Edit tour

Windows Analysis Report
5tqXx7iu9m.exe

Overview

General Information

Sample name:	5tqXx7iu9m.exe renamed because original name is a hash value
Original sample name:	2CE997B7EEBEE4A876D0347A3489C945.exe
Analysis ID:	1502380
MD5:	2ce997b7eebee4a876d0347a3489c945
SHA1:	3f2bf00a16de610c0549385d214e6c75293d1141
SHA256:	de04994b9650e7f00f8f264ade023d530d292ab03ad672e0101d8e32b886d575
Tags:	DCRatexe
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Suricata IDS alerts for network traffic

Yara detected DCRat

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Creates processes via WMI

Drops PE files to the user root directory

Drops PE files with benign system names

Drops executable to a common third party application directory

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

5tqXx7iu9m.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\5tqXx7iu9m.exe" MD5: 2CE997B7EEBEE4A876D0347A3489C945)

schtasks.exe (PID: 7604 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7620 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7640 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7656 cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\Microsoft\dllhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7672 cmdline: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\Microsoft\dllhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7688 cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\Microsoft\dllhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7704 cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft\fontdrvhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7720 cmdline: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7736 cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7752 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 5 /tr "'C:\Recovery\sqPKQawpTnLujfRgyPwI.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7768 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Recovery\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7784 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 6 /tr "'C:\Recovery\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7800 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7816 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7832 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7848 cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\System.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7864 cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\System.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7884 cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\System.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7928 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7944 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7960 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7976 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows defender\sqPKQawpTnLujfRgyPwI.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7992 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8008 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows defender\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8024 cmdline: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\backgroundTaskHost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8040 cmdline: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\backgroundTaskHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8056 cmdline: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\backgroundTaskHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8072 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8088 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8112 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8136 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 13 /tr "'C:\Users\user\sqPKQawpTnLujfRgyPwI.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8164 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Users\user\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7172 cmdline: schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 8 /tr "'C:\Users\user\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

backgroundTaskHost.exe (PID: 8096 cmdline: C:\Recovery\backgroundTaskHost.exe MD5: 2CE997B7EEBEE4A876D0347A3489C945)

backgroundTaskHost.exe (PID: 8128 cmdline: C:\Recovery\backgroundTaskHost.exe MD5: 2CE997B7EEBEE4A876D0347A3489C945)

dllhost.exe (PID: 8156 cmdline: "C:\Users\Default\Application Data\Microsoft\dllhost.exe" MD5: 2CE997B7EEBEE4A876D0347A3489C945)

dllhost.exe (PID: 8184 cmdline: "C:\Users\Default\Application Data\Microsoft\dllhost.exe" MD5: 2CE997B7EEBEE4A876D0347A3489C945)

fontdrvhost.exe (PID: 7240 cmdline: "C:\Program Files\Microsoft\fontdrvhost.exe" MD5: 2CE997B7EEBEE4A876D0347A3489C945)

fontdrvhost.exe (PID: 7232 cmdline: "C:\Program Files\Microsoft\fontdrvhost.exe" MD5: 2CE997B7EEBEE4A876D0347A3489C945)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"z\":\"!\",\"V\":\";\",\"I\":\".\",\"B\":\"%\",\"9\":\"-\",\"C\":\"`\",\"h\":\"#\",\"Z\":\"~\",\"c\":\"(\",\"A\":\"^\",\"3\":\"_\",\"J\":\">\",\"o\":\")\",\"i\":\"@\",\"j\":\",\",\"L\":\"&\",\"y\":\" \",\"H\":\"*\",\"n\":\"$\",\"U\":\"<\",\"R\":\"|\"}", "PCRT": "{\"M\":\"-\",\"X\":\")\",\"I\":\"&\",\"6\":\"(\",\"e\":\",\",\"x\":\"~\",\"=\":\"!\",\"f\":\"$\",\"y\":\"<\",\"Q\":\"%\",\"i\":\"|\",\"S\":\"`\",\"p\":\"@\",\"b\":\" \",\"c\":\"*\",\"j\":\"^\",\"w\":\";\",\"l\":\"#\",\"D\":\"_\",\"0\":\">\"}", "TAG": "", "MUTEX": "DCR_MUTEX-Jvnje4W7CpjsZdJXvDjJ", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000001E.00000002.1767136982.0000000002719000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1679281685.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000026.00000002.1767202182.0000000002737000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000026.00000002.1767202182.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000027.00000002.1774528305.0000000002B48000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000024.00000002.1766950763.0000000002592000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000022.00000002.1767223313.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001E.00000002.1767136982.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000022.00000002.1767223313.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1679281685.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000020.00000002.1769916533.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000027.00000002.1774528305.0000000002B01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000024.00000002.1766950763.0000000002541000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: 5tqXx7iu9m.exe PID: 7552	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: backgroundTaskHost.exe PID: 8096	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: backgroundTaskHost.exe PID: 8128	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dllhost.exe PID: 8156	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dllhost.exe PID: 8184	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: fontdrvhost.exe PID: 7240	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: fontdrvhost.exe PID: 7232	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Default\Application Data\Microsoft\dllhost.exe", CommandLine: "C:\Users\Default\Application Data\Microsoft\dllhost.exe", CommandLine|base64offset|contains: , Image: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe, NewProcessName: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe, OriginalFileName: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: "C:\Users\Default\Application Data\Microsoft\dllhost.exe", ProcessId: 8156, ProcessName: dllhost.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\5tqXx7iu9m.exe, ProcessId: 7552, TargetFilename: C:\Users\Default\Application Data\Microsoft\dllhost.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\Default\Application Data\Microsoft\dllhost.exe", CommandLine: "C:\Users\Default\Application Data\Microsoft\dllhost.exe", CommandLine|base64offset|contains: , Image: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe, NewProcessName: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe, OriginalFileName: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: "C:\Users\Default\Application Data\Microsoft\dllhost.exe", ProcessId: 8156, ProcessName: dllhost.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\Microsoft\dllhost.exe'" /f, CommandLine: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\Microsoft\dllhost.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\5tqXx7iu9m.exe", ParentImage: C:\Users\user\Desktop\5tqXx7iu9m.exe, ParentProcessId: 7552, ParentProcessName: 5tqXx7iu9m.exe, ProcessCommandLine: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\Microsoft\dllhost.exe'" /f, ProcessId: 7656, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE DCRAT Activity (GET) - Source IP: 192.168.2.4 - Destination IP: 141.8.197.42

Timestamp:	2024-09-01T03:12:07.476989+0200
SID:	2034194
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 5tqXx7iu9m.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Microsoft\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Recovery\backgroundTaskHost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Recovery\System.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: 00000022.00000002.1767223313.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"z\":\"!\",\"V\":\";\",\"I\":\".\",\"B\":\"%\",\"9\":\"-\",\"C\":\"`\",\"h\":\"#\",\"Z\":\"~\",\"c\":\"(\",\"A\":\"^\",\"3\":\"_\",\"J\":\">\",\"o\":\")\",\"i\":\"@\",\"j\":\",\",\"L\":\"&\",\"y\":\" \",\"H\":\"*\",\"n\":\"$\",\"U\":\"<\",\"R\":\"|\"}", "PCRT": "{\"M\":\"-\",\"X\":\")\",\"I\":\"&\",\"6\":\"(\",\"e\":\",\",\"x\":\"~\",\"=\":\"!\",\"f\":\"$\",\"y\":\"<\",\"Q\":\"%\",\"i\":\"|\",\"S\":\"`\",\"p\":\"@\",\"b\":\" \",\"c\":\"*\",\"j\":\"^\",\"w\":\";\",\"l\":\"#\",\"D\":\"_\",\"0\":\">\"}", "TAG": "", "MUTEX": "DCR_MUTEX-Jvnje4W7CpjsZdJXvDjJ", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Virustotal: Detection: 66%	Perma Link
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sqPKQawpTnLujfRgyPwI.exe	ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sqPKQawpTnLujfRgyPwI.exe	Virustotal: Detection: 66%	Perma Link
Source: C:\Program Files (x86)\Windows Defender\sqPKQawpTnLujfRgyPwI.exe	ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\Windows Defender\sqPKQawpTnLujfRgyPwI.exe	Virustotal: Detection: 66%	Perma Link
Source: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe	ReversingLabs: Detection: 84%
Source: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe	Virustotal: Detection: 66%	Perma Link
Source: C:\Program Files\Microsoft\RuntimeBroker.exe	ReversingLabs: Detection: 84%
Source: C:\Program Files\Microsoft\RuntimeBroker.exe	Virustotal: Detection: 66%	Perma Link
Source: C:\Program Files\Microsoft\fontdrvhost.exe	ReversingLabs: Detection: 84%
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Virustotal: Detection: 66%	Perma Link
Source: C:\Program Files\Mozilla Firefox\fonts\sqPKQawpTnLujfRgyPwI.exe	ReversingLabs: Detection: 84%
Source: C:\Program Files\Mozilla Firefox\fonts\sqPKQawpTnLujfRgyPwI.exe	Virustotal: Detection: 66%	Perma Link
Source: C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe	ReversingLabs: Detection: 84%
Source: C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe	Virustotal: Detection: 66%	Perma Link
Source: C:\Recovery\System.exe	ReversingLabs: Detection: 84%
Source: C:\Recovery\System.exe	Virustotal: Detection: 66%	Perma Link
Source: C:\Recovery\backgroundTaskHost.exe	ReversingLabs: Detection: 84%
Source: C:\Recovery\backgroundTaskHost.exe	Virustotal: Detection: 66%	Perma Link
Source: C:\Recovery\sqPKQawpTnLujfRgyPwI.exe	ReversingLabs: Detection: 84%
Source: C:\Recovery\sqPKQawpTnLujfRgyPwI.exe	Virustotal: Detection: 66%	Perma Link
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\sqPKQawpTnLujfRgyPwI.exe	ReversingLabs: Detection: 84%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\sqPKQawpTnLujfRgyPwI.exe	Virustotal: Detection: 66%	Perma Link
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	ReversingLabs: Detection: 84%
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Virustotal: Detection: 66%	Perma Link
Source: C:\Users\user\sqPKQawpTnLujfRgyPwI.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\sqPKQawpTnLujfRgyPwI.exe	Virustotal: Detection: 66%	Perma Link
Source: C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe	ReversingLabs: Detection: 84%
Source: C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe	Virustotal: Detection: 66%	Perma Link
Source: C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe	ReversingLabs: Detection: 84%
Source: C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe	Virustotal: Detection: 66%	Perma Link
Source: C:\Windows\Tasks\sqPKQawpTnLujfRgyPwI.exe	ReversingLabs: Detection: 84%
Source: C:\Windows\Tasks\sqPKQawpTnLujfRgyPwI.exe	Virustotal: Detection: 66%	Perma Link

Multi AV Scanner detection for submitted file

Source: 5tqXx7iu9m.exe	ReversingLabs: Detection: 84%
Source: 5tqXx7iu9m.exe	Virustotal: Detection: 66%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Joe Sandbox ML: detected
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Joe Sandbox ML: detected
Source: C:\Recovery\backgroundTaskHost.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Joe Sandbox ML: detected
Source: C:\Recovery\System.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 5tqXx7iu9m.exe

Joe Sandbox ML: detected

Source: 5tqXx7iu9m.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Microsoft\fontdrvhost.exe	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Microsoft\5b884080fd4f94	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Windows Photo Viewer\95aaaff3431df3	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Microsoft\RuntimeBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Microsoft\9e8d7a4ca61bd9	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\886983d96e3d3e	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Mozilla Firefox\fonts\sqPKQawpTnLujfRgyPwI.exe	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Mozilla Firefox\fonts\95aaaff3431df3	Jump to behavior

Source: 5tqXx7iu9m.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:49730 -> 141.8.197.42:80

Source: 5tqXx7iu9m.exe, 00000000.00000002.1679281685.00000000037BF000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Windows\TAPI\95aaaff3431df3	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Windows\Performance\WinSAT\95aaaff3431df3	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Windows\Tasks\sqPKQawpTnLujfRgyPwI.exe	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Windows\Tasks\sqPKQawpTnLujfRgyPwI.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Windows\Tasks\95aaaff3431df3	Jump to behavior

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Code function: 0_2_00007FFD9B7F35A5	0_2_00007FFD9B7F35A5
Source: C:\Recovery\backgroundTaskHost.exe	Code function: 30_2_00007FFD9B7F35A5	30_2_00007FFD9B7F35A5
Source: C:\Recovery\backgroundTaskHost.exe	Code function: 32_2_00007FFD9B7E35A5	32_2_00007FFD9B7E35A5
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Code function: 34_2_00007FFD9B7E35A5	34_2_00007FFD9B7E35A5
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Code function: 36_2_00007FFD9B7D35A5	36_2_00007FFD9B7D35A5
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Code function: 38_2_00007FFD9B7E35A5	38_2_00007FFD9B7E35A5
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Code function: 39_2_00007FFD9B7E35A5	39_2_00007FFD9B7E35A5

Source: 5tqXx7iu9m.exe	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: csrss.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: sqPKQawpTnLujfRgyPwI.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: sqPKQawpTnLujfRgyPwI.exe0.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: sqPKQawpTnLujfRgyPwI.exe1.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: 5tqXx7iu9m.exe, 00000000.00000000.1639179329.0000000000CC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 5tqXx7iu9m.exe
Source: 5tqXx7iu9m.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 5tqXx7iu9m.exe

Source: 5tqXx7iu9m.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 5tqXx7iu9m.exe, WFDiCoBfJPUasZJt1j0.cs	Cryptographic APIs: 'TransformBlock'
Source: 5tqXx7iu9m.exe, WFDiCoBfJPUasZJt1j0.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5tqXx7iu9m.exe, qiFryjdMa1ZYu0igrfk.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5tqXx7iu9m.exe, qiFryjdMa1ZYu0igrfk.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@41/55@0/0

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe

File created: C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe

Jump to behavior

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe

File created: C:\Users\Default\Application Data\Microsoft\dllhost.exe

Jump to behavior

Source: C:\Program Files\Microsoft\fontdrvhost.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\db4572b74068004bed83a2c48c379c40d48bc5db

Source: 5tqXx7iu9m.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 5tqXx7iu9m.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5tqXx7iu9m.exe	ReversingLabs: Detection: 84%
Source: 5tqXx7iu9m.exe	Virustotal: Detection: 66%

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe

File read: C:\Users\user\Desktop\5tqXx7iu9m.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\5tqXx7iu9m.exe "C:\Users\user\Desktop\5tqXx7iu9m.exe"
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe'" /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\Microsoft\dllhost.exe'" /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\Microsoft\dllhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\Microsoft\dllhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft\fontdrvhost.exe'" /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 5 /tr "'C:\Recovery\sqPKQawpTnLujfRgyPwI.exe'" /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Recovery\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 6 /tr "'C:\Recovery\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe'" /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\System.exe'" /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\System.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\System.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe'" /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows defender\sqPKQawpTnLujfRgyPwI.exe'" /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows defender\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\backgroundTaskHost.exe'" /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\backgroundTaskHost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\backgroundTaskHost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe'" /f
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\backgroundTaskHost.exe C:\Recovery\backgroundTaskHost.exe
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\backgroundTaskHost.exe C:\Recovery\backgroundTaskHost.exe
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 13 /tr "'C:\Users\user\sqPKQawpTnLujfRgyPwI.exe'" /f
Source: unknown	Process created: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe "C:\Users\Default\Application Data\Microsoft\dllhost.exe"
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Users\user\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe "C:\Users\Default\Application Data\Microsoft\dllhost.exe"
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 8 /tr "'C:\Users\user\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files\Microsoft\fontdrvhost.exe "C:\Program Files\Microsoft\fontdrvhost.exe"
Source: unknown	Process created: C:\Program Files\Microsoft\fontdrvhost.exe "C:\Program Files\Microsoft\fontdrvhost.exe"
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: mscoree.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: version.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: uxtheme.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: windows.storage.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: wldp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: profapi.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: cryptsp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: rsaenh.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: cryptbase.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: version.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: wldp.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: profapi.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: version.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: wldp.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: profapi.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Microsoft\fontdrvhost.exe	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Microsoft\5b884080fd4f94	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Windows Photo Viewer\95aaaff3431df3	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Microsoft\RuntimeBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Microsoft\9e8d7a4ca61bd9	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\886983d96e3d3e	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Mozilla Firefox\fonts\sqPKQawpTnLujfRgyPwI.exe	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Directory created: C:\Program Files\Mozilla Firefox\fonts\95aaaff3431df3	Jump to behavior

Source: 5tqXx7iu9m.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 5tqXx7iu9m.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 5tqXx7iu9m.exe, qiFryjdMa1ZYu0igrfk.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 5tqXx7iu9m.exe, vwN1f2sKlO4JE7m6NyT.cs	.Net Code: fGqX0jnRO0 System.AppDomain.Load(byte[])
Source: 5tqXx7iu9m.exe, vwN1f2sKlO4JE7m6NyT.cs	.Net Code: fGqX0jnRO0 System.Reflection.Assembly.Load(byte[])
Source: 5tqXx7iu9m.exe, vwN1f2sKlO4JE7m6NyT.cs	.Net Code: fGqX0jnRO0

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Code function: 0_2_00007FFD9B7F8A44 push edi; ret	0_2_00007FFD9B7F8A45
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Code function: 34_2_00007FFD9B7E8A44 push edi; ret	34_2_00007FFD9B7E8A45
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Code function: 36_2_00007FFD9B7D8A44 push edi; ret	36_2_00007FFD9B7D8A45

Source: 5tqXx7iu9m.exe, YANVR6X7530psWmfmpC.cs	High entropy of concatenated method names: 'zUHp16Ihpe', 'kBXpGNnUil', 'KqOpESgZAv', 'xlQpUSgeao', 'HdQpPoiswR', 'o6yjAST0oBlJ4AjYOwT', 'jOTUgETG5iQPiPI4wJ9', 'HgsBb8TskMFPx1Fof25', 'USv1aoTh7G39IIXTTJP', 'qE4FBjTLC4J0ivU1dKI'
Source: 5tqXx7iu9m.exe, urp1MtCX4Tnr3HiRk1G.cs	High entropy of concatenated method names: 'tgRiELpE2qZTkiuEr6h', 'QlqRhQpiVxXoPIdbpsZ', 'dpmTw0pvMKwsmXJtaV3', 'VPjcNxpT6aQcJ6owIJP', 'wqVZAmm9SW', 'oSLldOpfLgBv1nr3OhC', 'HZPBC5pa2P3Js4xXF4F', 'QTZaJ4pbSgGvGaXQvQW', 'ThcSjRpXxM53p8akmmm', 'X8cCmxpPGE9vhflM5nB'
Source: 5tqXx7iu9m.exe, uUXPfXBjERZESltYHl7.cs	High entropy of concatenated method names: 'BVXNLvGEUD', '_1kO', '_9v4', '_294', 'xmVNxV5PNG', 'euj', 'MUONAleulr', 'HmkNlGLynB', 'o87', 'i3tNtN2aei'
Source: 5tqXx7iu9m.exe, P3vRDmCDsAGjQ9srHo3.cs	High entropy of concatenated method names: 'Hc7lvykDXK', 'swll3tFIvX', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'wn3lNb6CJv', '_5f9', 'A6Y'
Source: 5tqXx7iu9m.exe, NbAncoLdktdswP3bME.cs	High entropy of concatenated method names: 'U1JADxv9W', 'eDplLw0pC', 'R7xt2lENU', 'gyCmhEhvW', 'm3cvN4lS7', 'op93ax9nY', 'vrvN8iq8R', 'O9Bd0ZALs9nXxv5lnLj', 'XvKtHwA9twqaBT9RMNW', 'XERMeMA54FOpix0A2qH'
Source: 5tqXx7iu9m.exe, h0wnXMC8Y37woqDa536.cs	High entropy of concatenated method names: 's1auJ6KhTPubAgO8tbs', 'xHTEcEK0Sv3WnJMLk7Q', 'bfnPrrKqBsYeM6TJ5jH', 'KaZMVpKsSaOlQxMI1wQ', 'oIgtOhKGNkUcpxNvHOd', 'W6jFyXKL8b6J6nmG9Vx', 'vjdFMBK9frkXqGVA4Mv'
Source: 5tqXx7iu9m.exe, EluA3o5KxLNmXIaYNol.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 5tqXx7iu9m.exe, ulwuVQXeTwNmdvqPKEa.cs	High entropy of concatenated method names: 'oTWK6Quv93', 'Y12KRYpwEw', 'XJjKwENoOO', 'lSlQ1RT7Q6UQpPXi9Wu', 'uQSU2JTdwoQ7jTAvg4v', 'cP1Qe9TVbRKHx6muF6N', 'jGgTbyTZYnLqdJlqxrI', 'PcGKBEjRRw', 'AVdKdav3FK', 'jtqKpr35QH'
Source: 5tqXx7iu9m.exe, WiFNDABxNwFsPaS1v9n.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'LEPtAfaT8U', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 5tqXx7iu9m.exe, vwN1f2sKlO4JE7m6NyT.cs	High entropy of concatenated method names: 'itSXOScpq3', 'Y3wXS8kebH', 'z5lXTUP5cq', 'GbaXajGMEr', 'mS2Xub7PQQ', 'SOMXnCPG3N', 'Ar3X8gVKJ1', 'zpCFqLWbKv19aiitEmP', 'YEqNecWE0O5MLUZJXtp', 'ckVHjPWiLQZpOIqD9gK'
Source: 5tqXx7iu9m.exe, t65RwGXYuyjIfb7gSC8.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'pbZFV8rTAQ', 'V6xRhDgimh', 'ft3FhMdsK9', 'pGZRtSAUaG', 'VTyYsIiKkGUWcAwNmqe', 'xKuT1hiY2ltXeC0i062', 'sILX9kiwaoKHvyiFnrq'
Source: 5tqXx7iu9m.exe, w1kJZnCmFJUOe5my7H1.cs	High entropy of concatenated method names: 'oHTA8fApeQ', 'KRRA96ogKD', 'DgZAoyeiLm', 'f3ZA4AhNEg', 'zpPA2jH2p1', 'GD5dM5oPZpEPCjGeDZu', 'W89DUKofshKDXLDklVh', 'sDSXE8oaXD3ejmu1Z56', 'OKdMo7oMj7CRB0PTVXj', 'fcjlYRo2R72fRtw50md'
Source: 5tqXx7iu9m.exe, CDrb9nCOooU2VfkNvxe.cs	High entropy of concatenated method names: 'qxGA1Wsce1', 'jiPAGgTPJL', 'h4yAEJ0dHC', 'x4lAULDBe8', 'YkqAP77UyY', 'jcHAct8pnc', 'vxoUylog4YUv7VHWN2X', 'EsEaXton0kGdtXhcdSG', 'kuTqUVoxiN3619PR6Hw', 'qqOkiBoSpFjoDcta9Uv'
Source: 5tqXx7iu9m.exe, qEW2rugK4OhO0tCOch8.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'ehxZj0GGHFdpjbbSfTv', 'ODibQTGLslT5snA5fey', 'nFRWmwG9NUlVJI2kpqZ', 'CuaRk7G5wu3EvY7eDVA', 'my9UyrGtfql3Z6QT2Uw', 'fqeTmIGCJvKXBZuXnT7'
Source: 5tqXx7iu9m.exe, MebmLkXyfJ1lVs8Nb8K.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'Bu2RBD20fM', '_168', 'abHU4QiXHWpfKryrwpP', 'd1mAlGifa9Qmy9G7b15', 'Bj1IQNiabI1AvstbdgV', 'wRa1BCiPriwDDTY7jtV', 'X8F6HaiMSGTNHX11nLC'
Source: 5tqXx7iu9m.exe, iGQRlggDW1QBwweoHac.cs	High entropy of concatenated method names: 'bYKsLpIZ7E', 'P2rsxu4OhO', 'ntCsAOch8w', 'tBEl8LCtwD0UtV6aH9j', 'hns3IeC9XbevdlxvPNv', 'e2VoGoC5WZk5SZIqlZh', 'qNflyqCCQ3bnhLrFrLx', 'JYZwmtCDbYPUjbxAQRD', 'QiSBNeCWAmjHUYW8i62', 'QbbMlnCrAbEUia37kCf'
Source: 5tqXx7iu9m.exe, AjTwlqCPdYT7nWO9uKS.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'xS4lxbvOOp', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 5tqXx7iu9m.exe, kHxaQsgQl5RZIGAXbr2.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'rPbXCHLbIu6b31gsPSK', 'eUj0f3LXmWPxDGoqXMy', 'yB7ITfLfdWdKodOFKKQ', 'vEsGHTLaeHySFnBY2Tr', 'upE8vKLP0sJUrC9EgB7', 'hPVxM5LMTicAIYxwC2n'
Source: 5tqXx7iu9m.exe, e16UFuCqbjqc2O9b2oa.cs	High entropy of concatenated method names: 'Ll5Ab0xKdL', 'lfXAycdsM0', 'gbKAjDXH2T', 'XOed4coQJYtF3n9FhBV', 'VRtPvZoK6Yw8YVCUx93', 'jteLpHoYQvnZQ8jKyk3', 'QWMRi2odIgDwgjNM76Y', 'IBJcCeoVJRLJ0jg5k8Y', 'HLNADBo7BrA8urnhcQo', 'MgntKjoZDfTFP1v3is6'
Source: 5tqXx7iu9m.exe, po1pOSBSI2xCctpmTMO.cs	High entropy of concatenated method names: 'Dx5wNB7sKgB37dIZC0C', 'ra11S57hLS7CWbU1w27', 'N7Y4fT7UnaG8UtQgsAR', 'AqKT6R7qv9RmG40EPMe', 'JcgmTvRpMS', 'WM4', '_499', 'FAImapSB1g', 'pPFmuhXBkJ', 'KrvmnSkSoA'
Source: 5tqXx7iu9m.exe, QU7to85GO7TdWkZZKHL.cs	High entropy of concatenated method names: 'Ma50cXBXuR', 'ivS0Ti7hWO', 'Vqi0a2frRJ', 'wnf0uqiSTA', 'GSy0nCkUGt', 'B5908ZdrUL', 'vgb09CfKIQ', 'Kx50ov3VNa', 'YD704MhhrU', 'shO02mEkEq'
Source: 5tqXx7iu9m.exe, NbupVPg7LHDu5RBiANp.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'nKbE0MLHl6h6gdmx8au', 'oWtnjFLA3KwmeYJL0wg', 'bboWySLUIwwAF0X8UA4', 'XhjlwdLqes3uMGs77vi', 'fuvepFLsIpUqoP6UwVM', 'TVl4I1LhjVXZP4BPE25'
Source: 5tqXx7iu9m.exe, msL2JCXGi8arKs7Itod.cs	High entropy of concatenated method names: '_269', '_5E7', 'JOgRMJi1AC', 'Mz8', 'LEmRoSL26v', 'fbjLCticbEF7244GKWX', 'XXSpvsilOwjIIFhhZHl', 'gYLS5pi4tgFq0oOl0lZ', 'n3Cd65iOBjHtvQfAi8s', 'DyqZJhiuVPvwLBY7jKN'
Source: 5tqXx7iu9m.exe, ec6Y0bgxpJahxY3Y0Rx.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'fPPxo8L1cqY8evMhyH3', 'EKixURLwJ7OnRuxxXwc', 'ocQ7gYLo5ql8JTql2hl', 'Ne0kx7LKNE6xE9RosXI', 'UuplV2LYVu29sWZNaNA', 'XlxKXpLQdB6Oy3AOUpL'
Source: 5tqXx7iu9m.exe, b4OmQ8yWy70t4pnKBE.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'IXYvClh0oDjkLS1K6gR', 'qZjgkrhGTFntjpDFdCJ', 'PRVnLwhLM1ApJJnJAHM', 'da0yvrh9ys70MRjPkSN', 'pWK6f1h5e9qjuyNbbdE', 'ffqn77htQpJ9UeM0nCL'
Source: 5tqXx7iu9m.exe, WFDiCoBfJPUasZJt1j0.cs	High entropy of concatenated method names: 'YSZlkaWOau', 'eyClWkKAYQ', 'f4wlbQVHiE', 'osZlyNTbXY', 'k15ljDIn7P', 'TxalYFW3PQ', '_838', 'vVb', 'g24', '_9oL'
Source: 5tqXx7iu9m.exe, EW8k9C5AwA5kvxAPQDT.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'po1MfpOSI2', '_3il', 'vCcMgtpmTM', 'ESIMsLacAi', '_78N', 'z3K'
Source: 5tqXx7iu9m.exe, eraifk5jpbtEdXd7xod.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'uon06xiahy', 'UJd0RIuV82', 'r8j', 'LS1', '_55S'
Source: 5tqXx7iu9m.exe, QGyg8ngnYrFEI3wtGcR.cs	High entropy of concatenated method names: 'LecgcVllH0', 'YbDj5M5odPx925avD2n', 'RCMmYA5K7M0Nms58vHx', 'jKWq3o51nlJvUsgIGQT', 'QoM1XU5wg5Oth9Qr6Yt', 'JFVQ9w5YowTnQSLspge', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 5tqXx7iu9m.exe, mQnCkPBBNCxrI76BR4g.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 5tqXx7iu9m.exe, beaoud5iQoiswRlPnCF.cs	High entropy of concatenated method names: 'RxuhaPlCI8', 'TyShu6sn0J', 'yW3hnvRDms', 'xGjh8Q9srH', 'L3wh95ck9F', 'oZnRorXIWtRRUKDIkAt', 'CqJYLoXzqnjxRpWdW4k', 'I2etr9XJ1wr0k1ZcygX', 'fUaJjuXRMLxoqemOYiy', 'XuAKsxfHhaT8mLRsb1D'
Source: 5tqXx7iu9m.exe, EHcBXugYvPPioY5rIOq.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'z9blrQtFFxGL6xrpt06', 'VfCXDutpKZlvES6yQRh', 'LcEBDJtBSqrYMlwchBu', 'WlHwlQt1blZiHjtXg2u', 'fwIX1GtwrcT0mP7OG7U', 'RToM01to6KTtJkIl9PA'
Source: 5tqXx7iu9m.exe, RhYOCOdVhyEQe9Qonxi.cs	High entropy of concatenated method names: 'yIrXD3TT7JIrI', 'fxiUTknmcFLMOew0D8l', 'K5gu2Rn8BZKk3R75s6v', 'TMZGw2negt4dgOeNtNt', 'y0D8YHn6UE2raX3uWJJ', 'Dsu4E0nyOPFegyBidU3', 'WTwBPZnW47hCBr3COev', 'zMloennrsHg4TL9PH4S', 'DyFc0GnN6fKt9AgxP52', 'F3Pj8Sn31rxMiYmNFbO'
Source: 5tqXx7iu9m.exe, Fyq8rpXIjd1VrF8mUpi.cs	High entropy of concatenated method names: '_5u9', 'eFiRbS4Zbo', 'NaxFfQYGnF', 'ToWRaU4S4C', 'poBFpjEJKkrhkkFMcRu', 'L6NavxERaZdkdu1HLAo', 'U4CK9XEIpmFN8Ka2l97', 'A5abrdEOeHqxfLCcl1M', 'NAe7s9EuBaFPxMLiB0C', 'MeDDoNEzpIlNhecl3dX'
Source: 5tqXx7iu9m.exe, i9v253dNOcENnRHTPq.cs	High entropy of concatenated method names: 'z25M3NOcE', 'WBI3sspaK049dXiZyQ', 'l4UokFjfvHCAwHJEKO', 'sgsow3F2BSg4Re5rWu', 'S8DnkIBAQkvjmtyOH9', 'vbrnDB1yYbLtYG7wOA', 'bhPsOY4rr', 'a3CXhpRks', 'FAK5dTqEm', 'H0NC7Cetx'
Source: 5tqXx7iu9m.exe, I7gPi5BQkfnkjldahxF.cs	High entropy of concatenated method names: 'KpptZF9ufF', 'FjjtHPCyZP', 'rnCtQxAZJ8', 'jGFtLBnovX', 'LDUtxtTa0N', 'MHXLuMQJVHQScD3cs6g', 'kqnIq3QR66TOG8i1i5n', 'YVh3WVQIP626xSh9Jhc', 'Pv2eV1QzwkLmrTSmko6', 'OGKxBOdH6SWDDfsnUba'
Source: 5tqXx7iu9m.exe, K3D12Y5HpwEwPJjENoO.cs	High entropy of concatenated method names: 'oAUiSEvwG2', 'PgYiTesPiF', 'CDAiaNwFsP', 'GS1iuv9n2t', 'u9jinybI3S', 'VOuaA9f1WARALTYelh6', 'bC5F6WfwcYDqHaEepgf', 'tYZFurfpTHiGFId1v1y', 'LZHxjXfBe6Cv5NaKZIW', 'JhQTC1foLm0iZb2NljM'
Source: 5tqXx7iu9m.exe, Rdvir3ge4hFIwRvdDfY.cs	High entropy of concatenated method names: 'Fy3gNfUSQS', 'Tk7wylL64QIXpQw1nTh', 'IX9aLvLyd5AnjPuRnaW', 'yKYWSlL8x98iKq71VI7', 'mVmxvSLeThE7a6WMrDu', 'gqJZupLNX8wHNsN0doD', 'JnLZleL3j9pUqq8w5RG', 'HFDylILv1T8EgrW8WX3', 'XlGba0LTbtmSVJDeODo', 'f28'
Source: 5tqXx7iu9m.exe, DIpPurWKUNs41RLlAu.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'mrAhljs7aTR6C1trYXI', 'fA5JUpsZ7I4LCvyWelG', 'VTFUBpsnHEU8NSHwR64', 'OL8TMZsxS2gIEPHlkeA', 'PAD0n5sgPfiCnZNCHHr', 'Dk12ojsSTkYUaWsFfpZ'
Source: 5tqXx7iu9m.exe, ndK9NnX5h9FkieBFikK.cs	High entropy of concatenated method names: 'JOLd4MOybn', 'l6xd20bgWe', 'pvNdI7wPrO', 'XHFdkLyy0c', 'oC1dWd2UPv', 'yGWdb7i4Ge', 'Uwq9DWNMxDsBfqqmUme', 'swsB7INaTIQbx8vDeoT', 'aOddifNP1CHcIr1MykV', 'YQ7i9rN29tCIF3huiiR'
Source: 5tqXx7iu9m.exe, qyXeygsJZxH9dl7Uryt.cs	High entropy of concatenated method names: 'aVMXzBTsVa', 'cdN5focq2r', 'gQ45gqF1KR', 'fM85s8V2W2', 'UHg5XHPlCU', 'ex1558mYYL', 'xeN5Ctmucb', 'rPq5BE8WWR', 'cgL5dodgEM', 'EQZ5pA8oud'
Source: 5tqXx7iu9m.exe, ud2l8f5mmuXjtU4mk8F.cs	High entropy of concatenated method names: 'lHkMSqPvMt', 'LZRMTEabNP', 'fJwMabXYv2', 'NDRMumUFH8', 'K3OMnhB2SK', 'LnRru7aNCtX0VQV9OGQ', 'PxWxZra6lokePL6sbCr', 'HNl3g4ayvQxESlRtXwW', 'NqIGe7a3McjbTBIgnUD', 'kvQBNSavI1p1GyYTiNO'
Source: 5tqXx7iu9m.exe, Y0Kih5cJlG7ufTKwYT.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'd0Fiqqh4vypm646KTA1', 'b6YJNQhOAS4Qr58A4oL', 'oQ3WKyhukEFtuVqBcKO', 'gVFsjPhJZJ73inCEk6m', 'AjB7Z1hRk7E3pvxOqat', 'jxKI9ehIAfHEMMSlv57'
Source: 5tqXx7iu9m.exe, zYB0lB5CUaDLSk0ERBw.cs	High entropy of concatenated method names: 'e2thw5Cxtx', 'v2GDDUXyXF3JoqyYjRE', 'DueUdeXNO1uEwwkeIqB', 'tB3ZvAXepPOapM5PDdR', 'Had506X6tAlrNBU7u5T', 'BeBFqf0Ewc', 'rx7Fr9y3ZV', 'QbTFOwnwSb', 'wpsFSwOwSa', 'mTuFTx4OMH'
Source: 5tqXx7iu9m.exe, zr1B0IgyqeQ2R6BQM2G.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'PRDkqStvi1t0iGiBX1Q', 'GfqFrttTyydop5iUOdd', 'nPUOkQtEIWfGejHioNt', 'QeeorNtiVDC5kC7ffyf', 'yOPiPAtbQ5qLqN0jjLO', 'zxfotxtX7jXjheUdJp9'
Source: 5tqXx7iu9m.exe, vUs5KLBr6WchAKyQHch.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'ltQmlXW290', 'O7rmtNvh6f', 'WdfmmbpHMC', 'SDmmv6Pvo2', 'qSmm3wbw6F', 'WsHmNeYleJ', 'vuFfSfVoYNySBOl2ttE'
Source: 5tqXx7iu9m.exe, e6NRgLsnNd6ePtegppP.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'r2oCTNQmMi', 'mblCaEC6NR', 'bLNCud6ePt', 'sgpCnpPneR', 'N1qC8Bp0Mg', 'OOn9Ug69ubcAsiqpCMI', 'uaw9ST65rwlnsbobFXf', 'KUEW476Gbi6qqsvsK43'
Source: 5tqXx7iu9m.exe, iNFmsZs9xM7TWSDxiYi.cs	High entropy of concatenated method names: 'EfuBpni12X', 'CiFBKQggU5', 'SEGodC6OdPGrZvBXSxq', 'FenDKg6uXJNOydZY0Z4', 'SEEnAM6l737oYIVZO6U', 'SCg4Z964m8U08BFLnVK', 'jcvBwqF8Bw', 'm1TC1PyHhgqMTUffXpu', 'pokl9FyAhEoGcp0VvnM', 'rAX6C56Iu8HFNuG1igB'
Source: 5tqXx7iu9m.exe, C4JBDDgmaj6vNA5fOhp.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'nuQXqfLI1ph8o3KmiLO', 'm9mBtQLzvCPYlyZWv2b', 'wUfRHQ9HfMCFsvgySQq', 'Pbs16U9Asxg5AeXorqW', 'DUgwGo9UTDFW2iDAsCQ', 'klTE5J9qtW0qeTmRMcY'
Source: 5tqXx7iu9m.exe, gc4vRy9DSpTrlxr88F.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'SMPyfKquWcqltkVlRCq', 'VVsf3ZqJ7GdfWLOhnvZ', 'I0dBR1qRSGj6anAsfH4', 'r7H6O4qITFZHuiCOUGi', 'wWZHJ5qz96jQh3S2j6o', 'sDg2N5sHwVCoo7N3cZt'
Source: 5tqXx7iu9m.exe, oLcnyCYtq31dwTl1gg.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'uRmf54hmpnHXUKtndjy', 'rGypVSh8HRDgGSXrpZP', 'NfCwlZheH3evCYeF09n', 'IdE1lTh6dTXtNF7wqtZ', 'XLecKThyQcbMSPLflrJ', 'Tpetp9hNyWIgHOL3f6c'
Source: 5tqXx7iu9m.exe, xMsAKoBmbBxPW3XoZBW.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 5tqXx7iu9m.exe, DkXVixsL6gjVuQUdGrM.cs	High entropy of concatenated method names: 'qwt5HaAVeZ', 'lwN5QqbHDK', 'SRZ5LoJ7Lc', 'UAr5xlpPKX', 'l9p5Ab7qYY', 'QOOSpb8HMSKau7WNrPd', 'kqZfx68ACUwI14kxrJW', 'yOMXrkmI2pd292vefJX', 'SpEr0omzPMOG71b1Yje', 'dCVrbs8U9QNfy39Ix28'
Source: 5tqXx7iu9m.exe, eU5x18gUmYYLleNtmuc.cs	High entropy of concatenated method names: 'Po7se8ZJ96', 'PYBUVUC0A62ZOrIBTHP', 'XEXQ9QCG3juO6NELSSI', 'l82jAgCsgWHrY686iQ5', 'HnUGehChlUYQhovS4Hb', 'oe0MV2CLywwl4Yk5fKe', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 5tqXx7iu9m.exe, PwImWd5cfGB5Gb0BMZP.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 5tqXx7iu9m.exe, dy4mJkXz0TryLQSrheS.cs	High entropy of concatenated method names: 'pkbFvwImWd', 'aGBF35Gb0B', 'mZPFNATuT4', 'RxNUX1bdCgt8QMWjjYH', 'GFv8tqbVEovblodV6VT', 'W3L508bYQHGdDU5W1n7', 'meh0i4bQ8LuKHaaxOEa', 'R2gUJdb7X9awNKggIDa', 'pAlgkebZ4p5qLvw4GOV', 'uYOtFIbnxtdwgjBFIa2'
Source: 5tqXx7iu9m.exe, elUP5cgoqTbajGMErMS.cs	High entropy of concatenated method names: 'rlGsg7ufTK', 'pYTsskA1uq', 'BtSsXsXrN1', 'Bpou4U5cfDNPm5PDxpG', 'K5bit85lrrFrFQl2oGE', 'QlS0vu5SFuFIoq7kRGH', 'bmuFhd5k1lcyTOEUc3c', 'orB9br54dn6GAOAUQk3', 'S16uyU5OKcd7yyIGw2U', 'tj4JLt5u05w6tVhS2oJ'
Source: 5tqXx7iu9m.exe, qvKwKYs3vrkjTem2IJN.cs	High entropy of concatenated method names: 'xuY5cWsaIb', 'S9Y5DVL37V', 'UOi5znULEM', 'kwOCfC7RkC', 'ac5Cg2c12i', 'vskCsheKwU', 'jFZCXpRpV9', 'EseC5Tlxwb', 'Pt0CC7rkXV', 'cKDcWD8OEdlrTnrXRZ2'
Source: 5tqXx7iu9m.exe, BZHfD9S2ymIvuPmXn7.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'mZl2SQlSM', 'H0p6GZU1PprD3elVGZh', 'e1l3rGUwW73qTEOGPwT', 'Gdp0amUoT0LHoZTLIUA', 'PA4ebUUKQ1MrCdgwZIx', 'eAeU0IUYSqcQihuAiy1'
Source: 5tqXx7iu9m.exe, TMHI4DglhApMV2IbUbZ.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'MtrsMELxmjEBb645OnP', 'vutsaCLgiSKWJMT5dDu', 'Nk2bABLSSbZRlS4103o', 'NBSqpZLkUQLB1V7RkCQ', 'W1oHcrLcKUvb4WFkl1I', 'PchPJ9Ll3fZOqK8ZnOB'
Source: 5tqXx7iu9m.exe, igwANFCKqORcQVCjofO.cs	High entropy of concatenated method names: 'aQrAZXAPSk', 'kRNAHvN7A2', 'Qek8U2w4Z7tAAjgD5nZ', 'KIVL7RwOICihHjhGCZa', 'QY62qWwux5mp4OsDlkq', 'r7O0dFwJMhD7OoOVbxZ', 'Hb6wApwRpjhPjjSgfWy', 'gAj85EwIIBki7jbdMiR', 'jblN0awzOyTwry3IDMV', 'egHF6BoH1bHETppoC2e'
Source: 5tqXx7iu9m.exe, uuamBosw4DPGMNJf2Hc.cs	High entropy of concatenated method names: 'OOqXcRf0H3', 'aDIXDKB4be', 'JAGEiXrND8L6e2IKQt5', 'J6MpbDr3DsTgRDa6WDY', 'x4CgU5rvD6vpTUCD6Nn', 'jBn4hsrTtZuo5CkZgA8', 'qJSR2HrEklZ6K2AanZe', 'Xem3N0rid3kpVXWcMOl', 'UBjPqBrbY5t7Dq7Us1e', 'eMvZIgrXhXZ0praitSd'
Source: 5tqXx7iu9m.exe, mPhUNEnXPaQ0iV4TMy.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'jFrot5qw2ZiTDwPanf2', 'iUdJcYqo3STZdQlCG0D', 'gMIcbfqKAvo7IllHPc3', 'NKapFgqYHBysIlaYt88', 'fpCGbcqQUsdlH8LDIGw', 'A6FHPmqdyOwwqe3kkOw'
Source: 5tqXx7iu9m.exe, lH7pvpgg07wb2Eh0eZu.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'TKdDRg0NQjFncjUImt7', 'yJtbwA03H82DhVd3ePF', 'luZH0r0vPDMqSAp6px6', 'usmdie0T8Rf6nXSf5pw', 'qQc0lR0ETE39w6IfBpc', 'lTdrMn0iKZ8vZWPemel'
Source: 5tqXx7iu9m.exe, jFcvqFsD8BwBQR3oJrZ.cs	High entropy of concatenated method names: 'osRdl0Hqwu', 'sgdr7WykJioL1bZFBIn', 'uOp0owygXRYFWUWOaq3', 'yux28HySb3VErPMtTAo', 'dvaQtiycni3FaaEtP5P', 'VQFQT6ylyePxmciumE5', 'E45dJN1DxD', 'xdGdeRA0Xm', 'sUIdZb0Ttg', 'EOUdHefgIR'
Source: 5tqXx7iu9m.exe, SuFNw4CT5JT6fjXvkrQ.cs	High entropy of concatenated method names: 'cDhlfr0Dg4', 'n8sihloJ0tNcWjktP3w', 'WrlVTjoOZJCuwNgYmqL', 'mfGS67ouGlmN2OlJX4d', 'kJ9NkLoRSxUTQk6aMU3', 'gBXOV3oIPrVPvn2anab', 'tk4SaLoz2hphwtRH3Wv'
Source: 5tqXx7iu9m.exe, bRnRQksslHkDSg3QBLR.cs	High entropy of concatenated method names: 'RUMsbwFKFj', 'WOysydvir3', 'MhFsjIwRvd', 'YfYsY4ryoL', 'Dfas1WqGIl', 'haCsGC9jum', 'MK32vUD6ua4Ppcwuy3P', 'PMcMRtDyPYLC7bnrgDU', 'th0xVZD8otGoTMVWRBa', 'qsCrbhDevjoIYIQMdJd'
Source: 5tqXx7iu9m.exe, d7LFjMC3M9C2Qljqkhg.cs	High entropy of concatenated method names: 'z05AIWATCV', 'bcOAkeODRM', 'YwIAWfg78o', 'K9miceo1uT3gLFanOkZ', 'vaTlpXopjrJ8cZEtQZq', 'wRcTUjoBZrGpv8hgAJB', 'NUgt3KowGatEmddRco4', 'PfQFJBooTD1iRIZW8R3'
Source: 5tqXx7iu9m.exe, JR2YAtvSBXphe5J9EQ.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'da5MZEUtpd7oxMM60rC', 'TrudoxUCvrymygnTwdu', 'jYjq8jUDFQDoyOf9AJY', 'UuZb6eUWA4k5mpEAImM', 'D6wwi1UrvLD1anmOviU', 'WoQnWuUmyBARiO82jDG'
Source: 5tqXx7iu9m.exe, Pkom7egW1LqON2uIWhi.cs	High entropy of concatenated method names: 'PDosVAAqA4', 'cI0shX0p3V', 'FG7kbYtCux3tD3GY814', 'h6vS0Rt52Ri7AM8BTxm', 'IT52W0ttkLJBujGT1a6', 'h6tdRrtDg12WPt9LyI7', 'MFaEHQtWuSdcyZkbu9b', 'XURhuutrblQMdYf0iyV', 'Y7UBpctmxcuRSXgocQq', 'v7ccgit800PvgEdWm3t'
Source: 5tqXx7iu9m.exe, Y1S5wBtBMaG6NkdWWg.cs	High entropy of concatenated method names: 'Xi0TBTcn0', 'TbcaNEDCC', 'apHugNmwd', 'yOa1EsAKbTyPd6KIgYu', 'IWdbXVAwX4DXl0R8xlb', 'ggKV1WAoDUIgvDEJyFZ', 'jkBG1BAYLoiVAFEFfIU', 'T3EFyTAQA744aCkQP7N', 'XZSIhXAdXh6OFnxcHbV', 'lR1NUBAV9ljCRoxRs7r'
Source: 5tqXx7iu9m.exe, sJ965BgdktdyPxy717O.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'A4Z4ZT0OfXOGocdh4p6', 'N2WDwy0uDFIOkooK5yp', 'ILfxco0JYqurRklc2hf', 'JHB53q0RmO89KBWE40d', 'Uwqu1K0IroLg9pE2Ruu', 'EOnFgG0z8FZfpuZ98pa'
Source: 5tqXx7iu9m.exe, pAuhF4zg9r7aJB5aa7.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'fPn3CS0qgxWvU6KC1B0', 'YJOmrP0satDALsmTJC1', 'piCief0hg656Rd6cfKU', 'OuJLkO00D4NquRRySGe', 'ynmZpI0GqqRnACgErYV', 'X98i0v0LRRvtx8E1CDU'
Source: 5tqXx7iu9m.exe, gqw0Mj5JJaQfIqZf1qP.cs	High entropy of concatenated method names: '_7zt', 'Roqie7Pajd', 'HhpiZ71NSi', 'N87iHNAOdU', 'oKAiQi6q3v', 'kP9iLD8Q62', 'fytixfWdr3', 'DCsUQ4fEmStQiX3bqER', 'H77JSHfiR1oVueYJm4L', 'YtDC1nfvtTVi6YK9WB0'
Source: 5tqXx7iu9m.exe, sGcHEaB3pLexACRFVNK.cs	High entropy of concatenated method names: 'BJAmKsnNQh', 'lXGmFffKUd', 'XJtmV6Kg1I', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'oeumhbfaiB'
Source: 5tqXx7iu9m.exe, EinULEsZMhwOC7RkCfc.cs	High entropy of concatenated method names: 'MfY5Muy5rN', 'edR50klDG6', 'uT871cmb33C4vvD7nmi', 'IeOjs2mXPnqGst0qwdy', 'oGfrrPmEUNyOVUHmQkI', 'VICwUfmimJC2kOk5QWP', 'KvEfCWmf8l9DLnmePgQ', 'XNojA7ma78gRAFwWe1p', 'KPuroomPWEhT67tGu7h', 'gGbLPkmM4lF6HUyALW7'
Source: 5tqXx7iu9m.exe, qiFryjdMa1ZYu0igrfk.cs	High entropy of concatenated method names: 'h7orSNnfQ40MufTfORr', 'GnsfZunaOfbttFvOquw', 'eZmHmtnbYbduy6hQSug', 'SKD7ipnX6Vc6KiLQhgI', 'SS2r0FZB5k', 'SG0PRnn212UQw6eZKrh', 'YBfaGInj0m2fFEIQ7Ea', 'rBPGv0nF6ZJjHIUFmG5', 'GE1rw4npELvCd2HfgQl', 'RHOhILnBAGfOsBJ9pwY'
Source: 5tqXx7iu9m.exe, AL1sMgaM635LYrH59G.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'zgJnyjURMNxsh81N6rw', 'XpGDEsUIo8p5SVWcOlL', 'OsxD5PUzCapLT1n1I6X', 'wmAIrsqHybDeYwIwgZe', 'eA2qKnqAX0P3STj15Gw', 'XYYQ2FqUH5y4ZA1ay3Z'
Source: 5tqXx7iu9m.exe, zADDFmg0XOoGKxXIcNj.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'spEbkpGYcEqnW4Uw2Uy', 'VI5CyvGQtCOCkadx7YF', 'iLUUGVGdWt0q5yfs3Yk', 'yKFToNGV82LQX693iak', 'mAlXM2G7lsxdSBsZ1Yr', 'hAkxdmGZYOvUS9g3CgA'
Source: 5tqXx7iu9m.exe, FUvE5lg3WJSsnAEEln0.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'TeG9Pu9wPUfiDh9PWw1', 'PyWHi39ocV92cpV9dnk', 'ioZ0y29KmGARAMraw5i', 'wRpQOF9Yt20f0ZdteQI', 'fSBoZx9Q40vFwJnFLoV', 'HyheXr9d0y8HHrZe5ZT'
Source: 5tqXx7iu9m.exe, mKN7TAXFhHiPpg0oYTB.cs	High entropy of concatenated method names: 'asXpSxFlII', 'e9fpTggwU5', 'r2Rpa5DngY', 'UtRX8LvrKRWUDRgd5Wy', 'woZgh7vD7Kk8uiNmoo4', 'TF5HG3vW3Im4oUgMk2j', 'oFKIPdvm5tVJERD8hwd', 'GrKp6s7Ito', 'gttpRYqUsp', 'tmYpwDP3o2'
Source: 5tqXx7iu9m.exe, IH7EeIGeUJe80wymET.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'Y4Mok8hP9EFssjuD1nu', 'eHmeq0hMthrFA9k4Hwp', 'rVBAcgh2LlQtxY6AwmY', 'srKd95hjNKwhJ3wNX85', 'nL0VPShFFcauc1DHxyM', 'wkH29dhpyDc5yDPN3o1'
Source: 5tqXx7iu9m.exe, wkT1Sy43fUSQSZowmT.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'XK30p2stOrXb8oDqEMX', 'wV3h7ZsC0C2qNA5McW3', 'JIVfM6sDpn7g4oGAo32', 'SJrBYXsWGYiSE1JiQrj', 'hp54PIsr8lXrfSW2iCS', 'w8KWwTsmtE9mVZ9o7Ym'
Source: 5tqXx7iu9m.exe, Fxv32BgTtAfKsNdHWIb.cs	High entropy of concatenated method names: 'J0wgGymET3', 'uBLjGd5bxjIf42ANaw3', 'g9GEU65Xtx2aXHJXKNo', 'ryb2Wj5EWrttQnZBJ8G', 'G492ef5iBOYwE3WgPUj', 'vFuHhm5frA56LaRlBbJ', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 5tqXx7iu9m.exe, X2T5PWBllQixD8wZqQR.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 5tqXx7iu9m.exe, c8j41JBs1b7yAD7Kgh5.cs	High entropy of concatenated method names: 'kA9tp28axd', 'aGVtKCQQ3c', '_8r1', 'bK3tFrULTI', 'VaAtVxBpRb', 'QgwthPJ4be', 'i4jtijWMLc', 'A5xXk1Q8QvPYmZAG8Tj', 'GEXUo0QeXSx6lIUBg1m', 'RwJaEUQ6q8pR4rnInJ2'
Source: 5tqXx7iu9m.exe, IWroCPs0na118mNBILK.cs	High entropy of concatenated method names: 'jOrXUHcBXu', 'pv9r0vrqpIKbaGBlIGr', 'kCkbUCrsruyoy8ODSw6', 'IneDHLrAdVSOjZn4bL4', 'mHN8WOrUfesoRKW19aV', 'R3m77Zrhmtl74R2pt9W', 'cDZB3Hr0O2FHQVxGT3t', 'O7rcpJrGNInY0DldN08', 'cnv7JwrLxvcImkPTD22', 'n8ytcPr9dEJttSyvlb9'
Source: 5tqXx7iu9m.exe, sLRuDlX4IFb5P9w0WAH.cs	High entropy of concatenated method names: 'sg9', 'L3xRHrCwgh', 'htQKc6jutu', 'wIaR2oViGU', 'MdTHvNEgXiW8gppk7x0', 'yy9nvVES1e4qtfVOteo', 'i37oQsEksHAftmrfef2', 'fFaObhEnL9eXwxwHGJ6', 'DZPfcbExqeeRECwq2ol', 'fR7JjfEcr17d71Bb1Ba'
Source: 5tqXx7iu9m.exe, ABkyXJsTq6HJgmdvLqT.cs	High entropy of concatenated method names: 'f3BCNkyXJq', 'RcQGNFeR0s21FYSosnD', 'jKfRR8eIxH67dxZ2VXL', 'FgiPfceuEsOs5V78ZPk', 'i1HYtheJVa9IAvJc1pQ', 'F3NCciezaEDpvvQHuY1', 'UaPlns6HOnv1kUAEgSQ', 'KKVPcM6ANt4kwgFtDwf', 'tmw3KU6UweKdXdW0P3J', 'FdVN0R6qldwVLPKKVAr'
Source: 5tqXx7iu9m.exe, YZkkOCBIa1m4ij3Pfj5.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'MHBNKxPb06', 'DKvNFM3Kaj', 'DKsNVFteMK', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 5tqXx7iu9m.exe, gO5vaVgXhOw8xc3c6dx.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'GvsPGW02arRryjoB20t', 'clisuQ0j3TGpILnOkxp', 'amvenY0FngLeRDfF91J', 'wmHwS20pLLGU5wSvCmQ', 'ddE0hn0BvVOmeHp6uti', 'SCD0JT01yLmXjo8P2fa'
Source: 5tqXx7iu9m.exe, c1EAXOX0kdTSdNqUkQM.cs	High entropy of concatenated method names: 'hvip2Pr5OM', 'jXepIPb0kt', 'wJnpkfTIGZ', 'ElupWA3oxL', 'Ppg49qvBf8olZ6dlPnZ', 'SdFhs1v1b5k4ELylQKY', 'RZdthwvwWPJbsmNxw7W', 'iYZbpFvFQ4A0gVDaW5A', 'F0LskgvpZcWr5gyCV3x', 'DXx2UdvoJQR9QqfPOWe'
Source: 5tqXx7iu9m.exe, pRseuQXRpvKc9y3484Q.cs	High entropy of concatenated method names: 'xDUpyTIQIf', 'XGDpjkHcPL', 'znTpYUfk4d', 'jFNXiXvnaVcIrODrwWh', 'HWB8dnvxVJgTiyb9MJ2', 'iPMhVJvgnNQdN8ITZXD', 'JPW4V2vSvttXQF32EsW', 'noZHwbvksYrSvKXfYWJ', 'u9xj6AvcNjat4CEpdSu', 'wSXj35vlM4prrUps3td'
Source: 5tqXx7iu9m.exe, mfg88mgRuPlD2QitfFt.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'fuQ6DmGlBL0oxWpFn1D', 'Q2b7IUG4v1eUUqyEjgc', 'x5vO47GOdo3ie2bPlhr', 'RsqWhSGuGPm5w9jOycd', 'jsG526GJtwxEpiJOhZX', 'AAbx9RGRT2abpyqfWeu'
Source: 5tqXx7iu9m.exe, Iy5rNCsfdRklDG6h3vm.cs	High entropy of concatenated method names: 'LCyslWvTdA', 's5Vst4pARl', 'I1Hsmoo77c', 'D9SN2iCpfgoYgfFuIs4', 'bPcoY5CBS32pitVTq1R', 'Uyh0mPC1HmjYgChWe1t', 'jk5KdaCw1JogRqYeosQ', 'KA1u1uCo1FaFb9J0hZm', 'LjW8VkCKODMckGbbV14', 'dEvvB8CjESZcMZ6kkFQ'
Source: 5tqXx7iu9m.exe, Ru3WDeXgYZAMfdWdBSm.cs	High entropy of concatenated method names: 'D3XdNJbHGb', 'XRNdqUVFq2', 'lBhdr9hqaQ', 'FK6dORV97b', 'tlNcunyzlGr8NecP75o', 'BJ2dU2yRulLO5K9aAbv', 'C46bvGyIFRSGPwf5jGL', 'V5KHNINHZp5kALNQn8u', 'Sr3CYRNAwb1pdeqyBEu', 'QnRUhcNUkWj8E287rqB'
Source: 5tqXx7iu9m.exe, C7pyZOgCHNX2wtwDZye.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'pqwkeE0nSXN5kRRD8QO', 'foosda0x4ic5AF6cyFR', 'ysC7Fn0gW1LGxwEaulY', 'BghFVB0SPRtW0GETtBv', 'fh8WAa0kB5dTQiJLipC', 'Y6IT8h0cCABbRiocPbX'
Source: 5tqXx7iu9m.exe, DsVJYbgqZB6vne3MlD0.cs	High entropy of concatenated method names: 'VEcgkonpMs', 'm16dgD5UbrTd0yH339c', 't9sL1H5qg5uFLEesdC2', 'fak41D5HQSAbTmdmY4m', 'iXDy3s5AF1ZHOVcuC8l', 'ph3n6J5soRgjGIMtrAW', 'vOv4Py5hmYFm8iNYlMF', 'hx4ZRO50S2s4QEVr69l', 'QCtgbq31dw', 'c59crB59Pvx1y4RlrLs'
Source: 5tqXx7iu9m.exe, LDLt45XWxtbGQ6G6Z70.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'H04RNdSdvb', 'vEWF5FEtVF', 'i6DRGDy0g4', 'aQVoMEiWr7F1TDM13xn', 'kfFt4tirvG1H3ZIjE8n', 'EJdXkPimaPuaR59ncCs', 'l0xCI6i8vdHvXOmEiVQ', 'QThl4Rieb4aLvfPARep'
Source: 5tqXx7iu9m.exe, ndh5xqXUY5kqAnGOKRp.cs	High entropy of concatenated method names: 'eSSR43boPO9KPii8i9C', 'AcAB3SbKlWxHRs3twjN', 'ixQTFSb1gPDIMRMmOg3', 'D51w9dbwOIsFGNtvbDg', 'IWF', 'j72', 'qxoFwdU1jC', 'an5F7ScCA6', 'j4z', 'PZ5FJ1I4G5'
Source: 5tqXx7iu9m.exe, c5L1jXC1rXhW7SqHWGb.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 5tqXx7iu9m.exe, iENxUCgiS7n6vULoCjn.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'y78cMHGaGUOI3v2VDva', 'ocoTKFGPyBpaiLelwFo', 'QaXVVBGM7GTeq8D0rV0', 'NhFm0NG2aGkvHh1DKQA', 'LGETBXGjrEA0WOaEq5x', 'RNisSUGFGiAscregfis'
Source: 5tqXx7iu9m.exe, bANQSXCEgIEELV6GJ9N.cs	High entropy of concatenated method names: 'a9sl5u0mTK', 'KgSlC6dYdr', 'q9mlBt27gv', 'Knxldw05rS', 'SphlpPWacy', 'iUVlKw2tfO', 'y76lFVvM8S', 'MarlVd5H9X', 'NmtlhVpP3w', 'iC9lieRWBQ'
Source: 5tqXx7iu9m.exe, Eij2hgrrFPBWwqac1s.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'yLs9Iul3F', 'kQMUmfUN7wIcnZCHfUA', 'tGTCxTU3CvFybWL1AWm', 'gfa9GvUvdeA4wYu34lK', 'HtRwMoUTbN1ZYgKVh7Z', 'UQbQQkUEV68dPBNDIEB'
Source: 5tqXx7iu9m.exe, SwC5QrUhxoecVllH05.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'AmJNRyhZo4NO9MBhLSd', 'cKe7bZhngYQ0146owmi', 'Ui17j2hxMGIu6LeGxwt', 'kBTgPWhgPik8GC54DM8', 'd5DAfahSRV9AMxS1l2Q', 'UqCYa4hkc2NF1lawmqp'
Source: 5tqXx7iu9m.exe, xnsDjlIKo7yE1746GF.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'M58fYZs6JkvEvNXAmEr', 'uXSIKmsyIbBMxTMpPG8', 'LrSfBZsNYpqL3BQRKx1', 'FNWYg5s3F3WQl1FpF2Y', 'o0HJI3svP1yTniCwv1Q', 'umUD49sTGZdBe2ViFDO'
Source: 5tqXx7iu9m.exe, I1Hoo7gV7cx7ys2qvE3.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'p5HJgnGNkYylb8L34l3', 'FJk3SuG36kMJDLH3KPm', 'IE0tesGvAovMJaLBIY0', 'uTOfsYGTQWLTQGjXm8n', 'yJGTlkGEVjCMrggNRaL', 'tEZSoCGiSE6PyGKdC1V'
Source: 5tqXx7iu9m.exe, q6kiQ9dlrjQEXbYRRqm.cs	High entropy of concatenated method names: 'n2SrAcKyHX', 'FYFrlxqTmZ', 'tb8rtdFmr7', 'qAirmvjELV', 'jq2rvROOnj', 'vObr3XfyFh', 'q1RrNBVPTq', 'wL8rqEO1iq', 'lqxrr20iCl', 'SpFrOsdKrR'
Source: 5tqXx7iu9m.exe, DBFRQGXiPhdIxDLmcqr.cs	High entropy of concatenated method names: '_223', 'QYvYZuv6iLFPgXvqa4G', 'c1a4ZGvyCxaf4NM6baI', 'yEi4KMvNEjYdIhJTbQu', 'nrtXMdv3DYJ9obLM4ZW', 'NdXWcpvvbpPObTcdGgt', 'ex6u6EvTiIVFrB99jE7', 'C6N7hHvErcDE2cgR8WA', 'bSUGwvviRlNxyOGRLKj', 'DHH80hvbtTEf1djAjEC'
Source: 5tqXx7iu9m.exe, Nk0jq0XQaayekLkU9ml.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'TKrTfrEWUJn1W5CWveL', 'rmCAgLErSaEdfGskBc0', 'hCe2pgEmBGAw64Rgd3Z', 'KkfD09E8sVYq6EXCvZp'
Source: 5tqXx7iu9m.exe, K2PQqk5UKPcXun4aDfm.cs	High entropy of concatenated method names: 'EwN6lrLkUw', 'nu26mKgb41', 'BkM6MSpOvx', 'r0F60R8LIm', 'tWR66QijLp', 'Ddo6REp6Co', 'SaN6wf4snk', 'BAo67jJG8Q', 'mVf6JBpgWW', 'sF66eXiSbp'
Source: 5tqXx7iu9m.exe, GUfk4d5VmUH6IhpehBX.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 5tqXx7iu9m.exe, XGEjRR5wwvVdav3FKVt.cs	High entropy of concatenated method names: 'RDLi5cWfFO', 'KxEiCCAmsT', 'pFTiBRgFOc', 'ILPhmwfenXJjY651Uxf', 'sgF5wQf6O5oNVMoD70c', 'Est0PWfmrU2tjYqNwwW', 'KDAZSbf8stXOGbn9AsN', 'VuoRXvfyiATyDeTF6sL', 'PbvtK5fNxXrkEWf6TiS', 'BTag1Nf3ZISW2Exml9B'
Source: 5tqXx7iu9m.exe, NrRDqaBuSiKgmdaLuU7.cs	High entropy of concatenated method names: 'K1g3nVHtri', 'BaxgPx72EkDkrljXNIe', 'O3ZyKg7j7e6OOvyJ7ql', 'tVKw8S7PRugeXMfe9JH', 'snowXh7Md5qJ1EWbhXo', '_1fi', 'xXAvYERJ7h', '_676', 'IG9', 'mdP'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe

