B7018130A19A0ECAEB69EFA4C4686B977E0FF1D305F5108BED41EC61E5DE35B650CA10

Function 00007FFD9B8A0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b93d5c7a3d01fb124950408826ee10b27d2b93b5adf95130178f55c72920bb
Instruction ID: 1e3602a4f2499e542797834e49ed311614ad02b78114bdb99ceb25e8f97840d8
Opcode Fuzzy Hash: 67b93d5c7a3d01fb124950408826ee10b27d2b93b5adf95130178f55c72920bb
Instruction Fuzzy Hash: F7016D30A1950E8AEB69EFA4C4686BA72E0FF18304F11087EE41EC21E5DE35B650CA10

Function 00007FFD9B8A05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8ef6a9dd11c5dbcdd9957cceb07c068f986a78f019d3ead84f474a32251381
Instruction ID: 5b2faabf8e020f73ec785366ea71733b368c5042655ea349384787ef60b91dac
Opcode Fuzzy Hash: ca8ef6a9dd11c5dbcdd9957cceb07c068f986a78f019d3ead84f474a32251381
Instruction Fuzzy Hash: C7F0C230A0A65E8FEB68EF6494656FA77A0EF1A308F01047AE80DC20A1DA35A660C750

Function 00007FFD9B8A11C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8794a52b91a255d163e2bd8e10fd9918986ed6664f9bf65c925e71dfbcc52d3
Instruction ID: 8b3030f9907788146cace5ad983291175dc7f27073347e8a94f4ea5efd001ef1
Opcode Fuzzy Hash: e8794a52b91a255d163e2bd8e10fd9918986ed6664f9bf65c925e71dfbcc52d3
Instruction Fuzzy Hash: F7F0C830E1A55F4AFBA4EBE498392F977E4FF5A304F00147AD41DC20E1EF285654C650

Function 00007FFD9B8A275D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171f7d0c39a0a6b3c552c89bdbf35a6db001fbd59353c1d20e99202290655407
Instruction ID: 613ae377e73cd8bb4aa64cda2046d88d0630fa792c27c6edda36b2604853c5fe
Opcode Fuzzy Hash: 171f7d0c39a0a6b3c552c89bdbf35a6db001fbd59353c1d20e99202290655407
Instruction Fuzzy Hash: 2DF09630A0E78ECFDB799FA889651B93BA0FF09200F4145BED419C51E6DB38A654CB11

Function 00007FFD9B8A26E9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc0bef01c15cdc41416f5bdfcd301cd5aa159c67a53d570743e2518ba10f833
Instruction ID: 6b365c62ce8095193d3f3387cbc7bf138228eb77f742539fa644b219a7c94465
Opcode Fuzzy Hash: ecc0bef01c15cdc41416f5bdfcd301cd5aa159c67a53d570743e2518ba10f833
Instruction Fuzzy Hash: 26F0623090E78D8FDB6A9FA488391A93BA0FF1A304F4604BAD409C61E2DA28A654C711

Function 00007FFD9B8AB9DF Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8aa000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0753cc2e9d6a408858941e2c25ff5561dcdbdd57c92204a8154e053c42c80d73
Instruction ID: bc52ca03759fe25db18a7159f9df1d85089768e7057484299dbaab5443a467f1
Opcode Fuzzy Hash: 0753cc2e9d6a408858941e2c25ff5561dcdbdd57c92204a8154e053c42c80d73
Instruction Fuzzy Hash: 38F01D70E1991E8EEBA4EB58C894BA9B3B1EF58300F1182A6840DE2155DD30AEC58B50

Function 00007FFD9B8B2C05 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af0bc8bb90c51e997c91ef35237fb6b7c3528e748052d98364edbc9441d031e
Instruction ID: 3ebe6d552788025e6f93cfdc43276c1ad4cbf94a0d40ab48d6df45832b1ba929
Opcode Fuzzy Hash: 6af0bc8bb90c51e997c91ef35237fb6b7c3528e748052d98364edbc9441d031e
Instruction Fuzzy Hash: 7CF0D430E4951D8FDB69EF90C8656EC77E1FB58300F1145BAC409E22A2DE786F908F90

Function 00007FFD9B8A16B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a1a5cca1e6e06b9dbeb7d39b273728c7f151a8c036831ce9938b39de7d2662
Instruction ID: 6e2e35be49913c4e84c149b58e7bbd1bd7b411ce16cb45634c4ca0908c3cf9bc
Opcode Fuzzy Hash: b2a1a5cca1e6e06b9dbeb7d39b273728c7f151a8c036831ce9938b39de7d2662
Instruction Fuzzy Hash: 7EE0E520F0A44A4AEB747359849557461D15F4A314FBA8675F01DC61F1EB2CDE81C311