File created: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe

Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File written: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe			Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File written: C:\Program Files\Mozilla Firefox\fonts\sqPKQawpTnLujfRgyPwI.exe			Jump to behavior

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Recovery\backgroundTaskHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Recovery\System.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Program Files\Microsoft\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sqPKQawpTnLujfRgyPwI.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Program Files\Microsoft\fontdrvhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Program Files (x86)\Windows Defender\sqPKQawpTnLujfRgyPwI.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\sqPKQawpTnLujfRgyPwI.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Windows\Tasks\sqPKQawpTnLujfRgyPwI.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Recovery\sqPKQawpTnLujfRgyPwI.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Program Files\Mozilla Firefox\fonts\sqPKQawpTnLujfRgyPwI.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Users\user\sqPKQawpTnLujfRgyPwI.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe	Jump to dropped file

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe

File created: C:\Users\user\sqPKQawpTnLujfRgyPwI.exe

Jump to dropped file

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Windows\Tasks\sqPKQawpTnLujfRgyPwI.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe	Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe

File created: C:\Users\user\sqPKQawpTnLujfRgyPwI.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe'" /f

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe

File created: C:\Windows\Tasks\sqPKQawpTnLujfRgyPwI.exe

Jump to behavior

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Users\Default User\Start Menu\Programs\Accessories\sqPKQawpTnLujfRgyPwI.exe	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\sqPKQawpTnLujfRgyPwI.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File created: C:\Users\Default User\Start Menu\Programs\Accessories\95aaaff3431df3	Jump to behavior

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Memory allocated: 11E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Memory allocated: 1B1E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Memory allocated: 920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Memory allocated: 1A6D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Memory allocated: 1070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Memory allocated: 1AD50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Memory allocated: 10B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Memory allocated: 1ABB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Memory allocated: 2250000 memory reserve \| memory write watch
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Memory allocated: 1A540000 memory reserve \| memory write watch
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Memory allocated: 2490000 memory reserve \| memory write watch
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Memory allocated: 1A6F0000 memory reserve \| memory write watch
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Memory allocated: D40000 memory reserve \| memory write watch
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Memory allocated: 1AB00000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Window / User API: threadDelayed 1673	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Window / User API: threadDelayed 359	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Window / User API: threadDelayed 367	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Window / User API: threadDelayed 369	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Window / User API: threadDelayed 364	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Window / User API: threadDelayed 363
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Window / User API: threadDelayed 364
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Window / User API: threadDelayed 370

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe TID: 7600	Thread sleep count: 1673 > 30	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe TID: 7600	Thread sleep count: 359 > 30	Jump to behavior
Source: C:\Users\user\Desktop\5tqXx7iu9m.exe TID: 7576	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe TID: 8068	Thread sleep count: 367 > 30	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe TID: 1700	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe TID: 8056	Thread sleep count: 369 > 30	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe TID: 7872	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe TID: 8032	Thread sleep count: 364 > 30	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe TID: 7964	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe TID: 7988	Thread sleep count: 363 > 30
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe TID: 648	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Microsoft\fontdrvhost.exe TID: 8136	Thread sleep count: 364 > 30
Source: C:\Program Files\Microsoft\fontdrvhost.exe TID: 8000	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Microsoft\fontdrvhost.exe TID: 8164	Thread sleep count: 370 > 30
Source: C:\Program Files\Microsoft\fontdrvhost.exe TID: 8052	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Microsoft\fontdrvhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Microsoft\fontdrvhost.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Process token adjusted: Debug
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process token adjusted: Debug
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe

Process created: unknown unknown

Jump to behavior

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe	Queries volume information: C:\Users\user\Desktop\5tqXx7iu9m.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Queries volume information: C:\Recovery\backgroundTaskHost.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\backgroundTaskHost.exe	Queries volume information: C:\Recovery\backgroundTaskHost.exe VolumeInformation	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe VolumeInformation	Jump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe VolumeInformation
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Queries volume information: C:\Program Files\Microsoft\fontdrvhost.exe VolumeInformation
Source: C:\Program Files\Microsoft\fontdrvhost.exe	Queries volume information: C:\Program Files\Microsoft\fontdrvhost.exe VolumeInformation

Source: C:\Users\user\Desktop\5tqXx7iu9m.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0000001E.00000002.1767136982.0000000002719000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1679281685.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1767202182.0000000002737000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1767202182.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.1774528305.0000000002B48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1766950763.0000000002592000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1767223313.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1767136982.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1767223313.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1679281685.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1769916533.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.1774528305.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1766950763.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5tqXx7iu9m.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: backgroundTaskHost.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: backgroundTaskHost.exe PID: 8128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dllhost.exe PID: 8156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dllhost.exe PID: 8184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 7240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 7232, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0000001E.00000002.1767136982.0000000002719000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1679281685.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1767202182.0000000002737000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1767202182.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.1774528305.0000000002B48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1766950763.0000000002592000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1767223313.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1767136982.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1767223313.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1679281685.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1769916533.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.1774528305.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1766950763.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5tqXx7iu9m.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: backgroundTaskHost.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: backgroundTaskHost.exe PID: 8128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dllhost.exe PID: 8156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dllhost.exe PID: 8184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 7240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 7232, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	11 Scheduled Task/Job	11 Process Injection	333 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
5tqXx7iu9m.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
5tqXx7iu9m.exe	67%	Virustotal		Browse
5tqXx7iu9m.exe	100%	Avira	HEUR/AGEN.1323984
5tqXx7iu9m.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Microsoft\fontdrvhost.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Microsoft\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	100%	Avira	HEUR/AGEN.1323984
C:\Recovery\backgroundTaskHost.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	100%	Avira	HEUR/AGEN.1323984
C:\Recovery\System.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	100%	Joe Sandbox ML
C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	100%	Joe Sandbox ML
C:\Program Files\Microsoft\fontdrvhost.exe	100%	Joe Sandbox ML
C:\Program Files\Microsoft\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	100%	Joe Sandbox ML
C:\Recovery\backgroundTaskHost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	100%	Joe Sandbox ML
C:\Recovery\System.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe	67%	Virustotal		Browse
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sqPKQawpTnLujfRgyPwI.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sqPKQawpTnLujfRgyPwI.exe	67%	Virustotal		Browse
C:\Program Files (x86)\Windows Defender\sqPKQawpTnLujfRgyPwI.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Program Files (x86)\Windows Defender\sqPKQawpTnLujfRgyPwI.exe	67%	Virustotal		Browse
C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe	67%	Virustotal		Browse
C:\Program Files\Microsoft\RuntimeBroker.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Program Files\Microsoft\RuntimeBroker.exe	67%	Virustotal		Browse
C:\Program Files\Microsoft\fontdrvhost.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Program Files\Microsoft\fontdrvhost.exe	67%	Virustotal		Browse
C:\Program Files\Mozilla Firefox\fonts\sqPKQawpTnLujfRgyPwI.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Program Files\Mozilla Firefox\fonts\sqPKQawpTnLujfRgyPwI.exe	67%	Virustotal		Browse
C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe	67%	Virustotal		Browse
C:\Recovery\System.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Recovery\System.exe	67%	Virustotal		Browse
C:\Recovery\backgroundTaskHost.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Recovery\backgroundTaskHost.exe	67%	Virustotal		Browse
C:\Recovery\sqPKQawpTnLujfRgyPwI.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Recovery\sqPKQawpTnLujfRgyPwI.exe	67%	Virustotal		Browse
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\sqPKQawpTnLujfRgyPwI.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\sqPKQawpTnLujfRgyPwI.exe	67%	Virustotal		Browse
C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe	67%	Virustotal		Browse
C:\Users\user\sqPKQawpTnLujfRgyPwI.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Users\user\sqPKQawpTnLujfRgyPwI.exe	67%	Virustotal		Browse
C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe	67%	Virustotal		Browse
C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe	67%	Virustotal		Browse
C:\Windows\Tasks\sqPKQawpTnLujfRgyPwI.exe	84%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Windows\Tasks\sqPKQawpTnLujfRgyPwI.exe	67%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	5tqXx7iu9m.exe, 00000000.00000002.1679281685.00000000037BF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502380
Start date and time:	2024-09-01 03:11:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5tqXx7iu9m.exe renamed because original name is a hash value
Original Sample Name:	2CE997B7EEBEE4A876D0347A3489C945.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@41/55@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 79% Number of executed functions: 475 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, a1023737.xsph.ru, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 5tqXx7iu9m.exe, PID 7552 because it is empty
Execution Graph export aborted for target backgroundTaskHost.exe, PID 8096 because it is empty
Execution Graph export aborted for target backgroundTaskHost.exe, PID 8128 because it is empty
Execution Graph export aborted for target dllhost.exe, PID 8156 because it is empty
Execution Graph export aborted for target dllhost.exe, PID 8184 because it is empty
Execution Graph export aborted for target fontdrvhost.exe, PID 7232 because it is empty
Execution Graph export aborted for target fontdrvhost.exe, PID 7240 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:11:57	Task Scheduler	Run new task: backgroundTaskHost path: "C:\Recovery\backgroundTaskHost.exe"
02:11:57	Task Scheduler	Run new task: backgroundTaskHostb path: "C:\Recovery\backgroundTaskHost.exe"
02:11:57	Task Scheduler	Run new task: dllhost path: "C:\Users\Default\Application Data\Microsoft\dllhost.exe"
02:11:57	Task Scheduler	Run new task: dllhostd path: "C:\Users\Default\Application Data\Microsoft\dllhost.exe"
02:11:57	Task Scheduler	Run new task: fontdrvhost path: "C:\Program Files\Microsoft\fontdrvhost.exe"
02:11:57	Task Scheduler	Run new task: fontdrvhostf path: "C:\Program Files\Microsoft\fontdrvhost.exe"
02:11:57	Task Scheduler	Run new task: sqPKQawpTnLujfRgyPwI path: "C:\Users\user\sqPKQawpTnLujfRgyPwI.exe"
02:11:57	Task Scheduler	Run new task: sqPKQawpTnLujfRgyPwIs path: "C:\Users\Default User\Start Menu\Programs\Accessories\sqPKQawpTnLujfRgyPwI.exe"
02:11:57	Task Scheduler	Run new task: System path: "C:\Recovery\System.exe"
02:11:57	Task Scheduler	Run new task: SystemS path: "C:\Recovery\System.exe"
02:11:59	Task Scheduler	Run new task: csrss path: "C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe"
02:11:59	Task Scheduler	Run new task: csrssc path: "C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe"
02:11:59	Task Scheduler	Run new task: RuntimeBroker path: "C:\Program Files\Microsoft\RuntimeBroker.exe"
02:11:59	Task Scheduler	Run new task: RuntimeBrokerR path: "C:\Program Files\Microsoft\RuntimeBroker.exe"

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with very long lines (933), with no line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	5.8941355860553335
Encrypted:	false
SSDEEP:	24:pjjRxjGfZ6T6kn+BRCBEIyHOa5lxSRxUygcZ1T4TLVE760pVw0DHFff:FjRlGR3knkIeO+rQxMcZaLVE760HfDHR
MD5:	3F46431D8353C65432CEE730CF811C7A
SHA1:	16BFE047AE04BF408338AC1A99BA41605A35C53D
SHA-256:	DB060C9047A687F74D7612EB04A24742765227D10D11F5A6A7F16AA2438E6AC4
SHA-512:	B5D660FBE1368746557E6FCD2CB72F0827A9ABB6AC9F96941DA1BD71D4F01B91A4ACC22CCB6A0841A798A5C437FC3D60E6A43635B7B72973626CC2412C5033A7
Malicious:	false
Preview:	06vKBpWIURG5j4xEjXOrgIZ23CLvB8OtslQawMKD1IKj21DNaJJHvcZrg3R8elHWCXN8oWRXMLzX809B97U2yH8PLi335MiQBygenEjD1w4jmBtq3P8hQPh5Z7wFdXbAmjWJTeX4XRACMYnKzMApNB9wRlFqSdkeU46DpjXY1DJ8OftBUmPQXwwljk2sZrm3rgrRbjeQzmyJ1Bhv2EWpOTGiIVdEqo8KbPRsxbjuH9av7mtiCG0VV6pXZJJGGZjKnnsmty8aeliO3Ukfl5Bjynzfj3TnRdoraPIT4HyOIZ0tYbeEineKX9WAyNC0fVJB70ynMQldHxbZwFHIZOEn8dUa3IfrF8txPyvhn12SCBDkh6NsF4bQQfDdgXtEv4YIEoJ8UjehWwl6at264wlKhcgtuRBPHxgHm4g2xOYfZ34d4HDwewJ9TNllHZNCiPaiPdUgNAJpXFvniDznOOvVnhyZS4uYBW7KdVNawhjendlNc8DEkjxTdE5sp4NTPvoBIlKMzY0rpQrK5k7U0qxbinqYafv1TQP1zjF0x0PLsGoMWvwF72ci7Mde4vwTn8XZB0UWeGg9amtb8dBpsp4axq4mGl5BE5ittPLgaal1WcIVdCfbuHl7E6lV6sP3Ke5eE9rtSeORECEVhiJDFeR7Ukpxn0ksKrr1hoQeUwJP2T3C1QxXiMypN8KeT4Fb4gGWVNx3SotSVBEAqm5WDMJ83BnjdwKaqrUVNgrnc3E4dfUL3Kxr8tYrXHdTkOZgeSmorswJ5R3JHOfXrbqT8db7Sm8FDXDOdiaK3qeKXowrzPjIlGmIiGhB1oVEurGhNppjyVdA7f6UruIDD0d6v5qXBYSPUaaphOdJjATQmlKCKNTHgSB3NJwS9ShZDOqhEQxcQ8dCgNUJunMxFKtBZgbXcKKRc3MY5n84a10hz

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.082883867738262
Encrypted:	false
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
MD5:	2CE997B7EEBEE4A876D0347A3489C945
SHA1:	3F2BF00A16DE610C0549385D214E6C75293D1141
SHA-256:	DE04994B9650E7F00F8F264ADE023D530D292AB03AD672E0101D8E32B886D575
SHA-512:	AD63E022F036959E20DB3310DFE3C7223BE9E5E4AAD2B1D050EA80829A6D7E7EA1E0A4D76AC4A8AFD5D24FE47E52F186EC5531714AACAB294CF6446C09EA694F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\95aaaff3431df3

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with very long lines (363), with no line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	5.839730299924416
Encrypted:	false
SSDEEP:	6:C8zgbDRWjgXQ3ipDr0jk2k0WPfCmqUp+ynjjU/Ipmq+mlz:CigbNkgXQa/0wXCma/Um0p
MD5:	3EC14E6BC5142BBA270BA0F6430AD27C
SHA1:	8CB963629ADED4843A4D8CE75EACFE38CBE9D965
SHA-256:	EEC32B242E40839396B9544BB91E6ED4111BA379B0D81D7024F3A611874FCCAE
SHA-512:	84B30E4846D99F63D21448907A3CE33A029CDF5A953F9763F564503594F58C232C3B63F71958C2682CD3DAF8FF42A74B037367F100EA9F14BC0978D89AA825EC
Malicious:	false
Preview:	Z9XCR3H6r3UHYfbTIYV1eiKvUDvMysU8uVTGWmBkZEtEOr6r44v9FB11ylrOI5H8jVWDLU7gWubayFgmGDR47U3tdcRu4wce6vf2V3fj6PmUkbDtFFHEnNAPcnjtDMlkS7dCknQNis8sriIBZipzoX0tuQasTwgtnCCm7AJby3g5OSh3ehTehv55GuRTNi4vLOEpggEZYNBv05ectgOvdBL2GHfMszOQ9vtAO1X7d4FUuKELQzkqTISKCMiZA1qj9vvFLdN1JQRj51H6CU62Oh60cj7CT87mNgV8Y99wmthC1tOLElWq4xUby5mmgLhKTpVZgJiCUJQf939tUw7rlQrZM3KdXWQaLWtLXzo5DTV

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sqPKQawpTnLujfRgyPwI.exe

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.082883867738262
Encrypted:	false
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
MD5:	2CE997B7EEBEE4A876D0347A3489C945
SHA1:	3F2BF00A16DE610C0549385D214E6C75293D1141
SHA-256:	DE04994B9650E7F00F8F264ADE023D530D292AB03AD672E0101D8E32B886D575
SHA-512:	AD63E022F036959E20DB3310DFE3C7223BE9E5E4AAD2B1D050EA80829A6D7E7EA1E0A4D76AC4A8AFD5D24FE47E52F186EC5531714AACAB294CF6446C09EA694F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sqPKQawpTnLujfRgyPwI.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Windows Defender\95aaaff3431df3

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with very long lines (501), with no line terminators
Category:	dropped
Size (bytes):	501
Entropy (8bit):	5.8654846113008094
Encrypted:	false
SSDEEP:	12:tBvwcQbrBjcO737Yf9zBE3l2EzhIjjAfSlQoMN9uHIEQnvcKLvW:tB5QbrBjb37yFQl2ENIjM+QbUavdL+
MD5:	FA2B047AECD97A930BD7E489A04DFB99
SHA1:	37B50D0DE4CA0F259129C529F80D53FF6F4AADD0
SHA-256:	BCDD2E054ADF6F9462FAE91BF4DFFCF82F1B5C155E0E399623B83EE3C08F210B
SHA-512:	514887FC0783D7ABAB30A431C54AA4DA053107CC9C37DF7EAFBD5B6D187A35238FF61B6D24559FA7DD15A34AB2CA393D494C66F78F4CD446BE2FB6343DEA694D
Malicious:	false
Preview:	UiCT17uZyFdBDeVSRNFzERC7cWTY8FZQrigMrfMwq5RjtNwWA0HEKvaDfF0foVasqNTf8IkwASIJ9cNOj6XI8UG5IcqmorHVej3g3RX1PUE1nRDD1l6r8RtVHXXfc8HTLxoairVSjg2nQOS0ZnuDvZWMziYg31ZRNupzmneKQoIbZFF2FgGyOEhwablASyYsGlafjcOvIkwHR5xtdgbXukDIM3ZLCe1bPZVypjTmSUqnSaffn1hwXB7fhRSqDDtotU11j9D3NyFZ4Z0wY4hK7EDOc0QXRmiOlC47jn5oxnji5hkIagSJgjqoQmYttpmkQ0y2f3Mu83WTeeS4PI7uUYsBVPq6OM4HB9SFtsmhTiLnMWKwTedls1Q1HwgQMPfv8OSfMNKhfabwNFz8F4mutTZJsb86LVUDCao8EojGT6FSaenC7iLSmuCpzIwuOOVJGXtxa04aUgawNHtOx69nKBaRX9J51y1Fk6MCv0lGnu7GUPcrYi7SO

C:\Program Files (x86)\Windows Defender\sqPKQawpTnLujfRgyPwI.exe

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.082883867738262
Encrypted:	false
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
MD5:	2CE997B7EEBEE4A876D0347A3489C945
SHA1:	3F2BF00A16DE610C0549385D214E6C75293D1141
SHA-256:	DE04994B9650E7F00F8F264ADE023D530D292AB03AD672E0101D8E32B886D575
SHA-512:	AD63E022F036959E20DB3310DFE3C7223BE9E5E4AAD2B1D050EA80829A6D7E7EA1E0A4D76AC4A8AFD5D24FE47E52F186EC5531714AACAB294CF6446C09EA694F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows Defender\sqPKQawpTnLujfRgyPwI.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\886983d96e3d3e

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with very long lines (564), with no line terminators
Category:	dropped
Size (bytes):	564
Entropy (8bit):	5.879257929100322
Encrypted:	false
SSDEEP:	12:zpCjl7ISyyBpcQbwcb8MOIxpN7OJOOzUM7PGAv14qVYIEm4jV1wtaOQPZ:ul7ISy0hU2xpN7OJLUM7egq5m4j/19PZ
MD5:	C3F4A32E69885B0AC56F61A873ECB207
SHA1:	32E33661A4B53A574B12DE1DF8CB801CD1C780F5
SHA-256:	DFCFA4ECFA58960B6B84C1A429ED936EA9B68487D68C5967FDA6E20C21B2548A
SHA-512:	36DE5A4F4E12C5421E05B81A939E700CA0F58AC92142E55083363C402E864DF2EE16C530D3D3568F5D7CC66C42B1DC327D753EB0DC39519A7B01389F75D5E9EB
Malicious:	false
Preview:	asKv9QIUXe6o4QHs7hEm8IanxyV4Q1mrp9DxtZwePdlp7ohx2IGm3WkRRg8L5NEg1P94MT8iujWehvpIQiCIvAxSYwgMbljBZFxsonkiJi1U9Gtg0z5WL6u1bqfZxvHJAUEc87en7d8NJdSSC9WmqNzdU5Q8HKuXarTpBRh3VSYs7hs8XNXxZfdxekHCqffxtkwbJnQvccRYyHgxNRk4x685OgKaJfMzwl9XuRzu6mV6OF8WEUzY5l9wm1Mmd0l6QblNIIC6c08KlBrJhxWyqx3LlMv3EMQGAYqwdvO6S36EmzLkJDEpdwQcial5XI1Pj2JMV5pwjagx1yiwBLuAHlmOHNODKSiJBqfup8OOYSGDQdkt2y4MY0H8P5EHrmmQ1WvKTxHC6fmzei7nneLVXWvKigft4HhvqzM4sZZEr2Q3OSer8aeMaR3ellmwSXIy70JoVD5NEGnfG26QCxvdnVUY6rTGxnwTtb5XIzV5eRHUnXYspWuempLmfurntzZbUTwo7iHNbz8WNAvjTkbb3RqEPS1YHrLp1q9UltvGOhDxqzZf9IUJ

C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.082883867738262
Encrypted:	false
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
MD5:	2CE997B7EEBEE4A876D0347A3489C945
SHA1:	3F2BF00A16DE610C0549385D214E6C75293D1141
SHA-256:	DE04994B9650E7F00F8F264ADE023D530D292AB03AD672E0101D8E32B886D575
SHA-512:	AD63E022F036959E20DB3310DFE3C7223BE9E5E4AAD2B1D050EA80829A6D7E7EA1E0A4D76AC4A8AFD5D24FE47E52F186EC5531714AACAB294CF6446C09EA694F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Microsoft\5b884080fd4f94

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with very long lines (790), with no line terminators
Category:	dropped
Size (bytes):	790
Entropy (8bit):	5.909052286238849
Encrypted:	false
SSDEEP:	24:dIkevtRXMVDasSvkuAl12Kl2RH6cl2EE1:ikevtNvkugAM2dt2
MD5:	DF60548AAC9677DA869C2CD180542245
SHA1:	6D2D783303623EC461945F858E3DB5DC2E83BEC3
SHA-256:	628321225A6F2547AED9B36AB39E042E55AA70F3E745AFBB2A5650D4D2180C78
SHA-512:	1164515F10019A47F342CFF44005DC8CF51F4D2656203D174AC4AD6207A6AB8A99FB049CA86180F7CEE4BAD576563800A91EC98DAEEDC25CA737E390908FCBFB
Malicious:	false
Preview:	UJ5Xoe9T0gPMurRGLrZAsnCzXf7v7H4mVWfUNdf8vRpCoi1zCY0VuMErGFAIhOWsmn0XL73sLaPb8ALyoIsiRi1ISyNHcWah56ZArdnFfHJT7msG4LeZfxbDvrFWuvPzArgCkKHKenDJZiLpGHNQ1BBHeWPAXQUt1UTPFqftET42tSoNgZQni978pZhO5HxOSURFO5kZldMiHJXLsBd89rK2WVjqIRx7gqjZAi9kz1BFwZ0gBWf3nyOkJZt3V3QUqOBbj7LJC2IIpFF6eDpwv3Trb8PlzGP5lrZiYZ6DKW1uqG5ETwYROdiw5T9ksjT6nNg8qhiFHllZCjBVDLRDr7qHJmmEZVVlC5Gcj7YwOTKm1IuWSohgSQOqgYyD4epvQAXGcivGxfzYwDQA2QvvyyTvqa6KIU1toYW0vn3t3aswb03cIyKns47brlaBmk8cnFuYrZPPXC1XGgTzhdCUJOBtb4JJM2HScQJWGfvtj4QqCjVLRkeJinSZEA7wQFDe4i5zW7tBsSvP7Uq1j71lY8uy7tSFi8cd1vvenfyU1cbP2DctTFMSObG6xH2mpndt0RXLjMNDIhu5hf53RjwcwJPapyqgmMoN8sZkqQKG2IKqrKZSM9VG1B6qC7gugrb62g7yGUNBYpkn9iseZXTn0iW6vtituZkKrNyKNkM1wTrLbTqdOCUJXxFUJADWweR9FZ5vuiQyKb1h0LfbCEerEaw4IeAMgzFSCsFBY4tpvg866id8emUr9j4onAnPhDRVVieIFeCHUy6ic08jBCr4fY

C:\Program Files\Microsoft\9e8d7a4ca61bd9

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with very long lines (654), with no line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.883122741102218
Encrypted:	false
SSDEEP:	12:4hiBFr/A25JVGnyb1wIaw6zuAdqfvFhAmFZtRmAV4kTOlJiSAng:4hi/DJwyWIJ8bshAYZqKzTOlbAng
MD5:	0B4DB679D4ABE6C37DE24B352328DD60
SHA1:	77BA146151211D1A75647FE61E5A2146E1765634
SHA-256:	4CFF94D1B77876F5916FEC01CF751CAC2099123149D8436C9701AFBE78A0EE61
SHA-512:	2F6A5E7C5F64310E965484454ACDE178C0F9D7966D9CDF3AF25F7D5CDA51E262DC637E2211712F4137B29F2B01BA96FC77BD158EF4CBFCE2618A54210495D02F
Malicious:	false
Preview:	7rbN9WJO2fqzDGGFsBqaKGuY77VzZxs6L8LpAwwC1YzKcnna4WPLjxd06DPBBTzFxtnF5bF6OniwRk5UU45CihWYfUt7huBhjuWs9hedRT65OrjWH5rGYwhQWPklsIZdmBMhNMUwabvOkbKxvXzlD4JwNGVu73vJ3cSNeBI4k4q6BSp5EwzVSxar1aUH1kzgqlUII7StO4BJONu5aapKDa0GCkVErBDAFJQZ7hwHdGGXwQcoqZqa4odPvOGhlOBN1BDF6U73nhq7TdUvIrYSUmFbpAosaPgPE3gvNXrVbwxW7g5R4UZ40t2O5ma6qPdYBb2a6jiu9C1izseIEWyFzlYVASzk6upMTYVfofVVwo4y1TYMIR2TaXjaCgZot7yOXpObX8ejBcTKqkdq3mcp2Vv6z4cHFqmz0qaMF6zKwTR8EYtcCtuGeIWB3SmcfXdU0dTAKRl7xS2jDx2aLAEW6fUrUYSwUWoZz6HkEtSvHxSMQw7GaLRfSHYVIlqv8zmbnctHpRWcrTOINIbhbLWJFJHriwccChwSL1ixC0aIyyx92QI9KJTwccVeVCi3z3ZKg67VkoekvNUQVIyRocS3NAztfDcARgT5Zmc6TwZfotBOHFJMNRPWkf7gHOzgLdSO4Z0sp281DwPd8k

C:\Program Files\Microsoft\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.082883867738262
Encrypted:	false
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
MD5:	2CE997B7EEBEE4A876D0347A3489C945
SHA1:	3F2BF00A16DE610C0549385D214E6C75293D1141
SHA-256:	DE04994B9650E7F00F8F264ADE023D530D292AB03AD672E0101D8E32B886D575
SHA-512:	AD63E022F036959E20DB3310DFE3C7223BE9E5E4AAD2B1D050EA80829A6D7E7EA1E0A4D76AC4A8AFD5D24FE47E52F186EC5531714AACAB294CF6446C09EA694F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Microsoft\RuntimeBroker.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Microsoft\fontdrvhost.exe

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.082883867738262
Encrypted:	false
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
MD5:	2CE997B7EEBEE4A876D0347A3489C945
SHA1:	3F2BF00A16DE610C0549385D214E6C75293D1141
SHA-256:	DE04994B9650E7F00F8F264ADE023D530D292AB03AD672E0101D8E32B886D575
SHA-512:	AD63E022F036959E20DB3310DFE3C7223BE9E5E4AAD2B1D050EA80829A6D7E7EA1E0A4D76AC4A8AFD5D24FE47E52F186EC5531714AACAB294CF6446C09EA694F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Microsoft\fontdrvhost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Mozilla Firefox\fonts\95aaaff3431df3

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	53
Entropy (8bit):	5.156889086516211
Encrypted:	false
SSDEEP:	3:RllCowlq6TdUCdJpDH2xB:hwDTHDkB
MD5:	F3F1F1D654973BBB1CD8E079DF6BE11C
SHA1:	21B9A3B95EC2D6FFB8BA1BC2FBDFB2DE6EE3471A
SHA-256:	36A35E823571464355D9995AE7FB0534149B2FA0DB9B844B23F05649FC8D189B
SHA-512:	109C24C53D0EC4FF3A7DE9C12AFAE64BDBDEC4D2BD0D274928EBD7E5835A72E2B6FFFA7B90BDEDC22385EF2BE951481355F262606266ACE8D6FEF2BB235CB0D7
Malicious:	false
Preview:	oS572XbPheEgMUyqObmB68oX1qeyuIgxlLMQHACzLthL3Wn9yei41

C:\Program Files\Mozilla Firefox\fonts\sqPKQawpTnLujfRgyPwI.exe

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.082883867738262
Encrypted:	false
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
MD5:	2CE997B7EEBEE4A876D0347A3489C945
SHA1:	3F2BF00A16DE610C0549385D214E6C75293D1141
SHA-256:	DE04994B9650E7F00F8F264ADE023D530D292AB03AD672E0101D8E32B886D575
SHA-512:	AD63E022F036959E20DB3310DFE3C7223BE9E5E4AAD2B1D050EA80829A6D7E7EA1E0A4D76AC4A8AFD5D24FE47E52F186EC5531714AACAB294CF6446C09EA694F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\fonts\sqPKQawpTnLujfRgyPwI.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows Photo Viewer\95aaaff3431df3

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.806993150359705
Encrypted:	false
SSDEEP:	6:OCjRSuCXV0uG6ggovXCX0UrZGAoMisaCo+9lBL9BQziPpFIdTRed/Kdqn:OCjRSNXLoVS9r4IisZHlwzNv8/Eqn
MD5:	675E5A072D5529D6D7600632839A4166
SHA1:	C5831E3338193FF72006EA411D8AE4D5551C862D
SHA-256:	2EC9E11F11B1D4DAE4AB96CB11AA912A44D74137FE4A7504AB125338042F7058
SHA-512:	B23B59F9D19350C7D6235F8C568197B58F8C7B1605A434327A236E5F6E13846E0459A745C1E241C2EA667B0B7CFACCF931BADB73081BA50D142BA90E716D56D5
Malicious:	false
Preview:	zdi7q1kxen22j8MD77WZMTYrgrHtuHVJvco8oTfQNTPSLPVs7FUEyUFgE1b9t1CWStGGUNZncFM2DGgRVZvpxQUbWI3x2fgWQ2AcIPYtpqmsHNc8UKoUFXjBYptLUlv6i0mKFEJFBB9GomTJp5cs1LQ3T8EcgMZE5pJRlR2PBiTDXcWwWjfZJCEXks0HAqjym5L8cBiYCMrT2Mf1mRG6qA42lwr2avPU8ebcRXTUBHX6VveXM9fsknImASXpUp7Q7WUXvDkO8v4in8hzRUqbQhuVWzb8Ao9VKG99aHlIZQu

C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.082883867738262
Encrypted:	false
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
MD5:	2CE997B7EEBEE4A876D0347A3489C945
SHA1:	3F2BF00A16DE610C0549385D214E6C75293D1141
SHA-256:	DE04994B9650E7F00F8F264ADE023D530D292AB03AD672E0101D8E32B886D575
SHA-512:	AD63E022F036959E20DB3310DFE3C7223BE9E5E4AAD2B1D050EA80829A6D7E7EA1E0A4D76AC4A8AFD5D24FE47E52F186EC5531714AACAB294CF6446C09EA694F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\27d1bcfc3c54e0

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with very long lines (617), with no line terminators
Category:	dropped
Size (bytes):	617
Entropy (8bit):	5.8901450450848145
Encrypted:	false
SSDEEP:	12:SEDXhhy25uzEW5uJ2gvOkevFmhs+akCtMVNwFh4vzCN7J+7Phnf:S4Xh8+ZZJPOL9mhJCYwFh4L6JkPh
MD5:	3EFF2D26C1CCD71E86D31041BE8B530D
SHA1:	EB84C7846A5E96B299B271956EEC6DD17B347199
SHA-256:	8ECB167F1204EA518181C1BCD1F02D578C5025F15BF5A3F7C6B06781E1D3473D
SHA-512:	AAE205886F24E8A47CEF7A36AC85CDA4FB57F4E4DCE9E4D878EF10B66AF3FAE813F60E41E3D68D8161CAD53EE4E511B7BD20B32D8DAB09CC41923306828B5C4F
Malicious:	false
Preview:	8B6mlNTwjXg9hZKshB9w5nv0ZNcR9WoGjXcGpgxDaCJMcCNIMScdAmqVPGMYvCwMsaZK7ECAO6W3ejXW9UEq4LF6qG0jUYRYP6dCmDLIPbPDQw0qszZb8GShUdd0Ndqzo7niFVu5I5bc5Cp3QK0e90ZJn6sJjV4wvaYTJSkXFdSCo0lRyjkDmLzxhe5InkWxBprfnWu7jdZfiXewUaVAv0JjklvoXcueHeB8JGobymeIwTPK9IyNPWCKfH5ClGkHt4YEVfnOv3LIWAxQVkpOngPvb1dCLm0sBXZ15KydfkbVK3yfTpqAaWdMonmeClDIDcH8l6ULvLtDE4khD7sg60Ro3MMSiUa3hTSrwz3XUfOPmaHuCEbF2hMNLcFZtCmbuzfvl2vOEVLblCCdEbPd3VAAGEgTtenR2xew4WJKTNAhVvlJamURxJiZzfogVcejr4iyhPisSEJpUdoVdX2HKWesOF7Yrmy1tb0bMxlLDl8s92EW0TD8jWZVZzjcRJBqQS63mNIpwrEiXvtWAlhXi0SWCfBXNI33kScr5LtnLYL1S07oGNbqmnIZAk1HMvcnyK7ETCaz24MJoaELhWRAqMR6JCqVTlaa6iCH32UEw

C:\Recovery\95aaaff3431df3

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	247
Entropy (8bit):	5.779890996226884
Encrypted:	false
SSDEEP:	6:WluIzpfR4KfZ1IsidHeHvaGJLTOzNCa4os/OVXTfv9q5mFmNHrE1:2uG5x3UgHLTYNSosWVXTH9q5mkNHq
MD5:	294677E0E746414FC49A5CD3C6B58464
SHA1:	E32CF2F9E9EF0D0E370916202D59DD6451186670
SHA-256:	2FEDB9246F014262D13DABD8AA0149115A89FB802A1CC39135FA2B27F4AC005D
SHA-512:	7E320ED51E1FCB8C954A3BA77D0388E38C16DF3C322F115E93ACFC1ADB3F6813409BBF0FF81B2CEE4408657E85E24E311A543A9C71BD82C4F7B679E4AE80A66F
Malicious:	false
Preview:	nkXDU2AkNWKmVLwCDOeVXz7QCUoFoz1qPTzPkgqKrTSBIzcPlUOOnV1xmHBAN55XfeXCWhcgiUoDh5HM2ZeTlmC3cCmdfp6wY4fnbZ2E2rqTqxPr9zIyalv3bekU48B2Y2pnZducgZa46tMow5dphHVwJmM7ziK4px5xImRfFpSAK07sR5h8eVVQh3dxRwn7PgOIyYgKo8k1yUlSpep3BMZTcoQOIdNSCVvnmy32ZXTgudbNRLHxGt6

C:\Recovery\System.exe

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.082883867738262
Encrypted:	false
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
MD5:	2CE997B7EEBEE4A876D0347A3489C945
SHA1:	3F2BF00A16DE610C0549385D214E6C75293D1141
SHA-256:	DE04994B9650E7F00F8F264ADE023D530D292AB03AD672E0101D8E32B886D575
SHA-512:	AD63E022F036959E20DB3310DFE3C7223BE9E5E4AAD2B1D050EA80829A6D7E7EA1E0A4D76AC4A8AFD5D24FE47E52F186EC5531714AACAB294CF6446C09EA694F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\System.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\backgroundTaskHost.exe

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.082883867738262
Encrypted:	false
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
MD5:	2CE997B7EEBEE4A876D0347A3489C945
SHA1:	3F2BF00A16DE610C0549385D214E6C75293D1141
SHA-256:	DE04994B9650E7F00F8F264ADE023D530D292AB03AD672E0101D8E32B886D575
SHA-512:	AD63E022F036959E20DB3310DFE3C7223BE9E5E4AAD2B1D050EA80829A6D7E7EA1E0A4D76AC4A8AFD5D24FE47E52F186EC5531714AACAB294CF6446C09EA694F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\backgroundTaskHost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\eddb19405b7ce1

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with very long lines (703), with no line terminators
Category:	dropped
Size (bytes):	703
Entropy (8bit):	5.891222083956307
Encrypted:	false
SSDEEP:	12:xLD9y9y4JEu3GapQjipxcKR2JoKhU60ttmFFNA3KtX7dhwh2zAjZiv0d5TMREaIq:lD9grGVuRWoKi60tkwY7dhy1XmaamFe
MD5:	DA5F97B598AAB2EC9AE17252BC77D170
SHA1:	A774C61D6DAFE418B01F507A7E75E28DD1028AEC
SHA-256:	F93F8DC23BF19779C5393DE40CBD39FE55E7899A2EE3E143F877AF3E953C6242
SHA-512:	27A6B242E9FD01644CC0CB55DB1D64A13B04F1DB949A71737FA7DEE2535B1F59E3B4A5F5DD77829C808850D554BE4191F05F123A335DDBB70703EC23B5338A13
Malicious:	false
Preview:	8jfoVMQ4rd6U29ZDU7IgbgS1i016HGTbJZpLcc9DLwrEB7WtjAmdQ4QcQoFeUTxkJfLcUOl18FVozO0leIXGd0KOJM5xXes19G5fw3YVZueLjlnCyeAL6qHTU7THSydeWeosSUyktBrsV9phj383eh4S9mLykRClRAyF74tepZc49Y7VSwhZzkAzjVsqJ9Ac8GbUKjkpJeOEFATlozgyunvqA9flMCVpZ9526nKsL2PUW5ujBHCTdMsVUuTLD8cGJioFEboAoym1XaUEO6jEABMNRkhLT9oMZILxRpekcBopj074aO6HZXGHWbxe3crpJZcOPhxjc8m9WhnbmnvFDhxBCDa01Ar9U9fKYtp2bWobvGuzxW2PrlmmmaLLG7scQmpXBdC283oq2WP5SlCeHcSsW3h7hdwdnMKIbXxUU9Qx75tQKQ2f5NUyT6BI5EVfHKCpLHe5xrKILeubJRxRkQiZ2VzeWoZPnvqx2DEDv7rNDLnyMj9nRE40lmx0R9jIS5fay7iFMtfniVWrsASwpv7j00LPQOvwYi5HqMAPB3aiiRRQQGHRrxdg85j7vSz87tPAZOAf9CuvUYAji59KGdFkFZJunDetEckzCR0BFlSoCrLj59Y0Tp1doo4AEQ16iBr2yLhRE7EeLaiXNkzoonZYkHLXW07ytWFBATvtbHwVkXSNGhxeaNR4lSSr9J4

C:\Recovery\sqPKQawpTnLujfRgyPwI.exe

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.082883867738262
Encrypted:	false
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
MD5:	2CE997B7EEBEE4A876D0347A3489C945
SHA1:	3F2BF00A16DE610C0549385D214E6C75293D1141
SHA-256:	DE04994B9650E7F00F8F264ADE023D530D292AB03AD672E0101D8E32B886D575
SHA-512:	AD63E022F036959E20DB3310DFE3C7223BE9E5E4AAD2B1D050EA80829A6D7E7EA1E0A4D76AC4A8AFD5D24FE47E52F186EC5531714AACAB294CF6446C09EA694F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\sqPKQawpTnLujfRgyPwI.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Default\AppData\Roaming\Microsoft\5940a34987c991

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with very long lines (344), with no line terminators
Category:	dropped
Size (bytes):	344
Entropy (8bit):	5.811630798195329
Encrypted:	false
SSDEEP:	6:lOkhWZFLI+EHyGcwSJEWbyVORHQEVoqWB3CIYiZLb1wD7kohtO1Gx1nwIG5dZLfH:lO9ZFLi12JpnVTpIYvKG/tG5dZLfH
MD5:	80D0D2300B27622D507EDE059C4080BF
SHA1:	47C7607C29635EB81C0C51B8F249771B8171093B
SHA-256:	6E689041B1831212A230662965072E23BA6E15E3E9183DC826321BDF47E675CD
SHA-512:	65FA06EDD12AE6A71DBC4C039A5ED8E35932829F123B4809F7F5CD48E5D7D6FA87885975D12C2269D284121B464D16FC9D87F06D51A7B9D672201FCC5C7A6FBE
Malicious:	false
Preview:	2eoIiyZAFyMjnA5OHpSXNULMaJbhznyLsiU3QfZFA0utnYtA4YZqxWHiTcrYX1Lc9A1EpB8mPMXWjcjBZbnaNIYWbwkxyBsJpStmhoU2axbk9u813p85NvO1men3bKxNeNrQs6euGvAZqxXqxt3ICw54E29DBabP9NFvCsI6LOycuyKzH6GsQpLrSxMz7btqTuadrlnFk77y7cJPsK5EUt8UCYdPgT9teIIAYrHfTAHTrWtzn6HxfoVkvFbTIXiR7NTyTI1BDavTlpmponmjLMO0xiPTPxW5b0VeD5feFFuF3B8Gcwpfv9Fv9dBv3ivPD01vTImtHHeFcJ6vjJ0dI1Jc

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\95aaaff3431df3

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with very long lines (848), with no line terminators
Category:	dropped
Size (bytes):	848
Entropy (8bit):	5.885795665657274
Encrypted:	false
SSDEEP:	24:Jss1hyCEj3FlM0U+ndNGVdmmAyiDfe2NXyFfwOkcbB:qs//Ej3w8dwdmmWDfiFNdB
MD5:	F2316C3516041385F266FC5A46618485
SHA1:	00F164162EEBD8BE31B96A88B40774839F2BE8A5
SHA-256:	5486AD36DBDB21B7141AFF9003A9636E8ED176D862D52389B63F864284128BA6
SHA-512:	F922A9C4FB72C5E005F90F61BA2B4481A32533AA00EBCAB1044764196E0AEF1AA7092B254EA3DC24FD38A207913F3BC46FF85145DBA608831E4DFA7F446812CF
Malicious:	false
Preview:	BggSMBRGOfOKpTbi7VbsjyrgJEUC0jp2jfATzoLNqtiJNrUlLVegGmQNyAIHqPPpzWlKTHtTJOC0PiSbtt0fFIw6OwezfDgbe2T1FKREmKW1kZ7QrqY7Yujqjp6hn4xGskWXObWjbw34w4VyzNHzpjCtSnRaNuarXQJADkCPUzfm1p4pTHrZw8bJhmElK5VrVLhfuVuOK2e0DZ2nslGGCA4YzAcbgbEZdyRpHZ47WdO4elFIta2iyPoUQJqu3TstxFWOINgTrJtjwA4O4UrFigkOK6Y8sJECufHYO09g4j1pgEiQOczjmmKReIEMyhkhEqyQ2f9EUKL8o5sFYHtQUeaIU04GwwrW9UkzQRYtcvObaMmjZ9yrxTNjPq6Ck2Ridy9UU2zGtAxiQ8rINVqw8AjqGAjjVWIkdq8mMROhJr8wfoTR9yyPLfjcPTNUSPvX2NEjAF56GJnRCwKcrSkhh2Y8HfW3D4O36l4SktR322IC2SadJvmApOz9yFcesB2M4tUb2117BqoptVGzE3uSROOrv4deQwK096II79lR3p88jKPd9nazRk4pemp7XXqPfxpxN72EScYmQPIlpAenWVjZBdoUUn3g8tcwecQBvVgyMSZPeESX2D2KOPwtThuoi1ogwVGNuc2ByuNtEZzPVgn40SiOpgsNk2PUn2cJ7FnZL1VdCCp4seTCOtpex1hNuoa6f2FL6qSQ3Nt96EMm0yfGiNG4M8VFhZpgbY8J7e7BMCJA9qhtp4X6JUXSwK98UMsdhMiiGCpW0d3gEF5famZnCtXGAqXwe9r9UpcwI9mnOAFpa1NqPdhsxEbyzbhZo211w4LYmIWb9vYB

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\sqPKQawpTnLujfRgyPwI.exe

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.082883867738262
Encrypted:	false
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
MD5:	2CE997B7EEBEE4A876D0347A3489C945
SHA1:	3F2BF00A16DE610C0549385D214E6C75293D1141
SHA-256:	DE04994B9650E7F00F8F264ADE023D530D292AB03AD672E0101D8E32B886D575
SHA-512:	AD63E022F036959E20DB3310DFE3C7223BE9E5E4AAD2B1D050EA80829A6D7E7EA1E0A4D76AC4A8AFD5D24FE47E52F186EC5531714AACAB294CF6446C09EA694F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\sqPKQawpTnLujfRgyPwI.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.082883867738262
Encrypted:	false
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
MD5:	2CE997B7EEBEE4A876D0347A3489C945
SHA1:	3F2BF00A16DE610C0549385D214E6C75293D1141
SHA-256:	DE04994B9650E7F00F8F264ADE023D530D292AB03AD672E0101D8E32B886D575
SHA-512:	AD63E022F036959E20DB3310DFE3C7223BE9E5E4AAD2B1D050EA80829A6D7E7EA1E0A4D76AC4A8AFD5D24FE47E52F186EC5531714AACAB294CF6446C09EA694F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\95aaaff3431df3

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with very long lines (964), with no line terminators
Category:	dropped
Size (bytes):	964
Entropy (8bit):	5.90723498471569
Encrypted:	false
SSDEEP:	24:NqTRoXWC6Dz5pFD7X/POF74iV9maO3RwVIKkowraVyvhkr:uRWWCU57D7vWFSaOAkFQGKr
MD5:	2BCED5C288B15EAA7DC1EF2CE662D4A4
SHA1:	84068633DBE40F6A57B25A7C3629335AA451B325
SHA-256:	A0EA11587EDFAAA906A48639B216DF3BB69B3A89FC787F14657E35128CAF89E8
SHA-512:	1BF6C8198EFBF2A26AC7D5D0B287CABA60766B5D894C8C11E48A10352AD9D4DC452A1F8268C16500237212F0F4F526BB616AF34B3F50914B1CF4DAB331E16AE1
Malicious:	false
Preview:	XvvkzwLdxilNCbf18TJyeIwOoggGQhdeajZ1dATZtjsM4m24lhQX55dO8g5TQEMQFGwcBnY79uE4ajUCnlftQFjfGL36EAJpWbHx0a28ITYL0jxYM3pojdA9hQW0tc39kZh8chLNthk7rXpgXetKUeF3bHPjDCOqZYkbBy6prc5C3CSKlzcOssoFTohURmJqS4hSxNejiEc2jD9YzF7Nk97queIXRmXFSOt9e9WYU3qnPwgPoIeMo5GS61iTFHR6qXjVTA40sj3qTTb872sIHLbWHbDnbDSNlu62MK6oOodECa9mZkVNYJyf6MO27QZpQpFjWivx5E4drWUrbaN0rFyc5b596Er8PxxWUaP1ziRUOVxk2hagCi7L0nn5nv01W6O4i7WBLWBJyeNjnVHZnL5qzmfqwTNDrZ8SH3B5KZVphxWWaESRobOLAhE5bpO1J8cZg5ctTMON0PJCQJQsB5ZQKxRjzFdeLdgjV60fmi7bMAUuYCpSYf0NiMOsn24OstCWtkqTSvGc87DJcgLxaLGpnTAJsH1tottc88ByVV9mZXOlIEQGqHyhnXtZjhlK4WyOOlLeeXbELdQPEZAn1uCh5LylOmOyuysCjAXh3wmTptVKGdUKg7TJTQTCwjP2JnTWuNqEBduFIt1L0oevRDRxfjsSrUvTgtKCa9a3xQIDMOAkYHMIFelFVf1KfXXrraiZjzv0Nl8A4NkRjI4jInOCIFr4HPYZ3bWvplBjWV4dgkKH4jlWdxiEMgQeH0t8NiHd1ym7HUMxtugh4j9hnB6F3RjIUhbgm5Q7drQG7nPIluVcAsji0LULmBjjPdnk2qLxdiENT3kAwxeI6GHl73palEVcHq0dAoQ4ji9coWP6kUZyganJVCm9AuLYNmGnDGAHhjjXHp6lnt0Rpg5qCqI7CQ4yWkOCPm3eURR71PCpFBVR44sqqZkW8CFQpvBgb4VB

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\5tqXx7iu9m.exe.log

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1740
Entropy (8bit):	5.36827240602657
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpaqZ4x
MD5:	B28E0CCD25623D173B2EB29F3A99B9DD
SHA1:	070E4C4A7F903505259E41AFDF7873C31F90D591
SHA-256:	3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
SHA-512:	17F5FBF18EE0058F928A4D7C53AA4B1191BA3110EDF8E853F145D720381FCEA650A3C997E3D56597150149771E14C529F1BDFDC4A2BBD3719336259C4DD8B342
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

Download File

Process:	C:\Recovery\backgroundTaskHost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Download File

Process:	C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Download File

Process:	C:\Program Files\Microsoft\fontdrvhost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\sqPKQawpTnLujfRgyPwI.exe

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.082883867738262
Encrypted:	false
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
MD5:	2CE997B7EEBEE4A876D0347A3489C945
SHA1:	3F2BF00A16DE610C0549385D214E6C75293D1141
SHA-256:	DE04994B9650E7F00F8F264ADE023D530D292AB03AD672E0101D8E32B886D575
SHA-512:	AD63E022F036959E20DB3310DFE3C7223BE9E5E4AAD2B1D050EA80829A6D7E7EA1E0A4D76AC4A8AFD5D24FE47E52F186EC5531714AACAB294CF6446C09EA694F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\sqPKQawpTnLujfRgyPwI.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Performance\WinSAT\95aaaff3431df3

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with very long lines (910), with no line terminators
Category:	dropped
Size (bytes):	910
Entropy (8bit):	5.89399876545635
Encrypted:	false
SSDEEP:	24:+lPhO3WrSOjBj47C7H/2aCfha6wj4l7J61otyzvRCvN:+lPbjBj7/2aEnYdRCV
MD5:	761555FBE806842766FEFC5652D4D579
SHA1:	6AD7D274684B3CF4BBB2DEF6F775F9201D7DD171
SHA-256:	B6C1B8A55B0DD72C96EB1790557DE2DCF4FA13330A17E9301B4414DC62E7A288
SHA-512:	9CB8E5804A1437758B78C802F69199F4A127BA1E7C27ADCAD06A3A7668239212C48DC3F047A1D9373E9EBD91AACFD2BB35105DAAB9ADF050282D5B7FDD9279A0
Malicious:	false
Preview:	zFMh1DyNy8RzDcXgELZrADuRMiVUld2jJ2oVBuCheF2B2FKh1OuJHp3vV4UTsdlVFsqKyCfTI1N5LtZGXycXssbd83AGZtzAdg5JZ9tztaBPc8jmeN54AOnXRML5BY4ZCNbpxPrYFnnRrLBATYlLx59P3i2NxyxUgmNPg4yPghyXkVqFKLlnxslHNLvPXekRzTvE7weYjWpPGlpi2wCmMJhyAGBUJj1B7hhRjlHXqNDaCWAlgNXkb7Epv7E1vJPAenSiEY8Qoo59GGvoFZy5LRj9c2fmhQmh7C5YEbhHPG5xCFjoLZvVUTzNDSGL3VtYCYBDLWjn2rqFVw7XS0aHeRMoNsUvVVO4XhvoEgdy0Hdnnu1RVt3C4m3uLXzcCySgdvryBTSwWmRWyjAd1DamcL9vnAdrqBwBz6K1CDPBaGpSUg6lWVl8XpERw6KB0lGVzPh2ZIbxyYMVfraHE1UUayoK12FF2OLzATcF9EMN4xK8dtvFgC78Qv5BlXAgDV5kNXUMOUI9pHZmnpqIGAjzQNiPYbelDpKj2kvGYj0L47TJVSX5q1ZCvFTAyExx0g6A60uD3kthJY5T3Z3FDi5LPHxwQvSUwCUYBTMehTBGI22XJAGYLruSluuzD7xISZvHDhSkNYhtgyDXOZnQp3IESCwRiXbkg3ytHvUmrfLwJAvwqXknUgdYQqyAuBCz77MmAUPcEAiJsW4RQAkLxxP9aZca6U2qdVzLxJvWHHjU8Tp4whtua1CJsNMk1zfuH1pXhsdHONDpO4BGuioZkIPmTpdk6KeSlyMGnSXDDlfNxW5xLG0TLGJ9lDE1P2LDsvDZs5cbLkW9mCy6uqZzULGfpNekOfyKaceBTfFQoYIktKXjOHGjdVthoiuea1NpwLjJhwmOkJL5Dgvf04

C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.082883867738262
Encrypted:	false
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
MD5:	2CE997B7EEBEE4A876D0347A3489C945
SHA1:	3F2BF00A16DE610C0549385D214E6C75293D1141
SHA-256:	DE04994B9650E7F00F8F264ADE023D530D292AB03AD672E0101D8E32B886D575
SHA-512:	AD63E022F036959E20DB3310DFE3C7223BE9E5E4AAD2B1D050EA80829A6D7E7EA1E0A4D76AC4A8AFD5D24FE47E52F186EC5531714AACAB294CF6446C09EA694F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\TAPI\95aaaff3431df3

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with very long lines (921), with no line terminators
Category:	dropped
Size (bytes):	921
Entropy (8bit):	5.901090493660712
Encrypted:	false
SSDEEP:	12:xLR6j/z7rZ4HsysPAvBKs4LF4LXpQW17NhdGiazFmRc1yKpzOCjJ7CcCc9GCesLs:xLRM54EA5ZYFRQNhVRhoCcZ1t8S6Xfp
MD5:	2A7100F2480B544A256C17F370D04D69
SHA1:	62DD60AE8BBB75BC6BEAA261BF0321D538B58182
SHA-256:	ADF292790002144D5FD1CD7B8F13C88873ED2632462CFC9BDC9BDF492C4B9DEE
SHA-512:	980FCBBC5FD775FD33C38B22E78A0CA92162FFE71968809E0C1A925C8F253F0CCFD89585B2173581489C97126EEEF1C6875CC338946010C045CB91BF5A159AF9
Malicious:	false
Preview:	QVFfQevNGY7SoCMNEYjfLRHzoBl6elaN27DsqHhNpvoLiX5xRO2OTft9OQ1P2zte8uZq8eg70Wzam6RQFxpPtM3WNEeaPSU0BKMx7Ozwr5X7qTXS8kKFKdvw0Dd49GriC9YctdS082ixy6q4qMboHPphYa74v4wkNz5q45jfSTGS5774WiNxpCaxT1DSgYEDF7k9BA9vn5WyIXladDiMr95LYIWD1Q94ODN8X82WjcKtpmo6Pmzcz2WFCYk3n53W6cjEKnDeKLmPyLfvdZyObgEWrH68X9soiyxNDkwljURoPGR03yZNHo4ZYMXCrEGKd8rAYSs3nMpGOaHkzFFijeh33Yz0Mt4eNGLQZRclFgk49xK7EwNm8hl8byGAc2q3RK3IP0LimecC4m3GN1vagSfqfMzlKcIN0rmy4CsNko9eEiDy4AwkGPW9pNmCBkYKVPMN9FLLIhz2SBl7JAqKphGkUmJraqMAQzIzV0zyylcjaernlo2B3NeyIl2W6evcVymd2vlSL1VEFhK05fFvxLGCUUru8c2U09Nl2Nu0Ck0B1ZskaCaaY9oKsjIiE1Us9BOFTj8ruPsNVFL5lGT6Cc50UD3TFMvLPHCzKmQ1EspJRbymXM68iYqgGYvPpomidh7NCVu8zb2Twvi3PQ52Pxn1bftw1AMZGHpudlkCc8IGgWtUz1AZttSq3Gvgm8GyPdMpGyZnp2aRogVEwZ6AAwpXy90X0Ead1T1DKEOAcXt0TBBWvquNBGycxz0H8Bwlc6aUpR4rK5hmDyDx7dmKTNcufYPVNGCalHYWlrqdwCCFiMZ9vDJeZmSPepzRCjdE3HB5arMQwJYQLWLS8QjK6iB8zI251ZbMi8MbLejE13rQOBEIegTw9THVGCFRzQYXrLrMKtHeqfSD0uuyEubUGpNP0

C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.082883867738262
Encrypted:	false
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
MD5:	2CE997B7EEBEE4A876D0347A3489C945
SHA1:	3F2BF00A16DE610C0549385D214E6C75293D1141
SHA-256:	DE04994B9650E7F00F8F264ADE023D530D292AB03AD672E0101D8E32B886D575
SHA-512:	AD63E022F036959E20DB3310DFE3C7223BE9E5E4AAD2B1D050EA80829A6D7E7EA1E0A4D76AC4A8AFD5D24FE47E52F186EC5531714AACAB294CF6446C09EA694F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Tasks\95aaaff3431df3

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with very long lines (943), with no line terminators
Category:	dropped
Size (bytes):	943
Entropy (8bit):	5.8934482855677235
Encrypted:	false
SSDEEP:	24:AKFizK4ZUuzHsEUlresyhXsRNtIp7Oh50kRWElPK5kyhDGOHP1:AK0zK4ZUu4Nn1RNlj5RWElP8Fv1
MD5:	2C68D80E78E84A3ABE3B97219E859578
SHA1:	36494F175FE0FAA87B341AA25953FED010D97120
SHA-256:	A21D54BF4C81059F9664B815BB93D71E83828E2DCD7C89635CA1B56036227F88
SHA-512:	B836FDB73C958FE025836F7C9247CEC1BFF8B7935F412A30B6DC24192627CCB44DD9447E8B47C268AEAC67B899ABB209445C7B0F4F7821591034944E14FE6632
Malicious:	false
Preview:	yF62ULaxUsOahUTYTyQdhgmZl6qS67E6DtD24KcDDLQ3Mescr3ognLYRchRXeI0XnRWyQadIVMaWQtMHOOlDThS1UwaX3Ej5V2P4I4LQafLbvCBtUJJPgwEF8edeAGPQmfAXeS9TDUnxW1FRuqCt4UYiyJ5naqQTP4yQCnPCK0MMJQtHYMtTDgWSHcjUXV3XDThcDzPHbAiEILZiayOO66QthfJjD4oy6yIzsQDj7m2D7RK5CB4jHpaHDy4hqpDhVtHTDkzJuoQUEMvQVNgC9FqRXBv4Vf3RiUsOJ12cLvydYGC1CoMcIAhQC05By4xOv8vtehGdVE1OQN3R942rTbJhxcLT50oQ7krZVSXehsGEJT9y6oC4CG5UzN6BWwieakQqgd5qhXJkUFYdcWWRyuN1oXjHWVIvKmnjCTSdsWXo6VAuzcj9aQqqWZBI3xULPYZrbzbJD3ibWj4TXzS3wIV357MmRKj4BLZi5SSABZ6gsOTxfruEfbZHDfwdmy13UnaLJVYFgS2WMyLroYHkZfZkvRfZfzXMiCLEyInJTphMiD5OUFzNqRdzNzZ208jr5pxJmG2gv8Qu7MCsWRFaAJgRiW19svTVFzR3PvlOMScsAt1Bxqfi3IrvJglQP3xAp5oH4Idkq1OrqxQyezMBPuc7IgtsKU8TecDFFtGoN42B49EVQwvZqvu4dr9YYuaV24MOuLtuthyU1aCJbXcYjjmtrIlYurPdehJ9x0lEDApJ7aCCoz7ARCwTSdhljU9CSUzURCWlwYVi3dvQFit5uOMcvzrTS9esBn1mksvmdVO3qNayrQgAlERDIXibUCSw3mhPlIqWwGbYASvhZ2lCddG6VxeNJURbDb9DqKNjkJNen3DzlBBbaQTZgl4yocMcy9ViTr0PpCcUPmScuolIT0AwIkhFQZ4H6vpoieg3KvvYy9J

C:\Windows\Tasks\sqPKQawpTnLujfRgyPwI.exe

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.082883867738262
Encrypted:	false
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
MD5:	2CE997B7EEBEE4A876D0347A3489C945
SHA1:	3F2BF00A16DE610C0549385D214E6C75293D1141
SHA-256:	DE04994B9650E7F00F8F264ADE023D530D292AB03AD672E0101D8E32B886D575
SHA-512:	AD63E022F036959E20DB3310DFE3C7223BE9E5E4AAD2B1D050EA80829A6D7E7EA1E0A4D76AC4A8AFD5D24FE47E52F186EC5531714AACAB294CF6446C09EA694F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Tasks\sqPKQawpTnLujfRgyPwI.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5tqXx7iu9m.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.082883867738262
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	5tqXx7iu9m.exe
File size:	847'360 bytes
MD5:	2ce997b7eebee4a876d0347a3489c945
SHA1:	3f2bf00a16de610c0549385d214e6c75293d1141
SHA256:	de04994b9650e7f00f8f264ade023d530d292ab03ad672e0101d8e32b886d575
SHA512:	ad63e022f036959e20db3310dfe3c7223be9e5e4aad2b1d050ea80829a6d7e7ea1e0a4d76ac4a8afd5d24fe47e52f186ec5531714aacab294cf6446c09ea694f
SSDEEP:	12288:ooKDeFJc+yhgxnCXsxFrfQfA7EcA6h9HDQe69:jFJc+pxnCX3f+EB8HEx
TLSH:	4505F7027E44CE12F0191633E2EF454887B0AD5166A6E72B7DBA377E15123A73C0D9EB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rb.....................6........... ........@.. .......................`............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4cd3ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6272A3D7 [Wed May 4 16:03:35 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcd3a0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd2000	0x218	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcb3f4	0xcb400	d1fd8c39c5e20d13f5110f1599dc2523	False	0.5062065171432965	data	6.122858785884199	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0xce000	0x2fdf	0x3000	4455cbf81f4ba61ab24bdd9087934a35	False	0.3102213541666667	data	3.241439103415943	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd2000	0x218	0x400	a0eb98cfbb72fea7cf0984384d7b3371	False	0.263671875	data	1.8371269699553323	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd4000	0xc	0x200	d31dde73351932bf3cd142e7e88848c4	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xd2058	0x1c0	ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970	English	United States	0.5223214285714286

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2024 03:12:39.084621906 CEST	53	51748	162.159.36.2	192.168.2.4
Sep 1, 2024 03:12:39.573663950 CEST	53	53535	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	21:11:54
Start date:	31/08/2024
Path:	C:\Users\user\Desktop\5tqXx7iu9m.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\5tqXx7iu9m.exe"
Imagebase:	0xbf0000
File size:	847'360 bytes
MD5 hash:	2CE997B7EEBEE4A876D0347A3489C945
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1679281685.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1679281685.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:11:54
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:11:54
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:11:54
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:11:55
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\Microsoft\dllhost.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:11:55
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\Microsoft\dllhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:11:55
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\Microsoft\dllhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:11:55
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft\fontdrvhost.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	21:11:55
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	21:11:55
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	21:11:55
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 5 /tr "'C:\Recovery\sqPKQawpTnLujfRgyPwI.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:11:55
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Recovery\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:11:55
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 6 /tr "'C:\Recovery\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	21:11:55
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	21:11:55
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	21:11:55
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	21:11:55
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\System.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	21:11:55
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\System.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	21:11:55
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\System.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	21:11:56
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	21:11:56
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	21:11:56
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	21:11:56
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows defender\sqPKQawpTnLujfRgyPwI.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	21:11:56
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	21:11:56
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows defender\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	21:11:56
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\backgroundTaskHost.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	21:11:56
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\backgroundTaskHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	21:11:56
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\backgroundTaskHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	21:11:56
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	21:11:57
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	21:11:57
Start date:	31/08/2024
Path:	C:\Recovery\backgroundTaskHost.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\backgroundTaskHost.exe
Imagebase:	0x3f0000
File size:	847'360 bytes
MD5 hash:	2CE997B7EEBEE4A876D0347A3489C945
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.1767136982.0000000002719000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.1767136982.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs Detection: 67%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	21:11:57
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	21:11:57
Start date:	31/08/2024
Path:	C:\Recovery\backgroundTaskHost.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\backgroundTaskHost.exe
Imagebase:	0xa70000
File size:	847'360 bytes
MD5 hash:	2CE997B7EEBEE4A876D0347A3489C945
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.1769916533.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	21:11:57
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 13 /tr "'C:\Users\user\sqPKQawpTnLujfRgyPwI.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	21:11:57
Start date:	31/08/2024
Path:	C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Default\Application Data\Microsoft\dllhost.exe"
Imagebase:	0x8c0000
File size:	847'360 bytes
MD5 hash:	2CE997B7EEBEE4A876D0347A3489C945
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000022.00000002.1767223313.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000022.00000002.1767223313.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs Detection: 67%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	21:11:57
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwI" /sc ONLOGON /tr "'C:\Users\user\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	21:11:57
Start date:	31/08/2024
Path:	C:\Users\Default\AppData\Roaming\Microsoft\dllhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Default\Application Data\Microsoft\dllhost.exe"
Imagebase:	0x1a0000
File size:	847'360 bytes
MD5 hash:	2CE997B7EEBEE4A876D0347A3489C945
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000024.00000002.1766950763.0000000002592000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000024.00000002.1766950763.0000000002541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	21:11:57
Start date:	31/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sqPKQawpTnLujfRgyPwIs" /sc MINUTE /mo 8 /tr "'C:\Users\user\sqPKQawpTnLujfRgyPwI.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	21:11:57
Start date:	31/08/2024
Path:	C:\Program Files\Microsoft\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft\fontdrvhost.exe"
Imagebase:	0x3e0000
File size:	847'360 bytes
MD5 hash:	2CE997B7EEBEE4A876D0347A3489C945
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000026.00000002.1767202182.0000000002737000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000026.00000002.1767202182.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs Detection: 67%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	21:11:57
Start date:	31/08/2024
Path:	C:\Program Files\Microsoft\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft\fontdrvhost.exe"
Imagebase:	0x800000
File size:	847'360 bytes
MD5 hash:	2CE997B7EEBEE4A876D0347A3489C945
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000027.00000002.1774528305.0000000002B48000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000027.00000002.1774528305.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Function 00007FFD9B7F35A5 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd35d2c08f9238612794783b68fd1dd42338b4c890480f141e3e7301a28eb4d
Instruction ID: 87a4e28451ed3359ee4f87ad1d219fe499da3a7cb485164d602751adcb851cec
Opcode Fuzzy Hash: 1dd35d2c08f9238612794783b68fd1dd42338b4c890480f141e3e7301a28eb4d
Instruction Fuzzy Hash: 02A1C271B19A4D8FEB98DBA8C865BED7BE1FF95300F4101BAD00DD32E6DB6568018790

Function 00007FFD9B801380 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

}, xrefs: 00007FFD9B8013B7
", xrefs: 00007FFD9B801525
!, xrefs: 00007FFD9B801463
[, xrefs: 00007FFD9B801555
(, xrefs: 00007FFD9B801C8E

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID: !$"$($[$}
API String ID: 0-2884956333
Opcode ID: 3059fa0b24759567dfefde387121ab6af53d4afffa5158c4e290f64ef85f255f
Instruction ID: 4c0c73e227139e0ce3353f9977604ee8346751100cd6bab220caddcda1085f41
Opcode Fuzzy Hash: 3059fa0b24759567dfefde387121ab6af53d4afffa5158c4e290f64ef85f255f
Instruction Fuzzy Hash: 8871E970E0572D8EEBA4DF94C8A47EDB6F1AF09350F1145BAE04DA72A1CB385A84DF40

Function 00007FFD9B7FECA8 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

{, xrefs: 00007FFD9B80021F
K, xrefs: 00007FFD9B800356
X, xrefs: 00007FFD9B80032B
C, xrefs: 00007FFD9B8002D7

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID: C$K$X${
API String ID: 0-542216337
Opcode ID: ca19e24da7850059a005ec1ccfa3eecf69c7305d8f7f65f9a348a3deccddc761
Instruction ID: acf2b5b89924bc15bcf7a5232083f32bad86ea8ecba3c7336a8b1309400175be
Opcode Fuzzy Hash: ca19e24da7850059a005ec1ccfa3eecf69c7305d8f7f65f9a348a3deccddc761
Instruction Fuzzy Hash: BD41D970E1A62D8FDB78CF54D8A47E9BBB1BF54301F0146A9D40DA62A0CB785B80CF85

Function 00007FFD9B80156E Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

!, xrefs: 00007FFD9B801463
{, xrefs: 00007FFD9B8019B3
", xrefs: 00007FFD9B8019C0

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID: !$"${
API String ID: 0-405082716
Opcode ID: 394334e6ee32da4d8243a904194a898656e9d2e75c0af711a4dc00f745085652
Instruction ID: 7fd954eb79777aabd65b4a64de36e33ac1e446986fcfea7104711e5e3a6fb77b
Opcode Fuzzy Hash: 394334e6ee32da4d8243a904194a898656e9d2e75c0af711a4dc00f745085652
Instruction Fuzzy Hash: 9E51DB70E0562E8FEB68DF94C8947EDB7F1AF09350F1145A9D44DA72A1CB785A84CF00

Function 00007FFD9B7FFA23 Relevance: 3.8, Strings: 3, Instructions: 59COMMON

Download Yara Rule

Strings

h, xrefs: 00007FFD9B7FFA44
[, xrefs: 00007FFD9B7FFA37
I, xrefs: 00007FFD9B7FFAB8

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID: I$[$h
API String ID: 0-1861827793
Opcode ID: a1e1ad7086ef14f8f7041203372a5148ee663a6ae93db735667c05aecd4a046a
Instruction ID: 9af82c3d7ecb4bc933b1d5db99a07bb331e114831e6ed67ef415fc5eb4d4eaa9
Opcode Fuzzy Hash: a1e1ad7086ef14f8f7041203372a5148ee663a6ae93db735667c05aecd4a046a
Instruction Fuzzy Hash: 5F21EA70E09A2D8FDB64DF14C8507A9B7B2FB58301F0086E9D00DE62A5DB346A85CF45

Function 00007FFD9B7FF9A3 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

", xrefs: 00007FFD9B8004B2

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 97ae2a6634a3973e48f1c51944e90aeee600e95c41a7bab83aba251f15e87176
Instruction ID: c73684e8dbfe612c21ba75bf025784d32796200c9ab5ae37f6d4ae7b30b3b4be
Opcode Fuzzy Hash: 97ae2a6634a3973e48f1c51944e90aeee600e95c41a7bab83aba251f15e87176
Instruction Fuzzy Hash: 93412A70E19A5D8FDBA8DF188CA57A9B7B1FF58301F1101EAD04DE22A1DF346A818F41

Function 00007FFD9B7FDB89 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8395cccf46552f1b8db671e9a2ed59dbc10d5c3a3e449b836f39a20711871d
Instruction ID: 1b51e023e7a6c0ed5d09da16f61a576d5fa3b7b5ed625f9c5176b326130ebafe
Opcode Fuzzy Hash: 8f8395cccf46552f1b8db671e9a2ed59dbc10d5c3a3e449b836f39a20711871d
Instruction Fuzzy Hash: B8E13D71E19A5D8FDBA8DF58C4A4BACBBA2FF58300F4441BAD01DD72E6CA346940CB45

Function 00007FFD9B7F1748 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4c7c4eecc19bdd330c3be357ab446fe5dae91f161adb60e883fd31edf06353
Instruction ID: f9042972349fb2368a3a3e8c18af56657cb019b38aee107c3f664ba9be7807e4
Opcode Fuzzy Hash: ec4c7c4eecc19bdd330c3be357ab446fe5dae91f161adb60e883fd31edf06353
Instruction Fuzzy Hash: E381CF31B0DB494FDB58DE5C88615A97BE2EF98310F1502BEE45EC32A6DE31AD028785

Function 00007FFD9B7F06C0 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9cee76623a19ef193778adf56d6d7b221916be3cc006fbac526d7cc63e74566
Instruction ID: d6e76d8a966f9a6c04c15a85a536a01b32ac30f8ebac1364dd180a23ee8bd2ca
Opcode Fuzzy Hash: f9cee76623a19ef193778adf56d6d7b221916be3cc006fbac526d7cc63e74566
Instruction Fuzzy Hash: B9614953B0F7C90EEB215ABC68290B93F90EF9165070943F7D098861F7EC15A51583E9

Function 00007FFD9B802E3A Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70251947d43d7b01ef0de826bd8d464f1ca344ccf34e4aaa9ff0653b0195c710
Instruction ID: f0394c23368d24d7f6e76bd591f8790aa8abf2304840352a2244f1f427dbea99
Opcode Fuzzy Hash: 70251947d43d7b01ef0de826bd8d464f1ca344ccf34e4aaa9ff0653b0195c710
Instruction Fuzzy Hash: 4181C870E1561D8EDBA4EFA8C865BECB7B1FF58300F5141B9D00DE32A6DE346A858B40

Function 00007FFD9B7F1D8D Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7aa230f0de1849406b7a4405e99fed8e1a72aeb35517ddec3e0764753ed0f0
Instruction ID: 2d7196cd7822c881a21b9813db5f521421d628b36a5cbd6ed189f90938be294b
Opcode Fuzzy Hash: bb7aa230f0de1849406b7a4405e99fed8e1a72aeb35517ddec3e0764753ed0f0
Instruction Fuzzy Hash: 0951CF31B09B494FDB5CDE1C88645BA77E2FB98311F14467EE45EC72A6CE35E8028781

Function 00007FFD9B7FB058 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff35e32032f1b63531447015f338e06e55ad61b8cd460a4375ccadbd500eb56
Instruction ID: fe10b43cb47b5513803bec23cf680d62594144a2aa75a64535996471f6cf71f6
Opcode Fuzzy Hash: 2ff35e32032f1b63531447015f338e06e55ad61b8cd460a4375ccadbd500eb56
Instruction Fuzzy Hash: 0451FB70F0961D8EEB64EBA8C4656FD7BF1EF58300F51023AD019E72A1DE3469418B89

Function 00007FFD9B7F31F1 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e69ab4b9e483d448911717a6e7588a5671ab84313bdfdf5245ea9c0eba9f4d
Instruction ID: dabe911a5c629c5e9fb09ad6a17646abeaa762e4ee56e3cfe1118701e78db44a
Opcode Fuzzy Hash: c2e69ab4b9e483d448911717a6e7588a5671ab84313bdfdf5245ea9c0eba9f4d
Instruction Fuzzy Hash: 42511F70F0960E8FEB64EB94C4646EDBBF1EF58310F524179D409E72A1DE386A44CB94

Function 00007FFD9B7F21A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0820445c6ee162f23fa6e9c58ffc4dda1899f3c323fb08fde4fc7afbe4e5f852
Instruction ID: 7290ee1c54436c57756c7f0862077fb20f4f65657b7463b5ea164e63cb97b800
Opcode Fuzzy Hash: 0820445c6ee162f23fa6e9c58ffc4dda1899f3c323fb08fde4fc7afbe4e5f852
Instruction Fuzzy Hash: 41413931B0E64D4FE765DBB888651B97FE0EF46310F4602FBE449C71B6DE28AA018385

Function 00007FFD9B7FB13D Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5dc430c3ccb2b85b740cc0cfc6cd28bc9c3bec966b61e84f46b3e418ba6c191
Instruction ID: a8c8f075d055820cdccd234548274128e1b3d065edd2e67c07f40fdec2fc73ac
Opcode Fuzzy Hash: b5dc430c3ccb2b85b740cc0cfc6cd28bc9c3bec966b61e84f46b3e418ba6c191
Instruction Fuzzy Hash: 6441EA61F0E69A4FE721DBB888A91AC7FA0FF51350F0546B6C069871F3EE24A509C7C5

Function 00007FFD9B802BBD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb376994c712370a2418682dec73a8fb4b5ae76a0464b3107bd7af99ed622b2
Instruction ID: abc670a4bba253de918cb1ca3c7e2e6812ee343d95f1238e7f995e7471221c2b
Opcode Fuzzy Hash: 9cb376994c712370a2418682dec73a8fb4b5ae76a0464b3107bd7af99ed622b2
Instruction Fuzzy Hash: 51414A30E1965E8FDB54EFD8C865AEDB7B1FF48300F510179E419E32A6CE7469408B81

Function 00007FFD9B7FC989 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b30592b7a4f602e911c8fa6789072c179efa698989f72a64ec6614c09c3e850
Instruction ID: d576125e4efc2feb03782cb01b1dcb6c81ea355e9d067132809647df9266dc64
Opcode Fuzzy Hash: 8b30592b7a4f602e911c8fa6789072c179efa698989f72a64ec6614c09c3e850
Instruction Fuzzy Hash: FE414131E1991D8FDBA8EB68C8657FDB7A1FF58300F4141BAD04DD32A1DE346A458B41

Function 00007FFD9B803001 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9715692ef78ec0b7a9b53715a5fb63f86eab68bdee851d43e410454080636fa
Instruction ID: e123efc1aabd6a52c3e2dec42e1982e50898f8166951deffd24b13a59c45c1e3
Opcode Fuzzy Hash: f9715692ef78ec0b7a9b53715a5fb63f86eab68bdee851d43e410454080636fa
Instruction Fuzzy Hash: E241D771E19A1D8FDBA4EF68C854BECBBB1FF59300F5141AAC00DE32A1DE3459848B40

Function 00007FFD9B7FC408 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76aed9050f86277bd0d6fede1f722dae13de77cb54818845bd6121e5f9becaa9
Instruction ID: 113164b073bf1ecd6f048327d535739f8bb393083d33d9122a74ded0e0a03339
Opcode Fuzzy Hash: 76aed9050f86277bd0d6fede1f722dae13de77cb54818845bd6121e5f9becaa9
Instruction Fuzzy Hash: 7231E075F1DA1D8FEBA4EBA8D4A5ABCBBB1FF58300F510239D01DD32A1DE2469418B44

Function 00007FFD9B7FCB0D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd6401212ee870c51a1002c1b75e3812e84ad0dbf98f8545dc949bf6912d671
Instruction ID: 9f9b0425436d2464def88615cf2bb259b248f34a97a86786457f61d07a43b4f4
Opcode Fuzzy Hash: bbd6401212ee870c51a1002c1b75e3812e84ad0dbf98f8545dc949bf6912d671
Instruction Fuzzy Hash: 5031C63AF4D25B4AE715BBB8A4254FC3B709F41369F0642B7D01DC90F3CE2825858299

Function 00007FFD9B7FC480 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59bb3a7546061b1c3cffeda0fd518840b5d36b80dc729ee6d86e759f8b33271
Instruction ID: a23a69b4fa3847243ad6c65178c887da208cd6f9b2bec68b047be97cb32e1861
Opcode Fuzzy Hash: c59bb3a7546061b1c3cffeda0fd518840b5d36b80dc729ee6d86e759f8b33271
Instruction Fuzzy Hash: 73312170F0DA1D8FEBA4EBA894A56BCBFB1FF59300F510229D01DD32A2DE2469018744

Function 00007FFD9B7FCAD3 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d21b40b98aae82ae7d9f0c828f2d2db8835f48212bf0d33e5dd6f598e2fc57
Instruction ID: cefcafd28931bb945da57f3c3554787cde67c446f73c3c4aa9c5b07e76f28f7d
Opcode Fuzzy Hash: 83d21b40b98aae82ae7d9f0c828f2d2db8835f48212bf0d33e5dd6f598e2fc57
Instruction Fuzzy Hash: DC21F52AF0D39A4AE711B7BCB8254FC3B70EF41369F0642B7D41CC50E7CD2925858298

Function 00007FFD9B7F0805 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e395e73596590499e915b5384d384af4f498c30ec53cc8bdcbfc1978fb0b2a
Instruction ID: c7f36af78dfcf1bff23d912bf1e6b60cf1bed214ffa4820826d3654a87cb1cbf
Opcode Fuzzy Hash: 72e395e73596590499e915b5384d384af4f498c30ec53cc8bdcbfc1978fb0b2a
Instruction Fuzzy Hash: 0E21BE12F0E2CB97E7106BBC987A4ED3B90EF41218B0982B7D0ADDA0E3DD04A119C2C5

Function 00007FFD9B7F33F8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9dc83610676cfcac091ae4cb72baacc2eedbfc508fc8105ba85af061c86efd
Instruction ID: 161397f5a9612ccaf6bc70a2e7db12ad417363e0e3918fe4d485a04e19a42c79
Opcode Fuzzy Hash: 9a9dc83610676cfcac091ae4cb72baacc2eedbfc508fc8105ba85af061c86efd
Instruction Fuzzy Hash: F1218E3094E78A9FD742EBB488586A97FF4FF06310F0605F6D058CB0B2DA289585C761

Function 00007FFD9B7FA801 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1ecf51e7c787672d313818fa88a4b4e4a26954e8f218fbbb9afc5d7a77f7b1
Instruction ID: e3bb38455c3e673fe5a8498582b866c3353c8e31c1dd6fe92545e7b26eca9181
Opcode Fuzzy Hash: 6d1ecf51e7c787672d313818fa88a4b4e4a26954e8f218fbbb9afc5d7a77f7b1
Instruction Fuzzy Hash: BE215E70A1964D8FDF99EF58C499AA93BF0FF58304F01026AE819D7265DB74A541CB80

Function 00007FFD9B803545 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a6cb122d7a2fcd6df8adef771fb319388f3463c8c31d5c39b899e48c71b13d2
Instruction ID: 8a2e02be6facf1d7e1c3ff036fb1e5bad885851f4e532b382e3f14da7f2c2e07
Opcode Fuzzy Hash: 5a6cb122d7a2fcd6df8adef771fb319388f3463c8c31d5c39b899e48c71b13d2
Instruction Fuzzy Hash: 87118E71E09A4E8FEB61EBA8C8656ED77F1FF5D300F010576D009E31A6DE28A5408751

Function 00007FFD9B7F0A01 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798663717bdd482b83cbeac10855f1aaea4ea9bdfa333641db1c6e354f6301fc
Instruction ID: a5c68ae81abea340d37cf5fe5220294b4a2a11ab03450ea876b10e5d12bbc488
Opcode Fuzzy Hash: 798663717bdd482b83cbeac10855f1aaea4ea9bdfa333641db1c6e354f6301fc
Instruction Fuzzy Hash: 7711BF31F1960E8FEB50EFA888685BD7BE0FF58700F8106B6D418C72B6EE34A6448740

Function 00007FFD9B8028B1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73dcbc5c6d336ea057a45330ff8e417eb0d1be70d6d4bb55e53406dcb138496
Instruction ID: 2ca71512d0cbc9a5c852087b241397260cf81419334f9a09fb42d49afe3ed2fd
Opcode Fuzzy Hash: a73dcbc5c6d336ea057a45330ff8e417eb0d1be70d6d4bb55e53406dcb138496
Instruction Fuzzy Hash: 5C117970A1964E8FDB58DF58C4A55F93BA1FF58304F1202BEE84A932A5CB34A650CB81

Function 00007FFD9B7FDA2F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3b17863cbbc5c2371a1197e69d8b6ba35e9ff68241fdfa21bc6a59cb7965af
Instruction ID: 2f0c9a19b1645f7d3639ba00abc0afcc82502d151037de54b811c8b3b6866521
Opcode Fuzzy Hash: 1e3b17863cbbc5c2371a1197e69d8b6ba35e9ff68241fdfa21bc6a59cb7965af
Instruction Fuzzy Hash: 2121A570E0561D8FDB50DFE8C4946EDBBF1FB18311F11123AD419E72A1DB786A448B94

Function 00007FFD9B7FCB90 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dfc63cc942b710f434ef418f0c95074637eb3a729cd9ab450e7929f9b7e7383
Instruction ID: f8057e47e8f187b09dda32b8e6a98c04705939add9e6dd5d15f4a2bf8aab4d25
Opcode Fuzzy Hash: 9dfc63cc942b710f434ef418f0c95074637eb3a729cd9ab450e7929f9b7e7383
Instruction Fuzzy Hash: 27118C30E0A64E8EDB56EBA484285B93BB0FF09304F0105BBD42AD61B6DE356A94C750

Function 00007FFD9B7F11BD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9bdfc5e95513a00e702c6d1380f286e34ad1a5bd5702b4ab3d08327344a19a8
Instruction ID: e4790313ef0332fc2130345055e7e0ab8bc5312cd74ce2550066a3a4c365074c
Opcode Fuzzy Hash: b9bdfc5e95513a00e702c6d1380f286e34ad1a5bd5702b4ab3d08327344a19a8
Instruction Fuzzy Hash: 3911D070F0A64E4EEBA99BA488786B97FE0EF19300F0101BEC41AC65F2DA246640C740

Function 00007FFD9B7FBE85 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c703197d077bc7e7aeb3d9900b0bbdf7fb88b2ab3d64e6ed0fa681beebc0a97c
Instruction ID: 41f44f15195e0b7353798175a178ca3a853ca348537c669c0c63d6da15725d2a
Opcode Fuzzy Hash: c703197d077bc7e7aeb3d9900b0bbdf7fb88b2ab3d64e6ed0fa681beebc0a97c
Instruction Fuzzy Hash: 5F118E71E0A64E8FEB55EFA4C8696BD7FA1FF18300F1205BAD419C62B1DB35A640C780

Function 00007FFD9B7FC040 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9981480c0e1202cc48577e46dc4305755db11e8f905983fdb50387d5c92c75fb
Instruction ID: 5702064442c57f82a5b45f58c45d5aef3b221854c074e98d78c8accf4d8c8d80
Opcode Fuzzy Hash: 9981480c0e1202cc48577e46dc4305755db11e8f905983fdb50387d5c92c75fb
Instruction Fuzzy Hash: 5D11B470E0960D8FDB64DF98D8A4AEDBBB5FF58310F01422AD419E72A1DB346A41CB84

Function 00007FFD9B802D11 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb5cd1c4e06661ac5e2d77e169a811bff98131c207ef19dc2adf34f309a5a04
Instruction ID: ef7fde772bbbda6aa90a03ac9af75264ed024ac8b3701a24bd8e6547cb51f6a8
Opcode Fuzzy Hash: 8bb5cd1c4e06661ac5e2d77e169a811bff98131c207ef19dc2adf34f309a5a04
Instruction Fuzzy Hash: A501C430E1954E8EEB51EBB8845D5F97BE0EF09300F0105B6D858C6075DA78A6448740

Function 00007FFD9B801202 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb897f5fdcf52ecb7383286179477369fa76c35c01460f8e52914699ecf8fe5
Instruction ID: 971c9ca3f4c8fa5d8394fa58672dbdcdcb62b6ea6e916c80a27c87e8425fdee0
Opcode Fuzzy Hash: 8fb897f5fdcf52ecb7383286179477369fa76c35c01460f8e52914699ecf8fe5
Instruction Fuzzy Hash: 6121DA70E0961D8BEB68DF44C8A47EC77F2BF58350F1141A9E04DA72A1CB785A84DF01

Function 00007FFD9B7FCA61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205e14ab97009e8d618667913c14ede237bbe183a8980c3236c1df25bcc1e746
Instruction ID: aa47a54bc9f8e2796f65ca724a32b877389525244c53762faca5ca0be095caa8
Opcode Fuzzy Hash: 205e14ab97009e8d618667913c14ede237bbe183a8980c3236c1df25bcc1e746
Instruction Fuzzy Hash: 7E112E70E0650ECEDBA4EF64C4556BE77A0FF18305F50097AD459D21A4DB35A594C740

Function 00007FFD9B803AC8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb2279314c8cef4e9d8781034ee330e79e32f03944be8b738a16097f93607365
Instruction ID: 7f169bb30d28845d21f12b1fe1daa968273c9dff5e5ea37b42adad08fcc3074d
Opcode Fuzzy Hash: bb2279314c8cef4e9d8781034ee330e79e32f03944be8b738a16097f93607365
Instruction Fuzzy Hash: 3011A531F0E54E8EEBA0EBA484696F976E0FF1C344F410476D45CD71A6EE34B6448741

Function 00007FFD9B7F3525 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c20034de5d320ed342d1308bb63480c154969a8ec5b557505b28205ab061402
Instruction ID: e87cd104539ff8848f32d7fb17eaf791da1d2f42a30b8f13343f4a391ee88304
Opcode Fuzzy Hash: 4c20034de5d320ed342d1308bb63480c154969a8ec5b557505b28205ab061402
Instruction Fuzzy Hash: 79113C70E1A68E8FDB55EF64C4695BD7BA0FF58304F4205BED419C71A1DB35A640C740

Function 00007FFD9B7FB098 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e55d0622860e148809d258741129dfce431819c9c89bea3ff3a63f93a6d1d6
Instruction ID: d4f1d901e9d91396c42144c95c22905b7a73766c1fd2202dd34968e53c8944af
Opcode Fuzzy Hash: 54e55d0622860e148809d258741129dfce431819c9c89bea3ff3a63f93a6d1d6
Instruction Fuzzy Hash: E9115B30A09A0E8FDB98EF64C4996FE77E1FF18345F50057AD41ED22A4DA30A650CB80