Function 00007FFD9B8A23E0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16cf6610798a117e6533c541fea822eb56f6ad88096d0422d44dcffccbb6937c
Instruction ID: 5c5da4174699649d15086bc7106d3403bee07242903cfc067727e661be1ed611
Opcode Fuzzy Hash: 16cf6610798a117e6533c541fea822eb56f6ad88096d0422d44dcffccbb6937c
Instruction Fuzzy Hash: 40F01530A1A51ECBEB20EB84CD54BE9B3A0FB55701F0042A9C04AD32A1DF786A84CF50

Function 00007FFD9B8A0F9A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02295cf6e1669206da33acb5a16d5dcc210f501fd01d7e796d40f834140b7bf
Instruction ID: 1d6a481ed247345b84ccc6304e10fe22727c7fc7d1c3fe846ffce8a66dc82f53
Opcode Fuzzy Hash: d02295cf6e1669206da33acb5a16d5dcc210f501fd01d7e796d40f834140b7bf
Instruction Fuzzy Hash: 29E01230E1940D8AF768EB54DC60BADBAB1FF48304F5001B5D00DA3296DE346A81CF50

Function 00007FFD9B8B559B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8b1000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718c8f8ba5787c569d58de92062c5928293dc55eee2df40d185695e7d0b84989
Instruction ID: 4a5683ea8cdd142cef999c48459e27514111d69e5fa667efd89a3db430f8c875
Opcode Fuzzy Hash: 718c8f8ba5787c569d58de92062c5928293dc55eee2df40d185695e7d0b84989
Instruction Fuzzy Hash: 18D0C971E5AE199FEBA0DF6884DE79CB7F1FF59301B41412AE44893191DF2054019B40

Function 00007FFD9B8AFD1D Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8AF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8AF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8af000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbc1bb34ee1f11ce49f214e11302a9be94af02eb6df9e3c27e1e64a0480cf5b
Instruction ID: f69b59e37332b10044547aa25c10d0a6283bd5d8eed39880939b1a0546f4598f
Opcode Fuzzy Hash: 7fbc1bb34ee1f11ce49f214e11302a9be94af02eb6df9e3c27e1e64a0480cf5b
Instruction Fuzzy Hash: 91D09270909B2D8FEBA6DF18C8A47AC76B5AF1C700F5040E9A00DE22A0CF342BC09F54

Function 00007FFD9B8A0FD3 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1837350318.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9b8a0000_UQXKdqQetSFpkBwLVgNixbuHXutP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80589d759b28151bdf7fc45b26b33c53e55db66aac14800000ef3b3957d80fe7
Instruction ID: e64b56fbf57748c8849bbfcccee0646e5708b2be36efae6213cc4fb9a220f000
Opcode Fuzzy Hash: 80589d759b28151bdf7fc45b26b33c53e55db66aac14800000ef3b3957d80fe7
Instruction Fuzzy Hash:

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report h1a1eHrclt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft.NET\RedistList\9e8d7a4ca61bd9

C:\Program Files (x86)\Microsoft.NET\RedistList\RCX5EAD.tmp

C:\Program Files (x86)\Microsoft.NET\RedistList\RCX5F5A.tmp

C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe

C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe:Zone.Identifier

C:\Program Files (x86)\Windows Defender\en-GB\RCX5AD2.tmp

C:\Program Files (x86)\Windows Defender\en-GB\RCX5B70.tmp

C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe

C:\Program Files (x86)\Windows Defender\en-GB\UQXKdqQetSFpkBwLVgNixbuHXutP.exe:Zone.Identifier

C:\Program Files (x86)\Windows Defender\en-GB\b090c5ff0df038

C:\Program Files (x86)\Windows NT\RCX70B8.tmp

C:\Program Files (x86)\Windows NT\RCX7165.tmp

C:\Program Files (x86)\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe

C:\Program Files (x86)\Windows NT\UQXKdqQetSFpkBwLVgNixbuHXutP.exe:Zone.Identifier

C:\Program Files (x86)\Windows NT\b090c5ff0df038

C:\Program Files (x86)\jDownloader\RCX646E.tmp

Windows Analysis Report
h1a1eHrclt.exe