Function 00007FFD9B802B45 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfaf2d292785cc3de1e75cb0b974ae237e7488387572c8f3a0ba1d7bf251d660
Instruction ID: 2004f49ee8712c92e5810125b66f3e42ad9f6a12d53075d05d451e8c0e579d60
Opcode Fuzzy Hash: bfaf2d292785cc3de1e75cb0b974ae237e7488387572c8f3a0ba1d7bf251d660
Instruction Fuzzy Hash: 98015E31A0A64E8FDB68EFA4C4A95F97BA0FF18304F8204BED40EC65A2DE75A550C700

Function 00007FFD9B7F2EE1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11e41adbde9cacc79e96aa626298104fc6565d5bc29d241b1a9df9dfea4ce4b
Instruction ID: d73f21aeb15fd11bf5e48d847550d26e3f996597821fa10fbb57f4cac091cf5f
Opcode Fuzzy Hash: c11e41adbde9cacc79e96aa626298104fc6565d5bc29d241b1a9df9dfea4ce4b
Instruction Fuzzy Hash: F0018471F1E74E8FE761EBA488595A97FE0EF19300F8606B6E418C70B6EA34E5448740

Function 00007FFD9B7F05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66802bfca7f9eb31ace6b0e9de87188e1d5481f7a5beb4f3f913e6a2515ea2ca
Instruction ID: 223f41633fec169d7dd214fcf905beda2f0a53d0e1c0644820161d5326f96da1
Opcode Fuzzy Hash: 66802bfca7f9eb31ace6b0e9de87188e1d5481f7a5beb4f3f913e6a2515ea2ca
Instruction Fuzzy Hash: 1D018C30B09A0E8FDB68EF64C4656BA7BA1EF58304F5105BAD41EC65A4CA32A650CB80

Function 00007FFD9B7FD98B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf93eeb85bc72eadfef0610ac271494ccbcd7673d4c2a5dbb214165a4b09c20
Instruction ID: 10c24011dbcd311cf3fe49842beb5373b9ca6626ed0308375c7f11663548b621
Opcode Fuzzy Hash: 4cf93eeb85bc72eadfef0610ac271494ccbcd7673d4c2a5dbb214165a4b09c20
Instruction Fuzzy Hash: 6A11F770E0961D8FDB50EFE8C8946EDBBF1FB18311F11023AD419E72A1DB34A9848B54

Function 00007FFD9B801080 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa39002257802b998e7ba987aea1095abf2fbf29cceea09e26d391935ec307c
Instruction ID: 6fa9e20fc7ec474cdb0c7a9f9ce9b9ebd77ae6cb882e3fcf6db5b27f75320206
Opcode Fuzzy Hash: 9aa39002257802b998e7ba987aea1095abf2fbf29cceea09e26d391935ec307c
Instruction Fuzzy Hash: FA015A30E1594E8EEB94EBA4C4696FE76E0FF18304F51087AE41AD21A4DE31A650CB00

Function 00007FFD9B7F28BD Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e161b52f0e4feeea63d0574b762d2814c8fef8654d018d07d198bba527015a7
Instruction ID: bc1b2111272e3705424354ad1287408675529c43d98c1f44c303a675714a5f18
Opcode Fuzzy Hash: 5e161b52f0e4feeea63d0574b762d2814c8fef8654d018d07d198bba527015a7
Instruction Fuzzy Hash: 0401D430F1A64E8FE751EBA484585B93BE0EF19300F8205B6E418C70B6DA34E240C741

Function 00007FFD9B7FAD49 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c829ef638ba7a14ef43a706d70e38feb20521dc6529dd66cc767c7778f456eb
Instruction ID: 6f4e9e8b5bed2b8d69bb1041af757f377ec175162d63e6c8d0d6c235e0fff0fd
Opcode Fuzzy Hash: 7c829ef638ba7a14ef43a706d70e38feb20521dc6529dd66cc767c7778f456eb
Instruction Fuzzy Hash: D101A730B5A74E8FD761ABB484696A93BF0EF09301F4205B3D009C70B6DA38E544C740

Function 00007FFD9B7F2F59 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a5a177d92781b7b615817b847fbadb459e3fe1cb70fceeca6071a4b805f94f
Instruction ID: c9c39fe645378eb358305de2c9577d570df8bd4c875cdde7b75724c21d1b7366
Opcode Fuzzy Hash: 58a5a177d92781b7b615817b847fbadb459e3fe1cb70fceeca6071a4b805f94f
Instruction Fuzzy Hash: E301D870F1E74E8FE762A7B488695A97FE0EF15300F8605F2E409C70B6EE34A5448740

Function 00007FFD9B801061 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7292f0f65692f237dd409677d7e30c60f9ad90d0e564c6403536b0660112af64
Instruction ID: 1b99c8b6b4fa8835efd026e61e28b0f3e8dd2211cdb9a1f2036040e2306a4cf2
Opcode Fuzzy Hash: 7292f0f65692f237dd409677d7e30c60f9ad90d0e564c6403536b0660112af64
Instruction Fuzzy Hash: EBF0A430E0A68E8FEB65EF6488692FD3FB0FF19210F4505BAE858C21A2DB385654C740

Function 00007FFD9B80B5E0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cab0cbc77c5c6324ba2a5491ef13802ca22af078b262abf2fccd7c3260418a8
Instruction ID: 7d674437ece6f9e82d862190be3d8b729b8f8929b80c760fc94c98f74ab5b64a
Opcode Fuzzy Hash: 3cab0cbc77c5c6324ba2a5491ef13802ca22af078b262abf2fccd7c3260418a8
Instruction Fuzzy Hash: DE011D30E1991E8EEB50FBA8C4585FE76E4FF18304F414976D429D71A5EE34A2448A40

Function 00007FFD9B7F0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9276fb780fef10bff337c133fdf5f212e243f549b69bc3f5634b33029d563193
Instruction ID: 60e3eb2717d0fabc8b16feba7e14e0382d11bba6d427f612981470af7a6cb367
Opcode Fuzzy Hash: 9276fb780fef10bff337c133fdf5f212e243f549b69bc3f5634b33029d563193
Instruction Fuzzy Hash: BC016230B1960E8BDB59EBA4C4686B976A0FF18305F51097EE41ED21F5DF35A550C640

Function 00007FFD9B7F0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa797c88ae68e3d85e854965fdb14a525f73173f9609b7429391919c788aab02
Instruction ID: ff7a9f0aea2557f8317bf4f3c295ef1132f1e7a2f7c2f0aefeec749ad9a961ce
Opcode Fuzzy Hash: fa797c88ae68e3d85e854965fdb14a525f73173f9609b7429391919c788aab02
Instruction Fuzzy Hash: 8801A230B0560E9BDB68EBA4C0285BD76A0FF18304F91057EE41ED61F4DE35E640C640

Function 00007FFD9B7F11D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d808682de1298dbe61eb18c08b5b5481ef2732e11609a1ac2e9f1e05aed6be3c
Instruction ID: 906044ebdfc6a48452622511458d064582316aeb11a792cebb380eeaa4e9f341
Opcode Fuzzy Hash: d808682de1298dbe61eb18c08b5b5481ef2732e11609a1ac2e9f1e05aed6be3c
Instruction Fuzzy Hash: A1F0A430F1A64E8AEFA49BE488782FE7BE4BF55305F01053ED41DD25F1DE246650C684

Function 00007FFD9B7FAE18 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ae4ff833a9c1e5942a610774f96fbeb25caf8e7b51d2e02d3a3d4d66658d0f
Instruction ID: a09b4aa8908239303796a67b560105f80be97abc7ccca09bcc35d34a0372fa36
Opcode Fuzzy Hash: 72ae4ff833a9c1e5942a610774f96fbeb25caf8e7b51d2e02d3a3d4d66658d0f
Instruction Fuzzy Hash: 2CF08130A5950E8ADB68EFA4C4656F973A0EF08344F51047AE41EC21E5DE757650CA40

Function 00007FFD9B7F1D0D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fffdd67e8baa994790892c7f8a46528276000941595a4c1a407fbc05c5c4df0
Instruction ID: 683c5deb92c54767705d5837dd103996b546ccc20f7d5017e4147786f972a352
Opcode Fuzzy Hash: 2fffdd67e8baa994790892c7f8a46528276000941595a4c1a407fbc05c5c4df0
Instruction Fuzzy Hash: 0D01A430A0E78E8FDB58DF6484656FA7BA0EF55304F4105BAD80DC75A2CB35A650C790

Function 00007FFD9B7F05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ce40d841047e6b35627b6fbff9bbd71b4dc6f6a372cacee15041249806486c
Instruction ID: c57d5143912191db10299df8e2fbafaca4fdbedc540b328acbbc5f3afad030f6
Opcode Fuzzy Hash: 44ce40d841047e6b35627b6fbff9bbd71b4dc6f6a372cacee15041249806486c
Instruction Fuzzy Hash: FAF0C230B0E64ECFEB68EF6484656FE7BA0EF05308F51057AE40DC25A1CE35A650C784

Function 00007FFD9B8026D1 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46381bf587185315f7e2385f3b2d9142ade3adc8691f2742331675c61193889f
Instruction ID: 4e3869d7f94b7ae1f97b77a76a4b47ef037c9d72c74c8e352138f010e952e32e
Opcode Fuzzy Hash: 46381bf587185315f7e2385f3b2d9142ade3adc8691f2742331675c61193889f
Instruction Fuzzy Hash: 06F08231E5A24E8FDB649FA4C8656FA3760AF09304F8105BAE81DC60A2DB78A5508A51

Function 00007FFD9B7FB4D9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640c001d7a9b1e66bf132474510c7db6a04120201c6c93d7af7387b21ab6ac50
Instruction ID: d5fb5f6497ccab9128b98e1f26714998b553becc80ce45e6b01eb1aece55509b
Opcode Fuzzy Hash: 640c001d7a9b1e66bf132474510c7db6a04120201c6c93d7af7387b21ab6ac50
Instruction Fuzzy Hash: 79011E70F0961E8ADB24DF90C450AFEBBB1AF54300F554676D009A32A5DA38A645CB94

Function 00007FFD9B7F27D9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e4d9787893b6f634abc076c91e343cba9acfd231a052b1e52afadc007004ce4
Instruction ID: 7e310745e6a86fd5f16e37c219be040e801d3cb5ba2639180759d71fdb7de088
Opcode Fuzzy Hash: 3e4d9787893b6f634abc076c91e343cba9acfd231a052b1e52afadc007004ce4
Instruction Fuzzy Hash: F8F0F630A0E38E8FDB1A9F6088241E93FA0AF46204F8509FAE409C61F2DB389958C751

Function 00007FFD9B7F284D Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987f40d96b59b908399c4a4f105d8f0eca1581a917ea77c40e05a0de32507a67
Instruction ID: 20f6c62ff9a1be6b4d733ceeef86c50753dfc3679b23c2569bec6475171f9804
Opcode Fuzzy Hash: 987f40d96b59b908399c4a4f105d8f0eca1581a917ea77c40e05a0de32507a67
Instruction Fuzzy Hash: 03F02430B1E38E8FDB599BB088241F93BA0BF56200F8205BAE818C61F2DF38E554C701

Function 00007FFD9B7FBFEA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7cdcad9021802319240a5134c708812a733022afd1e1e92db60a67c64a9d86
Instruction ID: a4e36290925850ea6d9f1bd9362feaded40e289a2b011495f5237ffedb9bb6b7
Opcode Fuzzy Hash: ed7cdcad9021802319240a5134c708812a733022afd1e1e92db60a67c64a9d86
Instruction Fuzzy Hash: DDD04274A0D64E8BDB58DF9889646BD7AA9FB58300F111129D40EE72A1DA346A019B84

Function 00007FFD9B7F0FC9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd6ec3b50ddfafc1c51c89ce9864892fa55edb62ce8e91066519eebe52ae7d94
Instruction ID: cb73f25b1b7225d5c5e895f7c956205366a4801c172cb4d00fd5b588cd6d7a72
Opcode Fuzzy Hash: bd6ec3b50ddfafc1c51c89ce9864892fa55edb62ce8e91066519eebe52ae7d94
Instruction Fuzzy Hash: CDE0EC30E1991D8BEB94EB54CC60FEDBA71BF44304F1142B5D00DA32A5DE7869858B84

Non-executed Functions

Function 00007FFD9B7FE9FC Relevance: 5.1, Strings: 4, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B7FFA14
O, xrefs: 00007FFD9B7FEA44
u, xrefs: 00007FFD9B7FFC65
d, xrefs: 00007FFD9B7FFC72

Memory Dump Source

Source File: 00000000.00000002.1692831279.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_5tqXx7iu9m.jbxd

Similarity

API ID:
String ID: /$O$d$u
API String ID: 0-1393434931
Opcode ID: 7374ba1121dffed9b97e869ca458ac7ce73e4178c957f4582dd3eb805471d8f9
Instruction ID: 3be8df9422ec9c633ecca0f763772aa10ebba438175950265d0e4e7acbe43008
Opcode Fuzzy Hash: 7374ba1121dffed9b97e869ca458ac7ce73e4178c957f4582dd3eb805471d8f9
Instruction Fuzzy Hash: 9D51A770E0A66D8FDB64DF54C8547E9BBB1BF58311F0146BAD40DA72A1DB349A808F44

Analysis Process: backgroundTaskHost.exePID: 8096, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B7F35A5 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abead6715263e7bfa1d266788b98fa4784be6c9a304e0435072fccdcb924330d
Instruction ID: a77284be08667b964c17550b07e75e353565b549d98b9784a40fc319119f9a07
Opcode Fuzzy Hash: abead6715263e7bfa1d266788b98fa4784be6c9a304e0435072fccdcb924330d
Instruction Fuzzy Hash: F7A1B271B19A4D8FEB58DF68C865BED7BE1FF95300F4501BAD009D72E6CB6428018B51

Function 00007FFD9B801380 Relevance: 7.7, Strings: 6, Instructions: 151COMMON

Download Yara Rule

Strings

!, xrefs: 00007FFD9B801463
", xrefs: 00007FFD9B801525
/, xrefs: 00007FFD9B8014CC
[, xrefs: 00007FFD9B801555
(, xrefs: 00007FFD9B801C8E
}, xrefs: 00007FFD9B8013B7

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID: !$"$($/$[$}
API String ID: 0-134420937
Opcode ID: b08f45995fb49a30586701d84795e2c69fb360d2877d4022104568b6c35746f4
Instruction ID: 4c0c73e227139e0ce3353f9977604ee8346751100cd6bab220caddcda1085f41
Opcode Fuzzy Hash: b08f45995fb49a30586701d84795e2c69fb360d2877d4022104568b6c35746f4
Instruction Fuzzy Hash: 8871E970E0572D8EEBA4DF94C8A47EDB6F1AF09350F1145BAE04DA72A1CB385A84DF40

Function 00007FFD9B80156E Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

{, xrefs: 00007FFD9B8019B3
!, xrefs: 00007FFD9B801463
/, xrefs: 00007FFD9B8014CC
", xrefs: 00007FFD9B8019C0

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID: !$"$/${
API String ID: 0-4192511668
Opcode ID: 05938c4bf685881d25e402c87c901f4ab218f1eab3992b716194552b383a9b38
Instruction ID: 7fd954eb79777aabd65b4a64de36e33ac1e446986fcfea7104711e5e3a6fb77b
Opcode Fuzzy Hash: 05938c4bf685881d25e402c87c901f4ab218f1eab3992b716194552b383a9b38
Instruction Fuzzy Hash: 9E51DB70E0562E8FEB68DF94C8947EDB7F1AF09350F1145A9D44DA72A1CB785A84CF00

Function 00007FFD9B7FFA23 Relevance: 5.1, Strings: 4, Instructions: 59COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9B7FFAB8
[, xrefs: 00007FFD9B7FFA37
k, xrefs: 00007FFD9B7FF81B
h, xrefs: 00007FFD9B7FFA44

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7ff000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID: I$[$h$k
API String ID: 0-3709709737
Opcode ID: ee3e7e4e3731a2d52ef818e3858991abbd48db318dedc17ed0fd4fb406155f5a
Instruction ID: 9af82c3d7ecb4bc933b1d5db99a07bb331e114831e6ed67ef415fc5eb4d4eaa9
Opcode Fuzzy Hash: ee3e7e4e3731a2d52ef818e3858991abbd48db318dedc17ed0fd4fb406155f5a
Instruction Fuzzy Hash: 5F21EA70E09A2D8FDB64DF14C8507A9B7B2FB58301F0086E9D00DE62A5DB346A85CF45

Function 00007FFD9B8042B0 Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

@, xrefs: 00007FFD9B8043BC
, xrefs: 00007FFD9B804397

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: b89a793567507f38a2edbe5033c23c2dc936c5bb16d4cca25004acfe61382683
Instruction ID: 1ab61a6f73a3fc389a32b413ff25f31b1a5f7acd4b5cdb939da1b91b8fce1d94
Opcode Fuzzy Hash: b89a793567507f38a2edbe5033c23c2dc936c5bb16d4cca25004acfe61382683
Instruction Fuzzy Hash: 0E419170E5A92E8EDBB4EB58C8657FCB6B1EF5C341F5101A9D04DE32A1DA746A808F40

Function 00007FFD9B7FC9AD Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

%Kz, xrefs: 00007FFD9B7FCA6E

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7fa000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID: %Kz
API String ID: 0-1743607883
Opcode ID: 131389af5364c4ad24986aa1a44153adb30d2084d1134b205226546c1a73c651
Instruction ID: 8d8629d3d35f13666d05f35d92f4aebb082745d5b61e1427fee381bf88b16e9b
Opcode Fuzzy Hash: 131389af5364c4ad24986aa1a44153adb30d2084d1134b205226546c1a73c651
Instruction Fuzzy Hash: 6441282BF0D25A8AE711B7BCB8254FD3B60EF80379B1642B3D15DC90A3DD28748686D4

Function 00007FFD9B7FCAFB Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

yL_^, xrefs: 00007FFD9B7FCB01

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7fa000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID: yL_^
API String ID: 0-4278417862
Opcode ID: e058b72785b2f2b131afffe9f8257061b318a4aa5b8c57024af8e370bdf75ec5
Instruction ID: e9ecff8e6178177fc6f221fcaa3552d14207716df7e8f7868fa487b13c66e96f
Opcode Fuzzy Hash: e058b72785b2f2b131afffe9f8257061b318a4aa5b8c57024af8e370bdf75ec5
Instruction Fuzzy Hash: AD31D32AF0D35B4AE716BBB8B4254FC3B709F41369F1542B7D01DC90F3CE2825818299

Function 00007FFD9B801202 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B8014CC

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: a41f28f066a3d17cb07ae852f7a39f6c946cc6a682d21b39568a92616b317578
Instruction ID: 971c9ca3f4c8fa5d8394fa58672dbdcdcb62b6ea6e916c80a27c87e8425fdee0
Opcode Fuzzy Hash: a41f28f066a3d17cb07ae852f7a39f6c946cc6a682d21b39568a92616b317578
Instruction Fuzzy Hash: 6121DA70E0961D8BEB68DF44C8A47EC77F2BF58350F1141A9E04DA72A1CB785A84DF01

Function 00007FFD9B8036C5 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1769612e3f034c3cdf74a3f757d2bd6dae52d2bea9c7895f3576229b13f4ae86
Instruction ID: 8999eccb2f4801f448b62c168209ae7a47e3fa2deeb750c369ceca074ec3986a
Opcode Fuzzy Hash: 1769612e3f034c3cdf74a3f757d2bd6dae52d2bea9c7895f3576229b13f4ae86
Instruction Fuzzy Hash: DB51A452E0F7C64FE722A7B858791E87FB0EF5A254B0944FBD0D8CB0E7D91869448342

Function 00007FFD9B803788 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148a3e1d5d5daf47dbc1a1172bdc0ee8e2379d5aa0f8ee2bddf5e9904361efba
Instruction ID: c592cf003c18b90b42a8feccd94550134db8b3242a714e27b1926b6cec75bfb5
Opcode Fuzzy Hash: 148a3e1d5d5daf47dbc1a1172bdc0ee8e2379d5aa0f8ee2bddf5e9904361efba
Instruction Fuzzy Hash: 97115161A0F7CA4EE763977448391A97FB0AF5A244F0A04FBD4D8DB0E7E9186918C352

Function 00007FFD9B7FDB89 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7fa000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6b2eca5ad8039a1eae8ba0a8ef3953b1f7dd6a3fd8f3ee386543e16b3ea0e7
Instruction ID: 1b51e023e7a6c0ed5d09da16f61a576d5fa3b7b5ed625f9c5176b326130ebafe
Opcode Fuzzy Hash: fc6b2eca5ad8039a1eae8ba0a8ef3953b1f7dd6a3fd8f3ee386543e16b3ea0e7
Instruction Fuzzy Hash: B8E13D71E19A5D8FDBA8DF58C4A4BACBBA2FF58300F4441BAD01DD72E6CA346940CB45

Function 00007FFD9B7F1748 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ee688634fb1fdffd430854b2192eee7d4bad3efbeb0bf4c4eedf11ecc5adef
Instruction ID: f9042972349fb2368a3a3e8c18af56657cb019b38aee107c3f664ba9be7807e4
Opcode Fuzzy Hash: 05ee688634fb1fdffd430854b2192eee7d4bad3efbeb0bf4c4eedf11ecc5adef
Instruction Fuzzy Hash: E381CF31B0DB494FDB58DE5C88615A97BE2EF98310F1502BEE45EC32A6DE31AD028785

Function 00007FFD9B7F06C0 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30d390965760d18c3980c0ece42eab0c13ba3f1dd636bd5389d62ef52067285
Instruction ID: d6e76d8a966f9a6c04c15a85a536a01b32ac30f8ebac1364dd180a23ee8bd2ca
Opcode Fuzzy Hash: a30d390965760d18c3980c0ece42eab0c13ba3f1dd636bd5389d62ef52067285
Instruction Fuzzy Hash: B9614953B0F7C90EEB215ABC68290B93F90EF9165070943F7D098861F7EC15A51583E9

Function 00007FFD9B802E3A Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f49ce4a87d56ef1856c4f8c9c1af584320db3ed5ff8de4153ba57d02bb77aaa
Instruction ID: 4f5bfe07c20bc7fe6e265e5e3ef9bed6d14c65e1c9153e74f5684b58c977daf0
Opcode Fuzzy Hash: 9f49ce4a87d56ef1856c4f8c9c1af584320db3ed5ff8de4153ba57d02bb77aaa
Instruction Fuzzy Hash: DF81C871E1561D8EDBA4EFA8C865BECB7B1FF58300F5141B9D00DE32A6DE346A858B40

Function 00007FFD9B7F1D8D Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883b26430bd5533c3ee6f7c9c3d7e5b85cdbe4375fd738d0ebb6411d63287476
Instruction ID: 2d7196cd7822c881a21b9813db5f521421d628b36a5cbd6ed189f90938be294b
Opcode Fuzzy Hash: 883b26430bd5533c3ee6f7c9c3d7e5b85cdbe4375fd738d0ebb6411d63287476
Instruction Fuzzy Hash: 0951CF31B09B494FDB5CDE1C88645BA77E2FB98311F14467EE45EC72A6CE35E8028781

Function 00007FFD9B7F22D5 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 802080f8e8235f68fc1d7c2b21f8e55db31a8b88f057765668c7c34c46f64229
Instruction ID: c660a124935aef9d7c4b790d2a2510c1c8cc9ef13f482a145fff7516105c1ded
Opcode Fuzzy Hash: 802080f8e8235f68fc1d7c2b21f8e55db31a8b88f057765668c7c34c46f64229
Instruction Fuzzy Hash: 80515130F0A61E8EEB74DB90C8617F97AA1FF45300F5102B9E04E971F2DE796A458B85

Function 00007FFD9B7FC359 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7fa000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eac4392a0cda7b6c601264900706b3f1a6cd755e92cb6a038b3c35d567b6757
Instruction ID: e0cb1820e9a9b6bdafa97b997ddf0d3ebd06f80de145fe09f3e6be950ec721d3
Opcode Fuzzy Hash: 2eac4392a0cda7b6c601264900706b3f1a6cd755e92cb6a038b3c35d567b6757
Instruction Fuzzy Hash: 80513A70F0961D8FEB64EBA8C4656FD7BB1FF58300F51027AD019E72A2DE3869408B85

Function 00007FFD9B7F31F1 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33f50a7882578bfb43e4794699b09bf41e3197c066bd6926e0ce7e04b71d831
Instruction ID: 15ab2e7d23d6677b5497532128935f0b7e288cc9ac7c5a9b418cf774f657849a
Opcode Fuzzy Hash: d33f50a7882578bfb43e4794699b09bf41e3197c066bd6926e0ce7e04b71d831
Instruction Fuzzy Hash: 18514E70F0960E8FEB64EB98C4646EDBBF1EF48300F524179D009E72A1DE386A44CB94

Function 00007FFD9B7F21A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a2efcbb2ad2f47fe8ab692e598ec9f36942b484832fb4bd4093d043ca2cc769
Instruction ID: 2c5d52eaa3493312e17b19108c42d7341d1cc58405fad69640a1d125066ec8b0
Opcode Fuzzy Hash: 3a2efcbb2ad2f47fe8ab692e598ec9f36942b484832fb4bd4093d043ca2cc769
Instruction Fuzzy Hash: 3C415931B0E64D4FE765DBB888651B87FE0EF46310F4602FBE449C31B2DE28AA018385

Function 00007FFD9B7FB13D Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7fa000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb6aa3366f5fbf0e3ccc936cdf6ab5c64b93f00f2e620133fc354c955e08516
Instruction ID: 3d291c046c99a608e6a79a22687517c4667fc9af0a0c42f389d14bba8212540f
Opcode Fuzzy Hash: 5cb6aa3366f5fbf0e3ccc936cdf6ab5c64b93f00f2e620133fc354c955e08516
Instruction Fuzzy Hash: 6A41EA61F0E69A4FE721DB6888A91A87FA0FF51350F0546B6C065871F3EE24A509C7C5

Function 00007FFD9B802BBD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667617ee950a7d5105fbcfd641910fdf8e0ce6f4c055a6fb87002f06d8b192bf
Instruction ID: fa4599edb81d7300ef80e4f92615ae952a751b977da8f9a55f2b173b5eb9b028
Opcode Fuzzy Hash: 667617ee950a7d5105fbcfd641910fdf8e0ce6f4c055a6fb87002f06d8b192bf
Instruction Fuzzy Hash: 51414A30E1965E8FDB54EFD8D865AEDBBB1FF48300F510179E419E32A6CE7469408B81

Function 00007FFD9B7FC408 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7fa000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b854970283925bc9b85ab2e1387d42cdc9c816cc45127e258928cff6c0632c6
Instruction ID: 8a90190d90f7c185fbbc7b7698682b4f9232e26609262b2103334e362a79a59c
Opcode Fuzzy Hash: 2b854970283925bc9b85ab2e1387d42cdc9c816cc45127e258928cff6c0632c6
Instruction Fuzzy Hash: 9631E075F1DA1D8FEBA4EBA8D4A5ABCBBB1FF58300F510239D01DD32A1DE2469418B44

Function 00007FFD9B803001 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9715692ef78ec0b7a9b53715a5fb63f86eab68bdee851d43e410454080636fa
Instruction ID: e123efc1aabd6a52c3e2dec42e1982e50898f8166951deffd24b13a59c45c1e3
Opcode Fuzzy Hash: f9715692ef78ec0b7a9b53715a5fb63f86eab68bdee851d43e410454080636fa
Instruction Fuzzy Hash: E241D771E19A1D8FDBA4EF68C854BECBBB1FF59300F5141AAC00DE32A1DE3459848B40

Function 00007FFD9B807379 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f28237611c6c01e56143125786293558786648da579de9e3362626a994eae0
Instruction ID: f99cf89bf05c6936acaca7fee5078e5292b7b32d6442ee80000add86861305de
Opcode Fuzzy Hash: 71f28237611c6c01e56143125786293558786648da579de9e3362626a994eae0
Instruction Fuzzy Hash: FB41D235F0E64E8FEB65DBA4C4656ED7BA1FF09340F42017AD848C71E6DE38AA448781

Function 00007FFD9B7FC480 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7fa000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2814bce236b87f6c6bb4e642123ee980a1f000969198331dc851379cf054f68
Instruction ID: b51dae019c1756e6c84f1d8c1a42e907453d44f60c80a05e42bf3e558ba5475c
Opcode Fuzzy Hash: d2814bce236b87f6c6bb4e642123ee980a1f000969198331dc851379cf054f68
Instruction Fuzzy Hash: 91312170F0DA1D8FEBA4EBA894A56BCBFB1FF59300F51023AD01DD32A2DE2469018744

Function 00007FFD9B807111 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49a08b9853667573f377f37cef0bee348626a7d2da7f5132e4bb5c0a5bb5b83
Instruction ID: d7de7dcb10d748303ff1a00854f0f3bd0a48683d24ae9ec01b7ca806294d545a
Opcode Fuzzy Hash: e49a08b9853667573f377f37cef0bee348626a7d2da7f5132e4bb5c0a5bb5b83
Instruction Fuzzy Hash: 8E31AD74E0A64E8FEBA8EFA4C4655FE37A0FF58340F0101BAD459C31A6DE34A5518740

Function 00007FFD9B7FCAD3 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7fa000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5673063f8cc97688d42977908be80b13f084e0b4ccbbb4f351ae367dbcd3fd60
Instruction ID: c8b5641d187614f01c0095d5d719b2279cdeddbebebd4d21e80a263ccc8d215c
Opcode Fuzzy Hash: 5673063f8cc97688d42977908be80b13f084e0b4ccbbb4f351ae367dbcd3fd60
Instruction Fuzzy Hash: 8421E43AF0D39A4AE715B7B8A8254FD3B70EF41369F0642B7D41DC60F7CE2925848299

Function 00007FFD9B803EFA Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8578755c606b830ac7add524aade7a160225dea98abfc34d911f555b3585135c
Instruction ID: cd4c267cd1d02607da8e7f661499c335688257ac7e31aedbbea518a99a211d59
Opcode Fuzzy Hash: 8578755c606b830ac7add524aade7a160225dea98abfc34d911f555b3585135c
Instruction Fuzzy Hash: 41313632F0D68A4FE751FBA898A95E87BF0EF4D314F0604B7D458CB1A7DE28A6448711

Function 00007FFD9B807255 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc9e4ecb3c13d57f06c555d1e120ce9665a58a8f8338e0454851b73d1044cde7
Instruction ID: f1e6b6a547e32622ea74b60ef9e3750a87751fe9c7a17bf95630260b07cc4789
Opcode Fuzzy Hash: dc9e4ecb3c13d57f06c555d1e120ce9665a58a8f8338e0454851b73d1044cde7
Instruction Fuzzy Hash: 3721D535E0E64F8BEBA89FA488666FD37A0FF18340F01047AE45EC25E6DE356550C741

Function 00007FFD9B7F0805 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0391076fb8183385332bd5d82e00128af2e1d0b2350e7134524bef98f830414
Instruction ID: c7f36af78dfcf1bff23d912bf1e6b60cf1bed214ffa4820826d3654a87cb1cbf
Opcode Fuzzy Hash: e0391076fb8183385332bd5d82e00128af2e1d0b2350e7134524bef98f830414
Instruction Fuzzy Hash: 0E21BE12F0E2CB97E7106BBC987A4ED3B90EF41218B0982B7D0ADDA0E3DD04A119C2C5

Function 00007FFD9B806439 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2917f6e4f18db5f5ef934ac920d533702d8aea84ed0bd701705779970c9b51
Instruction ID: ebdd29816ff10b6ffa38a8f5236205dbec8605442896b68b6bd39f7d1ce7fea2
Opcode Fuzzy Hash: 0d2917f6e4f18db5f5ef934ac920d533702d8aea84ed0bd701705779970c9b51
Instruction Fuzzy Hash: 1B21C371E0EA8E8EEB61ABA488696FD7BA0FF19300F0605B6D458C70E2DE246644C751

Function 00007FFD9B7F33F8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9dc83610676cfcac091ae4cb72baacc2eedbfc508fc8105ba85af061c86efd
Instruction ID: 161397f5a9612ccaf6bc70a2e7db12ad417363e0e3918fe4d485a04e19a42c79
Opcode Fuzzy Hash: 9a9dc83610676cfcac091ae4cb72baacc2eedbfc508fc8105ba85af061c86efd
Instruction Fuzzy Hash: F1218E3094E78A9FD742EBB488586A97FF4FF06310F0605F6D058CB0B2DA289585C761

Function 00007FFD9B807E59 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da470c4f50835fe35a8cc352e309f953749bf3692aff940665139e4d32f4d82b
Instruction ID: 44bb444a28ceef67ea510abce9ae59502e6311554f605b97affc2b1fb30432fe
Opcode Fuzzy Hash: da470c4f50835fe35a8cc352e309f953749bf3692aff940665139e4d32f4d82b
Instruction Fuzzy Hash: 0711AF34E0E64E8FDB65DBA4C4252FD7BB0EF1A300F1104BAD01AE71A2DA39A9008752

Function 00007FFD9B7F0A01 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e455d7429294b5f98dcbe371cb0d91ce64dfa0c4f6cff82717f5e4c4bff82a
Instruction ID: ab07e4855f2d937957836ea25fc3ba84fff57ad85c4e19012da16ad5689089a4
Opcode Fuzzy Hash: b3e455d7429294b5f98dcbe371cb0d91ce64dfa0c4f6cff82717f5e4c4bff82a
Instruction Fuzzy Hash: A411BF31F1960E8EEB50EFA888585BD7BE0FF58700F8106B6D418C72B6EE34A6448740

Function 00007FFD9B804B85 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f80cd0dbf98807f88eb89ceb2717deb4b66d5f5e85981d26d1b1e32a22a9f4
Instruction ID: 32d4b2231ba142c21403d7a7603711f3f9ffc051e0a5362eda147a8c398f25b5
Opcode Fuzzy Hash: 36f80cd0dbf98807f88eb89ceb2717deb4b66d5f5e85981d26d1b1e32a22a9f4
Instruction Fuzzy Hash: 7D119D30A09A4E8FDB98EFA884696F97BA0FF58301F0505BED41DC61A6DA34A540C750

Function 00007FFD9B8071B5 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5921579823cbeedcd4b0498b4c7636f14f57a10b6a704d4949ef0470a13047b8
Instruction ID: 0abd4e565cb0c68586b7c435cc7dcdd783677d059f27702eaa369e529539d142
Opcode Fuzzy Hash: 5921579823cbeedcd4b0498b4c7636f14f57a10b6a704d4949ef0470a13047b8
Instruction Fuzzy Hash: 3E118130E0964E8FDB98EF68C4696FD7BA1FF68301F0105BAE41DC61A6DA34A550C750

Function 00007FFD9B8028B1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c756fa9b5a4fcff8d087c4ef626fe18e51dc6baaab4288e5d0edeb7368794e8d
Instruction ID: 2ca71512d0cbc9a5c852087b241397260cf81419334f9a09fb42d49afe3ed2fd
Opcode Fuzzy Hash: c756fa9b5a4fcff8d087c4ef626fe18e51dc6baaab4288e5d0edeb7368794e8d
Instruction Fuzzy Hash: 5C117970A1964E8FDB58DF58C4A55F93BA1FF58304F1202BEE84A932A5CB34A650CB81

Function 00007FFD9B804AE9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385f96ec66c58a4157365978fc1da0b571ac029dd531c85147e165ce38c42e6d
Instruction ID: 3efc15fb7650a26c92243a7e6d75df348625b20adecdebb20c016c493cbbc84b
Opcode Fuzzy Hash: 385f96ec66c58a4157365978fc1da0b571ac029dd531c85147e165ce38c42e6d
Instruction Fuzzy Hash: F3216F31E0A68E8FDBA9EFA884692B97BB0FF58301F4501BED459C61A6DA3465408741

Function 00007FFD9B805025 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc7e41268ecbd321fe93ad45dc141793ce2122911860f02c16c1263fae0225d
Instruction ID: e16de61effeabf9f78c13a61adef84d693366f2976e61768b378f2cd6545ae30
Opcode Fuzzy Hash: fbc7e41268ecbd321fe93ad45dc141793ce2122911860f02c16c1263fae0225d
Instruction Fuzzy Hash: 0A110471E0EA8E4BEB69DF6488B52FC7BA0EF19340F0600BED04DC21A2DE296550C751

Function 00007FFD9B7FDA2F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7fa000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3b17863cbbc5c2371a1197e69d8b6ba35e9ff68241fdfa21bc6a59cb7965af
Instruction ID: 2f0c9a19b1645f7d3639ba00abc0afcc82502d151037de54b811c8b3b6866521
Opcode Fuzzy Hash: 1e3b17863cbbc5c2371a1197e69d8b6ba35e9ff68241fdfa21bc6a59cb7965af
Instruction Fuzzy Hash: 2121A570E0561D8FDB50DFE8C4946EDBBF1FB18311F11123AD419E72A1DB786A448B94

Function 00007FFD9B803560 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62fcb13fffad66915079dcdf8ed24a191d0413f9cdb2834a4f5b1e8407481681
Instruction ID: d5a66f5e5b1dd404c5e50417c0db2d9807ca779ca1c82a3f50eee0cd2cab8b5f
Opcode Fuzzy Hash: 62fcb13fffad66915079dcdf8ed24a191d0413f9cdb2834a4f5b1e8407481681
Instruction Fuzzy Hash: F2119A31E0AA0E8EEB60EBA8C8156EEB6E5FF5D340F010576E009E31A5EE34A5408781

Function 00007FFD9B7FCB90 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7fa000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1449e310c62368461f4cb7a83def504a5d5054f626136890ba45d21f0c3fa93b
Instruction ID: f8057e47e8f187b09dda32b8e6a98c04705939add9e6dd5d15f4a2bf8aab4d25
Opcode Fuzzy Hash: 1449e310c62368461f4cb7a83def504a5d5054f626136890ba45d21f0c3fa93b
Instruction Fuzzy Hash: 27118C30E0A64E8EDB56EBA484285B93BB0FF09304F0105BBD42AD61B6DE356A94C750

Function 00007FFD9B7F11BD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9bdfc5e95513a00e702c6d1380f286e34ad1a5bd5702b4ab3d08327344a19a8
Instruction ID: e4790313ef0332fc2130345055e7e0ab8bc5312cd74ce2550066a3a4c365074c
Opcode Fuzzy Hash: b9bdfc5e95513a00e702c6d1380f286e34ad1a5bd5702b4ab3d08327344a19a8
Instruction Fuzzy Hash: 3911D070F0A64E4EEBA99BA488786B97FE0EF19300F0101BEC41AC65F2DA246640C740

Function 00007FFD9B805399 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a149e165e9d65d5416550e86629620e134f85f7229130f32daef5d5c38bf6aff
Instruction ID: 1f9537450a93f2c7e0aacc8bbdf5779e2b29b1a8580e3c3e461da266a7ffafdb
Opcode Fuzzy Hash: a149e165e9d65d5416550e86629620e134f85f7229130f32daef5d5c38bf6aff
Instruction Fuzzy Hash: 4F11D370A0AA8E8FEB55EF6488A95FD7BE0FF19300F0204BAC459C71E2DE746640C711

Function 00007FFD9B7FC040 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7fa000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025f5d126387c38c8ae506bb853663c83c4d79c23cb4c43ac41c35027b725449
Instruction ID: 95ce4baa2884d22a633751fe71b685bb78084534f2d8ae24b0bd0749c5e2155b
Opcode Fuzzy Hash: 025f5d126387c38c8ae506bb853663c83c4d79c23cb4c43ac41c35027b725449
Instruction Fuzzy Hash: 2011B470E0960D8FDB64DF98D8A4AEDBBB5FF58310F01423AD419E72A1DB346A41CB84

Function 00007FFD9B7FBE85 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7fa000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c6c7a79f86b316265fe279cb8d4f6e5560b20222f3e7432f687ca071246aa0
Instruction ID: 41f44f15195e0b7353798175a178ca3a853ca348537c669c0c63d6da15725d2a
Opcode Fuzzy Hash: 58c6c7a79f86b316265fe279cb8d4f6e5560b20222f3e7432f687ca071246aa0
Instruction Fuzzy Hash: 5F118E71E0A64E8FEB55EFA4C8696BD7FA1FF18300F1205BAD419C62B1DB35A640C780

Function 00007FFD9B8078A1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7945de234b37151b7453481619e05d4d2c1e4642ab7e9f1d720cdf592b04d1a4
Instruction ID: 8e55a9ea60d76926fd83a650b2888d67188efb6be11700e3be648498948caab3
Opcode Fuzzy Hash: 7945de234b37151b7453481619e05d4d2c1e4642ab7e9f1d720cdf592b04d1a4
Instruction Fuzzy Hash: E211A131A0950E8FEB52EBA4C858AFA77F4FF19340F0104B6D418C70A5DB38A280C711

Function 00007FFD9B8072ED Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401d0a2959aa79003a0360ef169c2ee9f0f990f69532b410d7518f51909e6e88
Instruction ID: b9197de7d405b8979c0a671bdcc54da0455763574174dd3fd8f53fb9acf01de1
Opcode Fuzzy Hash: 401d0a2959aa79003a0360ef169c2ee9f0f990f69532b410d7518f51909e6e88
Instruction Fuzzy Hash: A311C131B0968F8FEB68EF64C4656F93BA0EF58300F4201BAD81DC61A6DA346554C780

Function 00007FFD9B802D11 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2599c604e5ef6723e85cab656a52b0725cf7e5e0e7243fa0f452e72e45d22a41
Instruction ID: ef7fde772bbbda6aa90a03ac9af75264ed024ac8b3701a24bd8e6547cb51f6a8
Opcode Fuzzy Hash: 2599c604e5ef6723e85cab656a52b0725cf7e5e0e7243fa0f452e72e45d22a41
Instruction Fuzzy Hash: A501C430E1954E8EEB51EBB8845D5F97BE0EF09300F0105B6D858C6075DA78A6448740

Function 00007FFD9B801061 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df6e16f00adc7c92ab339010857ae33079a350427d9fce3d441c9d5985709e1d
Instruction ID: 6c74ebc95970e1e86751e71aee097104fb820b2d6f781f10d46226169316021c
Opcode Fuzzy Hash: df6e16f00adc7c92ab339010857ae33079a350427d9fce3d441c9d5985709e1d
Instruction Fuzzy Hash: AE11AC30A0968E8FDB95EB6484692FD3BB0FF19300F4104BAE459C61A2DA34A640C700

Function 00007FFD9B80530D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc4d0aedbb2e0ff4754107afea77c521344daebb8c4942543679f1b372555b4
Instruction ID: 82773e2ed4a91ada4120e0698ce727aded23d5df4e03f6ee3a05450c67ab9a37
Opcode Fuzzy Hash: cbc4d0aedbb2e0ff4754107afea77c521344daebb8c4942543679f1b372555b4
Instruction Fuzzy Hash: 5D119E31E0964E8FEB58EF6488A96F977A0FF19304F4604BAD41DC61A2DF746540CB21

Function 00007FFD9B80514D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae08bfca406a9418ac56a627fd19b20c410afbf7889934f53a882c00d2f5789
Instruction ID: 8395868247703b436198da677bb3d6c9dc2f589c52531897b06700ce94097fd6
Opcode Fuzzy Hash: 9ae08bfca406a9418ac56a627fd19b20c410afbf7889934f53a882c00d2f5789
Instruction Fuzzy Hash: 4611BF70E4A64E8FEB69EF6488B96FD7BE0FF18304F0104BED459C21A6DE3465408711

Function 00007FFD9B7F3525 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c20034de5d320ed342d1308bb63480c154969a8ec5b557505b28205ab061402
Instruction ID: e87cd104539ff8848f32d7fb17eaf791da1d2f42a30b8f13343f4a391ee88304
Opcode Fuzzy Hash: 4c20034de5d320ed342d1308bb63480c154969a8ec5b557505b28205ab061402
Instruction Fuzzy Hash: 79113C70E1A68E8FDB55EF64C4695BD7BA0FF58304F4205BED419C71A1DB35A640C740

Function 00007FFD9B8026D1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199d6d4cb88dbeaab6ef4a1872e5d22d7d7a66237f3de11914e49d23bb7540ec
Instruction ID: 2a273c9d803d56f8b147df1eac8af1fe65a49d61980f8b7382a7976c301ba092
Opcode Fuzzy Hash: 199d6d4cb88dbeaab6ef4a1872e5d22d7d7a66237f3de11914e49d23bb7540ec
Instruction Fuzzy Hash: A9018430E4960E8FDB59EFA4C465AF937A0FF08304F4104BAD41EC61A6DE75B550CB50

Function 00007FFD9B7F05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66802bfca7f9eb31ace6b0e9de87188e1d5481f7a5beb4f3f913e6a2515ea2ca
Instruction ID: 223f41633fec169d7dd214fcf905beda2f0a53d0e1c0644820161d5326f96da1
Opcode Fuzzy Hash: 66802bfca7f9eb31ace6b0e9de87188e1d5481f7a5beb4f3f913e6a2515ea2ca
Instruction Fuzzy Hash: 1D018C30B09A0E8FDB68EF64C4656BA7BA1EF58304F5105BAD41EC65A4CA32A650CB80

Function 00007FFD9B7F2EE1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11e41adbde9cacc79e96aa626298104fc6565d5bc29d241b1a9df9dfea4ce4b
Instruction ID: d73f21aeb15fd11bf5e48d847550d26e3f996597821fa10fbb57f4cac091cf5f
Opcode Fuzzy Hash: c11e41adbde9cacc79e96aa626298104fc6565d5bc29d241b1a9df9dfea4ce4b
Instruction Fuzzy Hash: F0018471F1E74E8FE761EBA488595A97FE0EF19300F8606B6E418C70B6EA34E5448740

Function 00007FFD9B802B45 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6796bb2d34c4a8e32d18ebd9b8b9a060129da4af2d84eedb329069092e588232
Instruction ID: 2004f49ee8712c92e5810125b66f3e42ad9f6a12d53075d05d451e8c0e579d60
Opcode Fuzzy Hash: 6796bb2d34c4a8e32d18ebd9b8b9a060129da4af2d84eedb329069092e588232
Instruction Fuzzy Hash: 98015E31A0A64E8FDB68EFA4C4A95F97BA0FF18304F8204BED40EC65A2DE75A550C700

Function 00007FFD9B7FD98B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7fa000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf93eeb85bc72eadfef0610ac271494ccbcd7673d4c2a5dbb214165a4b09c20
Instruction ID: 10c24011dbcd311cf3fe49842beb5373b9ca6626ed0308375c7f11663548b621
Opcode Fuzzy Hash: 4cf93eeb85bc72eadfef0610ac271494ccbcd7673d4c2a5dbb214165a4b09c20
Instruction Fuzzy Hash: 6A11F770E0961D8FDB50EFE8C8946EDBBF1FB18311F11023AD419E72A1DB34A9848B54

Function 00007FFD9B808019 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff79f94637031183615d1cb5f7fbde2efa77d958e147ea198f259ecda95067a
Instruction ID: 6f35b57c3588b874cb84ffb496e2730af45599dd2426b97726f299f12d74f0b6
Opcode Fuzzy Hash: 5ff79f94637031183615d1cb5f7fbde2efa77d958e147ea198f259ecda95067a
Instruction Fuzzy Hash: 30019E30E0A64E8FDB55EF60C8686FA3BA0FF19304F4204BAD41ACB1E2DA34A590C711

Function 00007FFD9B7F28BD Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e161b52f0e4feeea63d0574b762d2814c8fef8654d018d07d198bba527015a7
Instruction ID: bc1b2111272e3705424354ad1287408675529c43d98c1f44c303a675714a5f18
Opcode Fuzzy Hash: 5e161b52f0e4feeea63d0574b762d2814c8fef8654d018d07d198bba527015a7
Instruction Fuzzy Hash: 0401D430F1A64E8FE751EBA484585B93BE0EF19300F8205B6E418C70B6DA34E240C741

Function 00007FFD9B7FAD49 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7fa000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ab9c2a67a91ccf180a0d4b034bcfa2add4d558a7b29ef5f8f057ad1574874a7
Instruction ID: 6f4e9e8b5bed2b8d69bb1041af757f377ec175162d63e6c8d0d6c235e0fff0fd
Opcode Fuzzy Hash: 9ab9c2a67a91ccf180a0d4b034bcfa2add4d558a7b29ef5f8f057ad1574874a7
Instruction Fuzzy Hash: D101A730B5A74E8FD761ABB484696A93BF0EF09301F4205B3D009C70B6DA38E544C740

Function 00007FFD9B807A29 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b9554f4c0c382b2157fbd24707181a355734a68dadcc43ede3a928df77d442
Instruction ID: cf52a236a8bb05afc1e224898daab9b4c2ca32c65379cea7646b4338c90ce4cd
Opcode Fuzzy Hash: 12b9554f4c0c382b2157fbd24707181a355734a68dadcc43ede3a928df77d442
Instruction Fuzzy Hash: 4B018434A4E64E4FE752ABB488696A93BE0EF0A300F0604F3D458CB0B6DA38A644C711

Function 00007FFD9B7F2F59 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a5a177d92781b7b615817b847fbadb459e3fe1cb70fceeca6071a4b805f94f
Instruction ID: c9c39fe645378eb358305de2c9577d570df8bd4c875cdde7b75724c21d1b7366
Opcode Fuzzy Hash: 58a5a177d92781b7b615817b847fbadb459e3fe1cb70fceeca6071a4b805f94f
Instruction Fuzzy Hash: E301D870F1E74E8FE762A7B488695A97FE0EF15300F8605F2E409C70B6EE34A5448740

Function 00007FFD9B80808D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e56bf92c3b8cdf28c770bd9fe89ba589220b18ceb632ac92f3576fc133b0d639
Instruction ID: 3544c17cb36f71e7554e405d8dd9a08d07418e1c806641280c388d0fcc5795a3
Opcode Fuzzy Hash: e56bf92c3b8cdf28c770bd9fe89ba589220b18ceb632ac92f3576fc133b0d639
Instruction Fuzzy Hash: 9D01B130A0A64E8FDB59EF64C4695FA3BA0EF09304F0204BED41AC70A2DE35A691C740

Function 00007FFD9B7F0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9276fb780fef10bff337c133fdf5f212e243f549b69bc3f5634b33029d563193
Instruction ID: 60e3eb2717d0fabc8b16feba7e14e0382d11bba6d427f612981470af7a6cb367
Opcode Fuzzy Hash: 9276fb780fef10bff337c133fdf5f212e243f549b69bc3f5634b33029d563193
Instruction Fuzzy Hash: BC016230B1960E8BDB59EBA4C4686B976A0FF18305F51097EE41ED21F5DF35A550C640

Function 00007FFD9B7F0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa797c88ae68e3d85e854965fdb14a525f73173f9609b7429391919c788aab02
Instruction ID: ff7a9f0aea2557f8317bf4f3c295ef1132f1e7a2f7c2f0aefeec749ad9a961ce
Opcode Fuzzy Hash: fa797c88ae68e3d85e854965fdb14a525f73173f9609b7429391919c788aab02
Instruction Fuzzy Hash: 8801A230B0560E9BDB68EBA4C0285BD76A0FF18304F91057EE41ED61F4DE35E640C640

Function 00007FFD9B7F11D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d808682de1298dbe61eb18c08b5b5481ef2732e11609a1ac2e9f1e05aed6be3c
Instruction ID: 906044ebdfc6a48452622511458d064582316aeb11a792cebb380eeaa4e9f341
Opcode Fuzzy Hash: d808682de1298dbe61eb18c08b5b5481ef2732e11609a1ac2e9f1e05aed6be3c
Instruction Fuzzy Hash: A1F0A430F1A64E8AEFA49BE488782FE7BE4BF55305F01053ED41DD25F1DE246650C684

Function 00007FFD9B7F1D0D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fffdd67e8baa994790892c7f8a46528276000941595a4c1a407fbc05c5c4df0
Instruction ID: 683c5deb92c54767705d5837dd103996b546ccc20f7d5017e4147786f972a352
Opcode Fuzzy Hash: 2fffdd67e8baa994790892c7f8a46528276000941595a4c1a407fbc05c5c4df0
Instruction Fuzzy Hash: 0D01A430A0E78E8FDB58DF6484656FA7BA0EF55304F4105BAD80DC75A2CB35A650C790

Function 00007FFD9B7F05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: add19c4eb7ba1bcb5165e632e5134bf8dd6beeca8567cc31ef38665c9f8578fb
Instruction ID: c57d5143912191db10299df8e2fbafaca4fdbedc540b328acbbc5f3afad030f6
Opcode Fuzzy Hash: add19c4eb7ba1bcb5165e632e5134bf8dd6beeca8567cc31ef38665c9f8578fb
Instruction Fuzzy Hash: FAF0C230B0E64ECFEB68EF6484656FE7BA0EF05308F51057AE40DC25A1CE35A650C784

Function 00007FFD9B7FB4D9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7fa000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e64a6c5513271ad275df16c4c93730459623a3aa7155f11d62b57b5eb9742f0
Instruction ID: d5fb5f6497ccab9128b98e1f26714998b553becc80ce45e6b01eb1aece55509b
Opcode Fuzzy Hash: 7e64a6c5513271ad275df16c4c93730459623a3aa7155f11d62b57b5eb9742f0
Instruction Fuzzy Hash: 79011E70F0961E8ADB24DF90C450AFEBBB1AF54300F554676D009A32A5DA38A645CB94

Function 00007FFD9B7F27D9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e4d9787893b6f634abc076c91e343cba9acfd231a052b1e52afadc007004ce4
Instruction ID: 7e310745e6a86fd5f16e37c219be040e801d3cb5ba2639180759d71fdb7de088
Opcode Fuzzy Hash: 3e4d9787893b6f634abc076c91e343cba9acfd231a052b1e52afadc007004ce4
Instruction Fuzzy Hash: F8F0F630A0E38E8FDB1A9F6088241E93FA0AF46204F8509FAE409C61F2DB389958C751

Function 00007FFD9B7F284D Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987f40d96b59b908399c4a4f105d8f0eca1581a917ea77c40e05a0de32507a67
Instruction ID: 20f6c62ff9a1be6b4d733ceeef86c50753dfc3679b23c2569bec6475171f9804
Opcode Fuzzy Hash: 987f40d96b59b908399c4a4f105d8f0eca1581a917ea77c40e05a0de32507a67
Instruction Fuzzy Hash: 03F02430B1E38E8FDB599BB088241F93BA0BF56200F8205BAE818C61F2DF38E554C701

Function 00007FFD9B801080 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c934e2fbd349650764fda1efdda599a7310da086e588b80b5b16ea0f95aa987
Instruction ID: 4c2acdad5377e6b08c4bc2695478e1014aa8a77a298a881c67f32d5b491eed64
Opcode Fuzzy Hash: 8c934e2fbd349650764fda1efdda599a7310da086e588b80b5b16ea0f95aa987
Instruction Fuzzy Hash: BFF08230E15A4E8EEBA4EFA498192FE76F0FF19314F41053AF85DC21A0DF3066548740

Function 00007FFD9B7FBFEA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7fa000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7cdcad9021802319240a5134c708812a733022afd1e1e92db60a67c64a9d86
Instruction ID: a4e36290925850ea6d9f1bd9362feaded40e289a2b011495f5237ffedb9bb6b7
Opcode Fuzzy Hash: ed7cdcad9021802319240a5134c708812a733022afd1e1e92db60a67c64a9d86
Instruction Fuzzy Hash: DDD04274A0D64E8BDB58DF9889646BD7AA9FB58300F111129D40EE72A1DA346A019B84

Function 00007FFD9B7F0FC9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7f0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae828aa76feab92bf61d8ec2b35af033a95713bb9d7262b69ada2d0c88c17b4
Instruction ID: e8637b77774e568ee33d8556197e42a0e1016aef499aae4c0e37019e0b0de224
Opcode Fuzzy Hash: aae828aa76feab92bf61d8ec2b35af033a95713bb9d7262b69ada2d0c88c17b4
Instruction Fuzzy Hash: DCE0EC30E1991D8AEBA4EB54CC60FEDBA71BF44304F1142B5D00DA32E5CE7869858B84

Function 00007FFD9B805794 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b801000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b039822159c8aa54e1bab2d16694ebe3f4474eb2a7af2b5ed4f107d4f9c457
Instruction ID: e24f7df9121224e52716ee65fa7aa00ca819aaab0395afde7eed22c7e8e91264
Opcode Fuzzy Hash: 54b039822159c8aa54e1bab2d16694ebe3f4474eb2a7af2b5ed4f107d4f9c457
Instruction Fuzzy Hash: 50D05E62E1A51ECFEB90EF5C44E46E97BE0EF08300B41003AD44CC2192DE3420019720

Non-executed Functions

Function 00007FFD9B7FF0B5 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

", xrefs: 00007FFD9B7FF100
0, xrefs: 00007FFD9B7FF179
k, xrefs: 00007FFD9B7FF81B
S, xrefs: 00007FFD9B7FF0BA

Memory Dump Source

Source File: 0000001E.00000002.1769572539.00007FFD9B7FF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7FF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9b7ff000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID: "$0$S$k
API String ID: 0-2456877467
Opcode ID: 4ed355d1756b53b4e65e0b82e69da6c1aec4a28e7d8c33d72dda8e30b96f24cd
Instruction ID: f3ae50c28b2e88e6b8d22ceac39f9ae5e714d336811bb20043666178c5b454bc
Opcode Fuzzy Hash: 4ed355d1756b53b4e65e0b82e69da6c1aec4a28e7d8c33d72dda8e30b96f24cd
Instruction Fuzzy Hash: 1C21E674E0A62D8EDB64DF54D8943E9BBB1BB18300F0186F9D00DA72A0DB789B84CF55

Analysis Process: backgroundTaskHost.exePID: 8128, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B7E35A5 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9084d3d4a62c8d9af91eb6b45601151c12962901825d286259023f887f5149fd
Instruction ID: 6b052f821434d0f6b430ca5f058b4f07fcd39306f46c5bd1ee0fe3ae018f9536
Opcode Fuzzy Hash: 9084d3d4a62c8d9af91eb6b45601151c12962901825d286259023f887f5149fd
Instruction Fuzzy Hash: 36A1A171A1994D8FEB99DB68D8657ED7BF1FF95300F8102BAD009D73E6DBA428018740

Function 00007FFD9B7F1380 Relevance: 7.7, Strings: 6, Instructions: 151COMMON

Download Yara Rule

Strings

(, xrefs: 00007FFD9B7F1C8E
", xrefs: 00007FFD9B7F1525
[, xrefs: 00007FFD9B7F1555
/, xrefs: 00007FFD9B7F14CC
!, xrefs: 00007FFD9B7F1463
}, xrefs: 00007FFD9B7F13B7

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f1000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID: !$"$($/$[$}
API String ID: 0-134420937
Opcode ID: b08f45995fb49a30586701d84795e2c69fb360d2877d4022104568b6c35746f4
Instruction ID: 9a2e354611c71a127452ea44731d950af01de9665402401c777b79cdcdf93cbb
Opcode Fuzzy Hash: b08f45995fb49a30586701d84795e2c69fb360d2877d4022104568b6c35746f4
Instruction Fuzzy Hash: B371C570E0932E8EEBA4DF94C8647BDBAF1AF54300F1145AAD44DA72A1CB385A84CF54

Function 00007FFD9B7F156E Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

", xrefs: 00007FFD9B7F19C0
/, xrefs: 00007FFD9B7F14CC
!, xrefs: 00007FFD9B7F1463
{, xrefs: 00007FFD9B7F19B3

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f1000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID: !$"$/${
API String ID: 0-4192511668
Opcode ID: 698e2e6b8e3f2faa5bb536ac6600e048868bba9accacb491bda954aa86fff7e0
Instruction ID: d784b745441f592ffc76acfbdd5a80fb5e1d0206150412b712aa2410efb19097
Opcode Fuzzy Hash: 698e2e6b8e3f2faa5bb536ac6600e048868bba9accacb491bda954aa86fff7e0
Instruction Fuzzy Hash: CB51B770E0532E8EEB68DF94C8647EDBBF1AF54300F5145AAD40DA72A1DB785A84CF44

Function 00007FFD9B7EFA23 Relevance: 5.1, Strings: 4, Instructions: 59COMMON

Download Yara Rule

Strings

[, xrefs: 00007FFD9B7EFA37
k, xrefs: 00007FFD9B7EF81B
h, xrefs: 00007FFD9B7EFA44
I, xrefs: 00007FFD9B7EFAB8

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ef000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID: I$[$h$k
API String ID: 0-3709709737
Opcode ID: 16181eb15da2ae31dad19b29ce7e0c4371dbbcdd1ba980b90445bd109a913885
Instruction ID: 5c2413dce3d38c3b1cef7b9c6e4508a2331cb780da9eac740d1f47e49f6fabeb
Opcode Fuzzy Hash: 16181eb15da2ae31dad19b29ce7e0c4371dbbcdd1ba980b90445bd109a913885
Instruction Fuzzy Hash: 7A21B870E09A2D8FEBA4DF14C8547A9B7B2BF55301F4086E9D00DE62A5DB345A85CF41

Function 00007FFD9B7F42B0 Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9B7F4397
@, xrefs: 00007FFD9B7F43BC

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f4000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 4749f4195b78f1d38d76f34e96ce4e52c7ed09c49ac2c6d6f78e9bf2f17abc88
Instruction ID: 9682dd012831ffe8d4b69b35be8aa83cfdfa59deefee2eae0232fb8adbaffd31
Opcode Fuzzy Hash: 4749f4195b78f1d38d76f34e96ce4e52c7ed09c49ac2c6d6f78e9bf2f17abc88
Instruction Fuzzy Hash: A1419470E19A2D8FDBA5EB58C8657FCBAB1FF58301F5101B9D01DE32A1CA746A808F54

Function 00007FFD9B7EC9AD Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

%Kz, xrefs: 00007FFD9B7ECA6E

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ea000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID: %Kz
API String ID: 0-1743607883
Opcode ID: 7aa64daca888b2e7ed0f2c9bb8ea493ab1f650138b21439c4f11ecee62b2e0dc
Instruction ID: 2cc76cd23c4110a4ae36f5b607edd6969982541be155295d383f0ddc71ca9b4f
Opcode Fuzzy Hash: 7aa64daca888b2e7ed0f2c9bb8ea493ab1f650138b21439c4f11ecee62b2e0dc
Instruction Fuzzy Hash: 2441F52BF0D66A8AE711B67CB8254FD3760EF80339B1642B7D159C90F7DD28348686E0

Function 00007FFD9B7ECAFB Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

yM_^, xrefs: 00007FFD9B7ECB01

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ea000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID: yM_^
API String ID: 0-4274066417
Opcode ID: ffaf803f1e59fcabc19e9d99940969ca664ccf1a90ac99b210df0b9d1f44ae91
Instruction ID: b7079e7a626f4de7ab55ade987b1465e05616229b0766a2e87187ff12fa0de24
Opcode Fuzzy Hash: ffaf803f1e59fcabc19e9d99940969ca664ccf1a90ac99b210df0b9d1f44ae91
Instruction Fuzzy Hash: 2131D03AF0D35B4AEB16BBB8A4254FC3770AF45329F0642BBD01DC90F3CE2825818295

Function 00007FFD9B7F1202 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B7F14CC

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f1000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: a41f28f066a3d17cb07ae852f7a39f6c946cc6a682d21b39568a92616b317578
Instruction ID: ce069ef8d5b8c70f623153359c10216a475244089380a901710901f04120d3ee
Opcode Fuzzy Hash: a41f28f066a3d17cb07ae852f7a39f6c946cc6a682d21b39568a92616b317578
Instruction Fuzzy Hash: 1A21C670E0932D8BEB68DF84C8A4BF8B7F1AB54300F1141AAD00DA72A1CB385A84DF45

Function 00007FFD9B7EDB89 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ea000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc613787ed269172aa7059eca84179397dca004f4e5d1e44e5197c4568dffba
Instruction ID: ef66b38b797efe6e9768c2e6936316148871cd49a4bebdeacd2ea13d4a097205
Opcode Fuzzy Hash: 2fc613787ed269172aa7059eca84179397dca004f4e5d1e44e5197c4568dffba
Instruction Fuzzy Hash: BEE13D71E19A5D8FEBA8DF58C8A4BB8B7A1FF58300F4541BAD01DD72E6DA346940CB40

Function 00007FFD9B7E1748 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47038479cfc43071b15337977479d44b5086c57ebf45dad003f0ac6125966768
Instruction ID: d2d5fadd8fa6b60ffdbd9f4c4f8f7008aa26eba4e4bbff9bee26254931782c9b
Opcode Fuzzy Hash: 47038479cfc43071b15337977479d44b5086c57ebf45dad003f0ac6125966768
Instruction Fuzzy Hash: CD81DF31B0DB494FDB58DE5888A65A977E2FF98310B15027EE45EC72B2DE34AD028780

Function 00007FFD9B7E1D8D Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13da97c4236debe8ac5746e78b1bb8d5c7b74764eeb506c6ad4f8a9a2600bf5f
Instruction ID: 5f6059d7a5637e159a72c561228d8bdb47a8e6e1e7b2ff829e89800da1db0c1c
Opcode Fuzzy Hash: 13da97c4236debe8ac5746e78b1bb8d5c7b74764eeb506c6ad4f8a9a2600bf5f
Instruction Fuzzy Hash: 3D51CD31B08B4A8FDB5CDE5888655BA73E2FF98311B10467EE45EC72A5CE34EC028780

Function 00007FFD9B7E22D5 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a5d6ee694be655071991f6a810f7cd16c8cc52f867f57963fc411b673267b92
Instruction ID: 21bed0151854ea9426e85b875f3986164b930a8109451d601cbe8506938060b2
Opcode Fuzzy Hash: 6a5d6ee694be655071991f6a810f7cd16c8cc52f867f57963fc411b673267b92
Instruction Fuzzy Hash: F0516C30E0A61E8EEB78DB90C861BF9B7B1FF45304F1102B9D04E961B2DE796A45CB51

Function 00007FFD9B7EC359 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ea000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b345cd590a4e6bceac2577675a555f9c50d7e87c9e06d284f48556561b567f21
Instruction ID: 43f41c7fde64fda4bbdbbb3143dc10dd4ea72e407acbea0dd3a948a02f3957f7
Opcode Fuzzy Hash: b345cd590a4e6bceac2577675a555f9c50d7e87c9e06d284f48556561b567f21
Instruction Fuzzy Hash: 48514D75E0961D8FEB64EBA8C4A56FD7BB1FF59300F51027AD009E72B2DE3869408B50

Function 00007FFD9B7E31F1 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf7fe116946df5cfa10a00427ac8e1533863e302bc475217690432f1c4874c6
Instruction ID: 1126841d197adf76764e01f00c15f61a093f2b8beecea19770b32f6043417142
Opcode Fuzzy Hash: cbf7fe116946df5cfa10a00427ac8e1533863e302bc475217690432f1c4874c6
Instruction Fuzzy Hash: A7512C70E0960E8FEB65DB98C464AEDBBF1EF48300F524279D409E72B1DE386A44CB50

Function 00007FFD9B7E21A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243289cc2ce534c17e0762c1df613ce3b3fd02c9770d6c44af76a2dd6e37b6be
Instruction ID: fbb1d42e447942ecabe2bf5d1d7114b141e83576f5b1986b04748cd90bc8fbad
Opcode Fuzzy Hash: 243289cc2ce534c17e0762c1df613ce3b3fd02c9770d6c44af76a2dd6e37b6be
Instruction Fuzzy Hash: 42414A31B0E78E4FD765D7B888651B9BBE4EF46310F0606FBD449C71B6DE28AA018341

Function 00007FFD9B7EB13D Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ea000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bc032f1404c6026dde81363366de948a18e07a27e94b41004c1d660bd77f00
Instruction ID: b28d4b8297a2baa678c6dfaed7fd15ba8c6076def28337e387e64a2745f888e7
Opcode Fuzzy Hash: a4bc032f1404c6026dde81363366de948a18e07a27e94b41004c1d660bd77f00
Instruction Fuzzy Hash: C841B661F0E79A5BE721DBB888E91A87FA0FF51210F0906B6D069C71F3EE24A5158741

Function 00007FFD9B7F2BBD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f1000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c1b2df65538f8943079f6bd284c27fbf702175162684e0595fc4871d348c17
Instruction ID: a61d0c8daa00cb65d7fd01b3e08b8f7df0cf96cd81a46d695911b07b515ef09a
Opcode Fuzzy Hash: c9c1b2df65538f8943079f6bd284c27fbf702175162684e0595fc4871d348c17
Instruction Fuzzy Hash: 57413A70E1965E8FDB54EBD8D865AEDB7B1FF48300F410179E419E32A6CE346940CB81

Function 00007FFD9B7F7379 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f4000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7b38928d5cb0666ed558076d5bf08b06de2fe355930c24ccc88b346635a03e
Instruction ID: bb7f84aa823934b90008b57ef5a1888ed132e46b0f25b772ed43f3eefefe32da
Opcode Fuzzy Hash: 1e7b38928d5cb0666ed558076d5bf08b06de2fe355930c24ccc88b346635a03e
Instruction Fuzzy Hash: 1941C131F0A68EAFEB64DB94C4656FD7BE0EF54300F01027AD809C61B2DE3869449785

Function 00007FFD9B7EC408 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ea000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23eaecf18a6c6a32b899c82c7eb130165614ad0458df39fc5ba7d2e65ad2055
Instruction ID: 7edec665bf39e5406511a9ac747abfefa52cc7dcd9189d71a2244e38fa95f564
Opcode Fuzzy Hash: e23eaecf18a6c6a32b899c82c7eb130165614ad0458df39fc5ba7d2e65ad2055
Instruction Fuzzy Hash: F831DE75E0DA1D8EEBA4EBA8D4A5ABCB7B1FF99300F51023AD00DD3271DE2469418B40

Function 00007FFD9B7EC480 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ea000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57126d35ec99be3626f26e90cd6d47d5b857ed3d151f154c41b8899566ba8819
Instruction ID: 6ebe7fe9ddc887c378ad783325f921d6c215779b4a51c999a56ae042f9ceafdb
Opcode Fuzzy Hash: 57126d35ec99be3626f26e90cd6d47d5b857ed3d151f154c41b8899566ba8819
Instruction Fuzzy Hash: C3312174E0DA1D8FEBA4EBA894A56BC7BB1FF59300F51023AD00DD72B2DE2469018710

Function 00007FFD9B7F7111 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f4000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a394111d4139ffb0ae0b734268bcfd098c6d06f5985e7fcf56f904d657cd4b
Instruction ID: 4e16ee2b462dbaff0585373aaf63af3461e883152d47832c67666bb7144f8e58
Opcode Fuzzy Hash: 91a394111d4139ffb0ae0b734268bcfd098c6d06f5985e7fcf56f904d657cd4b
Instruction Fuzzy Hash: A3319371F0A64E9FEB64DF64C8656BE3BA0FF54301F01027AD419C71B6DE34A5458781

Function 00007FFD9B7ECAD3 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ea000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d20ca680065720c1f87a5a63024508e6be84ec787dd5e3719673af1063fe24
Instruction ID: 6c66028bf110f86e751dd38778996cb27c97176e07d4ed0d0d34c0b77be3d9a1
Opcode Fuzzy Hash: 76d20ca680065720c1f87a5a63024508e6be84ec787dd5e3719673af1063fe24
Instruction Fuzzy Hash: 4321E43AF0939E4AEB15BBB8A8254FD7770EF41329F0642B7D41DC60F7CE2825848694

Function 00007FFD9B7F7255 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f4000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fff15da51be62ec633d32d4ee68c040f9ce3534d3022dcc4ddfff58628cc405
Instruction ID: 74987f2a758151915dd32326ba25df6266abd1ffb3ab5ab41f4a47b8716f2cc6
Opcode Fuzzy Hash: 6fff15da51be62ec633d32d4ee68c040f9ce3534d3022dcc4ddfff58628cc405
Instruction Fuzzy Hash: BE21E331B0E64E9BEBA8DF6488762BD3BA0FF14300F0101BAE41DC25B2CE346654C781

Function 00007FFD9B7F6439 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f4000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51c65eae28f8bcab7ae62e46ba48203c1ab9420143c51146ae0bc4a1402102a
Instruction ID: 7e4fc295679841895dc73aaa2a5acab2f37358bac3b459af69b0f4ba143f176f
Opcode Fuzzy Hash: b51c65eae28f8bcab7ae62e46ba48203c1ab9420143c51146ae0bc4a1402102a
Instruction Fuzzy Hash: 95219531F0E74E8EEB65ABA488696BD7AE0FF15310F0506B6D418C71F6DE34A644C741

Function 00007FFD9B7E32C6 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b279150a228d2a73fec62245afaa6e1e2ff75f063d9af0a6a1ae41f7317127ce
Instruction ID: 32e673f60afa05d23af1894ee952a8bdb45defe1d11c8b25bf4b134585d31a91
Opcode Fuzzy Hash: b279150a228d2a73fec62245afaa6e1e2ff75f063d9af0a6a1ae41f7317127ce
Instruction Fuzzy Hash: 0821B671E1961D8FEB64DBD8C4A4AECBBB1EF58301F520179D409E72B1DE386941CB10

Function 00007FFD9B7E33F8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a431c6b3df78dec71bae0301ab19c017079919d3eb492bffbf0686f3a2d93691
Instruction ID: 87ecc5579ae01c9a61de4ed2fb44f74a40a309c5ae52fe962f47fe1c3f6123a5
Opcode Fuzzy Hash: a431c6b3df78dec71bae0301ab19c017079919d3eb492bffbf0686f3a2d93691
Instruction Fuzzy Hash: EC21813094E79A9FD743ABB488586A57BF4FF06310F0605F7D054CB0B2DA389545C721

Function 00007FFD9B7F7E59 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f4000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2cf4a5f38dd59eb9dbddba6286496df27ca90a1bcb20109082dbcb06b78527
Instruction ID: 2a668b331cdedc78cebf645bdffeebc91c0daa9a1b96cbb3424b6d345131122e
Opcode Fuzzy Hash: ed2cf4a5f38dd59eb9dbddba6286496df27ca90a1bcb20109082dbcb06b78527
Instruction Fuzzy Hash: 3811A230F0E64E8FDB65DBA484252FD7BB1FF09300F1105BBD01AE71A2DA39A9408786

Function 00007FFD9B7E084D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f112cc7aae71cee7e4a76ca659b71dca1d82b7f2f5e4c778f11e4710e74db6f0
Instruction ID: 025b66b69dc90df47ea2906d4dc01b441e90bc7fc32f9741df74bd2bf1cf6263
Opcode Fuzzy Hash: f112cc7aae71cee7e4a76ca659b71dca1d82b7f2f5e4c778f11e4710e74db6f0
Instruction Fuzzy Hash: A8113630B0920E8FEB11EBB8C4A99E937E0EF45304F0645B6D419DB0BBDD34A544C291

Function 00007FFD9B7E0A01 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec1ea26aab998a53105c1919be1e4341c3fc1d613ac3912f2a19ed2213a2135
Instruction ID: 028e266bfb7dfea9d3cd7c856f160c74c67514f7d8710df78a47959f0d7dc9c2
Opcode Fuzzy Hash: eec1ea26aab998a53105c1919be1e4341c3fc1d613ac3912f2a19ed2213a2135
Instruction Fuzzy Hash: 83119131E1960E8FEB50EFA8C85A5BD77E1FF58700F8146B6D41CC61B6EE34A6408740

Function 00007FFD9B7F4B85 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f4000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a6a4c5b3718058a2f3be4145acaef7c0a0580ca744091c0a9150bcb99f2cdd
Instruction ID: f595fbe0f3dddf37aedb299c8b5021f7e234a1deb3039aef36b6e4e279dfcef1
Opcode Fuzzy Hash: 67a6a4c5b3718058a2f3be4145acaef7c0a0580ca744091c0a9150bcb99f2cdd
Instruction Fuzzy Hash: 8F11A230E0964E8FDB58EFA884696BD7BB0FF58301F0102BED41DC61A6DA346540C780

Function 00007FFD9B7F28B1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f1000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4422bb5f323a40829b7affaccb9296c9b5c5014c681be8ed5985bde1019f91a4
Instruction ID: 416b2c718a487c2b731ec3cd0a026c8f149e93733afe9dd24ee1caace66c0372
Opcode Fuzzy Hash: 4422bb5f323a40829b7affaccb9296c9b5c5014c681be8ed5985bde1019f91a4
Instruction Fuzzy Hash: AF11AC70A0974D8FDB58DF58C4A51E93BA0FF68304F42027EE80A931A1CB34A640CB80

Function 00007FFD9B7F71B5 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f4000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21a254773203ee6ce2e3d54e5c708f9dffef7b90790ca587dd2024d350a4309
Instruction ID: b39416ee14ddc1b5769d3cda8cff4cdddd619641143b4d5a55b4d0894cf98424
Opcode Fuzzy Hash: f21a254773203ee6ce2e3d54e5c708f9dffef7b90790ca587dd2024d350a4309
Instruction Fuzzy Hash: CE11B430E0964E9FDB94EF6484656BD7BB0FF58301F0105BAD41DC61B2DA34A240C780

Function 00007FFD9B7F4AE9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f4000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7587658dbc3e4462790256ab60368da26267fafd4f5733888188ed543ca029af
Instruction ID: 57db9924e946491abddddfcca4e2014f703912c3a1fd8d16c4a8b684a19ce1a9
Opcode Fuzzy Hash: 7587658dbc3e4462790256ab60368da26267fafd4f5733888188ed543ca029af
Instruction Fuzzy Hash: DF216D30A0E68E8FEB59EF6884692B97BB0FF58301F0102BFD419C65B6DA346540C781

Function 00007FFD9B7F5025 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f4000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7453706e1a9a82fed247b8b1b81d3505135bbbce053b5ab0b13972f2d278d8
Instruction ID: cf1a16ed6b55d4fc46ffbd828212a01b4f069b965bf1ae10f2b193689d86cd59
Opcode Fuzzy Hash: 8d7453706e1a9a82fed247b8b1b81d3505135bbbce053b5ab0b13972f2d278d8
Instruction Fuzzy Hash: 0F11B271B0EB8E4BEB69DF74C8B52B87BA0EF55300F0601BED419865B2DE256550C781

Function 00007FFD9B7EDA2F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ea000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3b17863cbbc5c2371a1197e69d8b6ba35e9ff68241fdfa21bc6a59cb7965af
Instruction ID: 77efa2b42ab6ae2a983b7ef47ceab24a7f403f70e7d760d38fba8e4033b51893
Opcode Fuzzy Hash: 1e3b17863cbbc5c2371a1197e69d8b6ba35e9ff68241fdfa21bc6a59cb7965af
Instruction Fuzzy Hash: 53219370E0561D8FDB50DFA8C8946EDBBF1EF18311F11162AD419E72B1DA786A448B50

Function 00007FFD9B7E11BD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5331ebb53aa9d442f9fce00aa3de3f96eebfe4c75221a9d051de48059a8a37b9
Instruction ID: 4ff4ecef20118a65576a2b83ba56fbcdd783eaa53e31a9829b9ad3dc4e02c9db
Opcode Fuzzy Hash: 5331ebb53aa9d442f9fce00aa3de3f96eebfe4c75221a9d051de48059a8a37b9
Instruction Fuzzy Hash: C311B671E0A64E4EEB65DBA4887A6BD7BE0FF59305F0105BED41AC64F1DA346650C700

Function 00007FFD9B7ECB90 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ea000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062337acc8772e8a94ff37ecd0c6c0448d44e7bb1a78557945c0582ad4c07309
Instruction ID: fbb3764e073860a9954f898850eb42b5e2dc21cd6c0ce99b910d3c327abf26ff
Opcode Fuzzy Hash: 062337acc8772e8a94ff37ecd0c6c0448d44e7bb1a78557945c0582ad4c07309
Instruction Fuzzy Hash: C4114F30E0974E8FDB56EB6488695B97BB0FF09304F0105BBD419D61B6DE346A50C750

Function 00007FFD9B7F5399 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f4000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a088fb942b638d9878e89763e2d4c1e813f4dbf17cfd131ad6416c844e4fdd84
Instruction ID: 33bdbd2da25b80dab35436bdd1064f086bac68142a2720a161f71f448401129e
Opcode Fuzzy Hash: a088fb942b638d9878e89763e2d4c1e813f4dbf17cfd131ad6416c844e4fdd84
Instruction Fuzzy Hash: 2011B130A0A78E8FEB55EB68C8692BD7FE0FF14304F0105BAC419C71B2DE7465448741

Function 00007FFD9B7EC040 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ea000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025f5d126387c38c8ae506bb853663c83c4d79c23cb4c43ac41c35027b725449
Instruction ID: 976b6a27e484f822ef01004c9e6f63170823b65c9f1acfb512be85ed51660153
Opcode Fuzzy Hash: 025f5d126387c38c8ae506bb853663c83c4d79c23cb4c43ac41c35027b725449
Instruction Fuzzy Hash: 0E11B374E0960E8FDB64DF98D8A4AEDB7B1EF58310F01423AD419E62B1DB346A40CB40

Function 00007FFD9B7EBE85 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ea000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a600946e3e5dbfd72fb6489b0834743f31eaad66f1013a5e89eed495b957d40
Instruction ID: 429b4cd7001047f6a255734f9b20a1d4e4bfe9e985bb84cbe8b7af9d7a7e37d0
Opcode Fuzzy Hash: 9a600946e3e5dbfd72fb6489b0834743f31eaad66f1013a5e89eed495b957d40
Instruction Fuzzy Hash: 6A115231E0A64E8FEB55EFA4C4A96BD7BE0FF18300F5105BAD419C62B1DB35A650C740

Function 00007FFD9B7F78A1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f4000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa50424894ad8fdd00b843a6a43c6e3b637757dd49412421413c846cadaacc5d
Instruction ID: 1a5bb2e7812df68eee3cd77a8cc4bf7147f162ab9db57e7e1f2bdf526444e3b9
Opcode Fuzzy Hash: fa50424894ad8fdd00b843a6a43c6e3b637757dd49412421413c846cadaacc5d
Instruction Fuzzy Hash: 06116131A1960E9FE752EBB4C858AAA7BF4FF19301F0106B6D019D70B5DB38A281C751

Function 00007FFD9B7F1061 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f1000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada51598c226121a71a7528a1eea248be7a2d5d7db1f7302fd4a201e93e851fe
Instruction ID: 6387f0db71c402edd0f6410260e0f34fd4cdabe95a58887e1360be97194a5257
Opcode Fuzzy Hash: ada51598c226121a71a7528a1eea248be7a2d5d7db1f7302fd4a201e93e851fe
Instruction Fuzzy Hash: 3D118E30E0968E8FDB95EB64C4696BD7BF0FF18300F0106BAD419D65B2DB35A644C740

Function 00007FFD9B7F2D11 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f1000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2affc211cbf2b1f6b1a2ee3858be90d2ddf6b67c0dded3d03ba23ee716523fe4
Instruction ID: ff3189690f96ddda4c16d0a1fb5f1c5ed344caa75334e560f7739f1f179748cb
Opcode Fuzzy Hash: 2affc211cbf2b1f6b1a2ee3858be90d2ddf6b67c0dded3d03ba23ee716523fe4
Instruction Fuzzy Hash: 67018431E1964E8FEB51EBB4845D5F97FE0FF19300F4146B6E418C6075DA78A2858780

Function 00007FFD9B7F72ED Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f4000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51cfbd623296297b300ee790eba50a162c083f22f1bb42d701f3086e1cf46ff0
Instruction ID: e652b91956b32069a74635519000af0e894095d273989f29e6f241b271cd0ddf
Opcode Fuzzy Hash: 51cfbd623296297b300ee790eba50a162c083f22f1bb42d701f3086e1cf46ff0
Instruction Fuzzy Hash: 4211E331B0968E9FDBA8EF6484656B93BA0EF58300F4501BAD81DC61B2DE346540C780

Function 00007FFD9B7F530D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f4000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e5ce7a9457cfa3a652b9fda7e0a47d4915b79228a8bd4c359b7df082bd3e18
Instruction ID: f0a50121c913799d39df171f92a00f1520191ae6b721aef8fb0df2d54ee3e1ed
Opcode Fuzzy Hash: 99e5ce7a9457cfa3a652b9fda7e0a47d4915b79228a8bd4c359b7df082bd3e18
Instruction Fuzzy Hash: FE11E030E0968E8FEB58EB68C8296B97BE0FF19304F0505BAD41DC61B2DF346540C740

Function 00007FFD9B7F514D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f4000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807204b7b0382f9af696ddfac075f9d0d90f1ca81d3fcb38b26719b7075abe23
Instruction ID: 5ede7dd8cd7ff6906612b441545d6716d76bbfae140b7ade9c05894ced725d9a
Opcode Fuzzy Hash: 807204b7b0382f9af696ddfac075f9d0d90f1ca81d3fcb38b26719b7075abe23
Instruction Fuzzy Hash: 1F119D70A4A64E8FEB69EB68C8796BD7BE0FF18304F0105BAD419C61A2DE347540C741

Function 00007FFD9B7E3525 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c786bab12f2381966ccd63788dc18c305dcc5e52f9f9f54181419ad533febb
Instruction ID: 4825f9dfea0aa4e17dcbceb30a5c5b2a1b0aa73ee1641ffce400abdc4a1d7eb0
Opcode Fuzzy Hash: 86c786bab12f2381966ccd63788dc18c305dcc5e52f9f9f54181419ad533febb
Instruction Fuzzy Hash: 29113C70E1A68E8FDB59EB6484695BD7BA0FF18304F4205BED419C62B1DA35A640C700

Function 00007FFD9B7F26D1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f1000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989fd7956a2bd8d3f4f31b1910a66a7ee6ead4f684a8774f4e19b4375bf6c61a
Instruction ID: 8fdee27fb3cd0e67a3e97e7309d0ceb38fff0071ac1a5ea23b1b95afedac1138
Opcode Fuzzy Hash: 989fd7956a2bd8d3f4f31b1910a66a7ee6ead4f684a8774f4e19b4375bf6c61a
Instruction Fuzzy Hash: 9C018430F4A64E8FDF59ABA0C4656F93BA0EF19304F8105BAE41EC61F6DE35A540CB50

Function 00007FFD9B7F2B45 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f1000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3efbe7ef687ed013812ac439b34e3d9fb76000b1522ef56fc8a34b52d28753b6
Instruction ID: 5ce57395586417e644f97a79d782221a86439374e6d74070a3a7c29ee9ed6fed
Opcode Fuzzy Hash: 3efbe7ef687ed013812ac439b34e3d9fb76000b1522ef56fc8a34b52d28753b6
Instruction Fuzzy Hash: 53019230A0A64E8FDB659FA084685F97BB0FF19304F8205BEE80DC60B2DE35A540C700

Function 00007FFD9B7E05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767a20ab8d94e3fa93661c06d6199d9ca0d36ef7a86098a03307fc0764f16c38
Instruction ID: b5e80b6cd77655702bdb6533a349a4603707a556713f03e17641e7ca096bc2fa
Opcode Fuzzy Hash: 767a20ab8d94e3fa93661c06d6199d9ca0d36ef7a86098a03307fc0764f16c38
Instruction Fuzzy Hash: 34019E30A09A0E8FDB68EF64C4666BE77A1FF58304F5105BED41EC65B4CE31A690CB40

Function 00007FFD9B7E2EE1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ddb02bd46d38aa4306b7854cc4db6e85dc64220693571ff913c37f97d8e8cfc
Instruction ID: 2486b04fb1c7517ff4277a11b4d1c53cb49eec2f6c69bf7fe9d069bfa5b1924b
Opcode Fuzzy Hash: 5ddb02bd46d38aa4306b7854cc4db6e85dc64220693571ff913c37f97d8e8cfc
Instruction Fuzzy Hash: 74018F71E1E74E8FE761EBA488695B97BE0EF19300F4606B6D408CA0B6EA34E6548700

Function 00007FFD9B7ED98B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ea000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf93eeb85bc72eadfef0610ac271494ccbcd7673d4c2a5dbb214165a4b09c20
Instruction ID: 36a3bcc202955c90f292d56b63a2387f8f08d7d2d5e10aeb6bb86ee59c918f66
Opcode Fuzzy Hash: 4cf93eeb85bc72eadfef0610ac271494ccbcd7673d4c2a5dbb214165a4b09c20
Instruction Fuzzy Hash: 98119370E0561D8FDB50EFA8C8946EDBBF1FF18311F11162AD419E72B1DB74A9848B50

Function 00007FFD9B7E28BD Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc90580dd0d3190dd1d1b8100d21031f4b80183bef340d0adcb68742fd6381f9
Instruction ID: 0b3c460dcda9d212c72eb4bac21fd6a9730d4efbe6d7a4de151243ee67872557
Opcode Fuzzy Hash: bc90580dd0d3190dd1d1b8100d21031f4b80183bef340d0adcb68742fd6381f9
Instruction Fuzzy Hash: FB018F30E1A60E8FE751EFA484599B977E0FF19304F4245B6D418D70B6EE38E690C741

Function 00007FFD9B7EAD49 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ea000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7addf12432b09b669921e62b517c70cc2360a5ea48d5460670b80da564fb3190
Instruction ID: 8fc282bda5b706382289fd690a784f568fa6a047704754763c66c4b38fb8d431
Opcode Fuzzy Hash: 7addf12432b09b669921e62b517c70cc2360a5ea48d5460670b80da564fb3190
Instruction Fuzzy Hash: 1B01A730A4A74E5FD761EBB4C4596A97BF0EF05301F4205B3D009C70B6DE38E5548700

Function 00007FFD9B7F7A29 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f4000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5653e806e48909cc7a47b04a0fb09646cfd8e74139587874c0bd01b480352758
Instruction ID: c0e3163eb2ca20bfd3ad1558ef5e052fa39a0ce8ad8119882ed604b0b4387272
Opcode Fuzzy Hash: 5653e806e48909cc7a47b04a0fb09646cfd8e74139587874c0bd01b480352758
Instruction Fuzzy Hash: 79018430A5E74E9FE752A7B888696A97FE0EF06300F4605F3D018CB0B6DA38A644C751

Function 00007FFD9B7E2F59 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb8ce45363d9145d3caeade6275bd4356a74e06b1cf48fb46f6b0bfb5b44f13
Instruction ID: be3c5a43f28d857522403e4d9406a28f6a566a728bc3cc73e953c598093303bf
Opcode Fuzzy Hash: 9bb8ce45363d9145d3caeade6275bd4356a74e06b1cf48fb46f6b0bfb5b44f13
Instruction Fuzzy Hash: 01018471A1E74E8FE762A7B488695A97BE0EF15300F4605F6D409CB0B6EE28A5448701

Function 00007FFD9B7E0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32de2c57daeda8ccd67b084c006494a33726835c4568b9653c630d801ac4221a
Instruction ID: a090a8e9651b2fde35dff3977ee04fffe372e80dda372714ecbdb61018c000c6
Opcode Fuzzy Hash: 32de2c57daeda8ccd67b084c006494a33726835c4568b9653c630d801ac4221a
Instruction Fuzzy Hash: 6B016D30A1960E8AEB69EBA4C4686B973A0FF18305F51097EE41ED21F5DF35A650C600

Function 00007FFD9B7E0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8dfc66b9ab5905f93101f2f18662ffb3ffd3c4ed37b68c50bbc77d47f7df6db
Instruction ID: 72dcd18d1f05ad3daed851e5d093b69f1a840704cd01bdafb886eb03a5800b3c
Opcode Fuzzy Hash: f8dfc66b9ab5905f93101f2f18662ffb3ffd3c4ed37b68c50bbc77d47f7df6db
Instruction Fuzzy Hash: E2016D30A1960E9AEB6CEBA4C4686BD72A0FF58305F51097ED41ED61F5DE35E650C600

Function 00007FFD9B7E11D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256a913c7ba550121829308f0b941257f001b2c5cb85bd07644a1bc2ecfe7eb0
Instruction ID: 79f262be689087ddb600174b02a736105fc216188aaf164a2465de1e726fcda7
Opcode Fuzzy Hash: 256a913c7ba550121829308f0b941257f001b2c5cb85bd07644a1bc2ecfe7eb0
Instruction Fuzzy Hash: BFF0F470E0A74E8AEBA49BA48C2A3BE77E4BF59204F01053EE41EC24F1DE346610C201

Function 00007FFD9B7E1D0D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 990e744b6ca7f6a33915ec1c16667eca7a53295af0fa987d892537a371f0da03
Instruction ID: 8372d164cba2b75e45e12124df356c3260104bcd0b8d6160368a0add697b1ff6
Opcode Fuzzy Hash: 990e744b6ca7f6a33915ec1c16667eca7a53295af0fa987d892537a371f0da03
Instruction Fuzzy Hash: A701A430A0A78E8FDB59DF64C4666BA37A0FF15304F4105BAD80DC65B1CB35A990C740

Function 00007FFD9B7E05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b752a02799d567e574ce10ac963f41d198739a0ef24fa66a1916348565ef265b
Instruction ID: 1b071fbcfc36dba70498dfa42376b154fd7c70c3916f1097bc606f0709508356
Opcode Fuzzy Hash: b752a02799d567e574ce10ac963f41d198739a0ef24fa66a1916348565ef265b
Instruction Fuzzy Hash: 44F0F630A0A74E8FEB68EF6484666FE37A0EF05308F51057AE41DC25F1CE35A690C740

Function 00007FFD9B7EB4D9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ea000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abfef5baf87162da84018874c0b9eae4d1c20b5c0ea65ec15cf21731e3a01443
Instruction ID: e31cb3b31839689b2a8e7d7f272e82fdd57dc52e332335fc683e6206e5f1553f
Opcode Fuzzy Hash: abfef5baf87162da84018874c0b9eae4d1c20b5c0ea65ec15cf21731e3a01443
Instruction Fuzzy Hash: 5F011E70E0961E8ADB24DF90C450AFEB7B1AF54300F154676C009A22B5DA38A645CB90

Function 00007FFD9B7E27D9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1ff35f653aec09f51d354db68855c494c07b292c81b6c9a9508f7c833c1e3c
Instruction ID: dc02038a37882afb58346b0719b108ffa5bbcf6e7d9680981e1b3dc85869d12f
Opcode Fuzzy Hash: 6b1ff35f653aec09f51d354db68855c494c07b292c81b6c9a9508f7c833c1e3c
Instruction Fuzzy Hash: 5CF0F630A0E38E8FDB1A9F6088245B93BB0BF06204F4109BBD409C61F2DB389944C701

Function 00007FFD9B7E284D Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17338e7034d8e007b14fcfc24b9a984a6d5597a4f5a0f2e704a099e183e21fc9
Instruction ID: 76179327ef6c3f49c7b3dda66f32716becf2e468c86a1a7aed0cba4415c35a50
Opcode Fuzzy Hash: 17338e7034d8e007b14fcfc24b9a984a6d5597a4f5a0f2e704a099e183e21fc9
Instruction Fuzzy Hash: 39F09030A5A78E8FDB5D9FA488241F937A0FF55304F8105BAE819C91F1DF38A554C601

Function 00007FFD9B7F1080 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f1000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa305ecac5bf8f7a8937c4d448d7ee2ad19941b58ac9ea12ed99112aae07d41
Instruction ID: 0d65c732253c4d91d27c239d697fdbd75c4bdddb5acc00f117ab95a24e3d3127
Opcode Fuzzy Hash: baa305ecac5bf8f7a8937c4d448d7ee2ad19941b58ac9ea12ed99112aae07d41
Instruction Fuzzy Hash: B4F0FE30E15A4E8EEBA4EFA4D8696FE76E4FF18305F41053AE81DD21B0DB3466548784

Function 00007FFD9B7EBFEA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ea000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7cdcad9021802319240a5134c708812a733022afd1e1e92db60a67c64a9d86
Instruction ID: 063a10b5dd3ec6aa29c24dfba2efe4146a7bcab285dc4b6598d8bb937777b495
Opcode Fuzzy Hash: ed7cdcad9021802319240a5134c708812a733022afd1e1e92db60a67c64a9d86
Instruction Fuzzy Hash: 66D04274A0D64E8BDB58DF9889A56BD76A5FF58300F111629E40EE72B1DA346A009B40

Function 00007FFD9B7E0FC9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7e0000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf2c32b558cd7cbf32fbe6c3a1e25440587334dd1d142f2c2cd2f800235b25e
Instruction ID: 0e320fbb4b5db821befbade7dbe05556c5ed879804c7b91f990bf7ba5765789c
Opcode Fuzzy Hash: eaf2c32b558cd7cbf32fbe6c3a1e25440587334dd1d142f2c2cd2f800235b25e
Instruction Fuzzy Hash: D8E0EC30E1591D4AEB94EB54CC61FEEB671BF44304F5146B5D00DA32A5CE7869854B44

Function 00007FFD9B7F5794 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7f4000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a9cb6242cd312ba16e897809449edb827128319c94f332005911e0e1c9595d
Instruction ID: 7ebc4f51af634ec24f5ad909049ebe1b36f833e41e690780256b98eb99be2a1c
Opcode Fuzzy Hash: 76a9cb6242cd312ba16e897809449edb827128319c94f332005911e0e1c9595d
Instruction Fuzzy Hash: 9BD05E62E0AA1E9EEFA0EA5C80A45A97BE0EF28300F010139D44CC21B6DE2820028761

Non-executed Functions

Function 00007FFD9B7EF0B5 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

S, xrefs: 00007FFD9B7EF0BA
k, xrefs: 00007FFD9B7EF81B
0, xrefs: 00007FFD9B7EF179
", xrefs: 00007FFD9B7EF100

Memory Dump Source

Source File: 00000020.00000002.1772619852.00007FFD9B7EF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b7ef000_backgroundTaskHost.jbxd

Similarity

API ID:
String ID: "$0$S$k
API String ID: 0-2456877467
Opcode ID: 4ed355d1756b53b4e65e0b82e69da6c1aec4a28e7d8c33d72dda8e30b96f24cd
Instruction ID: 4c1945261375aa22af48d14475ccc460cc5e49cf52b58f9926e73243994d9b4d
Opcode Fuzzy Hash: 4ed355d1756b53b4e65e0b82e69da6c1aec4a28e7d8c33d72dda8e30b96f24cd
Instruction Fuzzy Hash: A621E574E0A62D8EEB64DF64D8943A9B7B1BF58300F0186E9D00DA72A0DB785B84CF51

Analysis Process: dllhost.exePID: 8156, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B7E35A5 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb695fdf9db5f34022788d502213a511d5effe1a44c35c731ede746d72276b9
Instruction ID: 44b6b73f207c140f32b1908bb212f69c9bf354c9c035cdcfe642887a7d009cea
Opcode Fuzzy Hash: 9fb695fdf9db5f34022788d502213a511d5effe1a44c35c731ede746d72276b9
Instruction Fuzzy Hash: B2A1A271A1994D8FEB99DB68C8657EDBBE1FF95300F4102BAD00DD72E6DB7428018741

Function 00007FFD9B7F1380 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

!, xrefs: 00007FFD9B7F1463
}, xrefs: 00007FFD9B7F13B7
(, xrefs: 00007FFD9B7F1C8E
", xrefs: 00007FFD9B7F1525
[, xrefs: 00007FFD9B7F1555

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID: !$"$($[$}
API String ID: 0-2884956333
Opcode ID: 3059fa0b24759567dfefde387121ab6af53d4afffa5158c4e290f64ef85f255f
Instruction ID: 9a2e354611c71a127452ea44731d950af01de9665402401c777b79cdcdf93cbb
Opcode Fuzzy Hash: 3059fa0b24759567dfefde387121ab6af53d4afffa5158c4e290f64ef85f255f
Instruction Fuzzy Hash: B371C570E0932E8EEBA4DF94C8647BDBAF1AF54300F1145AAD44DA72A1CB385A84CF54

Function 00007FFD9B7EECA8 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

K, xrefs: 00007FFD9B7F0356
X, xrefs: 00007FFD9B7F032B
{, xrefs: 00007FFD9B7F021F
C, xrefs: 00007FFD9B7F02D7

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID: C$K$X${
API String ID: 0-542216337
Opcode ID: ca19e24da7850059a005ec1ccfa3eecf69c7305d8f7f65f9a348a3deccddc761
Instruction ID: 5868a1d7b9e3f8aaa623331ded1fbab3bba01987d3762e8157f768261d8406c0
Opcode Fuzzy Hash: ca19e24da7850059a005ec1ccfa3eecf69c7305d8f7f65f9a348a3deccddc761
Instruction Fuzzy Hash: B441B570E0A62D8FEB68DF54D8A47E9B7B1BF55301F0146A9D40EA72A0CB785B80CF41

Function 00007FFD9B7F156E Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

{, xrefs: 00007FFD9B7F19B3
!, xrefs: 00007FFD9B7F1463
", xrefs: 00007FFD9B7F19C0

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID: !$"${
API String ID: 0-405082716
Opcode ID: 71ebe79db2d006af545c736345a49f7ced424b13323b40185071ae250e1ea7b3
Instruction ID: d784b745441f592ffc76acfbdd5a80fb5e1d0206150412b712aa2410efb19097
Opcode Fuzzy Hash: 71ebe79db2d006af545c736345a49f7ced424b13323b40185071ae250e1ea7b3
Instruction Fuzzy Hash: CB51B770E0532E8EEB68DF94C8647EDBBF1AF54300F5145AAD40DA72A1DB785A84CF44

Function 00007FFD9B7EFA23 Relevance: 3.8, Strings: 3, Instructions: 59COMMON

Download Yara Rule

Strings

h, xrefs: 00007FFD9B7EFA44
[, xrefs: 00007FFD9B7EFA37
I, xrefs: 00007FFD9B7EFAB8

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID: I$[$h
API String ID: 0-1861827793
Opcode ID: e744d4a70a338fe6817810561a939f8a561018e470fe9406c314a3d8001828c3
Instruction ID: 5c2413dce3d38c3b1cef7b9c6e4508a2331cb780da9eac740d1f47e49f6fabeb
Opcode Fuzzy Hash: e744d4a70a338fe6817810561a939f8a561018e470fe9406c314a3d8001828c3
Instruction Fuzzy Hash: 7A21B870E09A2D8FEBA4DF14C8547A9B7B2BF55301F4086E9D00DE62A5DB345A85CF41

Function 00007FFD9B7F42B0 Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

@, xrefs: 00007FFD9B7F43BC
, xrefs: 00007FFD9B7F4397

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: c0003970844b847f72aa6fdb6ca137f8e6f4d22ff7d0c976e6165924c48d3ee4
Instruction ID: ebbc5fbbfa6a46f1eedf47e51ac88151d3535a20e60c33c0124101c38f59f48a
Opcode Fuzzy Hash: c0003970844b847f72aa6fdb6ca137f8e6f4d22ff7d0c976e6165924c48d3ee4
Instruction Fuzzy Hash: 87419470E19A2D8FDBA5EB58C8657FCBAB1FF58301F5101B9D01DE32A1CA746A808F54

Function 00007FFD9B7EC9AD Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

%Kz, xrefs: 00007FFD9B7ECA6E

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID: %Kz
API String ID: 0-1743607883
Opcode ID: 11a8fcf28cf8be9454f8a2b0a60c2a2754d211b3ac574504da8d661d726f657f
Instruction ID: 2cc76cd23c4110a4ae36f5b607edd6969982541be155295d383f0ddc71ca9b4f
Opcode Fuzzy Hash: 11a8fcf28cf8be9454f8a2b0a60c2a2754d211b3ac574504da8d661d726f657f
Instruction Fuzzy Hash: 2441F52BF0D66A8AE711B67CB8254FD3760EF80339B1642B7D159C90F7DD28348686E0

Function 00007FFD9B7ECAFB Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

yM_^, xrefs: 00007FFD9B7ECB01

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID: yM_^
API String ID: 0-4274066417
Opcode ID: 219743c4d6b9b7126ef04772a4b073e56de73ad77a122eeedce671eb2b73ce2c
Instruction ID: b7079e7a626f4de7ab55ade987b1465e05616229b0766a2e87187ff12fa0de24
Opcode Fuzzy Hash: 219743c4d6b9b7126ef04772a4b073e56de73ad77a122eeedce671eb2b73ce2c
Instruction Fuzzy Hash: 2131D03AF0D35B4AEB16BBB8A4254FC3770AF45329F0642BBD01DC90F3CE2825818295

Function 00007FFD9B7F36C5 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a099a01a00547bea46ab83fcdedf43657a3612d228051dd100201dc1acd5a418
Instruction ID: d234e72c8da1847e939eb9caf1a01fb34bd996e3427cda35cd416f2e34287cdb
Opcode Fuzzy Hash: a099a01a00547bea46ab83fcdedf43657a3612d228051dd100201dc1acd5a418
Instruction Fuzzy Hash: 06518452B0F7C54FE713A77858791A87FB0AF53214B0A46FBD098CB0F7E918594483A6

Function 00007FFD9B7EDB89 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f40469d7790714fa42f1b96d7748aae4e279824af9e021797b0a375238909a1d
Instruction ID: ef66b38b797efe6e9768c2e6936316148871cd49a4bebdeacd2ea13d4a097205
Opcode Fuzzy Hash: f40469d7790714fa42f1b96d7748aae4e279824af9e021797b0a375238909a1d
Instruction Fuzzy Hash: BEE13D71E19A5D8FEBA8DF58C8A4BB8B7A1FF58300F4541BAD01DD72E6DA346940CB40

Function 00007FFD9B7F0A70 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ee19a95027eaf6f6f8d6450e7d5d0e735b1d2d09da906f240a4257568ae880
Instruction ID: 0df5f06be8487ba5c4d535562825eeca6e4382cb82721c35d6172d2d99110819
Opcode Fuzzy Hash: 99ee19a95027eaf6f6f8d6450e7d5d0e735b1d2d09da906f240a4257568ae880
Instruction Fuzzy Hash: 14D13970E1A65DCFDB68DFA8C4A4ABCBBB1FF59705F110179D00DA32A2CA386940CB45

Function 00007FFD9B7E1748 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb72d1fd919e9601c3803e59ac26cbf3055627d12bcfd475348d91f4c88a9f62
Instruction ID: d2d5fadd8fa6b60ffdbd9f4c4f8f7008aa26eba4e4bbff9bee26254931782c9b
Opcode Fuzzy Hash: cb72d1fd919e9601c3803e59ac26cbf3055627d12bcfd475348d91f4c88a9f62
Instruction Fuzzy Hash: CD81DF31B0DB494FDB58DE5888A65A977E2FF98310B15027EE45EC72B2DE34AD028780

Function 00007FFD9B7F2E3A Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe2d5071c932907dc49d04820a628fb6aa8a7b7b5afeb8de7b1adf9bb350ba81
Instruction ID: dd00d2bdaa1add8e525ab394ff475ffd5034af02434fb79c316dc770b3e52f89
Opcode Fuzzy Hash: fe2d5071c932907dc49d04820a628fb6aa8a7b7b5afeb8de7b1adf9bb350ba81
Instruction Fuzzy Hash: 4081D874E1561D8EDBA4EFA8C865BECB7B1FF58300F5141B9D00DE72A6DE346A818B40

Function 00007FFD9B7E1D8D Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f86958c02d64c87c31867975103b38c48628a520e812c396ddf97ce2aa9a33
Instruction ID: 5f6059d7a5637e159a72c561228d8bdb47a8e6e1e7b2ff829e89800da1db0c1c
Opcode Fuzzy Hash: 60f86958c02d64c87c31867975103b38c48628a520e812c396ddf97ce2aa9a33
Instruction Fuzzy Hash: 3D51CD31B08B4A8FDB5CDE5888655BA73E2FF98311B10467EE45EC72A5CE34EC028780

Function 00007FFD9B7EC359 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621df45ad43734a59a64e2da3d7476e1b22a7739e4794c28ae96547e4b25148e
Instruction ID: 889befcb132ba32058103da3fc1b630ffaf47175d7696d2619d4b620fec95b50
Opcode Fuzzy Hash: 621df45ad43734a59a64e2da3d7476e1b22a7739e4794c28ae96547e4b25148e
Instruction Fuzzy Hash: 01514D75E0961D8FEB64EBA8C4A56FD7BB1FF59300F51027AD009E72B2DE3869408B50

Function 00007FFD9B7E22F0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f772dae740f37c040b822f411631d88d2400fddd19519bdc0fb5f2c33e2c932
Instruction ID: 8501f4054c42f68d87ebd767b64b9d06bec5ce4c5d1a6bdd77cdc91a3253de16
Opcode Fuzzy Hash: 4f772dae740f37c040b822f411631d88d2400fddd19519bdc0fb5f2c33e2c932
Instruction Fuzzy Hash: 27516D30E0A61E8AEB78DB90C861BF9B3B1FF45304F1102B9D04E961B1DF796A85CB51

Function 00007FFD9B7E31F1 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075669263dc247814b557cc47856557d0abd7b7f27d715b4b02607154ed91b32
Instruction ID: 284f5db154ddd21a18986e16f2402cc0fb5b8fd1e8bc0ae06902d23f009923fd
Opcode Fuzzy Hash: 075669263dc247814b557cc47856557d0abd7b7f27d715b4b02607154ed91b32
Instruction Fuzzy Hash: 02510B70E0960D8FEB65DB98C464AEDB7B1EF58300F524179D409E72B1DE386A44CB60

Function 00007FFD9B7E21A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed100b9057923ccdd59345ba55f67e11b3d80806d5cee1bb177e5431acd44ec
Instruction ID: 4778ba1e3428df82a3a2da32c20cf62b51b7e14e0a5a871caa71833baebe7a0d
Opcode Fuzzy Hash: 4ed100b9057923ccdd59345ba55f67e11b3d80806d5cee1bb177e5431acd44ec
Instruction Fuzzy Hash: F4414A31B0E78D4FD765D7B888651B9BBE5EF46310F0606FBD449C71B6DE28AA018341

Function 00007FFD9B7EB13D Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff2e714a8414e41a290aa9b2b8bb8c98535eaccb30487131e69240ef4320a57
Instruction ID: bcc2916b29e0a9f8937e0a51d02d54e0c91df6575a24362ba5c3f05b7d71161b
Opcode Fuzzy Hash: dff2e714a8414e41a290aa9b2b8bb8c98535eaccb30487131e69240ef4320a57
Instruction Fuzzy Hash: 3F41C661F0E79A4BE721DBB888E91A87FA0FF51210F0506B6D069871F3EE24A5158341

Function 00007FFD9B7F2BBD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029640412775889066c6b7aa93583bd250601cc25c3aad0f204ca64ed4c88f12
Instruction ID: 51a98fe9de18a7af4ec22485070a5b3cd19bef29346271897974c257e637fa72
Opcode Fuzzy Hash: 029640412775889066c6b7aa93583bd250601cc25c3aad0f204ca64ed4c88f12
Instruction Fuzzy Hash: 46413970E1965E8FEB54EBD8D865AEDB7B1FF48300F410179E419E32A6CE346940CB81

Function 00007FFD9B7F3001 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb27fcbf3f86c7eee7f04c0eec9954dfe28c35698a154b602ebe8e50756d0e5
Instruction ID: e00c9ca9242d95fb2686677e044d7282c32cbd05d7086c06fad7cd90215fe84b
Opcode Fuzzy Hash: 0eb27fcbf3f86c7eee7f04c0eec9954dfe28c35698a154b602ebe8e50756d0e5
Instruction Fuzzy Hash: 8B41DA75E09A1D8FDBA4EFA8C855BACB7B1FF59300F5141AAD00DE72A1DE345981CB40

Function 00007FFD9B7EC408 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ad55decbc4f6499d30be1b8b5a448d2be4737383a97d9211d85a3cc77409ad
Instruction ID: 40fdb6ab28ccdc60b46154bcb9af44ce354cb3ab0d1abc12159c6c4e91cd5427
Opcode Fuzzy Hash: 82ad55decbc4f6499d30be1b8b5a448d2be4737383a97d9211d85a3cc77409ad
Instruction Fuzzy Hash: E331DE75E0DA1D8EEBA4EBA8D4A5ABCB7B1FF59300F510239D00DD3271DE2469418B40

Function 00007FFD9B7EC480 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eefc4c9d0d29462efe00eb436d9586022fe747024cfb1fe929d95f13c185bdcd
Instruction ID: 6c084406ec3b7ccfc7238e08cb89e8ebe2d825f90244eb618f8c79d4ab68aa99
Opcode Fuzzy Hash: eefc4c9d0d29462efe00eb436d9586022fe747024cfb1fe929d95f13c185bdcd
Instruction Fuzzy Hash: 54310374E0DA1D8FEFA4EBA894A56BC7BB1FF59300F510279D00DD72B2DE2469418750

Function 00007FFD9B7ECAD3 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2b8af80708d8c46a3daa01488f262ce3d3de46cfe8312c8f0b6c851bcc29a5
Instruction ID: 6c66028bf110f86e751dd38778996cb27c97176e07d4ed0d0d34c0b77be3d9a1
Opcode Fuzzy Hash: 6e2b8af80708d8c46a3daa01488f262ce3d3de46cfe8312c8f0b6c851bcc29a5
Instruction Fuzzy Hash: 4321E43AF0939E4AEB15BBB8A8254FD7770EF41329F0642B7D41DC60F7CE2825848694

Function 00007FFD9B7F3EFA Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9adb89f7ae3b55dc07c85e624e4fe5cd62f510f7eb2992b224ef2648ca923a0f
Instruction ID: ab40f93b4c841ec99b7c4c3dfdd3b541bc29567d15fe76eca50ce494a0388757
Opcode Fuzzy Hash: 9adb89f7ae3b55dc07c85e624e4fe5cd62f510f7eb2992b224ef2648ca923a0f
Instruction Fuzzy Hash: 21313832F0D68A8FE751EBA898691E83BF0EF45310F0605F7D458CB1A3EE24A6448364

Function 00007FFD9B7E32C6 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6f753377066a9392b5e6c82b35592846befca4599d4989b6b4544024e38904
Instruction ID: 242bd46ffd4700a19f89f024fa82608974a8183ae17615adfff6c1b3250f24e2
Opcode Fuzzy Hash: ab6f753377066a9392b5e6c82b35592846befca4599d4989b6b4544024e38904
Instruction Fuzzy Hash: AE21A571E1961D8FEB64DBD8C4A4AECBBB1EF58301F520179D409A72B1CA386941CB10

Function 00007FFD9B7E33F8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a431c6b3df78dec71bae0301ab19c017079919d3eb492bffbf0686f3a2d93691
Instruction ID: 87ecc5579ae01c9a61de4ed2fb44f74a40a309c5ae52fe962f47fe1c3f6123a5
Opcode Fuzzy Hash: a431c6b3df78dec71bae0301ab19c017079919d3eb492bffbf0686f3a2d93691
Instruction Fuzzy Hash: EC21813094E79A9FD743ABB488586A57BF4FF06310F0605F7D054CB0B2DA389545C721

Function 00007FFD9B7F3545 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a1f7c3d50f90cbb05bb4e751427cfeeb25aa68bc8d071493a96cde7b74d001
Instruction ID: 2a9845db45e32b4d542c21bab4d3b7fe4db50b479bd32373947611a5269f778c
Opcode Fuzzy Hash: d7a1f7c3d50f90cbb05bb4e751427cfeeb25aa68bc8d071493a96cde7b74d001
Instruction Fuzzy Hash: C711AF31F0964E8EEB61EBB888656ED7BB1FF99300F020676D008D71A6DA24A54087A1

Function 00007FFD9B7E084D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d95847952a2bbfc583524573f0d970eecf319c2680461f22b4a2aee608ab9f
Instruction ID: 025b66b69dc90df47ea2906d4dc01b441e90bc7fc32f9741df74bd2bf1cf6263
Opcode Fuzzy Hash: e2d95847952a2bbfc583524573f0d970eecf319c2680461f22b4a2aee608ab9f
Instruction Fuzzy Hash: A8113630B0920E8FEB11EBB8C4A99E937E0EF45304F0645B6D419DB0BBDD34A544C291

Function 00007FFD9B7E0A01 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ceeb0a326c067c68b82926fc2780ee50b9dac728451635d95b5a2a33537d411
Instruction ID: f6ef1ef6089b4aeeb8a081aeae69650abc3aa4cd1e4af9d52536b5839a2b3df7
Opcode Fuzzy Hash: 5ceeb0a326c067c68b82926fc2780ee50b9dac728451635d95b5a2a33537d411
Instruction Fuzzy Hash: 71118F31E1960E8FEB90EFA8885A5BD77E1FF58700F4146B6D418C61B6EE34A6408740

Function 00007FFD9B7F4B85 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a4b014dc7b7938284c789dfa98df29f34ac1a049ba758ccf6640f150185e18
Instruction ID: f595fbe0f3dddf37aedb299c8b5021f7e234a1deb3039aef36b6e4e279dfcef1
Opcode Fuzzy Hash: 86a4b014dc7b7938284c789dfa98df29f34ac1a049ba758ccf6640f150185e18
Instruction Fuzzy Hash: 8F11A230E0964E8FDB58EFA884696BD7BB0FF58301F0102BED41DC61A6DA346540C780

Function 00007FFD9B7EC9A8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d80f681c9ee574ff66368de625f9aee27fcafad6bebaf360e90a3808f7fba5
Instruction ID: c864997e0163632ebf56dafd8b936b3b0b96dcbcaa1be5c87a5218d50efd4836
Opcode Fuzzy Hash: 72d80f681c9ee574ff66368de625f9aee27fcafad6bebaf360e90a3808f7fba5
Instruction Fuzzy Hash: DE119E30F0960E9EEF64DBA8D4246FEBBA5EF49300F11053BD01EE31A0DA35A9508796

Function 00007FFD9B7F28B1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534324bb7f2d6866370ba5e037ffb85a359564915c5cecfc53121c6d830ea322
Instruction ID: 416b2c718a487c2b731ec3cd0a026c8f149e93733afe9dd24ee1caace66c0372
Opcode Fuzzy Hash: 534324bb7f2d6866370ba5e037ffb85a359564915c5cecfc53121c6d830ea322
Instruction Fuzzy Hash: AF11AC70A0974D8FDB58DF58C4A51E93BA0FF68304F42027EE80A931A1CB34A640CB80

Function 00007FFD9B7F4AE9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2065d236b11cca129e09d656bf02c7a574b9d5efc1fe4bfc9a6e0d975e9774
Instruction ID: 57db9924e946491abddddfcca4e2014f703912c3a1fd8d16c4a8b684a19ce1a9
Opcode Fuzzy Hash: 4f2065d236b11cca129e09d656bf02c7a574b9d5efc1fe4bfc9a6e0d975e9774
Instruction Fuzzy Hash: DF216D30A0E68E8FEB59EF6884692B97BB0FF58301F0102BFD419C65B6DA346540C781

Function 00007FFD9B7F5025 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248fc13e1f37abf995a0f358d38db43daa1d98df59c1a59bdab991ea7cf4969a
Instruction ID: cf1a16ed6b55d4fc46ffbd828212a01b4f069b965bf1ae10f2b193689d86cd59
Opcode Fuzzy Hash: 248fc13e1f37abf995a0f358d38db43daa1d98df59c1a59bdab991ea7cf4969a
Instruction Fuzzy Hash: 0F11B271B0EB8E4BEB69DF74C8B52B87BA0EF55300F0601BED419865B2DE256550C781

Function 00007FFD9B7EDA2F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3b17863cbbc5c2371a1197e69d8b6ba35e9ff68241fdfa21bc6a59cb7965af
Instruction ID: 77efa2b42ab6ae2a983b7ef47ceab24a7f403f70e7d760d38fba8e4033b51893
Opcode Fuzzy Hash: 1e3b17863cbbc5c2371a1197e69d8b6ba35e9ff68241fdfa21bc6a59cb7965af
Instruction Fuzzy Hash: 53219370E0561D8FDB50DFA8C8946EDBBF1EF18311F11162AD419E72B1DA786A448B50

Function 00007FFD9B7F5399 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d944dbef89367d4d26102d95a6f862822cc770af79c3b9635ff26cafb80593e6
Instruction ID: 33bdbd2da25b80dab35436bdd1064f086bac68142a2720a161f71f448401129e
Opcode Fuzzy Hash: d944dbef89367d4d26102d95a6f862822cc770af79c3b9635ff26cafb80593e6
Instruction Fuzzy Hash: 2011B130A0A78E8FEB55EB68C8692BD7FE0FF14304F0105BAC419C71B2DE7465448741

Function 00007FFD9B7ECB90 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7bc9894128c2a85e5cbde9e91a904b1c6f4b02c6db53b8bc508f919c28fe3b
Instruction ID: fbb3764e073860a9954f898850eb42b5e2dc21cd6c0ce99b910d3c327abf26ff
Opcode Fuzzy Hash: ca7bc9894128c2a85e5cbde9e91a904b1c6f4b02c6db53b8bc508f919c28fe3b
Instruction Fuzzy Hash: C4114F30E0974E8FDB56EB6488695B97BB0FF09304F0105BBD419D61B6DE346A50C750

Function 00007FFD9B7E11BD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5331ebb53aa9d442f9fce00aa3de3f96eebfe4c75221a9d051de48059a8a37b9
Instruction ID: 4ff4ecef20118a65576a2b83ba56fbcdd783eaa53e31a9829b9ad3dc4e02c9db
Opcode Fuzzy Hash: 5331ebb53aa9d442f9fce00aa3de3f96eebfe4c75221a9d051de48059a8a37b9
Instruction Fuzzy Hash: C311B671E0A64E4EEB65DBA4887A6BD7BE0FF59305F0105BED41AC64F1DA346650C700

Function 00007FFD9B7EBE85 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e560a6579a654e242267769bad8a1b02981cd2fb017cc4b44689ddac99333c
Instruction ID: 429b4cd7001047f6a255734f9b20a1d4e4bfe9e985bb84cbe8b7af9d7a7e37d0
Opcode Fuzzy Hash: 13e560a6579a654e242267769bad8a1b02981cd2fb017cc4b44689ddac99333c
Instruction Fuzzy Hash: 6A115231E0A64E8FEB55EFA4C4A96BD7BE0FF18300F5105BAD419C62B1DB35A650C740

Function 00007FFD9B7EC040 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9981480c0e1202cc48577e46dc4305755db11e8f905983fdb50387d5c92c75fb
Instruction ID: 89e7b6242b83bcce227004e7ac7b7c302bc7d883d53318f9420c829108aeb5bf
Opcode Fuzzy Hash: 9981480c0e1202cc48577e46dc4305755db11e8f905983fdb50387d5c92c75fb
Instruction Fuzzy Hash: EE11B374E0960E8FDB64DF98D8A4AEDB7B1EF58310F01422AD419E62B1DB346A40CB40

Function 00007FFD9B7F2D11 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39aec920abaa056c2ff43cb88cafc21863e2b08cca6dd8f358b8961ea36f7983
Instruction ID: ff3189690f96ddda4c16d0a1fb5f1c5ed344caa75334e560f7739f1f179748cb
Opcode Fuzzy Hash: 39aec920abaa056c2ff43cb88cafc21863e2b08cca6dd8f358b8961ea36f7983
Instruction Fuzzy Hash: 67018431E1964E8FEB51EBB4845D5F97FE0FF19300F4146B6E418C6075DA78A2858780

Function 00007FFD9B7F530D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f25db396dd7d715fd32c684989227ac28a79c5bcbcef30050ae88438ac6726
Instruction ID: f0a50121c913799d39df171f92a00f1520191ae6b721aef8fb0df2d54ee3e1ed
Opcode Fuzzy Hash: 35f25db396dd7d715fd32c684989227ac28a79c5bcbcef30050ae88438ac6726
Instruction Fuzzy Hash: FE11E030E0968E8FEB58EB68C8296B97BE0FF19304F0505BAD41DC61B2DF346540C740

Function 00007FFD9B7F1202 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb897f5fdcf52ecb7383286179477369fa76c35c01460f8e52914699ecf8fe5
Instruction ID: ce069ef8d5b8c70f623153359c10216a475244089380a901710901f04120d3ee
Opcode Fuzzy Hash: 8fb897f5fdcf52ecb7383286179477369fa76c35c01460f8e52914699ecf8fe5
Instruction Fuzzy Hash: 1A21C670E0932D8BEB68DF84C8A4BF8B7F1AB54300F1141AAD00DA72A1CB385A84DF45

Function 00007FFD9B7F514D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74090f097db981cee707adfd098720747d2283e7538dbda863972a8c2abfbeea
Instruction ID: 5ede7dd8cd7ff6906612b441545d6716d76bbfae140b7ade9c05894ced725d9a
Opcode Fuzzy Hash: 74090f097db981cee707adfd098720747d2283e7538dbda863972a8c2abfbeea
Instruction Fuzzy Hash: 1F119D70A4A64E8FEB69EB68C8796BD7BE0FF18304F0105BAD419C61A2DE347540C741

Function 00007FFD9B7E3525 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c786bab12f2381966ccd63788dc18c305dcc5e52f9f9f54181419ad533febb
Instruction ID: 4825f9dfea0aa4e17dcbceb30a5c5b2a1b0aa73ee1641ffce400abdc4a1d7eb0
Opcode Fuzzy Hash: 86c786bab12f2381966ccd63788dc18c305dcc5e52f9f9f54181419ad533febb
Instruction Fuzzy Hash: 29113C70E1A68E8FDB59EB6484695BD7BA0FF18304F4205BED419C62B1DA35A640C700

Function 00007FFD9B7F2B45 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea74297eb95c030b184e4e7de317d4ef589a3593d7e4b228129fe3a8eddfa10
Instruction ID: 5ce57395586417e644f97a79d782221a86439374e6d74070a3a7c29ee9ed6fed
Opcode Fuzzy Hash: 7ea74297eb95c030b184e4e7de317d4ef589a3593d7e4b228129fe3a8eddfa10
Instruction Fuzzy Hash: 53019230A0A64E8FDB659FA084685F97BB0FF19304F8205BEE80DC60B2DE35A540C700

Function 00007FFD9B7E2EE1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ddb02bd46d38aa4306b7854cc4db6e85dc64220693571ff913c37f97d8e8cfc
Instruction ID: 2486b04fb1c7517ff4277a11b4d1c53cb49eec2f6c69bf7fe9d069bfa5b1924b
Opcode Fuzzy Hash: 5ddb02bd46d38aa4306b7854cc4db6e85dc64220693571ff913c37f97d8e8cfc
Instruction Fuzzy Hash: 74018F71E1E74E8FE761EBA488695B97BE0EF19300F4606B6D408CA0B6EA34E6548700

Function 00007FFD9B7E05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767a20ab8d94e3fa93661c06d6199d9ca0d36ef7a86098a03307fc0764f16c38
Instruction ID: b5e80b6cd77655702bdb6533a349a4603707a556713f03e17641e7ca096bc2fa
Opcode Fuzzy Hash: 767a20ab8d94e3fa93661c06d6199d9ca0d36ef7a86098a03307fc0764f16c38
Instruction Fuzzy Hash: 34019E30A09A0E8FDB68EF64C4666BE77A1FF58304F5105BED41EC65B4CE31A690CB40

Function 00007FFD9B7ED98B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf93eeb85bc72eadfef0610ac271494ccbcd7673d4c2a5dbb214165a4b09c20
Instruction ID: 36a3bcc202955c90f292d56b63a2387f8f08d7d2d5e10aeb6bb86ee59c918f66
Opcode Fuzzy Hash: 4cf93eeb85bc72eadfef0610ac271494ccbcd7673d4c2a5dbb214165a4b09c20
Instruction Fuzzy Hash: 98119370E0561D8FDB50EFA8C8946EDBBF1FF18311F11162AD419E72B1DB74A9848B50

Function 00007FFD9B7F1080 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3e1114b5d633295fee2883400727776caca90cce088c7c619130bf0c7e7468
Instruction ID: a86c0d22bbfe9cb5727765f627ff198724da783bd03a6766b794a7951c78f18f
Opcode Fuzzy Hash: 6b3e1114b5d633295fee2883400727776caca90cce088c7c619130bf0c7e7468
Instruction Fuzzy Hash: 96015A30E15A4E8EEB94EBA4C4696BE7BE0FF18304F11097AE41AD21A4DE31A650CB40

Function 00007FFD9B7E28BD Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc90580dd0d3190dd1d1b8100d21031f4b80183bef340d0adcb68742fd6381f9
Instruction ID: 0b3c460dcda9d212c72eb4bac21fd6a9730d4efbe6d7a4de151243ee67872557
Opcode Fuzzy Hash: bc90580dd0d3190dd1d1b8100d21031f4b80183bef340d0adcb68742fd6381f9
Instruction Fuzzy Hash: FB018F30E1A60E8FE751EFA484599B977E0FF19304F4245B6D418D70B6EE38E690C741

Function 00007FFD9B7EAD49 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4fb9465c9f7a8ef01b47ceb8e5d59ae21c5043896ba6594b63113571a38aee6
Instruction ID: 8fc282bda5b706382289fd690a784f568fa6a047704754763c66c4b38fb8d431
Opcode Fuzzy Hash: f4fb9465c9f7a8ef01b47ceb8e5d59ae21c5043896ba6594b63113571a38aee6
Instruction Fuzzy Hash: 1B01A730A4A74E5FD761EBB4C4596A97BF0EF05301F4205B3D009C70B6DE38E5548700

Function 00007FFD9B7E2F59 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb8ce45363d9145d3caeade6275bd4356a74e06b1cf48fb46f6b0bfb5b44f13
Instruction ID: be3c5a43f28d857522403e4d9406a28f6a566a728bc3cc73e953c598093303bf
Opcode Fuzzy Hash: 9bb8ce45363d9145d3caeade6275bd4356a74e06b1cf48fb46f6b0bfb5b44f13
Instruction Fuzzy Hash: 01018471A1E74E8FE762A7B488695A97BE0EF15300F4605F6D409CB0B6EE28A5448701

Function 00007FFD9B7F1061 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a165a7e17a9dcfe3c5b813afe7ff505addc02fb68a288e1f827d3a6e470f64db
Instruction ID: 9262d8d16ab9977a5ee3ca0d1c46c8466d39c3751c0aa0a88d811c34ab86b023
Opcode Fuzzy Hash: a165a7e17a9dcfe3c5b813afe7ff505addc02fb68a288e1f827d3a6e470f64db
Instruction Fuzzy Hash: 7CF08130E0A78E8FDB65DF6488692BD7FB0FF15200F4506BAE818C21B2DB385654C780

Function 00007FFD9B7E0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32de2c57daeda8ccd67b084c006494a33726835c4568b9653c630d801ac4221a
Instruction ID: a090a8e9651b2fde35dff3977ee04fffe372e80dda372714ecbdb61018c000c6
Opcode Fuzzy Hash: 32de2c57daeda8ccd67b084c006494a33726835c4568b9653c630d801ac4221a
Instruction Fuzzy Hash: 6B016D30A1960E8AEB69EBA4C4686B973A0FF18305F51097EE41ED21F5DF35A650C600

Function 00007FFD9B7E0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8dfc66b9ab5905f93101f2f18662ffb3ffd3c4ed37b68c50bbc77d47f7df6db
Instruction ID: 72dcd18d1f05ad3daed851e5d093b69f1a840704cd01bdafb886eb03a5800b3c
Opcode Fuzzy Hash: f8dfc66b9ab5905f93101f2f18662ffb3ffd3c4ed37b68c50bbc77d47f7df6db
Instruction Fuzzy Hash: E2016D30A1960E9AEB6CEBA4C4686BD72A0FF58305F51097ED41ED61F5DE35E650C600

Function 00007FFD9B7E11D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256a913c7ba550121829308f0b941257f001b2c5cb85bd07644a1bc2ecfe7eb0
Instruction ID: 79f262be689087ddb600174b02a736105fc216188aaf164a2465de1e726fcda7
Opcode Fuzzy Hash: 256a913c7ba550121829308f0b941257f001b2c5cb85bd07644a1bc2ecfe7eb0
Instruction Fuzzy Hash: BFF0F470E0A74E8AEBA49BA48C2A3BE77E4BF59204F01053EE41EC24F1DE346610C201

Function 00007FFD9B7EAE18 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d8092ddcf080a11e0ed2bb2036e13377c7e22d0b0497026f99dd454aa538fb
Instruction ID: 2cbc9e1bd138af8eb11cdf128f0feee5e3f0279a027345b94710a7ba01890254
Opcode Fuzzy Hash: b8d8092ddcf080a11e0ed2bb2036e13377c7e22d0b0497026f99dd454aa538fb
Instruction Fuzzy Hash: 94F08130B5960E8BDF68EBA4C4646B976A0EF08304F91057AE41EC21F5DE357650CA94

Function 00007FFD9B7E1D0D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 990e744b6ca7f6a33915ec1c16667eca7a53295af0fa987d892537a371f0da03
Instruction ID: 8372d164cba2b75e45e12124df356c3260104bcd0b8d6160368a0add697b1ff6
Opcode Fuzzy Hash: 990e744b6ca7f6a33915ec1c16667eca7a53295af0fa987d892537a371f0da03
Instruction Fuzzy Hash: A701A430A0A78E8FDB59DF64C4666BA37A0FF15304F4105BAD80DC65B1CB35A990C740

Function 00007FFD9B7E05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e334d0fca3998bf025f4d167ab38553dcd53f84541e5b5b9046e8ea1c45817c
Instruction ID: 1b071fbcfc36dba70498dfa42376b154fd7c70c3916f1097bc606f0709508356
Opcode Fuzzy Hash: 5e334d0fca3998bf025f4d167ab38553dcd53f84541e5b5b9046e8ea1c45817c
Instruction Fuzzy Hash: 44F0F630A0A74E8FEB68EF6484666FE37A0EF05308F51057AE41DC25F1CE35A690C740

Function 00007FFD9B7F26D1 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e537f637be3af5804ee92121365b2ee2f219b0f735252b01b30a9f1e1efff1d
Instruction ID: f157a00d195428007d18d7e13362bea0eb2eaf3ef0ea29b1921a198f82671cdb
Opcode Fuzzy Hash: 5e537f637be3af5804ee92121365b2ee2f219b0f735252b01b30a9f1e1efff1d
Instruction Fuzzy Hash: 3EF08231F5A38E8BDF655FA088256FA3B60AF05214F8515BAF81DC60B2DA38A5508A91

Function 00007FFD9B7EB4D9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca8bf35916d4899d0d762d670cbf5feb1fdb93d91ec4ce921e0d35f9b651313
Instruction ID: e31cb3b31839689b2a8e7d7f272e82fdd57dc52e332335fc683e6206e5f1553f
Opcode Fuzzy Hash: 1ca8bf35916d4899d0d762d670cbf5feb1fdb93d91ec4ce921e0d35f9b651313
Instruction Fuzzy Hash: 5F011E70E0961E8ADB24DF90C450AFEB7B1AF54300F154676C009A22B5DA38A645CB90

Function 00007FFD9B7E27D9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1ff35f653aec09f51d354db68855c494c07b292c81b6c9a9508f7c833c1e3c
Instruction ID: dc02038a37882afb58346b0719b108ffa5bbcf6e7d9680981e1b3dc85869d12f
Opcode Fuzzy Hash: 6b1ff35f653aec09f51d354db68855c494c07b292c81b6c9a9508f7c833c1e3c
Instruction Fuzzy Hash: 5CF0F630A0E38E8FDB1A9F6088245B93BB0BF06204F4109BBD409C61F2DB389944C701

Function 00007FFD9B7E284D Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17338e7034d8e007b14fcfc24b9a984a6d5597a4f5a0f2e704a099e183e21fc9
Instruction ID: 76179327ef6c3f49c7b3dda66f32716becf2e468c86a1a7aed0cba4415c35a50
Opcode Fuzzy Hash: 17338e7034d8e007b14fcfc24b9a984a6d5597a4f5a0f2e704a099e183e21fc9
Instruction Fuzzy Hash: 39F09030A5A78E8FDB5D9FA488241F937A0FF55304F8105BAE819C91F1DF38A554C601

Function 00007FFD9B7EBFEA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7cdcad9021802319240a5134c708812a733022afd1e1e92db60a67c64a9d86
Instruction ID: 063a10b5dd3ec6aa29c24dfba2efe4146a7bcab285dc4b6598d8bb937777b495
Opcode Fuzzy Hash: ed7cdcad9021802319240a5134c708812a733022afd1e1e92db60a67c64a9d86
Instruction Fuzzy Hash: 66D04274A0D64E8BDB58DF9889A56BD76A5FF58300F111629E40EE72B1DA346A009B40

Function 00007FFD9B7E0FC9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945786b0820b168b1a8171ebdc79fd1872a590ca345bde8bc3f0180f5f465c28
Instruction ID: 7a9d0102a037b684a4581e47e89291a9a63769508d660254b82c801fc3790faa
Opcode Fuzzy Hash: 945786b0820b168b1a8171ebdc79fd1872a590ca345bde8bc3f0180f5f465c28
Instruction Fuzzy Hash: ABE0EC30E1591D4AEB94EB54CC61FEEB671BF44304F1146B5D00DA32A5CE3869854B44

Non-executed Functions

Function 00007FFD9B7EE9FC Relevance: 5.1, Strings: 4, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B7EFA14
u, xrefs: 00007FFD9B7EFC65
d, xrefs: 00007FFD9B7EFC72
O, xrefs: 00007FFD9B7EEA44

Memory Dump Source

Source File: 00000022.00000002.1769846204.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9b7e0000_dllhost.jbxd

Similarity

API ID:
String ID: /$O$d$u
API String ID: 0-1393434931
Opcode ID: 7374ba1121dffed9b97e869ca458ac7ce73e4178c957f4582dd3eb805471d8f9
Instruction ID: 01f41cf870ce5e2b96e6637973443627987103b890e5e50a24dcb4ea42d18d49
Opcode Fuzzy Hash: 7374ba1121dffed9b97e869ca458ac7ce73e4178c957f4582dd3eb805471d8f9
Instruction Fuzzy Hash: BE51B870E0966E8FEBA8DF54C8947E9B7B1BF54301F0146BAD40DA72A5DB349A80CF40

Analysis Process: dllhost.exePID: 8184, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B7D35A5 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9274243917f6687a94f05b66a2a870213acca0fa172338a90551531ee2345d7
Instruction ID: 9d27b43ca56c1b299029e94b7cf98a4e941b23751274695df88da8361542d4dd
Opcode Fuzzy Hash: f9274243917f6687a94f05b66a2a870213acca0fa172338a90551531ee2345d7
Instruction Fuzzy Hash: 00A1E171A09A4D8FEB98DB68C8647EDBBE1FF95344F4102BAD009D32E6DFA428058741

Function 00007FFD9B7E1380 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

[, xrefs: 00007FFD9B7E1555
(, xrefs: 00007FFD9B7E1C8E
", xrefs: 00007FFD9B7E1525
}, xrefs: 00007FFD9B7E13B7
!, xrefs: 00007FFD9B7E1463

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID: !$"$($[$}
API String ID: 0-2884956333
Opcode ID: 3059fa0b24759567dfefde387121ab6af53d4afffa5158c4e290f64ef85f255f
Instruction ID: 3d18ec6e051f05243fde70490ef07a03289f14494a16f0f982c13b2aade61c03
Opcode Fuzzy Hash: 3059fa0b24759567dfefde387121ab6af53d4afffa5158c4e290f64ef85f255f
Instruction Fuzzy Hash: 0B71D674E0932D8EEB64DF94C865BEDB6F1AF45300F5146BAD04DA72A1CB385A84CF10

Function 00007FFD9B7DECA8 Relevance: 5.1, Strings: 4, Instructions: 95COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFD9B7E032B
K, xrefs: 00007FFD9B7E0356
C, xrefs: 00007FFD9B7E02D7
{, xrefs: 00007FFD9B7E021F

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID: C$K$X${
API String ID: 0-542216337
Opcode ID: c6ef96a407f4a4a0caa2271bb08d333fe2ae69b62fcf1825705b274534c2c3f2
Instruction ID: b1a1d994e6362126da511de93a2d6eeaaa486b6cbb85c1cf79f7af924d33b3d5
Opcode Fuzzy Hash: c6ef96a407f4a4a0caa2271bb08d333fe2ae69b62fcf1825705b274534c2c3f2
Instruction Fuzzy Hash: 3241C470E0A62D8FEB68CF54D8A47E9B7B1BF95341F0146A9D40DA62A0CB785B84CF41

Function 00007FFD9B7E156E Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

{, xrefs: 00007FFD9B7E19B3
", xrefs: 00007FFD9B7E19C0
!, xrefs: 00007FFD9B7E1463

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID: !$"${
API String ID: 0-405082716
Opcode ID: 3687381b1f71c38273044cbbcda69480e0e4f84285745f5d63ec251e234d0817
Instruction ID: f19dcfc9979cd49bde477c72245f82253ea819f110e1ae3663f16668ea2f4efc
Opcode Fuzzy Hash: 3687381b1f71c38273044cbbcda69480e0e4f84285745f5d63ec251e234d0817
Instruction Fuzzy Hash: 7251C670E0532E8EEB68DF94C8657EDB6F1AF05300F5146AAD40EA72A1CB785A84CF00

Function 00007FFD9B7DFA23 Relevance: 3.8, Strings: 3, Instructions: 59COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9B7DFAB8
[, xrefs: 00007FFD9B7DFA37
h, xrefs: 00007FFD9B7DFA44

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID: I$[$h
API String ID: 0-1861827793
Opcode ID: ccb596000d73a71f72fa40e28b889031058322510eb3899460411f7249d41539
Instruction ID: c1c2e7345d86a2392c2f37573bd078a1d49bb165ebe2cca202fd95e33d2079ac
Opcode Fuzzy Hash: ccb596000d73a71f72fa40e28b889031058322510eb3899460411f7249d41539
Instruction Fuzzy Hash: 9821EA70E09A2D8FDB64DF14C8507A9B7B2FB94301F0086E9D00DE72A5DB345A85CF01

Function 00007FFD9B7E42B0 Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9B7E4397
@, xrefs: 00007FFD9B7E43BC

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: a363e5470d560fefad21039028279d77899849b0aaa58724aed2ec9de590e592
Instruction ID: 828eedb9f9400a73d8d2101e7a6a810ba1a7bedbf4c81c79b1a68ba52940b6f0
Opcode Fuzzy Hash: a363e5470d560fefad21039028279d77899849b0aaa58724aed2ec9de590e592
Instruction Fuzzy Hash: 22419070E19A2D8EDBA5EB58C8657FCB6B1EF59301F5102E9D00DE32B1CA746A808F50

Function 00007FFD9B7DC9AD Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

%Kz, xrefs: 00007FFD9B7DCA6E

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID: %Kz
API String ID: 0-1743607883
Opcode ID: 2ca0305a81f81797754847d6fc9cfb163f538536e0f4f8e72467c3cfd113744a
Instruction ID: bd373418d42d9c7f3eae10b7d9393c2e4346f308461c391c31d21a74cd025ff4
Opcode Fuzzy Hash: 2ca0305a81f81797754847d6fc9cfb163f538536e0f4f8e72467c3cfd113744a
Instruction Fuzzy Hash: 5741E027B0966A8AE711B7ACB8254FD3760EFC0379F1643B3D15DC90A3DD28718A86D4

Function 00007FFD9B7DCAFB Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

yN_^, xrefs: 00007FFD9B7DCB01

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID: yN_^
API String ID: 0-4236750248
Opcode ID: 8733a724a48d7562ec69500d22079d86ab02fc96fb80198af89880b09aa3a610
Instruction ID: 351b2ed3bc2f84a4e46bf1da1e8a27dfd30e0d6d39df0aee8f2607f4678fb922
Opcode Fuzzy Hash: 8733a724a48d7562ec69500d22079d86ab02fc96fb80198af89880b09aa3a610
Instruction Fuzzy Hash: D031F022F4D35B4AEB16BBB8A8254FC7770AF81369F060377D11DC90F3CE2865898295

Function 00007FFD9B7E36C5 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c2b37b04296c376f070d68b38c586b035b9ae275235a751f2f1fb4eb38cde4b
Instruction ID: 4fc6bf20ba86eaf0a149dc64beacef10c5b8f28468f78a9278afc6cd2d605959
Opcode Fuzzy Hash: 5c2b37b04296c376f070d68b38c586b035b9ae275235a751f2f1fb4eb38cde4b
Instruction Fuzzy Hash: A1518452A0F7D60FE723A7B85C791A97FB0EF52214B0A45FBD098CB0F7E91869448352

Function 00007FFD9B7DDB89 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7627631bd7a94928bd6c57c5c2079bfd4641be5c4800080b6f8e96c0beafe95
Instruction ID: 06b742db6e6c1fde55135ac1767b5e45e0ce46bf962a165e66b84145282239f8
Opcode Fuzzy Hash: f7627631bd7a94928bd6c57c5c2079bfd4641be5c4800080b6f8e96c0beafe95
Instruction Fuzzy Hash: 67E15E71E19A5D8FDBA8DF58C8A5BB8B7A1FF58340F4402BAD00DD72E6CA346944CB40

Function 00007FFD9B7E0A70 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa49321da63b735014d68d2dc7aa5545f8340a631c9521b33ccec47d85fe564b
Instruction ID: df94abbb1363fcab2d45e22bd3126724e1403921be65a07d5e6b1172c35ec8a2
Opcode Fuzzy Hash: fa49321da63b735014d68d2dc7aa5545f8340a631c9521b33ccec47d85fe564b
Instruction Fuzzy Hash: CED13A70E1A65D8FDB68DBA8C4A5ABCB7B1FF19705F1101B9D00DE32B2CA386941CB41

Function 00007FFD9B7D1748 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5031a22f245fdfcc3d341da0daa1c39048f04b824df7c67932fb834e3ee242cf
Instruction ID: 06b3fb5b93c15bd9cb51fdaff0d9d5648d2002c0700034b09ad34b03bce1a463
Opcode Fuzzy Hash: 5031a22f245fdfcc3d341da0daa1c39048f04b824df7c67932fb834e3ee242cf
Instruction Fuzzy Hash: 3781EF31B0DB494FDB58DE5888706A977E2EFD8340B14467EE49EC32A6DE30AD06C780

Function 00007FFD9B7E2E3A Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f3e565d662ac519ebe1c399573aea39c7b84e40516fa9a021dd62f9af86468
Instruction ID: 2ecd0987db1c91575f9796c9732ef912a25fee6d8d96c07305cc02958dc86fd1
Opcode Fuzzy Hash: a8f3e565d662ac519ebe1c399573aea39c7b84e40516fa9a021dd62f9af86468
Instruction Fuzzy Hash: F381B971E0561D8EDBA4EFA8C855BECB7B1FF58300F5142B9D00DE32A6DE346A858B40

Function 00007FFD9B7D1D8D Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501691611f8a22e7248fe7404a305c0e3180ff14b7b313bd36dd2c3d29c439f0
Instruction ID: d298e2c7913eeb043ee80640e73492e1d8972d209777f9d00f68d573f5d73248
Opcode Fuzzy Hash: 501691611f8a22e7248fe7404a305c0e3180ff14b7b313bd36dd2c3d29c439f0
Instruction Fuzzy Hash: 9B51CE31B08B4A4FDB5CDE5888645BA77E2FBD8351B14467EE45EC72A6CE34E8068780

Function 00007FFD9B7DC359 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d1e9b17b1883c8ba902667979d46583ad7314c0bc526dc65c2d2efac0db7a3
Instruction ID: 43ede18d9495ca973ce434132852d974d45de04ad61345d4e05ff4ad6c1ee3c4
Opcode Fuzzy Hash: a4d1e9b17b1883c8ba902667979d46583ad7314c0bc526dc65c2d2efac0db7a3
Instruction Fuzzy Hash: 05515D70E0961D8FEB64EBA8C4656FD7BB1FF98340F51027AD00DE72A2DE3869448B40

Function 00007FFD9B7D22F0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87440f214c267fe77a6973cb9fabb767b546b745123c5f6d5d9435b5b05cd602
Instruction ID: 206256d6467a40a72629a07696939b7ec14fc574e11ddf273ee9c1a46184630b
Opcode Fuzzy Hash: 87440f214c267fe77a6973cb9fabb767b546b745123c5f6d5d9435b5b05cd602
Instruction Fuzzy Hash: 4A516130E0A61E8EEB74DB90C8617F9B6A1FF85340F1103B9D44EA61B1DF756A4ACB41

Function 00007FFD9B7D31F1 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73fa3556421615dbe755c1c459c9860e9939fcee2ad252f4ba4bfe610a7ae2a3
Instruction ID: 080d02e536fda18457920abda0e54af5fb0671449144cc2db76d801ea1eefc3f
Opcode Fuzzy Hash: 73fa3556421615dbe755c1c459c9860e9939fcee2ad252f4ba4bfe610a7ae2a3
Instruction Fuzzy Hash: 07514F71E0964E8FEB64DF98C4646EDBBF1EF94340F524279D009E72A1DE386A48CB50

Function 00007FFD9B7D21A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1903415a1afe8959bfc4516996347d4820046b00d352dc762b332f780f467ef
Instruction ID: 670efa8064112ca7e33e48dfbd6b1be3effb226bfa2c298656070ec92b347b57
Opcode Fuzzy Hash: f1903415a1afe8959bfc4516996347d4820046b00d352dc762b332f780f467ef
Instruction Fuzzy Hash: E5414931B0E68A0FD765D7B8C4651B9BBE0EFC6350B0603FBE449C71B6DD28AA068341

Function 00007FFD9B7DB13D Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0ddea6699137b90728ba3b3ef89bf82d143eb04da6cc56aa5d2455a61d2e48
Instruction ID: 6bf84e2590fead1dd4360a9f361f24439082b73e989c0360c4c7ae4c52507510
Opcode Fuzzy Hash: 0f0ddea6699137b90728ba3b3ef89bf82d143eb04da6cc56aa5d2455a61d2e48
Instruction Fuzzy Hash: E241EC62F0E69A4FE711DB7888A91A877A0FF95380F0507B6C069CB1F3EE15A509C341

Function 00007FFD9B7E2BBD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb882a439d395b2496f8512f07352c8c5f01d0fc72ff5ebb2446017d0a522cbf
Instruction ID: b6ae01331495401884022dbb6f071ef51323eabf40a5faab76881ad79466321f
Opcode Fuzzy Hash: cb882a439d395b2496f8512f07352c8c5f01d0fc72ff5ebb2446017d0a522cbf
Instruction Fuzzy Hash: 89417C30E19A5E8FDB54EBD8D865AEDB7B1FF98300F110279E009E72A6CE346941CB41

Function 00007FFD9B7DC408 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f2be36aae11abc35d5b1c5ec0c067d5e08e77da06c97c2f8f838bc4cc8e4b3
Instruction ID: cb299fb1c2847c642e3274c11079dabbaf7b1ae605a645bef0e5c09e5fb068e4
Opcode Fuzzy Hash: 38f2be36aae11abc35d5b1c5ec0c067d5e08e77da06c97c2f8f838bc4cc8e4b3
Instruction Fuzzy Hash: 6231DD71E1DA1D8EEBA4EBA8D4A56BCB7B1FF98340F510239D00ED3261DE2469458B40

Function 00007FFD9B7E3001 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408aae85e1c161b14c7bfa7c673e9d8c34796f1e2f2887313e3dcf110cfe70c4
Instruction ID: 46f1e842a31088829489b9487441d38f549ff2a3c33b2744b40854109bb62e49
Opcode Fuzzy Hash: 408aae85e1c161b14c7bfa7c673e9d8c34796f1e2f2887313e3dcf110cfe70c4
Instruction Fuzzy Hash: A6419971E09A1D8FDBA4EB68C855BECB7B1EF59340F5142AAD00DE32A1DE3469858B00

Function 00007FFD9B7E0A55 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dddba3b5a66c1231d82f4ed74d1a8d44e6d068ba9cacb15be3969a81c2f6d22
Instruction ID: f688b33b62300355019796b5c00a67cb786aa85f4cecce4fad1197f323390466
Opcode Fuzzy Hash: 6dddba3b5a66c1231d82f4ed74d1a8d44e6d068ba9cacb15be3969a81c2f6d22
Instruction Fuzzy Hash: 48316B31A0A64E8FDB68DFA4C8A57ADB7B1FF05304F4101B9D00DD62E1DB386940CB41

Function 00007FFD9B7DC480 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1eb54406ba2988f98caa5ae32a9d9b869322f231fb81f2c17d20614c1d35fa
Instruction ID: 8813ad9f9bd946612fd9604eaaf1246ec9c6b8e53edfdd888b6dc5494e343974
Opcode Fuzzy Hash: be1eb54406ba2988f98caa5ae32a9d9b869322f231fb81f2c17d20614c1d35fa
Instruction Fuzzy Hash: 6531F270F0DA1D8FDBA4EBA894A56BCB7B1FF99340F510369D00ED72A2DE2469458B40

Function 00007FFD9B7DCAD3 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c68b0c3518bd78a2670b8becccfafc4d409477395b9cecfd6552e81a4505fe
Instruction ID: dbc4b774ff339107600bf515725a1ef4a3246af28bc23fa71ddf748988925b26
Opcode Fuzzy Hash: 37c68b0c3518bd78a2670b8becccfafc4d409477395b9cecfd6552e81a4505fe
Instruction Fuzzy Hash: FB21F526F4939A4AEB11B7B8A8244FD7770EF81369F0503B7D41DC90F7CE2865888294

Function 00007FFD9B7E3EFA Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8a9a8b4eaebb354218353d36b3cabe1e9eb4bf91c73d59540958682231e697c
Instruction ID: dbe5c419913cd4523fb107b2a210454120e571a3eb4dc5b83776d06a84fddce5
Opcode Fuzzy Hash: d8a9a8b4eaebb354218353d36b3cabe1e9eb4bf91c73d59540958682231e697c
Instruction Fuzzy Hash: D6313332E0D78A4FE752EBA898A95E97BF0EF45314F0605B7D41CCB1B3DE24A6448321

Function 00007FFD9B7D32C6 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc99c9ed556fb44f8117ffbbf84aef919a58faadcdc0d14dda8c4ac456b15d4e
Instruction ID: 0ca43d14f76c9538446e41ca1ade612b363de33881e5dd05a428e9d406cd4d41
Opcode Fuzzy Hash: fc99c9ed556fb44f8117ffbbf84aef919a58faadcdc0d14dda8c4ac456b15d4e
Instruction Fuzzy Hash: 2521C571E0961D8FEB64DFD8C4A4AECBBF1EF98341F520279D409A72A1DE386945CB10

Function 00007FFD9B7D33F8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0d86ad66eccff9999fc7d591e1ff4b6196dc3a57a2eb9690dd2593ec6bd10b
Instruction ID: ab664ae1e6f2a33de3c79740dce76bd854c7fe1fa7b01f7f68764239cb55b0c7
Opcode Fuzzy Hash: 1b0d86ad66eccff9999fc7d591e1ff4b6196dc3a57a2eb9690dd2593ec6bd10b
Instruction Fuzzy Hash: EF21AE3094E78A9FD743ABB488586AA7BF0FF46310F0605F6D048CB0B2DA289585C721

Function 00007FFD9B7E3545 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0342ac396d4da6519d263b24995356d95152f6b8d1701e126f57298da7f25294
Instruction ID: 3f4f2a9bc041440e387a02b262c0b8dacac8c099844e275a1bb45dcc09a90bbd
Opcode Fuzzy Hash: 0342ac396d4da6519d263b24995356d95152f6b8d1701e126f57298da7f25294
Instruction Fuzzy Hash: BF11B171E0964E8FEB61EBA8C8156ED77B1FF59300F0206B6D008D32B6DE34A5408761

Function 00007FFD9B7D084D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9af3f30875fb4e8955fd2224f42bf6f259b927c4d3c4c85cb246ddbfaed2953
Instruction ID: a1f0e0e0560f1b5bf1897d1b60b3bf60cf07ca4042140137860e5a332308cef9
Opcode Fuzzy Hash: c9af3f30875fb4e8955fd2224f42bf6f259b927c4d3c4c85cb246ddbfaed2953
Instruction Fuzzy Hash: 48113630B0924E8FEB11EBB8C4789E937E0EF85304F0656B2D419DB0BBDD34A158C291

Function 00007FFD9B7D0A01 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e437968a5f25e378d2d27eea1ff93e3907461b0c173eea1a0dca5325710fb93
Instruction ID: 3e231e244fcda202c26b05f43cb7ff37c7386a57292033f9f9a79582de180d7d
Opcode Fuzzy Hash: 3e437968a5f25e378d2d27eea1ff93e3907461b0c173eea1a0dca5325710fb93
Instruction Fuzzy Hash: 3111B231E1960E4EE750EBA884685BD77E0FFD8340F8156B6D41DC70B6EE34A648C700

Function 00007FFD9B7E4B85 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26de2561a4ece0dc651899c4e5fef81a1fe341b06835ffbb7c983b812549b01b
Instruction ID: 102ba4376a92fbfcaeb6ad04020bae81a87d836e45e8ecdbec7b48a9f025d010
Opcode Fuzzy Hash: 26de2561a4ece0dc651899c4e5fef81a1fe341b06835ffbb7c983b812549b01b
Instruction Fuzzy Hash: 5F11AF70E09A4E8FDB58EF6884696BD77A0FF58305F0102BED41DC61B6DA34A540C740

Function 00007FFD9B7DC9A8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab58f30593bc8da9a412f0c0287059bdce02916fc548456364d23365cf6566c3
Instruction ID: 123d9580ab6a7f22b2e674d72f7a648b15b1252aafdac13832ec5d5aa05205e6
Opcode Fuzzy Hash: ab58f30593bc8da9a412f0c0287059bdce02916fc548456364d23365cf6566c3
Instruction Fuzzy Hash: 91115E31E0961E9EDF68DBA8D4286FEB7A4EF59300F11067AD01EE31B0DA75A9408752

Function 00007FFD9B7E28B1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53afcb0c8434918b15796f9b080c96e49609ff5087452cc3c900b42e36fc857b
Instruction ID: 0f39b3885e1236e0aedb56bb919da448a286e270ddb2cb667def252eacc50be9
Opcode Fuzzy Hash: 53afcb0c8434918b15796f9b080c96e49609ff5087452cc3c900b42e36fc857b
Instruction Fuzzy Hash: A4117C70A1974D8FDB58DF58C4A55E93BA1FF68304F12027EE84A931B5CB34A651CB81

Function 00007FFD9B7E4AE9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 006fa25ad726bb7b54489188943510ba563cb157f81db7733acbd92c588f2107
Instruction ID: 1acac09e45243b9f7fef9d3a5a8107deacba3bc10ff79002ded2104fded87ccd
Opcode Fuzzy Hash: 006fa25ad726bb7b54489188943510ba563cb157f81db7733acbd92c588f2107
Instruction Fuzzy Hash: A7216D30E0E68E8FDB69EF6884692AD7BB1FF59301F0102BFD41DC61B2DA3465448741

Function 00007FFD9B7E5025 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05adc4b8db5c79829da5d0b1a676325493971b912ca1da019ccd9622a474ae2a
Instruction ID: fe24849a1d89c081935c57268ed7c6426d8772948cf18251940b8824ebb608b6
Opcode Fuzzy Hash: 05adc4b8db5c79829da5d0b1a676325493971b912ca1da019ccd9622a474ae2a
Instruction Fuzzy Hash: 3A11B271A0EB8D4BEB69DF7488752B87BA0EF55300F0605BEE419861B2DA257550C741

Function 00007FFD9B7DDA2F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3b17863cbbc5c2371a1197e69d8b6ba35e9ff68241fdfa21bc6a59cb7965af
Instruction ID: 742a3f9912dbcc079d5f77ec3292ffda3bbcd144b088ef8d0520329edb406a2b
Opcode Fuzzy Hash: 1e3b17863cbbc5c2371a1197e69d8b6ba35e9ff68241fdfa21bc6a59cb7965af
Instruction Fuzzy Hash: 3921E470E0561D8FDB50DFE8C4947EDBBF1EB58350F11123AD009E72A1DA396A488B50

Function 00007FFD9B7E5399 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f97b9e242049e2e7e28718f8113352c8fe3f48163faec2ee73b2e91f2f4c008
Instruction ID: 7dbcdd9c3e8d58c75c8b1c9d91ee6549ba16e4a38235482d1a8bed8be3ba4e8b
Opcode Fuzzy Hash: 7f97b9e242049e2e7e28718f8113352c8fe3f48163faec2ee73b2e91f2f4c008
Instruction Fuzzy Hash: 1A11D030A0A78E8FEB65EB64C8696BD7BE0FF19305F0105BAC419C71B2DE7466448701

Function 00007FFD9B7DCB90 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681e1e85a989523e2b29135203f3fbac3ce653fc741ddbbb3c33253b76d382dc
Instruction ID: add774b979b32e01b3198898c476c4c084c732c9253e11e17dba65fe17748b43
Opcode Fuzzy Hash: 681e1e85a989523e2b29135203f3fbac3ce653fc741ddbbb3c33253b76d382dc
Instruction Fuzzy Hash: D2118F30A0964E8EDB56EB7484286B97BB0FF49304F0106BBD41AD61B2DE35A694C750

Function 00007FFD9B7D11BD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a7abc3161d061dda9793a64f7795d9e8675a11344d2a088266edcd0f605167
Instruction ID: 02740fc6e46f25267a0caea3101bb50814645014cafb3acc5a3a60d19f237c3e
Opcode Fuzzy Hash: 85a7abc3161d061dda9793a64f7795d9e8675a11344d2a088266edcd0f605167
Instruction Fuzzy Hash: 7011E271E0E64E4EEBA5DBA488786B97BE0FF99340F0102BEC01EC64F2DA356644C700

Function 00007FFD9B7DC040 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025f5d126387c38c8ae506bb853663c83c4d79c23cb4c43ac41c35027b725449
Instruction ID: 0cd6e9cedf4de1f33d3eeb50bd06a485d4df578068729f30ded8a6ccffe4d269
Opcode Fuzzy Hash: 025f5d126387c38c8ae506bb853663c83c4d79c23cb4c43ac41c35027b725449
Instruction Fuzzy Hash: D211B370E0960D8FDB64DF98D8A4AEDB7B1EF98340F01463AD419E62A1DB346A44CB40

Function 00007FFD9B7DBE85 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c221977b4d890b987d03aa1dcb868a227dc7e40ff850fcd7a503c115075c8fd5
Instruction ID: 4da5425dd212b5162aed75257fb8165e9014dffb338e5c8f6b661056767ca220
Opcode Fuzzy Hash: c221977b4d890b987d03aa1dcb868a227dc7e40ff850fcd7a503c115075c8fd5
Instruction Fuzzy Hash: 49117030E0A64E8FEB55EF64C4696BD7BA0FF58300F1106BED419CB2A1DA35A6448740

Function 00007FFD9B7E2D11 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715a2dbd5c669a00f0c177b32699d15f1b7edcaa8319dfd30c85ff7689179db7
Instruction ID: 499f885edd9f0c7a3f46f31e85648c9997b92c924f005565e16974b404348a3d
Opcode Fuzzy Hash: 715a2dbd5c669a00f0c177b32699d15f1b7edcaa8319dfd30c85ff7689179db7
Instruction Fuzzy Hash: 57018031E4964E8EEB62EBB4845D6F97BE0EF59301F014AB6D418C6076DA78A2898740

Function 00007FFD9B7E530D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869f125b006216d7eb299da33676d77a05f923b89957b3b55527723fb28d7fd9
Instruction ID: 2b64c6d4a1e21d6e5ee23859fb9de182f496c6683523adca4cda31c0746da4ea
Opcode Fuzzy Hash: 869f125b006216d7eb299da33676d77a05f923b89957b3b55527723fb28d7fd9
Instruction Fuzzy Hash: 70119E30E0964E8FEB58EF6488696BA77A1FF18308F4505BED42DC61B2DF746540CB01

Function 00007FFD9B7E1202 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb897f5fdcf52ecb7383286179477369fa76c35c01460f8e52914699ecf8fe5
Instruction ID: e0651dd5e5b0cccc78edd027b64034e8b392c4ffb2c225e878458874d4796089
Opcode Fuzzy Hash: 8fb897f5fdcf52ecb7383286179477369fa76c35c01460f8e52914699ecf8fe5
Instruction Fuzzy Hash: 5221C670A0931D8BEB68DF84C8A5BE8B7F1AF54300F1142AAD00DA72A1CB385A84DF11

Function 00007FFD9B7E514D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e9fe01148e3995b1085f7184f0c2a570c18dc2bb0247fae26f80cb4d6b45bc
Instruction ID: 0660e0842f320cf8d5f719bd7af6f2f4b90c78427416d4c6ec92475346e6e641
Opcode Fuzzy Hash: 98e9fe01148e3995b1085f7184f0c2a570c18dc2bb0247fae26f80cb4d6b45bc
Instruction Fuzzy Hash: E9118271E4964E8FEB69EB6888795BD7BE0FF18304F0505BEE419C61B6DE3465408701

Function 00007FFD9B7D3525 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a64857a8cfc3df48717f68f19def46083a688b425b444f7c8cd293a2d110d1c
Instruction ID: 15de41d6d55401b17f3482222ba01d3f627dc015cda0a15b02dda1bf0d73ff15
Opcode Fuzzy Hash: 8a64857a8cfc3df48717f68f19def46083a688b425b444f7c8cd293a2d110d1c
Instruction Fuzzy Hash: 11117C71E1A68E8FDB54EB64C8685BD7BA0FF58304F0206BED41AC61A1DA34A644C700

Function 00007FFD9B7E2B45 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0018e93f321cf2232a5d42913664e31ca93f9cae45581a7774ae9ae05589c08
Instruction ID: 30e397720d36a58012d9e21f9e8bd6e2dbb13e1574479d9d8d301b31e3eaa815
Opcode Fuzzy Hash: e0018e93f321cf2232a5d42913664e31ca93f9cae45581a7774ae9ae05589c08
Instruction Fuzzy Hash: 03014C30A1964E8FDB69AFA4C4695B977A0EF18304F4205BED41ECA5B2EE35A550C700

Function 00007FFD9B7D2EE1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9629f8d2769c85d1de65db031b3b3580de898d6c9310b17bf172d2b0031cf2
Instruction ID: fab41bff4cd449fd74d5811a03785989644835340049a35c3664bdcf3d09add4
Opcode Fuzzy Hash: af9629f8d2769c85d1de65db031b3b3580de898d6c9310b17bf172d2b0031cf2
Instruction Fuzzy Hash: AA018471E1E74E8FE761EBA4C4695A97BE0EF59340F461BB6D408C60B6EA34E5448700

Function 00007FFD9B7D05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ffcf113a235011618e53ee4fbafaa677b163dcfb372b4ac1f61e08742e626f
Instruction ID: e48af26ccc319a66f2377094082e8583716fe63a37ee0ccbf581f1fbd460f84a
Opcode Fuzzy Hash: e0ffcf113a235011618e53ee4fbafaa677b163dcfb372b4ac1f61e08742e626f
Instruction Fuzzy Hash: 5B018C30A09A0E8FDB68EFA4C4656BA77A1EF98344F5106BAD41EC65A4CB31A654CB40

Function 00007FFD9B7DD98B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf93eeb85bc72eadfef0610ac271494ccbcd7673d4c2a5dbb214165a4b09c20
Instruction ID: d3e9e1490ebf2676953580dfa8d54a7a0abcecfe94c76e43b8bf41a6f3db3a08
Opcode Fuzzy Hash: 4cf93eeb85bc72eadfef0610ac271494ccbcd7673d4c2a5dbb214165a4b09c20
Instruction Fuzzy Hash: 5911E570E0561D8FDB50EFA8C8947EDBBF1FB58350F11123AD409E72A5DB35A9888B10

Function 00007FFD9B7E1080 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5382f24b39df03286897e620e0a6355e1a8c5c1c43f619b2bf35d976b9ccb7f5
Instruction ID: 5b8a669d134a5fa9ee4d1078ee907bb04932ea179909a346cac77d868aa22229
Opcode Fuzzy Hash: 5382f24b39df03286897e620e0a6355e1a8c5c1c43f619b2bf35d976b9ccb7f5
Instruction Fuzzy Hash: 21017C30E15A4E8EEB94EFA4C46A6BE77E0FF18304F11097AD41ED21B4DE30A650CB00

Function 00007FFD9B7D28BD Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75ca29a0520cba2ec2ed8b97e87b5ffbd6c2757a61de9a0e2e32f707de451b49
Instruction ID: a2e34702a7f2edf46618fcaf684ab2e5fd6909669d3c2cd93c81aabfd940fd39
Opcode Fuzzy Hash: 75ca29a0520cba2ec2ed8b97e87b5ffbd6c2757a61de9a0e2e32f707de451b49
Instruction Fuzzy Hash: A301D430E1A64E8FE751EBA4C468AB977E0EF59300F4206B6D408D70B6EE34E254C711

Function 00007FFD9B7DAD49 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3da2895a6f640d5e70256f24ce944e4c3838273217bfd64ad2484f2a5e0329
Instruction ID: a8e7ec83de5d68c984d446977218c921c32bbd624cca3ebe616af84b83e42d80
Opcode Fuzzy Hash: af3da2895a6f640d5e70256f24ce944e4c3838273217bfd64ad2484f2a5e0329
Instruction Fuzzy Hash: B201A730A4A74E4FD761ABB4C4596A97BE4FF55341F420AB3D009C70B6DE38E548C700

Function 00007FFD9B7D2F59 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed69efd61e71048b71b5ce53e7aaccb942bc28c0fd17692777f1cf342efffc3b
Instruction ID: 7a99de573605c009a4f6366f4d18a4ffd7ed7f16c66abc411f57a5b9834247fb
Opcode Fuzzy Hash: ed69efd61e71048b71b5ce53e7aaccb942bc28c0fd17692777f1cf342efffc3b
Instruction Fuzzy Hash: 9001D870A0E74E4FE762A7B4C4695A97FE0EF89300F060AF2D408C70B6DE24A5488300

Function 00007FFD9B7E1061 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167d0225db2cb5ff0e4798875472861bd2c06ce8f1baf97c644ad29f644dbeb5
Instruction ID: 3f520395242b6756337d141ba0da20f1a02a91f210c3c07c79f773917d77528c
Opcode Fuzzy Hash: 167d0225db2cb5ff0e4798875472861bd2c06ce8f1baf97c644ad29f644dbeb5
Instruction Fuzzy Hash: 5EF0A930D0A78E8FDB55DF64886A1FD3BB0FF15200F45057AD418C21B1DB345654C740

Function 00007FFD9B7D0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03babd07a600c6f642a08d7fd6b6459c5c57177d0c14883c06053c66dceeb57
Instruction ID: 970ee65545c06843261a725d422504348bbca64f49b6f3f26ab5a1bbb9aab5ea
Opcode Fuzzy Hash: d03babd07a600c6f642a08d7fd6b6459c5c57177d0c14883c06053c66dceeb57
Instruction Fuzzy Hash: 5801AD30B0960E8AEB69EBA4C0686B972A0FF48305F110A7ED41ED21E4DF35A645C600

Function 00007FFD9B7D0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf02f78256329089cc6484d350d9b150be7593cfc35f9d7f61a44491dc9517f
Instruction ID: c40c5d5e58663444b3d42ea088fcaae9b33d1e4acf3c6b71ff03c74f2d25ab88
Opcode Fuzzy Hash: 3bf02f78256329089cc6484d350d9b150be7593cfc35f9d7f61a44491dc9517f
Instruction Fuzzy Hash: 0901AD30B0960E8AEB68EBA4C0286BD72A0FF98305F510A7ED41ED61F4DF35E645C600

Function 00007FFD9B7D11D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72f5620977768d5830bb83774965b8efab27fdb009e6c1edc25b969514f08c1c
Instruction ID: c4f08355fc3a8f61208355898d6258c5bcffafcc1030a0ccd00bd85e4d17ff4c
Opcode Fuzzy Hash: 72f5620977768d5830bb83774965b8efab27fdb009e6c1edc25b969514f08c1c
Instruction Fuzzy Hash: CBF0F431E0A64E8AEBA49BA488382FA77E0FF95244F01023ED41DC24F1DE246658C200

Function 00007FFD9B7DAE18 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb8b7287855e042b4c28c3ffca9ba9250c173fac85b1470d98deded62fdf5900
Instruction ID: 11d4bb843f3f82d5f2e43d52bc70912a82819af9d6efb73c7e2375768c6c80cb
Opcode Fuzzy Hash: fb8b7287855e042b4c28c3ffca9ba9250c173fac85b1470d98deded62fdf5900
Instruction Fuzzy Hash: 4BF08130A5960E8AEB68EFA4C4646B976A0EF08304F51057AE41ED21F5DE757650CA40

Function 00007FFD9B7D1D0D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7db5cd8a876c51ca7474830ab2ab3007e148ed7e5a44ebc1fa8f6304430f0c
Instruction ID: a5e9056911b36df2cc07e37c2024bdf525ab5c06cce1fbe78582b735f4d52db1
Opcode Fuzzy Hash: 1c7db5cd8a876c51ca7474830ab2ab3007e148ed7e5a44ebc1fa8f6304430f0c
Instruction Fuzzy Hash: FA01A430A0A78E8FDB59DF6484656FA3BA0EF95304F5106BAD80DC75B2CB35A654C740

Function 00007FFD9B7D05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8d829b654494d25a2b2eb71f21544843c91b14048aecf4f3f5d53ea1f7ce4d
Instruction ID: 3103d1172f98ea1d433d6e166f53415c8b5912671092bd226d225ca6f8b11716
Opcode Fuzzy Hash: 4d8d829b654494d25a2b2eb71f21544843c91b14048aecf4f3f5d53ea1f7ce4d
Instruction Fuzzy Hash: CEF0C230A0A64E8FEB68EF6484656FE37A0EF85308F51067AE40DC25B1CF35A654C740

Function 00007FFD9B7E26D1 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9380f3f2c8d30cfb3ed2876df75b1c5fb28cc65379ecded54ae1acbe0e2ff9d5
Instruction ID: 201b2f9283bae713570dc4f8001b2c7742cf7c5fc35ee794a649571d6418ce7d
Opcode Fuzzy Hash: 9380f3f2c8d30cfb3ed2876df75b1c5fb28cc65379ecded54ae1acbe0e2ff9d5
Instruction Fuzzy Hash: CEF08230E5A34E8BDB649FA088656FA3760EF05304F41057AE81DD60F2DA38A9508A41

Function 00007FFD9B7DB4D9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56157b43f44bf2d1be9e254a61ad9fc3a5d6a8e1f87ca9b93fd53294dea22160
Instruction ID: df2f02f38f0fa099db8fcc6bcac4a90b12a481f396ce493363013d873e6c8457
Opcode Fuzzy Hash: 56157b43f44bf2d1be9e254a61ad9fc3a5d6a8e1f87ca9b93fd53294dea22160
Instruction Fuzzy Hash: C4011270E0961E8ADB24DF90C450BFEB3B1AF94340F154776C009A62A5DA38AA49CB50

Function 00007FFD9B7D27D9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715f5f04f75f9c57e767de1b90f042d71f9cc2523e9a0c3c985ce6a5ac0d532e
Instruction ID: d1f190e992ee22ded5b1d1dba1a56e1a1795d4746f13840c6b7dbeee63a13e1d
Opcode Fuzzy Hash: 715f5f04f75f9c57e767de1b90f042d71f9cc2523e9a0c3c985ce6a5ac0d532e
Instruction Fuzzy Hash: 51F09630A1E78E8FDB5A9F6088246A93BA0AF86205F454AFBD419C61E2DB389558C711

Function 00007FFD9B7D284D Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7f0e7e26603c5541fae323ec1ca60406c78372d7b5bde926e6e2649f62c630
Instruction ID: 2c859bc89c38214bec370abfb79ddf14d118979f84c288d9c596c5a5ec1515c3
Opcode Fuzzy Hash: 2e7f0e7e26603c5541fae323ec1ca60406c78372d7b5bde926e6e2649f62c630
Instruction Fuzzy Hash: FFF02B30B1E38E8FDB599B6084241F97760BF85200F4105BAE819C51F1DF38E558C700

Function 00007FFD9B7DBFEA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7cdcad9021802319240a5134c708812a733022afd1e1e92db60a67c64a9d86
Instruction ID: 817db20d4ee07e05f3393dd2b582a18a79299f039ed382c473dd7d8595e6f1a3
Opcode Fuzzy Hash: ed7cdcad9021802319240a5134c708812a733022afd1e1e92db60a67c64a9d86
Instruction Fuzzy Hash: 4ED0E274A0D70E8BDB58DF9889646BD72A5FB98340F111229D00EE72A1CA306A009B00

Function 00007FFD9B7D0FC9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ffe3e01fe1502da49b937b7cb9cb6fb867c4f6e45e0958dc1824a03f44445b4
Instruction ID: cb5f5baef2972c87e5ddfb61c50cbcaef96a7edb1366ace12eadf944b697729e
Opcode Fuzzy Hash: 5ffe3e01fe1502da49b937b7cb9cb6fb867c4f6e45e0958dc1824a03f44445b4
Instruction Fuzzy Hash: DBE08C30E0591D8AEB94EB14CC60FEDB6B0BF84304F1143B1C00DA32A5CE382A848B40

Non-executed Functions

Function 00007FFD9B7DE9FC Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B7DFC72
u, xrefs: 00007FFD9B7DFC65
/, xrefs: 00007FFD9B7DFA14
O, xrefs: 00007FFD9B7DEA44

Memory Dump Source

Source File: 00000024.00000002.1769370429.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b7d0000_dllhost.jbxd

Similarity

API ID:
String ID: /$O$d$u
API String ID: 0-1393434931
Opcode ID: d8dc60453a4afa79744cbd654655b1433082e325e3ae81d72a0c208cfe4dc651
Instruction ID: 708638a1c0e012ba4cde7526aa0f013f615f8b5978cb9f95010d3d6b7be5fefd
Opcode Fuzzy Hash: d8dc60453a4afa79744cbd654655b1433082e325e3ae81d72a0c208cfe4dc651
Instruction Fuzzy Hash: 5551D870E0966E8FDB64DF54C8947E9B7B1BF94341F0146BAD40DA72A0DB34AA84CF40

Analysis Process: fontdrvhost.exePID: 7240, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B7E35A5 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e093ee03da2df8c4f0d3e834be189f15d840c69bb22e794024042060e39acd
Instruction ID: 8b5c3f021daa425d53f045fffbed5289d6cb8424524ec50349008137c277767c
Opcode Fuzzy Hash: 52e093ee03da2df8c4f0d3e834be189f15d840c69bb22e794024042060e39acd
Instruction Fuzzy Hash: BBA1A271A1994D8FEB98DF68D8657ED7BE1FF95300F4202BAD00DD72E6DB6428018B40

Function 00007FFD9B7F1380 Relevance: 7.7, Strings: 6, Instructions: 151COMMON

Download Yara Rule

Strings

!, xrefs: 00007FFD9B7F1463
}, xrefs: 00007FFD9B7F13B7
[, xrefs: 00007FFD9B7F1555
/, xrefs: 00007FFD9B7F14CC
", xrefs: 00007FFD9B7F1525
(, xrefs: 00007FFD9B7F1C8E

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID: !$"$($/$[$}
API String ID: 0-134420937
Opcode ID: b08f45995fb49a30586701d84795e2c69fb360d2877d4022104568b6c35746f4
Instruction ID: 9a2e354611c71a127452ea44731d950af01de9665402401c777b79cdcdf93cbb
Opcode Fuzzy Hash: b08f45995fb49a30586701d84795e2c69fb360d2877d4022104568b6c35746f4
Instruction Fuzzy Hash: B371C570E0932E8EEBA4DF94C8647BDBAF1AF54300F1145AAD44DA72A1CB385A84CF54

Function 00007FFD9B7F156E Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

!, xrefs: 00007FFD9B7F1463
{, xrefs: 00007FFD9B7F19B3
/, xrefs: 00007FFD9B7F14CC
", xrefs: 00007FFD9B7F19C0

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID: !$"$/${
API String ID: 0-4192511668
Opcode ID: 698e2e6b8e3f2faa5bb536ac6600e048868bba9accacb491bda954aa86fff7e0
Instruction ID: d784b745441f592ffc76acfbdd5a80fb5e1d0206150412b712aa2410efb19097
Opcode Fuzzy Hash: 698e2e6b8e3f2faa5bb536ac6600e048868bba9accacb491bda954aa86fff7e0
Instruction Fuzzy Hash: CB51B770E0532E8EEB68DF94C8647EDBBF1AF54300F5145AAD40DA72A1DB785A84CF44

Function 00007FFD9B7EFA23 Relevance: 5.1, Strings: 4, Instructions: 59COMMON

Download Yara Rule

Strings

[, xrefs: 00007FFD9B7EFA37
k, xrefs: 00007FFD9B7EF81B
h, xrefs: 00007FFD9B7EFA44
I, xrefs: 00007FFD9B7EFAB8

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ef000_fontdrvhost.jbxd

Similarity

API ID:
String ID: I$[$h$k
API String ID: 0-3709709737
Opcode ID: 16181eb15da2ae31dad19b29ce7e0c4371dbbcdd1ba980b90445bd109a913885
Instruction ID: 5c2413dce3d38c3b1cef7b9c6e4508a2331cb780da9eac740d1f47e49f6fabeb
Opcode Fuzzy Hash: 16181eb15da2ae31dad19b29ce7e0c4371dbbcdd1ba980b90445bd109a913885
Instruction Fuzzy Hash: 7A21B870E09A2D8FEBA4DF14C8547A9B7B2BF55301F4086E9D00DE62A5DB345A85CF41

Function 00007FFD9B7F42B0 Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9B7F4397
@, xrefs: 00007FFD9B7F43BC

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 27ed48f4a3772a24b14d11ffbf26f79634bfa79724561eaa0f6957f794320c53
Instruction ID: 716e52953190f9fe56d94a8fa4ddac74ea9466143f4cc5afc8b33c837312b740
Opcode Fuzzy Hash: 27ed48f4a3772a24b14d11ffbf26f79634bfa79724561eaa0f6957f794320c53
Instruction Fuzzy Hash: 19419470E19A2D8FDBA5EB58C8657FCBAB1FF58301F5101B9D01DE32A1CA746A808F54

Function 00007FFD9B7EC9AD Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

%Kz, xrefs: 00007FFD9B7ECA6E

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID: %Kz
API String ID: 0-1743607883
Opcode ID: 7aa64daca888b2e7ed0f2c9bb8ea493ab1f650138b21439c4f11ecee62b2e0dc
Instruction ID: 2cc76cd23c4110a4ae36f5b607edd6969982541be155295d383f0ddc71ca9b4f
Opcode Fuzzy Hash: 7aa64daca888b2e7ed0f2c9bb8ea493ab1f650138b21439c4f11ecee62b2e0dc
Instruction Fuzzy Hash: 2441F52BF0D66A8AE711B67CB8254FD3760EF80339B1642B7D159C90F7DD28348686E0

Function 00007FFD9B7ECAFB Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

yM_^, xrefs: 00007FFD9B7ECB01

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID: yM_^
API String ID: 0-4274066417
Opcode ID: ffaf803f1e59fcabc19e9d99940969ca664ccf1a90ac99b210df0b9d1f44ae91
Instruction ID: b7079e7a626f4de7ab55ade987b1465e05616229b0766a2e87187ff12fa0de24
Opcode Fuzzy Hash: ffaf803f1e59fcabc19e9d99940969ca664ccf1a90ac99b210df0b9d1f44ae91
Instruction Fuzzy Hash: 2131D03AF0D35B4AEB16BBB8A4254FC3770AF45329F0642BBD01DC90F3CE2825818295

Function 00007FFD9B7F1202 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B7F14CC

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: a41f28f066a3d17cb07ae852f7a39f6c946cc6a682d21b39568a92616b317578
Instruction ID: ce069ef8d5b8c70f623153359c10216a475244089380a901710901f04120d3ee
Opcode Fuzzy Hash: a41f28f066a3d17cb07ae852f7a39f6c946cc6a682d21b39568a92616b317578
Instruction Fuzzy Hash: 1A21C670E0932D8BEB68DF84C8A4BF8B7F1AB54300F1141AAD00DA72A1CB385A84DF45

Function 00007FFD9B7EDB89 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc613787ed269172aa7059eca84179397dca004f4e5d1e44e5197c4568dffba
Instruction ID: ef66b38b797efe6e9768c2e6936316148871cd49a4bebdeacd2ea13d4a097205
Opcode Fuzzy Hash: 2fc613787ed269172aa7059eca84179397dca004f4e5d1e44e5197c4568dffba
Instruction Fuzzy Hash: BEE13D71E19A5D8FEBA8DF58C8A4BB8B7A1FF58300F4541BAD01DD72E6DA346940CB40

Function 00007FFD9B7E1748 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47038479cfc43071b15337977479d44b5086c57ebf45dad003f0ac6125966768
Instruction ID: d2d5fadd8fa6b60ffdbd9f4c4f8f7008aa26eba4e4bbff9bee26254931782c9b
Opcode Fuzzy Hash: 47038479cfc43071b15337977479d44b5086c57ebf45dad003f0ac6125966768
Instruction Fuzzy Hash: CD81DF31B0DB494FDB58DE5888A65A977E2FF98310B15027EE45EC72B2DE34AD028780

Function 00007FFD9B7E1D8D Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13da97c4236debe8ac5746e78b1bb8d5c7b74764eeb506c6ad4f8a9a2600bf5f
Instruction ID: 5f6059d7a5637e159a72c561228d8bdb47a8e6e1e7b2ff829e89800da1db0c1c
Opcode Fuzzy Hash: 13da97c4236debe8ac5746e78b1bb8d5c7b74764eeb506c6ad4f8a9a2600bf5f
Instruction Fuzzy Hash: 3D51CD31B08B4A8FDB5CDE5888655BA73E2FF98311B10467EE45EC72A5CE34EC028780

Function 00007FFD9B7E22D5 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a5d6ee694be655071991f6a810f7cd16c8cc52f867f57963fc411b673267b92
Instruction ID: 21bed0151854ea9426e85b875f3986164b930a8109451d601cbe8506938060b2
Opcode Fuzzy Hash: 6a5d6ee694be655071991f6a810f7cd16c8cc52f867f57963fc411b673267b92
Instruction Fuzzy Hash: F0516C30E0A61E8EEB78DB90C861BF9B7B1FF45304F1102B9D04E961B2DE796A45CB51

Function 00007FFD9B7EC359 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b345cd590a4e6bceac2577675a555f9c50d7e87c9e06d284f48556561b567f21
Instruction ID: 43f41c7fde64fda4bbdbbb3143dc10dd4ea72e407acbea0dd3a948a02f3957f7
Opcode Fuzzy Hash: b345cd590a4e6bceac2577675a555f9c50d7e87c9e06d284f48556561b567f21
Instruction Fuzzy Hash: 48514D75E0961D8FEB64EBA8C4A56FD7BB1FF59300F51027AD009E72B2DE3869408B50

Function 00007FFD9B7E31F1 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66545c5806bfd78fecd1fc8638af6e441cc4198298abaf830bdf5105b90bb973
Instruction ID: 3b1e0c2a3065b4da79503c1330490d3a4ec37e4b33fdd583cfa7c41f5644b199
Opcode Fuzzy Hash: 66545c5806bfd78fecd1fc8638af6e441cc4198298abaf830bdf5105b90bb973
Instruction Fuzzy Hash: 21510C70E0960D8FEB65DB98C464AEDBBF1EF58300F52417AD409E72B5DE386A44CB50

Function 00007FFD9B7E21A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e31d21818a8991a88b1f18c6a8a29178de6b03344c64939114858b73eec418
Instruction ID: 6d97f6f55d249f3dc92893005c7270770e6747215eb2fd7f7822867446a9d8fd
Opcode Fuzzy Hash: 59e31d21818a8991a88b1f18c6a8a29178de6b03344c64939114858b73eec418
Instruction Fuzzy Hash: 2E414A31B0E78D4FD765D7B888651B9BBE4EF46310F0606FBD449C71B6DE28AA018341

Function 00007FFD9B7EB13D Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26dfb3a4ac5b3278c490c4ba0141481f754daf8232bd8ea7a16eefca26410780
Instruction ID: ae30dec08de056e6041ddd49c17f633c11d082d23435cb1cf4f78661dbc6d4bd
Opcode Fuzzy Hash: 26dfb3a4ac5b3278c490c4ba0141481f754daf8232bd8ea7a16eefca26410780
Instruction Fuzzy Hash: 4241B661F0E79A5BE721DBB888E91A87FA0FF51210F0906B6D069871F3EE24A5158741

Function 00007FFD9B7F2BBD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f83df0e0cdd9988238e181ea4b6f880c53528f8b8745cd963377b4ac1e7f7b
Instruction ID: 7db0f875f16ba2234572d93e1e91e7c918910860e08d3470f311ce4ecc7f0523
Opcode Fuzzy Hash: a1f83df0e0cdd9988238e181ea4b6f880c53528f8b8745cd963377b4ac1e7f7b
Instruction Fuzzy Hash: CF413970E1965E8FEB54EBD8D865AEDBBB1FF48300F410179E419E32A6CE346940CB81

Function 00007FFD9B7F7379 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7b38928d5cb0666ed558076d5bf08b06de2fe355930c24ccc88b346635a03e
Instruction ID: bb7f84aa823934b90008b57ef5a1888ed132e46b0f25b772ed43f3eefefe32da
Opcode Fuzzy Hash: 1e7b38928d5cb0666ed558076d5bf08b06de2fe355930c24ccc88b346635a03e
Instruction Fuzzy Hash: 1941C131F0A68EAFEB64DB94C4656FD7BE0EF54300F01027AD809C61B2DE3869449785

Function 00007FFD9B7EC408 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23eaecf18a6c6a32b899c82c7eb130165614ad0458df39fc5ba7d2e65ad2055
Instruction ID: 7edec665bf39e5406511a9ac747abfefa52cc7dcd9189d71a2244e38fa95f564
Opcode Fuzzy Hash: e23eaecf18a6c6a32b899c82c7eb130165614ad0458df39fc5ba7d2e65ad2055
Instruction Fuzzy Hash: F831DE75E0DA1D8EEBA4EBA8D4A5ABCB7B1FF99300F51023AD00DD3271DE2469418B40

Function 00007FFD9B7EC480 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57126d35ec99be3626f26e90cd6d47d5b857ed3d151f154c41b8899566ba8819
Instruction ID: 6ebe7fe9ddc887c378ad783325f921d6c215779b4a51c999a56ae042f9ceafdb
Opcode Fuzzy Hash: 57126d35ec99be3626f26e90cd6d47d5b857ed3d151f154c41b8899566ba8819
Instruction Fuzzy Hash: C3312174E0DA1D8FEBA4EBA894A56BC7BB1FF59300F51023AD00DD72B2DE2469018710

Function 00007FFD9B7F7111 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a394111d4139ffb0ae0b734268bcfd098c6d06f5985e7fcf56f904d657cd4b
Instruction ID: 4e16ee2b462dbaff0585373aaf63af3461e883152d47832c67666bb7144f8e58
Opcode Fuzzy Hash: 91a394111d4139ffb0ae0b734268bcfd098c6d06f5985e7fcf56f904d657cd4b
Instruction Fuzzy Hash: A3319371F0A64E9FEB64DF64C8656BE3BA0FF54301F01027AD419C71B6DE34A5458781

Function 00007FFD9B7ECAD3 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d20ca680065720c1f87a5a63024508e6be84ec787dd5e3719673af1063fe24
Instruction ID: 6c66028bf110f86e751dd38778996cb27c97176e07d4ed0d0d34c0b77be3d9a1
Opcode Fuzzy Hash: 76d20ca680065720c1f87a5a63024508e6be84ec787dd5e3719673af1063fe24
Instruction Fuzzy Hash: 4321E43AF0939E4AEB15BBB8A8254FD7770EF41329F0642B7D41DC60F7CE2825848694

Function 00007FFD9B7F7255 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fff15da51be62ec633d32d4ee68c040f9ce3534d3022dcc4ddfff58628cc405
Instruction ID: 74987f2a758151915dd32326ba25df6266abd1ffb3ab5ab41f4a47b8716f2cc6
Opcode Fuzzy Hash: 6fff15da51be62ec633d32d4ee68c040f9ce3534d3022dcc4ddfff58628cc405
Instruction Fuzzy Hash: BE21E331B0E64E9BEBA8DF6488762BD3BA0FF14300F0101BAE41DC25B2CE346654C781

Function 00007FFD9B7F6439 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51c65eae28f8bcab7ae62e46ba48203c1ab9420143c51146ae0bc4a1402102a
Instruction ID: 7e4fc295679841895dc73aaa2a5acab2f37358bac3b459af69b0f4ba143f176f
Opcode Fuzzy Hash: b51c65eae28f8bcab7ae62e46ba48203c1ab9420143c51146ae0bc4a1402102a
Instruction Fuzzy Hash: 95219531F0E74E8EEB65ABA488696BD7AE0FF15310F0506B6D418C71F6DE34A644C741

Function 00007FFD9B7E32C6 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916e94ab12083902ac3fae364fd7bf2efb8eb33e177f377eb12b4e66e9d62041
Instruction ID: b6c50faadcb2ee54f169a8e7402e032b88603b69251d4c43c6cb97d366995c90
Opcode Fuzzy Hash: 916e94ab12083902ac3fae364fd7bf2efb8eb33e177f377eb12b4e66e9d62041
Instruction Fuzzy Hash: B621B671E1961D8FEB64DBD8C4A4AECBBB1EF58301F52017AD409E72B1CE386941CB10

Function 00007FFD9B7E33F8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a431c6b3df78dec71bae0301ab19c017079919d3eb492bffbf0686f3a2d93691
Instruction ID: 87ecc5579ae01c9a61de4ed2fb44f74a40a309c5ae52fe962f47fe1c3f6123a5
Opcode Fuzzy Hash: a431c6b3df78dec71bae0301ab19c017079919d3eb492bffbf0686f3a2d93691
Instruction Fuzzy Hash: EC21813094E79A9FD743ABB488586A57BF4FF06310F0605F7D054CB0B2DA389545C721

Function 00007FFD9B7F7E59 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2cf4a5f38dd59eb9dbddba6286496df27ca90a1bcb20109082dbcb06b78527
Instruction ID: 2a668b331cdedc78cebf645bdffeebc91c0daa9a1b96cbb3424b6d345131122e
Opcode Fuzzy Hash: ed2cf4a5f38dd59eb9dbddba6286496df27ca90a1bcb20109082dbcb06b78527
Instruction Fuzzy Hash: 3811A230F0E64E8FDB65DBA484252FD7BB1FF09300F1105BBD01AE71A2DA39A9408786

Function 00007FFD9B7E084D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f112cc7aae71cee7e4a76ca659b71dca1d82b7f2f5e4c778f11e4710e74db6f0
Instruction ID: 025b66b69dc90df47ea2906d4dc01b441e90bc7fc32f9741df74bd2bf1cf6263
Opcode Fuzzy Hash: f112cc7aae71cee7e4a76ca659b71dca1d82b7f2f5e4c778f11e4710e74db6f0
Instruction Fuzzy Hash: A8113630B0920E8FEB11EBB8C4A99E937E0EF45304F0645B6D419DB0BBDD34A544C291

Function 00007FFD9B7E0A01 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e093312a0e599d319c16cd5e39c1d87e7923fbe745675a8bc8f117103f5b35
Instruction ID: 4182852b30b14642d797147df5ab068c7a51fc57cf2cb05c5797c28734688d0f
Opcode Fuzzy Hash: e5e093312a0e599d319c16cd5e39c1d87e7923fbe745675a8bc8f117103f5b35
Instruction Fuzzy Hash: 58119131E1960E8FEB50EFA8C85A5BD77E1FF58700F4246B6D41DC61B6EE34AA408740

Function 00007FFD9B7F4B85 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a6a4c5b3718058a2f3be4145acaef7c0a0580ca744091c0a9150bcb99f2cdd
Instruction ID: f595fbe0f3dddf37aedb299c8b5021f7e234a1deb3039aef36b6e4e279dfcef1
Opcode Fuzzy Hash: 67a6a4c5b3718058a2f3be4145acaef7c0a0580ca744091c0a9150bcb99f2cdd
Instruction Fuzzy Hash: 8F11A230E0964E8FDB58EFA884696BD7BB0FF58301F0102BED41DC61A6DA346540C780

Function 00007FFD9B7F28B1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4422bb5f323a40829b7affaccb9296c9b5c5014c681be8ed5985bde1019f91a4
Instruction ID: 416b2c718a487c2b731ec3cd0a026c8f149e93733afe9dd24ee1caace66c0372
Opcode Fuzzy Hash: 4422bb5f323a40829b7affaccb9296c9b5c5014c681be8ed5985bde1019f91a4
Instruction Fuzzy Hash: AF11AC70A0974D8FDB58DF58C4A51E93BA0FF68304F42027EE80A931A1CB34A640CB80

Function 00007FFD9B7F71B5 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21a254773203ee6ce2e3d54e5c708f9dffef7b90790ca587dd2024d350a4309
Instruction ID: b39416ee14ddc1b5769d3cda8cff4cdddd619641143b4d5a55b4d0894cf98424
Opcode Fuzzy Hash: f21a254773203ee6ce2e3d54e5c708f9dffef7b90790ca587dd2024d350a4309
Instruction Fuzzy Hash: CE11B430E0964E9FDB94EF6484656BD7BB0FF58301F0105BAD41DC61B2DA34A240C780

Function 00007FFD9B7F4AE9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7587658dbc3e4462790256ab60368da26267fafd4f5733888188ed543ca029af
Instruction ID: 57db9924e946491abddddfcca4e2014f703912c3a1fd8d16c4a8b684a19ce1a9
Opcode Fuzzy Hash: 7587658dbc3e4462790256ab60368da26267fafd4f5733888188ed543ca029af
Instruction Fuzzy Hash: DF216D30A0E68E8FEB59EF6884692B97BB0FF58301F0102BFD419C65B6DA346540C781

Function 00007FFD9B7F5025 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7453706e1a9a82fed247b8b1b81d3505135bbbce053b5ab0b13972f2d278d8
Instruction ID: cf1a16ed6b55d4fc46ffbd828212a01b4f069b965bf1ae10f2b193689d86cd59
Opcode Fuzzy Hash: 8d7453706e1a9a82fed247b8b1b81d3505135bbbce053b5ab0b13972f2d278d8
Instruction Fuzzy Hash: 0F11B271B0EB8E4BEB69DF74C8B52B87BA0EF55300F0601BED419865B2DE256550C781

Function 00007FFD9B7EDA2F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3b17863cbbc5c2371a1197e69d8b6ba35e9ff68241fdfa21bc6a59cb7965af
Instruction ID: 77efa2b42ab6ae2a983b7ef47ceab24a7f403f70e7d760d38fba8e4033b51893
Opcode Fuzzy Hash: 1e3b17863cbbc5c2371a1197e69d8b6ba35e9ff68241fdfa21bc6a59cb7965af
Instruction Fuzzy Hash: 53219370E0561D8FDB50DFA8C8946EDBBF1EF18311F11162AD419E72B1DA786A448B50

Function 00007FFD9B7ECB90 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062337acc8772e8a94ff37ecd0c6c0448d44e7bb1a78557945c0582ad4c07309
Instruction ID: fbb3764e073860a9954f898850eb42b5e2dc21cd6c0ce99b910d3c327abf26ff
Opcode Fuzzy Hash: 062337acc8772e8a94ff37ecd0c6c0448d44e7bb1a78557945c0582ad4c07309
Instruction Fuzzy Hash: C4114F30E0974E8FDB56EB6488695B97BB0FF09304F0105BBD419D61B6DE346A50C750

Function 00007FFD9B7E11BD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5331ebb53aa9d442f9fce00aa3de3f96eebfe4c75221a9d051de48059a8a37b9
Instruction ID: 4ff4ecef20118a65576a2b83ba56fbcdd783eaa53e31a9829b9ad3dc4e02c9db
Opcode Fuzzy Hash: 5331ebb53aa9d442f9fce00aa3de3f96eebfe4c75221a9d051de48059a8a37b9
Instruction Fuzzy Hash: C311B671E0A64E4EEB65DBA4887A6BD7BE0FF59305F0105BED41AC64F1DA346650C700

Function 00007FFD9B7F5399 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a088fb942b638d9878e89763e2d4c1e813f4dbf17cfd131ad6416c844e4fdd84
Instruction ID: 33bdbd2da25b80dab35436bdd1064f086bac68142a2720a161f71f448401129e
Opcode Fuzzy Hash: a088fb942b638d9878e89763e2d4c1e813f4dbf17cfd131ad6416c844e4fdd84
Instruction Fuzzy Hash: 2011B130A0A78E8FEB55EB68C8692BD7FE0FF14304F0105BAC419C71B2DE7465448741

Function 00007FFD9B7EC040 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025f5d126387c38c8ae506bb853663c83c4d79c23cb4c43ac41c35027b725449
Instruction ID: 976b6a27e484f822ef01004c9e6f63170823b65c9f1acfb512be85ed51660153
Opcode Fuzzy Hash: 025f5d126387c38c8ae506bb853663c83c4d79c23cb4c43ac41c35027b725449
Instruction Fuzzy Hash: 0E11B374E0960E8FDB64DF98D8A4AEDB7B1EF58310F01423AD419E62B1DB346A40CB40

Function 00007FFD9B7EBE85 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a600946e3e5dbfd72fb6489b0834743f31eaad66f1013a5e89eed495b957d40
Instruction ID: 429b4cd7001047f6a255734f9b20a1d4e4bfe9e985bb84cbe8b7af9d7a7e37d0
Opcode Fuzzy Hash: 9a600946e3e5dbfd72fb6489b0834743f31eaad66f1013a5e89eed495b957d40
Instruction Fuzzy Hash: 6A115231E0A64E8FEB55EFA4C4A96BD7BE0FF18300F5105BAD419C62B1DB35A650C740

Function 00007FFD9B7F78A1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa50424894ad8fdd00b843a6a43c6e3b637757dd49412421413c846cadaacc5d
Instruction ID: 1a5bb2e7812df68eee3cd77a8cc4bf7147f162ab9db57e7e1f2bdf526444e3b9
Opcode Fuzzy Hash: fa50424894ad8fdd00b843a6a43c6e3b637757dd49412421413c846cadaacc5d
Instruction Fuzzy Hash: 06116131A1960E9FE752EBB4C858AAA7BF4FF19301F0106B6D019D70B5DB38A281C751

Function 00007FFD9B7F1061 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada51598c226121a71a7528a1eea248be7a2d5d7db1f7302fd4a201e93e851fe
Instruction ID: 6387f0db71c402edd0f6410260e0f34fd4cdabe95a58887e1360be97194a5257
Opcode Fuzzy Hash: ada51598c226121a71a7528a1eea248be7a2d5d7db1f7302fd4a201e93e851fe
Instruction Fuzzy Hash: 3D118E30E0968E8FDB95EB64C4696BD7BF0FF18300F0106BAD419D65B2DB35A644C740

Function 00007FFD9B7F2D11 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2affc211cbf2b1f6b1a2ee3858be90d2ddf6b67c0dded3d03ba23ee716523fe4
Instruction ID: ff3189690f96ddda4c16d0a1fb5f1c5ed344caa75334e560f7739f1f179748cb
Opcode Fuzzy Hash: 2affc211cbf2b1f6b1a2ee3858be90d2ddf6b67c0dded3d03ba23ee716523fe4
Instruction Fuzzy Hash: 67018431E1964E8FEB51EBB4845D5F97FE0FF19300F4146B6E418C6075DA78A2858780

Function 00007FFD9B7F72ED Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51cfbd623296297b300ee790eba50a162c083f22f1bb42d701f3086e1cf46ff0
Instruction ID: e652b91956b32069a74635519000af0e894095d273989f29e6f241b271cd0ddf
Opcode Fuzzy Hash: 51cfbd623296297b300ee790eba50a162c083f22f1bb42d701f3086e1cf46ff0
Instruction Fuzzy Hash: 4211E331B0968E9FDBA8EF6484656B93BA0EF58300F4501BAD81DC61B2DE346540C780

Function 00007FFD9B7F530D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e5ce7a9457cfa3a652b9fda7e0a47d4915b79228a8bd4c359b7df082bd3e18
Instruction ID: f0a50121c913799d39df171f92a00f1520191ae6b721aef8fb0df2d54ee3e1ed
Opcode Fuzzy Hash: 99e5ce7a9457cfa3a652b9fda7e0a47d4915b79228a8bd4c359b7df082bd3e18
Instruction Fuzzy Hash: FE11E030E0968E8FEB58EB68C8296B97BE0FF19304F0505BAD41DC61B2DF346540C740

Function 00007FFD9B7F514D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807204b7b0382f9af696ddfac075f9d0d90f1ca81d3fcb38b26719b7075abe23
Instruction ID: 5ede7dd8cd7ff6906612b441545d6716d76bbfae140b7ade9c05894ced725d9a
Opcode Fuzzy Hash: 807204b7b0382f9af696ddfac075f9d0d90f1ca81d3fcb38b26719b7075abe23
Instruction Fuzzy Hash: 1F119D70A4A64E8FEB69EB68C8796BD7BE0FF18304F0105BAD419C61A2DE347540C741

Function 00007FFD9B7E3525 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c786bab12f2381966ccd63788dc18c305dcc5e52f9f9f54181419ad533febb
Instruction ID: 4825f9dfea0aa4e17dcbceb30a5c5b2a1b0aa73ee1641ffce400abdc4a1d7eb0
Opcode Fuzzy Hash: 86c786bab12f2381966ccd63788dc18c305dcc5e52f9f9f54181419ad533febb
Instruction Fuzzy Hash: 29113C70E1A68E8FDB59EB6484695BD7BA0FF18304F4205BED419C62B1DA35A640C700

Function 00007FFD9B7F26D1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989fd7956a2bd8d3f4f31b1910a66a7ee6ead4f684a8774f4e19b4375bf6c61a
Instruction ID: 8fdee27fb3cd0e67a3e97e7309d0ceb38fff0071ac1a5ea23b1b95afedac1138
Opcode Fuzzy Hash: 989fd7956a2bd8d3f4f31b1910a66a7ee6ead4f684a8774f4e19b4375bf6c61a
Instruction Fuzzy Hash: 9C018430F4A64E8FDF59ABA0C4656F93BA0EF19304F8105BAE41EC61F6DE35A540CB50

Function 00007FFD9B7E05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767a20ab8d94e3fa93661c06d6199d9ca0d36ef7a86098a03307fc0764f16c38
Instruction ID: b5e80b6cd77655702bdb6533a349a4603707a556713f03e17641e7ca096bc2fa
Opcode Fuzzy Hash: 767a20ab8d94e3fa93661c06d6199d9ca0d36ef7a86098a03307fc0764f16c38
Instruction Fuzzy Hash: 34019E30A09A0E8FDB68EF64C4666BE77A1FF58304F5105BED41EC65B4CE31A690CB40

Function 00007FFD9B7E2EE1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ddb02bd46d38aa4306b7854cc4db6e85dc64220693571ff913c37f97d8e8cfc
Instruction ID: 2486b04fb1c7517ff4277a11b4d1c53cb49eec2f6c69bf7fe9d069bfa5b1924b
Opcode Fuzzy Hash: 5ddb02bd46d38aa4306b7854cc4db6e85dc64220693571ff913c37f97d8e8cfc
Instruction Fuzzy Hash: 74018F71E1E74E8FE761EBA488695B97BE0EF19300F4606B6D408CA0B6EA34E6548700

Function 00007FFD9B7F2B45 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3efbe7ef687ed013812ac439b34e3d9fb76000b1522ef56fc8a34b52d28753b6
Instruction ID: 5ce57395586417e644f97a79d782221a86439374e6d74070a3a7c29ee9ed6fed
Opcode Fuzzy Hash: 3efbe7ef687ed013812ac439b34e3d9fb76000b1522ef56fc8a34b52d28753b6
Instruction Fuzzy Hash: 53019230A0A64E8FDB659FA084685F97BB0FF19304F8205BEE80DC60B2DE35A540C700

Function 00007FFD9B7ED98B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf93eeb85bc72eadfef0610ac271494ccbcd7673d4c2a5dbb214165a4b09c20
Instruction ID: 36a3bcc202955c90f292d56b63a2387f8f08d7d2d5e10aeb6bb86ee59c918f66
Opcode Fuzzy Hash: 4cf93eeb85bc72eadfef0610ac271494ccbcd7673d4c2a5dbb214165a4b09c20
Instruction Fuzzy Hash: 98119370E0561D8FDB50EFA8C8946EDBBF1FF18311F11162AD419E72B1DB74A9848B50

Function 00007FFD9B7E28BD Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc90580dd0d3190dd1d1b8100d21031f4b80183bef340d0adcb68742fd6381f9
Instruction ID: 0b3c460dcda9d212c72eb4bac21fd6a9730d4efbe6d7a4de151243ee67872557
Opcode Fuzzy Hash: bc90580dd0d3190dd1d1b8100d21031f4b80183bef340d0adcb68742fd6381f9
Instruction Fuzzy Hash: FB018F30E1A60E8FE751EFA484599B977E0FF19304F4245B6D418D70B6EE38E690C741

Function 00007FFD9B7EAD49 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7addf12432b09b669921e62b517c70cc2360a5ea48d5460670b80da564fb3190
Instruction ID: 8fc282bda5b706382289fd690a784f568fa6a047704754763c66c4b38fb8d431
Opcode Fuzzy Hash: 7addf12432b09b669921e62b517c70cc2360a5ea48d5460670b80da564fb3190
Instruction Fuzzy Hash: 1B01A730A4A74E5FD761EBB4C4596A97BF0EF05301F4205B3D009C70B6DE38E5548700

Function 00007FFD9B7F7A29 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5653e806e48909cc7a47b04a0fb09646cfd8e74139587874c0bd01b480352758
Instruction ID: c0e3163eb2ca20bfd3ad1558ef5e052fa39a0ce8ad8119882ed604b0b4387272
Opcode Fuzzy Hash: 5653e806e48909cc7a47b04a0fb09646cfd8e74139587874c0bd01b480352758
Instruction Fuzzy Hash: 79018430A5E74E9FE752A7B888696A97FE0EF06300F4605F3D018CB0B6DA38A644C751

Function 00007FFD9B7E2F59 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb8ce45363d9145d3caeade6275bd4356a74e06b1cf48fb46f6b0bfb5b44f13
Instruction ID: be3c5a43f28d857522403e4d9406a28f6a566a728bc3cc73e953c598093303bf
Opcode Fuzzy Hash: 9bb8ce45363d9145d3caeade6275bd4356a74e06b1cf48fb46f6b0bfb5b44f13
Instruction Fuzzy Hash: 01018471A1E74E8FE762A7B488695A97BE0EF15300F4605F6D409CB0B6EE28A5448701

Function 00007FFD9B7E0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32de2c57daeda8ccd67b084c006494a33726835c4568b9653c630d801ac4221a
Instruction ID: a090a8e9651b2fde35dff3977ee04fffe372e80dda372714ecbdb61018c000c6
Opcode Fuzzy Hash: 32de2c57daeda8ccd67b084c006494a33726835c4568b9653c630d801ac4221a
Instruction Fuzzy Hash: 6B016D30A1960E8AEB69EBA4C4686B973A0FF18305F51097EE41ED21F5DF35A650C600

Function 00007FFD9B7E0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8dfc66b9ab5905f93101f2f18662ffb3ffd3c4ed37b68c50bbc77d47f7df6db
Instruction ID: 72dcd18d1f05ad3daed851e5d093b69f1a840704cd01bdafb886eb03a5800b3c
Opcode Fuzzy Hash: f8dfc66b9ab5905f93101f2f18662ffb3ffd3c4ed37b68c50bbc77d47f7df6db
Instruction Fuzzy Hash: E2016D30A1960E9AEB6CEBA4C4686BD72A0FF58305F51097ED41ED61F5DE35E650C600

Function 00007FFD9B7E11D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256a913c7ba550121829308f0b941257f001b2c5cb85bd07644a1bc2ecfe7eb0
Instruction ID: 79f262be689087ddb600174b02a736105fc216188aaf164a2465de1e726fcda7
Opcode Fuzzy Hash: 256a913c7ba550121829308f0b941257f001b2c5cb85bd07644a1bc2ecfe7eb0
Instruction Fuzzy Hash: BFF0F470E0A74E8AEBA49BA48C2A3BE77E4BF59204F01053EE41EC24F1DE346610C201

Function 00007FFD9B7E1D0D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 990e744b6ca7f6a33915ec1c16667eca7a53295af0fa987d892537a371f0da03
Instruction ID: 8372d164cba2b75e45e12124df356c3260104bcd0b8d6160368a0add697b1ff6
Opcode Fuzzy Hash: 990e744b6ca7f6a33915ec1c16667eca7a53295af0fa987d892537a371f0da03
Instruction Fuzzy Hash: A701A430A0A78E8FDB59DF64C4666BA37A0FF15304F4105BAD80DC65B1CB35A990C740

Function 00007FFD9B7E05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b752a02799d567e574ce10ac963f41d198739a0ef24fa66a1916348565ef265b
Instruction ID: 1b071fbcfc36dba70498dfa42376b154fd7c70c3916f1097bc606f0709508356
Opcode Fuzzy Hash: b752a02799d567e574ce10ac963f41d198739a0ef24fa66a1916348565ef265b
Instruction Fuzzy Hash: 44F0F630A0A74E8FEB68EF6484666FE37A0EF05308F51057AE41DC25F1CE35A690C740

Function 00007FFD9B7EB4D9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abfef5baf87162da84018874c0b9eae4d1c20b5c0ea65ec15cf21731e3a01443
Instruction ID: e31cb3b31839689b2a8e7d7f272e82fdd57dc52e332335fc683e6206e5f1553f
Opcode Fuzzy Hash: abfef5baf87162da84018874c0b9eae4d1c20b5c0ea65ec15cf21731e3a01443
Instruction Fuzzy Hash: 5F011E70E0961E8ADB24DF90C450AFEB7B1AF54300F154676C009A22B5DA38A645CB90

Function 00007FFD9B7E27D9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1ff35f653aec09f51d354db68855c494c07b292c81b6c9a9508f7c833c1e3c
Instruction ID: dc02038a37882afb58346b0719b108ffa5bbcf6e7d9680981e1b3dc85869d12f
Opcode Fuzzy Hash: 6b1ff35f653aec09f51d354db68855c494c07b292c81b6c9a9508f7c833c1e3c
Instruction Fuzzy Hash: 5CF0F630A0E38E8FDB1A9F6088245B93BB0BF06204F4109BBD409C61F2DB389944C701

Function 00007FFD9B7E284D Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17338e7034d8e007b14fcfc24b9a984a6d5597a4f5a0f2e704a099e183e21fc9
Instruction ID: 76179327ef6c3f49c7b3dda66f32716becf2e468c86a1a7aed0cba4415c35a50
Opcode Fuzzy Hash: 17338e7034d8e007b14fcfc24b9a984a6d5597a4f5a0f2e704a099e183e21fc9
Instruction Fuzzy Hash: 39F09030A5A78E8FDB5D9FA488241F937A0FF55304F8105BAE819C91F1DF38A554C601

Function 00007FFD9B7F1080 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa305ecac5bf8f7a8937c4d448d7ee2ad19941b58ac9ea12ed99112aae07d41
Instruction ID: 0d65c732253c4d91d27c239d697fdbd75c4bdddb5acc00f117ab95a24e3d3127
Opcode Fuzzy Hash: baa305ecac5bf8f7a8937c4d448d7ee2ad19941b58ac9ea12ed99112aae07d41
Instruction Fuzzy Hash: B4F0FE30E15A4E8EEBA4EFA4D8696FE76E4FF18305F41053AE81DD21B0DB3466548784

Function 00007FFD9B7EBFEA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7cdcad9021802319240a5134c708812a733022afd1e1e92db60a67c64a9d86
Instruction ID: 063a10b5dd3ec6aa29c24dfba2efe4146a7bcab285dc4b6598d8bb937777b495
Opcode Fuzzy Hash: ed7cdcad9021802319240a5134c708812a733022afd1e1e92db60a67c64a9d86
Instruction Fuzzy Hash: 66D04274A0D64E8BDB58DF9889A56BD76A5FF58300F111629E40EE72B1DA346A009B40

Function 00007FFD9B7E0FC9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d31eafa44376264cde9c4efeb742f7b600dbaa48bd494f2947e3ce6e1e20b68
Instruction ID: bd716b6a877875c8773adb1b6d6771c41341bbe27afd92295d5f79c2c471db54
Opcode Fuzzy Hash: 9d31eafa44376264cde9c4efeb742f7b600dbaa48bd494f2947e3ce6e1e20b68
Instruction Fuzzy Hash: 2FE0EC30E1591D8AEB94EB54DC61FEEBA71BF44304F1146B5D00DA32E5CE3869854B44

Function 00007FFD9B7F5794 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a9cb6242cd312ba16e897809449edb827128319c94f332005911e0e1c9595d
Instruction ID: 7ebc4f51af634ec24f5ad909049ebe1b36f833e41e690780256b98eb99be2a1c
Opcode Fuzzy Hash: 76a9cb6242cd312ba16e897809449edb827128319c94f332005911e0e1c9595d
Instruction Fuzzy Hash: 9BD05E62E0AA1E9EEFA0EA5C80A45A97BE0EF28300F010139D44CC21B6DE2820028761

Non-executed Functions

Function 00007FFD9B7EF0B5 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

0, xrefs: 00007FFD9B7EF179
k, xrefs: 00007FFD9B7EF81B
", xrefs: 00007FFD9B7EF100
S, xrefs: 00007FFD9B7EF0BA

Memory Dump Source

Source File: 00000026.00000002.1769848392.00007FFD9B7EF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b7ef000_fontdrvhost.jbxd

Similarity

API ID:
String ID: "$0$S$k
API String ID: 0-2456877467
Opcode ID: 4ed355d1756b53b4e65e0b82e69da6c1aec4a28e7d8c33d72dda8e30b96f24cd
Instruction ID: 4c1945261375aa22af48d14475ccc460cc5e49cf52b58f9926e73243994d9b4d
Opcode Fuzzy Hash: 4ed355d1756b53b4e65e0b82e69da6c1aec4a28e7d8c33d72dda8e30b96f24cd
Instruction Fuzzy Hash: A621E574E0A62D8EEB64DF64D8943A9B7B1BF58300F0186E9D00DA72A0DB785B84CF51

Analysis Process: fontdrvhost.exePID: 7232, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B7E35A5 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0440d71dfe90b16ad59d395ab948098f282fb98ce0f46d11b3864a56330c6eff
Instruction ID: 1185bb622b64d6cdf9e9bb900862ed71c5af6478eba438b9b82adaad8f089ec3
Opcode Fuzzy Hash: 0440d71dfe90b16ad59d395ab948098f282fb98ce0f46d11b3864a56330c6eff
Instruction Fuzzy Hash: 6EA18171A19A4D8FEB99DB68D865BED7BE1FF95300F4102BAD009D72E6DF6828018740

Function 00007FFD9B7F1380 Relevance: 7.7, Strings: 6, Instructions: 151COMMON

Download Yara Rule

Strings

[, xrefs: 00007FFD9B7F1555
/, xrefs: 00007FFD9B7F14CC
}, xrefs: 00007FFD9B7F13B7
!, xrefs: 00007FFD9B7F1463
(, xrefs: 00007FFD9B7F1C8E
", xrefs: 00007FFD9B7F1525

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID: !$"$($/$[$}
API String ID: 0-134420937
Opcode ID: b08f45995fb49a30586701d84795e2c69fb360d2877d4022104568b6c35746f4
Instruction ID: 9a2e354611c71a127452ea44731d950af01de9665402401c777b79cdcdf93cbb
Opcode Fuzzy Hash: b08f45995fb49a30586701d84795e2c69fb360d2877d4022104568b6c35746f4
Instruction Fuzzy Hash: B371C570E0932E8EEBA4DF94C8647BDBAF1AF54300F1145AAD44DA72A1CB385A84CF54

Function 00007FFD9B7F156E Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B7F14CC
{, xrefs: 00007FFD9B7F19B3
!, xrefs: 00007FFD9B7F1463
", xrefs: 00007FFD9B7F19C0

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID: !$"$/${
API String ID: 0-4192511668
Opcode ID: 698e2e6b8e3f2faa5bb536ac6600e048868bba9accacb491bda954aa86fff7e0
Instruction ID: d784b745441f592ffc76acfbdd5a80fb5e1d0206150412b712aa2410efb19097
Opcode Fuzzy Hash: 698e2e6b8e3f2faa5bb536ac6600e048868bba9accacb491bda954aa86fff7e0
Instruction Fuzzy Hash: CB51B770E0532E8EEB68DF94C8647EDBBF1AF54300F5145AAD40DA72A1DB785A84CF44

Function 00007FFD9B7EFA23 Relevance: 5.1, Strings: 4, Instructions: 59COMMON

Download Yara Rule

Strings

k, xrefs: 00007FFD9B7EF81B
h, xrefs: 00007FFD9B7EFA44
[, xrefs: 00007FFD9B7EFA37
I, xrefs: 00007FFD9B7EFAB8

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ef000_fontdrvhost.jbxd

Similarity

API ID:
String ID: I$[$h$k
API String ID: 0-3709709737
Opcode ID: 16181eb15da2ae31dad19b29ce7e0c4371dbbcdd1ba980b90445bd109a913885
Instruction ID: 5c2413dce3d38c3b1cef7b9c6e4508a2331cb780da9eac740d1f47e49f6fabeb
Opcode Fuzzy Hash: 16181eb15da2ae31dad19b29ce7e0c4371dbbcdd1ba980b90445bd109a913885
Instruction Fuzzy Hash: 7A21B870E09A2D8FEBA4DF14C8547A9B7B2BF55301F4086E9D00DE62A5DB345A85CF41

Function 00007FFD9B7F42B0 Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

@, xrefs: 00007FFD9B7F43BC
, xrefs: 00007FFD9B7F4397

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 6a0b072c1d8a11bf09110b558e63f90cfe29ca0e762e1c047aa895b6370ccf5d
Instruction ID: f73f87029f30255fe636c69f9d172d0773222797278f35d801680e4d3c9959fd
Opcode Fuzzy Hash: 6a0b072c1d8a11bf09110b558e63f90cfe29ca0e762e1c047aa895b6370ccf5d
Instruction Fuzzy Hash: EA418370E19A2D8FDBA5EB58C8657FCBAB1FF58301F5101A9901DE32A1CA746A808F54

Function 00007FFD9B7EC9AD Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

%Kz, xrefs: 00007FFD9B7ECA6E

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID: %Kz
API String ID: 0-1743607883
Opcode ID: 7aa64daca888b2e7ed0f2c9bb8ea493ab1f650138b21439c4f11ecee62b2e0dc
Instruction ID: 2cc76cd23c4110a4ae36f5b607edd6969982541be155295d383f0ddc71ca9b4f
Opcode Fuzzy Hash: 7aa64daca888b2e7ed0f2c9bb8ea493ab1f650138b21439c4f11ecee62b2e0dc
Instruction Fuzzy Hash: 2441F52BF0D66A8AE711B67CB8254FD3760EF80339B1642B7D159C90F7DD28348686E0

Function 00007FFD9B7ECAFB Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

yM_^, xrefs: 00007FFD9B7ECB01

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID: yM_^
API String ID: 0-4274066417
Opcode ID: ffaf803f1e59fcabc19e9d99940969ca664ccf1a90ac99b210df0b9d1f44ae91
Instruction ID: b7079e7a626f4de7ab55ade987b1465e05616229b0766a2e87187ff12fa0de24
Opcode Fuzzy Hash: ffaf803f1e59fcabc19e9d99940969ca664ccf1a90ac99b210df0b9d1f44ae91
Instruction Fuzzy Hash: 2131D03AF0D35B4AEB16BBB8A4254FC3770AF45329F0642BBD01DC90F3CE2825818295

Function 00007FFD9B7F1202 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B7F14CC

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: a41f28f066a3d17cb07ae852f7a39f6c946cc6a682d21b39568a92616b317578
Instruction ID: ce069ef8d5b8c70f623153359c10216a475244089380a901710901f04120d3ee
Opcode Fuzzy Hash: a41f28f066a3d17cb07ae852f7a39f6c946cc6a682d21b39568a92616b317578
Instruction Fuzzy Hash: 1A21C670E0932D8BEB68DF84C8A4BF8B7F1AB54300F1141AAD00DA72A1CB385A84DF45

Function 00007FFD9B7EDB89 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc613787ed269172aa7059eca84179397dca004f4e5d1e44e5197c4568dffba
Instruction ID: ef66b38b797efe6e9768c2e6936316148871cd49a4bebdeacd2ea13d4a097205
Opcode Fuzzy Hash: 2fc613787ed269172aa7059eca84179397dca004f4e5d1e44e5197c4568dffba
Instruction Fuzzy Hash: BEE13D71E19A5D8FEBA8DF58C8A4BB8B7A1FF58300F4541BAD01DD72E6DA346940CB40

Function 00007FFD9B7E1748 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47038479cfc43071b15337977479d44b5086c57ebf45dad003f0ac6125966768
Instruction ID: d2d5fadd8fa6b60ffdbd9f4c4f8f7008aa26eba4e4bbff9bee26254931782c9b
Opcode Fuzzy Hash: 47038479cfc43071b15337977479d44b5086c57ebf45dad003f0ac6125966768
Instruction Fuzzy Hash: CD81DF31B0DB494FDB58DE5888A65A977E2FF98310B15027EE45EC72B2DE34AD028780

Function 00007FFD9B7E1D8D Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13da97c4236debe8ac5746e78b1bb8d5c7b74764eeb506c6ad4f8a9a2600bf5f
Instruction ID: 5f6059d7a5637e159a72c561228d8bdb47a8e6e1e7b2ff829e89800da1db0c1c
Opcode Fuzzy Hash: 13da97c4236debe8ac5746e78b1bb8d5c7b74764eeb506c6ad4f8a9a2600bf5f
Instruction Fuzzy Hash: 3D51CD31B08B4A8FDB5CDE5888655BA73E2FF98311B10467EE45EC72A5CE34EC028780

Function 00007FFD9B7EC359 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b345cd590a4e6bceac2577675a555f9c50d7e87c9e06d284f48556561b567f21
Instruction ID: 43f41c7fde64fda4bbdbbb3143dc10dd4ea72e407acbea0dd3a948a02f3957f7
Opcode Fuzzy Hash: b345cd590a4e6bceac2577675a555f9c50d7e87c9e06d284f48556561b567f21
Instruction Fuzzy Hash: 48514D75E0961D8FEB64EBA8C4A56FD7BB1FF59300F51027AD009E72B2DE3869408B50

Function 00007FFD9B7E31F1 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29fd55d1e01c78696f6911be50b937718a65b7fee9fa93f42eced8d66034b235
Instruction ID: 3279e5e7049042ff19b6ef251d0c0aa95de77c55ad26f942029afa813fdc309b
Opcode Fuzzy Hash: 29fd55d1e01c78696f6911be50b937718a65b7fee9fa93f42eced8d66034b235
Instruction Fuzzy Hash: AD510B70E0960D8FEB65EB98C464AEDBBB1EF58300F524179D409E72B1DE386A44CB60

Function 00007FFD9B7E21A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981d79933d608608b3df03479b3dee305d3c9b83f3a2941d139d793880f7c36a
Instruction ID: 13dfd12740f28d32ab2d9a1c63964e40efb32abdea6f9430a771be3da4fe6fec
Opcode Fuzzy Hash: 981d79933d608608b3df03479b3dee305d3c9b83f3a2941d139d793880f7c36a
Instruction Fuzzy Hash: 36414A31B0E78D4FD765D7B888651B9BBE4EF46310F0646FBD449C71B6DE28AA018341

Function 00007FFD9B7EB13D Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26aa1a31399da6e23530e83801b3a56c748d013da3f2a7a25493403a6b4c12db
Instruction ID: c687afeb7a1255accea40ef5aa390c47dce5bd012917d4f9f5b03cadc1e21528
Opcode Fuzzy Hash: 26aa1a31399da6e23530e83801b3a56c748d013da3f2a7a25493403a6b4c12db
Instruction Fuzzy Hash: 7041B761F0E79A5FE721DBB888E91A87FA0FF51210F0506B6D069C71F3EE24A515C741

Function 00007FFD9B7F2BBD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ed614beeecad78e5606973b1941ca185eda562bbf97ce6877a52e041e9f04c
Instruction ID: 5176ceecddbe7f31ea6b8fc64d6ba9776c4d949288a36536267beb5132ef380d
Opcode Fuzzy Hash: 87ed614beeecad78e5606973b1941ca185eda562bbf97ce6877a52e041e9f04c
Instruction Fuzzy Hash: 64413970E1965E8FEB54EBD8D865AEDBBB1FF58300F410179E419E32A6CE346940CB81

Function 00007FFD9B7F7379 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7b38928d5cb0666ed558076d5bf08b06de2fe355930c24ccc88b346635a03e
Instruction ID: bb7f84aa823934b90008b57ef5a1888ed132e46b0f25b772ed43f3eefefe32da
Opcode Fuzzy Hash: 1e7b38928d5cb0666ed558076d5bf08b06de2fe355930c24ccc88b346635a03e
Instruction Fuzzy Hash: 1941C131F0A68EAFEB64DB94C4656FD7BE0EF54300F01027AD809C61B2DE3869449785

Function 00007FFD9B7EC408 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23eaecf18a6c6a32b899c82c7eb130165614ad0458df39fc5ba7d2e65ad2055
Instruction ID: 7edec665bf39e5406511a9ac747abfefa52cc7dcd9189d71a2244e38fa95f564
Opcode Fuzzy Hash: e23eaecf18a6c6a32b899c82c7eb130165614ad0458df39fc5ba7d2e65ad2055
Instruction Fuzzy Hash: F831DE75E0DA1D8EEBA4EBA8D4A5ABCB7B1FF99300F51023AD00DD3271DE2469418B40

Function 00007FFD9B7EC480 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57126d35ec99be3626f26e90cd6d47d5b857ed3d151f154c41b8899566ba8819
Instruction ID: 6ebe7fe9ddc887c378ad783325f921d6c215779b4a51c999a56ae042f9ceafdb
Opcode Fuzzy Hash: 57126d35ec99be3626f26e90cd6d47d5b857ed3d151f154c41b8899566ba8819
Instruction Fuzzy Hash: C3312174E0DA1D8FEBA4EBA894A56BC7BB1FF59300F51023AD00DD72B2DE2469018710

Function 00007FFD9B7F7111 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a394111d4139ffb0ae0b734268bcfd098c6d06f5985e7fcf56f904d657cd4b
Instruction ID: 4e16ee2b462dbaff0585373aaf63af3461e883152d47832c67666bb7144f8e58
Opcode Fuzzy Hash: 91a394111d4139ffb0ae0b734268bcfd098c6d06f5985e7fcf56f904d657cd4b
Instruction Fuzzy Hash: A3319371F0A64E9FEB64DF64C8656BE3BA0FF54301F01027AD419C71B6DE34A5458781

Function 00007FFD9B7ECAD3 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d20ca680065720c1f87a5a63024508e6be84ec787dd5e3719673af1063fe24
Instruction ID: 6c66028bf110f86e751dd38778996cb27c97176e07d4ed0d0d34c0b77be3d9a1
Opcode Fuzzy Hash: 76d20ca680065720c1f87a5a63024508e6be84ec787dd5e3719673af1063fe24
Instruction Fuzzy Hash: 4321E43AF0939E4AEB15BBB8A8254FD7770EF41329F0642B7D41DC60F7CE2825848694

Function 00007FFD9B7F7255 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fff15da51be62ec633d32d4ee68c040f9ce3534d3022dcc4ddfff58628cc405
Instruction ID: 74987f2a758151915dd32326ba25df6266abd1ffb3ab5ab41f4a47b8716f2cc6
Opcode Fuzzy Hash: 6fff15da51be62ec633d32d4ee68c040f9ce3534d3022dcc4ddfff58628cc405
Instruction Fuzzy Hash: BE21E331B0E64E9BEBA8DF6488762BD3BA0FF14300F0101BAE41DC25B2CE346654C781

Function 00007FFD9B7F6439 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51c65eae28f8bcab7ae62e46ba48203c1ab9420143c51146ae0bc4a1402102a
Instruction ID: 7e4fc295679841895dc73aaa2a5acab2f37358bac3b459af69b0f4ba143f176f
Opcode Fuzzy Hash: b51c65eae28f8bcab7ae62e46ba48203c1ab9420143c51146ae0bc4a1402102a
Instruction Fuzzy Hash: 95219531F0E74E8EEB65ABA488696BD7AE0FF15310F0506B6D418C71F6DE34A644C741

Function 00007FFD9B7E32C6 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f0c5db88acf1bfbbf032b572c49b1c4d69189300b96524fc3d147c590ba789
Instruction ID: c97ef81c647062023f2b0c2307364bd77063d7b5c568e8da3c355528510b0f48
Opcode Fuzzy Hash: 73f0c5db88acf1bfbbf032b572c49b1c4d69189300b96524fc3d147c590ba789
Instruction Fuzzy Hash: 5E21A571E1961D8FEB64EBD8C4A4AECBBB1FF58301F520179D409A72B1CA386941CB14

Function 00007FFD9B7E33F8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a431c6b3df78dec71bae0301ab19c017079919d3eb492bffbf0686f3a2d93691
Instruction ID: 87ecc5579ae01c9a61de4ed2fb44f74a40a309c5ae52fe962f47fe1c3f6123a5
Opcode Fuzzy Hash: a431c6b3df78dec71bae0301ab19c017079919d3eb492bffbf0686f3a2d93691
Instruction Fuzzy Hash: EC21813094E79A9FD743ABB488586A57BF4FF06310F0605F7D054CB0B2DA389545C721

Function 00007FFD9B7F7E59 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2cf4a5f38dd59eb9dbddba6286496df27ca90a1bcb20109082dbcb06b78527
Instruction ID: 2a668b331cdedc78cebf645bdffeebc91c0daa9a1b96cbb3424b6d345131122e
Opcode Fuzzy Hash: ed2cf4a5f38dd59eb9dbddba6286496df27ca90a1bcb20109082dbcb06b78527
Instruction Fuzzy Hash: 3811A230F0E64E8FDB65DBA484252FD7BB1FF09300F1105BBD01AE71A2DA39A9408786

Function 00007FFD9B7E084D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f112cc7aae71cee7e4a76ca659b71dca1d82b7f2f5e4c778f11e4710e74db6f0
Instruction ID: 025b66b69dc90df47ea2906d4dc01b441e90bc7fc32f9741df74bd2bf1cf6263
Opcode Fuzzy Hash: f112cc7aae71cee7e4a76ca659b71dca1d82b7f2f5e4c778f11e4710e74db6f0
Instruction Fuzzy Hash: A8113630B0920E8FEB11EBB8C4A99E937E0EF45304F0645B6D419DB0BBDD34A544C291

Function 00007FFD9B7E0A01 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be292c6ec63d64e21fe4e93f857cfc3fb45c2604e44b92c9b0b40325961f4b0a
Instruction ID: 7e12e3c0788e5be4fdca326696d93eb4d111b7a876cd558a62a895f8e64d0805
Opcode Fuzzy Hash: be292c6ec63d64e21fe4e93f857cfc3fb45c2604e44b92c9b0b40325961f4b0a
Instruction Fuzzy Hash: 54118F31E1960E8FEB50EFA8885A5BD77E1FF58700F4146B6D418C61B6EE34A6448740

Function 00007FFD9B7F4B85 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a6a4c5b3718058a2f3be4145acaef7c0a0580ca744091c0a9150bcb99f2cdd
Instruction ID: f595fbe0f3dddf37aedb299c8b5021f7e234a1deb3039aef36b6e4e279dfcef1
Opcode Fuzzy Hash: 67a6a4c5b3718058a2f3be4145acaef7c0a0580ca744091c0a9150bcb99f2cdd
Instruction Fuzzy Hash: 8F11A230E0964E8FDB58EFA884696BD7BB0FF58301F0102BED41DC61A6DA346540C780

Function 00007FFD9B7F28B1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4422bb5f323a40829b7affaccb9296c9b5c5014c681be8ed5985bde1019f91a4
Instruction ID: 416b2c718a487c2b731ec3cd0a026c8f149e93733afe9dd24ee1caace66c0372
Opcode Fuzzy Hash: 4422bb5f323a40829b7affaccb9296c9b5c5014c681be8ed5985bde1019f91a4
Instruction Fuzzy Hash: AF11AC70A0974D8FDB58DF58C4A51E93BA0FF68304F42027EE80A931A1CB34A640CB80

Function 00007FFD9B7F71B5 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21a254773203ee6ce2e3d54e5c708f9dffef7b90790ca587dd2024d350a4309
Instruction ID: b39416ee14ddc1b5769d3cda8cff4cdddd619641143b4d5a55b4d0894cf98424
Opcode Fuzzy Hash: f21a254773203ee6ce2e3d54e5c708f9dffef7b90790ca587dd2024d350a4309
Instruction Fuzzy Hash: CE11B430E0964E9FDB94EF6484656BD7BB0FF58301F0105BAD41DC61B2DA34A240C780

Function 00007FFD9B7F4AE9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7587658dbc3e4462790256ab60368da26267fafd4f5733888188ed543ca029af
Instruction ID: 57db9924e946491abddddfcca4e2014f703912c3a1fd8d16c4a8b684a19ce1a9
Opcode Fuzzy Hash: 7587658dbc3e4462790256ab60368da26267fafd4f5733888188ed543ca029af
Instruction Fuzzy Hash: DF216D30A0E68E8FEB59EF6884692B97BB0FF58301F0102BFD419C65B6DA346540C781

Function 00007FFD9B7F5025 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7453706e1a9a82fed247b8b1b81d3505135bbbce053b5ab0b13972f2d278d8
Instruction ID: cf1a16ed6b55d4fc46ffbd828212a01b4f069b965bf1ae10f2b193689d86cd59
Opcode Fuzzy Hash: 8d7453706e1a9a82fed247b8b1b81d3505135bbbce053b5ab0b13972f2d278d8
Instruction Fuzzy Hash: 0F11B271B0EB8E4BEB69DF74C8B52B87BA0EF55300F0601BED419865B2DE256550C781

Function 00007FFD9B7EDA2F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3b17863cbbc5c2371a1197e69d8b6ba35e9ff68241fdfa21bc6a59cb7965af
Instruction ID: 77efa2b42ab6ae2a983b7ef47ceab24a7f403f70e7d760d38fba8e4033b51893
Opcode Fuzzy Hash: 1e3b17863cbbc5c2371a1197e69d8b6ba35e9ff68241fdfa21bc6a59cb7965af
Instruction Fuzzy Hash: 53219370E0561D8FDB50DFA8C8946EDBBF1EF18311F11162AD419E72B1DA786A448B50

Function 00007FFD9B7F5399 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a088fb942b638d9878e89763e2d4c1e813f4dbf17cfd131ad6416c844e4fdd84
Instruction ID: 33bdbd2da25b80dab35436bdd1064f086bac68142a2720a161f71f448401129e
Opcode Fuzzy Hash: a088fb942b638d9878e89763e2d4c1e813f4dbf17cfd131ad6416c844e4fdd84
Instruction Fuzzy Hash: 2011B130A0A78E8FEB55EB68C8692BD7FE0FF14304F0105BAC419C71B2DE7465448741

Function 00007FFD9B7ECB90 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062337acc8772e8a94ff37ecd0c6c0448d44e7bb1a78557945c0582ad4c07309
Instruction ID: fbb3764e073860a9954f898850eb42b5e2dc21cd6c0ce99b910d3c327abf26ff
Opcode Fuzzy Hash: 062337acc8772e8a94ff37ecd0c6c0448d44e7bb1a78557945c0582ad4c07309
Instruction Fuzzy Hash: C4114F30E0974E8FDB56EB6488695B97BB0FF09304F0105BBD419D61B6DE346A50C750

Function 00007FFD9B7E11BD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5331ebb53aa9d442f9fce00aa3de3f96eebfe4c75221a9d051de48059a8a37b9
Instruction ID: 4ff4ecef20118a65576a2b83ba56fbcdd783eaa53e31a9829b9ad3dc4e02c9db
Opcode Fuzzy Hash: 5331ebb53aa9d442f9fce00aa3de3f96eebfe4c75221a9d051de48059a8a37b9
Instruction Fuzzy Hash: C311B671E0A64E4EEB65DBA4887A6BD7BE0FF59305F0105BED41AC64F1DA346650C700

Function 00007FFD9B7F78A1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa50424894ad8fdd00b843a6a43c6e3b637757dd49412421413c846cadaacc5d
Instruction ID: 1a5bb2e7812df68eee3cd77a8cc4bf7147f162ab9db57e7e1f2bdf526444e3b9
Opcode Fuzzy Hash: fa50424894ad8fdd00b843a6a43c6e3b637757dd49412421413c846cadaacc5d
Instruction Fuzzy Hash: 06116131A1960E9FE752EBB4C858AAA7BF4FF19301F0106B6D019D70B5DB38A281C751

Function 00007FFD9B7EC040 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025f5d126387c38c8ae506bb853663c83c4d79c23cb4c43ac41c35027b725449
Instruction ID: 976b6a27e484f822ef01004c9e6f63170823b65c9f1acfb512be85ed51660153
Opcode Fuzzy Hash: 025f5d126387c38c8ae506bb853663c83c4d79c23cb4c43ac41c35027b725449
Instruction Fuzzy Hash: 0E11B374E0960E8FDB64DF98D8A4AEDB7B1EF58310F01423AD419E62B1DB346A40CB40

Function 00007FFD9B7EBE85 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a600946e3e5dbfd72fb6489b0834743f31eaad66f1013a5e89eed495b957d40
Instruction ID: 429b4cd7001047f6a255734f9b20a1d4e4bfe9e985bb84cbe8b7af9d7a7e37d0
Opcode Fuzzy Hash: 9a600946e3e5dbfd72fb6489b0834743f31eaad66f1013a5e89eed495b957d40
Instruction Fuzzy Hash: 6A115231E0A64E8FEB55EFA4C4A96BD7BE0FF18300F5105BAD419C62B1DB35A650C740

Function 00007FFD9B7F1061 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada51598c226121a71a7528a1eea248be7a2d5d7db1f7302fd4a201e93e851fe
Instruction ID: 6387f0db71c402edd0f6410260e0f34fd4cdabe95a58887e1360be97194a5257
Opcode Fuzzy Hash: ada51598c226121a71a7528a1eea248be7a2d5d7db1f7302fd4a201e93e851fe
Instruction Fuzzy Hash: 3D118E30E0968E8FDB95EB64C4696BD7BF0FF18300F0106BAD419D65B2DB35A644C740

Function 00007FFD9B7F2D11 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2affc211cbf2b1f6b1a2ee3858be90d2ddf6b67c0dded3d03ba23ee716523fe4
Instruction ID: ff3189690f96ddda4c16d0a1fb5f1c5ed344caa75334e560f7739f1f179748cb
Opcode Fuzzy Hash: 2affc211cbf2b1f6b1a2ee3858be90d2ddf6b67c0dded3d03ba23ee716523fe4
Instruction Fuzzy Hash: 67018431E1964E8FEB51EBB4845D5F97FE0FF19300F4146B6E418C6075DA78A2858780

Function 00007FFD9B7F72ED Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51cfbd623296297b300ee790eba50a162c083f22f1bb42d701f3086e1cf46ff0
Instruction ID: e652b91956b32069a74635519000af0e894095d273989f29e6f241b271cd0ddf
Opcode Fuzzy Hash: 51cfbd623296297b300ee790eba50a162c083f22f1bb42d701f3086e1cf46ff0
Instruction Fuzzy Hash: 4211E331B0968E9FDBA8EF6484656B93BA0EF58300F4501BAD81DC61B2DE346540C780

Function 00007FFD9B7F530D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e5ce7a9457cfa3a652b9fda7e0a47d4915b79228a8bd4c359b7df082bd3e18
Instruction ID: f0a50121c913799d39df171f92a00f1520191ae6b721aef8fb0df2d54ee3e1ed
Opcode Fuzzy Hash: 99e5ce7a9457cfa3a652b9fda7e0a47d4915b79228a8bd4c359b7df082bd3e18
Instruction Fuzzy Hash: FE11E030E0968E8FEB58EB68C8296B97BE0FF19304F0505BAD41DC61B2DF346540C740

Function 00007FFD9B7F514D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807204b7b0382f9af696ddfac075f9d0d90f1ca81d3fcb38b26719b7075abe23
Instruction ID: 5ede7dd8cd7ff6906612b441545d6716d76bbfae140b7ade9c05894ced725d9a
Opcode Fuzzy Hash: 807204b7b0382f9af696ddfac075f9d0d90f1ca81d3fcb38b26719b7075abe23
Instruction Fuzzy Hash: 1F119D70A4A64E8FEB69EB68C8796BD7BE0FF18304F0105BAD419C61A2DE347540C741

Function 00007FFD9B7E3525 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c786bab12f2381966ccd63788dc18c305dcc5e52f9f9f54181419ad533febb
Instruction ID: 4825f9dfea0aa4e17dcbceb30a5c5b2a1b0aa73ee1641ffce400abdc4a1d7eb0
Opcode Fuzzy Hash: 86c786bab12f2381966ccd63788dc18c305dcc5e52f9f9f54181419ad533febb
Instruction Fuzzy Hash: 29113C70E1A68E8FDB59EB6484695BD7BA0FF18304F4205BED419C62B1DA35A640C700

Function 00007FFD9B7F26D1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989fd7956a2bd8d3f4f31b1910a66a7ee6ead4f684a8774f4e19b4375bf6c61a
Instruction ID: 8fdee27fb3cd0e67a3e97e7309d0ceb38fff0071ac1a5ea23b1b95afedac1138
Opcode Fuzzy Hash: 989fd7956a2bd8d3f4f31b1910a66a7ee6ead4f684a8774f4e19b4375bf6c61a
Instruction Fuzzy Hash: 9C018430F4A64E8FDF59ABA0C4656F93BA0EF19304F8105BAE41EC61F6DE35A540CB50

Function 00007FFD9B7F2B45 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3efbe7ef687ed013812ac439b34e3d9fb76000b1522ef56fc8a34b52d28753b6
Instruction ID: 5ce57395586417e644f97a79d782221a86439374e6d74070a3a7c29ee9ed6fed
Opcode Fuzzy Hash: 3efbe7ef687ed013812ac439b34e3d9fb76000b1522ef56fc8a34b52d28753b6
Instruction Fuzzy Hash: 53019230A0A64E8FDB659FA084685F97BB0FF19304F8205BEE80DC60B2DE35A540C700

Function 00007FFD9B7E05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767a20ab8d94e3fa93661c06d6199d9ca0d36ef7a86098a03307fc0764f16c38
Instruction ID: b5e80b6cd77655702bdb6533a349a4603707a556713f03e17641e7ca096bc2fa
Opcode Fuzzy Hash: 767a20ab8d94e3fa93661c06d6199d9ca0d36ef7a86098a03307fc0764f16c38
Instruction Fuzzy Hash: 34019E30A09A0E8FDB68EF64C4666BE77A1FF58304F5105BED41EC65B4CE31A690CB40

Function 00007FFD9B7E2EE1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ddb02bd46d38aa4306b7854cc4db6e85dc64220693571ff913c37f97d8e8cfc
Instruction ID: 2486b04fb1c7517ff4277a11b4d1c53cb49eec2f6c69bf7fe9d069bfa5b1924b
Opcode Fuzzy Hash: 5ddb02bd46d38aa4306b7854cc4db6e85dc64220693571ff913c37f97d8e8cfc
Instruction Fuzzy Hash: 74018F71E1E74E8FE761EBA488695B97BE0EF19300F4606B6D408CA0B6EA34E6548700

Function 00007FFD9B7ED98B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf93eeb85bc72eadfef0610ac271494ccbcd7673d4c2a5dbb214165a4b09c20
Instruction ID: 36a3bcc202955c90f292d56b63a2387f8f08d7d2d5e10aeb6bb86ee59c918f66
Opcode Fuzzy Hash: 4cf93eeb85bc72eadfef0610ac271494ccbcd7673d4c2a5dbb214165a4b09c20
Instruction Fuzzy Hash: 98119370E0561D8FDB50EFA8C8946EDBBF1FF18311F11162AD419E72B1DB74A9848B50

Function 00007FFD9B7E28BD Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc90580dd0d3190dd1d1b8100d21031f4b80183bef340d0adcb68742fd6381f9
Instruction ID: 0b3c460dcda9d212c72eb4bac21fd6a9730d4efbe6d7a4de151243ee67872557
Opcode Fuzzy Hash: bc90580dd0d3190dd1d1b8100d21031f4b80183bef340d0adcb68742fd6381f9
Instruction Fuzzy Hash: FB018F30E1A60E8FE751EFA484599B977E0FF19304F4245B6D418D70B6EE38E690C741

Function 00007FFD9B7F7A29 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5653e806e48909cc7a47b04a0fb09646cfd8e74139587874c0bd01b480352758
Instruction ID: c0e3163eb2ca20bfd3ad1558ef5e052fa39a0ce8ad8119882ed604b0b4387272
Opcode Fuzzy Hash: 5653e806e48909cc7a47b04a0fb09646cfd8e74139587874c0bd01b480352758
Instruction Fuzzy Hash: 79018430A5E74E9FE752A7B888696A97FE0EF06300F4605F3D018CB0B6DA38A644C751

Function 00007FFD9B7EAD49 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7addf12432b09b669921e62b517c70cc2360a5ea48d5460670b80da564fb3190
Instruction ID: 8fc282bda5b706382289fd690a784f568fa6a047704754763c66c4b38fb8d431
Opcode Fuzzy Hash: 7addf12432b09b669921e62b517c70cc2360a5ea48d5460670b80da564fb3190
Instruction Fuzzy Hash: 1B01A730A4A74E5FD761EBB4C4596A97BF0EF05301F4205B3D009C70B6DE38E5548700

Function 00007FFD9B7E2F59 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb8ce45363d9145d3caeade6275bd4356a74e06b1cf48fb46f6b0bfb5b44f13
Instruction ID: be3c5a43f28d857522403e4d9406a28f6a566a728bc3cc73e953c598093303bf
Opcode Fuzzy Hash: 9bb8ce45363d9145d3caeade6275bd4356a74e06b1cf48fb46f6b0bfb5b44f13
Instruction Fuzzy Hash: 01018471A1E74E8FE762A7B488695A97BE0EF15300F4605F6D409CB0B6EE28A5448701

Function 00007FFD9B7E0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32de2c57daeda8ccd67b084c006494a33726835c4568b9653c630d801ac4221a
Instruction ID: a090a8e9651b2fde35dff3977ee04fffe372e80dda372714ecbdb61018c000c6
Opcode Fuzzy Hash: 32de2c57daeda8ccd67b084c006494a33726835c4568b9653c630d801ac4221a
Instruction Fuzzy Hash: 6B016D30A1960E8AEB69EBA4C4686B973A0FF18305F51097EE41ED21F5DF35A650C600

Function 00007FFD9B7E0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8dfc66b9ab5905f93101f2f18662ffb3ffd3c4ed37b68c50bbc77d47f7df6db
Instruction ID: 72dcd18d1f05ad3daed851e5d093b69f1a840704cd01bdafb886eb03a5800b3c
Opcode Fuzzy Hash: f8dfc66b9ab5905f93101f2f18662ffb3ffd3c4ed37b68c50bbc77d47f7df6db
Instruction Fuzzy Hash: E2016D30A1960E9AEB6CEBA4C4686BD72A0FF58305F51097ED41ED61F5DE35E650C600

Function 00007FFD9B7E11D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256a913c7ba550121829308f0b941257f001b2c5cb85bd07644a1bc2ecfe7eb0
Instruction ID: 79f262be689087ddb600174b02a736105fc216188aaf164a2465de1e726fcda7
Opcode Fuzzy Hash: 256a913c7ba550121829308f0b941257f001b2c5cb85bd07644a1bc2ecfe7eb0
Instruction Fuzzy Hash: BFF0F470E0A74E8AEBA49BA48C2A3BE77E4BF59204F01053EE41EC24F1DE346610C201

Function 00007FFD9B7E1D0D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 990e744b6ca7f6a33915ec1c16667eca7a53295af0fa987d892537a371f0da03
Instruction ID: 8372d164cba2b75e45e12124df356c3260104bcd0b8d6160368a0add697b1ff6
Opcode Fuzzy Hash: 990e744b6ca7f6a33915ec1c16667eca7a53295af0fa987d892537a371f0da03
Instruction Fuzzy Hash: A701A430A0A78E8FDB59DF64C4666BA37A0FF15304F4105BAD80DC65B1CB35A990C740

Function 00007FFD9B7E05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b752a02799d567e574ce10ac963f41d198739a0ef24fa66a1916348565ef265b
Instruction ID: 1b071fbcfc36dba70498dfa42376b154fd7c70c3916f1097bc606f0709508356
Opcode Fuzzy Hash: b752a02799d567e574ce10ac963f41d198739a0ef24fa66a1916348565ef265b
Instruction Fuzzy Hash: 44F0F630A0A74E8FEB68EF6484666FE37A0EF05308F51057AE41DC25F1CE35A690C740

Function 00007FFD9B7EB4D9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abfef5baf87162da84018874c0b9eae4d1c20b5c0ea65ec15cf21731e3a01443
Instruction ID: e31cb3b31839689b2a8e7d7f272e82fdd57dc52e332335fc683e6206e5f1553f
Opcode Fuzzy Hash: abfef5baf87162da84018874c0b9eae4d1c20b5c0ea65ec15cf21731e3a01443
Instruction Fuzzy Hash: 5F011E70E0961E8ADB24DF90C450AFEB7B1AF54300F154676C009A22B5DA38A645CB90

Function 00007FFD9B7E27D9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1ff35f653aec09f51d354db68855c494c07b292c81b6c9a9508f7c833c1e3c
Instruction ID: dc02038a37882afb58346b0719b108ffa5bbcf6e7d9680981e1b3dc85869d12f
Opcode Fuzzy Hash: 6b1ff35f653aec09f51d354db68855c494c07b292c81b6c9a9508f7c833c1e3c
Instruction Fuzzy Hash: 5CF0F630A0E38E8FDB1A9F6088245B93BB0BF06204F4109BBD409C61F2DB389944C701

Function 00007FFD9B7E284D Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17338e7034d8e007b14fcfc24b9a984a6d5597a4f5a0f2e704a099e183e21fc9
Instruction ID: 76179327ef6c3f49c7b3dda66f32716becf2e468c86a1a7aed0cba4415c35a50
Opcode Fuzzy Hash: 17338e7034d8e007b14fcfc24b9a984a6d5597a4f5a0f2e704a099e183e21fc9
Instruction Fuzzy Hash: 39F09030A5A78E8FDB5D9FA488241F937A0FF55304F8105BAE819C91F1DF38A554C601

Function 00007FFD9B7F1080 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa305ecac5bf8f7a8937c4d448d7ee2ad19941b58ac9ea12ed99112aae07d41
Instruction ID: 0d65c732253c4d91d27c239d697fdbd75c4bdddb5acc00f117ab95a24e3d3127
Opcode Fuzzy Hash: baa305ecac5bf8f7a8937c4d448d7ee2ad19941b58ac9ea12ed99112aae07d41
Instruction Fuzzy Hash: B4F0FE30E15A4E8EEBA4EFA4D8696FE76E4FF18305F41053AE81DD21B0DB3466548784

Function 00007FFD9B7EBFEA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ea000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7cdcad9021802319240a5134c708812a733022afd1e1e92db60a67c64a9d86
Instruction ID: 063a10b5dd3ec6aa29c24dfba2efe4146a7bcab285dc4b6598d8bb937777b495
Opcode Fuzzy Hash: ed7cdcad9021802319240a5134c708812a733022afd1e1e92db60a67c64a9d86
Instruction Fuzzy Hash: 66D04274A0D64E8BDB58DF9889A56BD76A5FF58300F111629E40EE72B1DA346A009B40

Function 00007FFD9B7F5794 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7f4000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a9cb6242cd312ba16e897809449edb827128319c94f332005911e0e1c9595d
Instruction ID: 7ebc4f51af634ec24f5ad909049ebe1b36f833e41e690780256b98eb99be2a1c
Opcode Fuzzy Hash: 76a9cb6242cd312ba16e897809449edb827128319c94f332005911e0e1c9595d
Instruction Fuzzy Hash: 9BD05E62E0AA1E9EEFA0EA5C80A45A97BE0EF28300F010139D44CC21B6DE2820028761

Function 00007FFD9B7E0FC9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911c6b8ec132b47a85dd6c244e12151149d363984321dc6dfee48d6d39a2ae3e
Instruction ID: 61c2c9ecad0f5f26db50b838460d5bc306f3d39e18ea77dfd4dad034fc7561cc
Opcode Fuzzy Hash: 911c6b8ec132b47a85dd6c244e12151149d363984321dc6dfee48d6d39a2ae3e
Instruction Fuzzy Hash: F1E0EC30E1591D4AEBA4EB54CC65FEEBA71BF44304F1146B5D00DA32A5CE3869854B44

Non-executed Functions

Function 00007FFD9B7EF0B5 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

", xrefs: 00007FFD9B7EF100
k, xrefs: 00007FFD9B7EF81B
0, xrefs: 00007FFD9B7EF179
S, xrefs: 00007FFD9B7EF0BA

Memory Dump Source

Source File: 00000027.00000002.1776490022.00007FFD9B7EF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd9b7ef000_fontdrvhost.jbxd

Similarity

API ID:
String ID: "$0$S$k
API String ID: 0-2456877467
Opcode ID: 4ed355d1756b53b4e65e0b82e69da6c1aec4a28e7d8c33d72dda8e30b96f24cd
Instruction ID: 4c1945261375aa22af48d14475ccc460cc5e49cf52b58f9926e73243994d9b4d
Opcode Fuzzy Hash: 4ed355d1756b53b4e65e0b82e69da6c1aec4a28e7d8c33d72dda8e30b96f24cd
Instruction Fuzzy Hash: A621E574E0A62D8EEB64DF64D8943A9B7B1BF58300F0186E9D00DA72A0DB785B84CF51

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5tqXx7iu9m.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\95aaaff3431df3

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sqPKQawpTnLujfRgyPwI.exe:Zone.Identifier

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\95aaaff3431df3

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sqPKQawpTnLujfRgyPwI.exe

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sqPKQawpTnLujfRgyPwI.exe:Zone.Identifier

C:\Program Files (x86)\Windows Defender\95aaaff3431df3

C:\Program Files (x86)\Windows Defender\sqPKQawpTnLujfRgyPwI.exe

C:\Program Files (x86)\Windows Defender\sqPKQawpTnLujfRgyPwI.exe:Zone.Identifier

C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\886983d96e3d3e

C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe

C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\csrss.exe:Zone.Identifier

C:\Program Files\Microsoft\5b884080fd4f94

C:\Program Files\Microsoft\9e8d7a4ca61bd9

C:\Program Files\Microsoft\RuntimeBroker.exe

C:\Program Files\Microsoft\RuntimeBroker.exe:Zone.Identifier

C:\Program Files\Microsoft\fontdrvhost.exe

Windows Analysis Report
5tqXx7iu9m.exe